AWS GuardDuty Response Connector

  • AWS Guard Duty Connector Configuration Requirement.
  1. An AWS account with the AWS client ID and secret key, and the region in which the EC2 instances and the S3 bucket will be running.

  2. Create an S3 bucket to which the GuardDuty findings will be exported. The S3 bucket needs the following permissions:

    1. Read/Write access to EC2.
    2. Read/Write access to EKS.
  3. Setting up the AWS GuardDuty.

    1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Select the region for GuardDuty. Here the region will be the same as the S3 Bucket region.
    2. Choose Get Started.
    3. Choose Enable GuardDuty.
  • Configuration of Aws Guardduty connector:
  1. Under the connector, go to Ingestion.
  2. Select Aws Guardduty. Click on Configure.
  3. Enter the Client Aws Access Key, Client Aws Secret Key, Aws S3 Bucket Name (from Step 1 of AWS Guard Duty Connector Configuration Requirement) and Aws Region (the region in which the S3 bucket is created).
  4. Click on Validate and Save.
  • AWS Guard Duty Response Connector Configuration Requirement.
  1. Granting GuardDuty permission to a KMS key.

    1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

    2. Make sure the region used for KMS is the same as the S3 bucket's region. If not, change the region.

    3. Go to Create key. Use the following key configuration: Key type: Symmetric and Key usage: Encrypt and decrypt. Click on Next.

    4. Provide the KMS key alias name, for example aws_guardduty_kms_configuration. Click on Next.

    5. Define the key administrative permissions. Select the email address to grant the administrative permission. Click on Next.

    6. Define the key usage permissions. Select the email address to grant the key usage permission. Click on Next.

    7. Click on Finish to create a key.

    8. Under Customer-managed keys, the key alias name will be present. Click on the key alias name.

    9. Select the key and, under Key policy, click on Switch to policy view. Then click on Edit.

    10. Add the following key policy statement to your KMS key, granting GuardDuty access to the key. This statement allows GuardDuty to use only the key whose policy you are editing. When editing the key policy, make sure your JSON syntax is valid: if you add the statement before the final statement, you must add a comma after its closing bracket.

      {
        "Sid": "AllowGuardDutyKey",
        "Effect": "Allow",
        "Principal": { "Service": "guardduty.amazonaws.com" },
        "Action": "kms:GenerateDataKey",
        "Resource": "<arn_of_KMS>",
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "<account_id>",
            "aws:SourceArn": "arn:aws:guardduty:<aws_region>:<account_id>:detector/<aws_guardduty_SourceDetectorID>"
          }
        }
      }

      Note:

      1. Replace <arn_of_KMS> with the ARN of the KMS key. The ARN is shown under General configuration.
      2. Replace <account_id> with the AWS account ID of the GuardDuty account.
      3. Replace <aws_region> with the Region of the GuardDuty account. (If you're using GuardDuty in a manually-enabled Region, replace the value for "Service" with the Regional endpoint for that Region. For example, if you're using GuardDuty in the Asia Pacific (Mumbai) (ap-south-1) Region, replace "Service": "guardduty.amazonaws.com" with "Service": "guardduty.ap-south-1.amazonaws.com".)
      4. From the GuardDuty Settings, copy the detector ID and replace <aws_guardduty_SourceDetectorID> with it.
    11. Click on Save.

  2. Granting GuardDuty permissions to a bucket.

    1. Select the Bucket which is created in Step 1 of AWS Guard Duty Connector Configuration Requirement.

    2. Choose Permissions, and then choose Bucket Policy. Click on Edit.

    3. Use the following policy. The DenyUnencryptedUploads and DenyIncorrectHeader statements are optional; they reject uploads that are not encrypted with the KMS key from Step 1.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowGuardDutygetBucketLocation",
            "Effect": "Allow",
            "Principal": { "Service": "guardduty.amazonaws.com" },
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::<BucketName>",
            "Condition": {
              "StringEquals": {
                "aws:SourceAccount": "<account_id>",
                "aws:SourceArn": "arn:aws:guardduty:<aws_region>:<account_id>:detector/<aws_guardduty_SourceDetectorID>"
              }
            }
          },
          {
            "Sid": "AllowGuardDutyPutObject",
            "Effect": "Allow",
            "Principal": { "Service": "guardduty.amazonaws.com" },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BucketName>/*",
            "Condition": {
              "StringEquals": {
                "aws:SourceAccount": "<account_id>",
                "aws:SourceArn": "arn:aws:guardduty:<aws_region>:<account_id>:detector/<aws_guardduty_SourceDetectorID>"
              }
            }
          },
          {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": { "Service": "guardduty.amazonaws.com" },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BucketName>/*",
            "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } }
          },
          {
            "Sid": "DenyIncorrectHeader",
            "Effect": "Deny",
            "Principal": { "Service": "guardduty.amazonaws.com" },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BucketName>/*",
            "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption-aws-kms-key-id": "<arn_of_KMS>" } }
          },
          {
            "Sid": "DenyNon-HTTPS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<BucketName>/*",
            "Condition": { "Bool": { "aws:SecureTransport": "false" } }
          }
        ]
      }

      Note:

      1. Replace <arn_of_KMS> with the ARN of the KMS key. The ARN is shown under General configuration.
      2. Replace <account_id> with the AWS account ID of the GuardDuty account.
      3. Replace <aws_region> with the Region of the GuardDuty account. (If you're using GuardDuty in a manually-enabled Region, replace the value for "Service" with the Regional endpoint for that Region. For example, if you're using GuardDuty in the Asia Pacific (Mumbai) (ap-south-1) Region, replace "Service": "guardduty.amazonaws.com" with "Service": "guardduty.ap-south-1.amazonaws.com".)
      4. From the GuardDuty Settings, copy the detector ID and replace <aws_guardduty_SourceDetectorID> with it.
      5. Replace <BucketName> with the name of the S3 bucket created in Step 1 of AWS Guard Duty Connector Configuration Requirement.
    4. Click on Save changes.

  3. To configure findings export using an existing bucket:

    1. Open the GuardDuty console and choose Settings.
    2. Under S3 bucket in the Findings export options section, choose Configure now.
    3. Choose Existing bucket in your account, then select the bucket created in Step 1 of AWS Guard Duty Connector Configuration Requirement.
    4. Under KMS encryption, select Choose key from your account, then in Key alias choose the key created in KMS.
    5. Click on Save.
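As an added example (not the connector's or AWS's own code), the Python below renders the bucket policy from step 2 for a given bucket, account ID, Region, detector ID and KMS key ARN, applies the Regional service principal rule from note 3 for manually-enabled Regions (the opt_in flag is this example's own assumption), and lints a policy for the two properties that matter most: every Allow for the GuardDuty service principal must be pinned to one account and detector ARN via aws:SourceAccount/aws:SourceArn (otherwise any GuardDuty detector could write into the bucket), and a Deny for non-TLS access must be present. All sample values are constructed.

```python
GD_SERVICE = "guardduty.amazonaws.com"

def guardduty_principal(region, opt_in=False):
    # Note 3 above: a manually-enabled (opt-in) Region uses the Regional service principal.
    return f"guardduty.{region}.amazonaws.com" if opt_in else GD_SERVICE

def build_bucket_policy(bucket, account_id, region, detector_id, kms_arn, opt_in=False):
    """Bucket policy from step 2: two Allow statements pinned to one detector (the
    confused-deputy guard), the optional SSE-KMS Deny statements, and a TLS-only Deny."""
    principal = {"Service": guardduty_principal(region, opt_in)}
    pin = {"StringEquals": {
        "aws:SourceAccount": account_id,
        "aws:SourceArn": f"arn:aws:guardduty:{region}:{account_id}:detector/{detector_id}"}}
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGuardDutygetBucketLocation", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetBucketLocation", "Resource": f"arn:aws:s3:::{bucket}", "Condition": pin},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow", "Principal": principal,
         "Action": "s3:PutObject", "Resource": objects, "Condition": pin},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": principal,
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyIncorrectHeader", "Effect": "Deny", "Principal": principal,
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_arn}}},
        {"Sid": "DenyNon-HTTPS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": objects, "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def lint_policy(policy):
    """Return a list of problems: a GuardDuty Allow that is not pinned to one account and
    detector ARN, or no Deny for plaintext (non-TLS) access. An empty list means OK."""
    problems = []
    for s in policy["Statement"]:
        principal = s.get("Principal")
        service = principal.get("Service", "") if isinstance(principal, dict) else ""
        if s["Effect"] == "Allow" and service.startswith("guardduty."):
            keys = set(s.get("Condition", {}).get("StringEquals", {}))
            if not {"aws:SourceAccount", "aws:SourceArn"} <= keys:
                problems.append(f"{s['Sid']}: GuardDuty Allow not pinned to one detector")
    tls_deny = any(s["Effect"] == "Deny" and
                   s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
                   for s in policy["Statement"])
    if not tls_deny:
        problems.append("no Deny for aws:SecureTransport=false")
    return problems
```

Run lint_policy on the policy actually attached to the bucket (for example the JSON returned by the S3 console or CLI) to confirm that the pin and the TLS Deny survived later edits.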
  • Configuration of Aws Guardduty Response connector:
  1. Under the connector, go to Response.
  2. Select Aws Guardduty Response connector. Click on Configure.
  3. Enter the Client Aws Access Key, Client Aws Secret Key, EC2 region.
  4. Click on Validate and Save.