Skip to main content

Detection and Response: GuardDuty, Config, and CloudTrail

No combination of preventive controls will stop every threat. The detection and response layer ensures you know when something unexpected happens and can act before the damage spreads. On AWS, four services form the core of this layer: CloudTrail, AWS Config, GuardDuty, and Security Hub.

CloudTrail: API Audit Logging

CloudTrail records every API call made in your AWS account. Every RunInstances, PutObject, AssumeRole, and CreateUser call is logged with the caller identity, timestamp, source IP, parameters, and response.

Key Configuration Decisions

SettingRecommendation
Multi-region trailAlways enable. A single-region trail misses API calls made in other regions.
Management eventsAlways log. These are control plane operations (create, modify, delete).
Data eventsEnable selectively. S3 object-level operations and Lambda invocations generate high volume.
Log file validationAlways enable. Provides integrity checking via digest files.
S3 bucketSeparate security account with restricted access. CloudTrail logs should never be stored in the same account they monitor.
CloudWatch Logs integrationEnable for real-time alerting on specific API calls.

What CloudTrail Does Not Log

  • Data plane operations for most services (the contents of your DynamoDB queries, the payload of your Lambda invocations)
  • Console sign-in events to the root account are logged, but some legacy services may not send all events
  • Read operations on CloudTrail itself (to prevent recursive logging)

Common Use Cases

  • Investigating who deleted a resource: Filter by eventName and resourceARN.
  • Detecting unauthorized access: Look for ConsoleLogin events from unexpected IPs or without MFA.
  • Tracking IAM changes: Monitor CreateUser, AttachUserPolicy, CreateAccessKey events.

AWS Config: Configuration Compliance

AWS Config continuously monitors and records your resource configurations. While CloudTrail tells you who did what, Config tells you what your resources look like right now and how they have changed over time.

Config Rules

Config rules evaluate whether your resources comply with your desired configuration. There are two types:

TypeHow It WorksExample
AWS Managed RulesPre-built rules you enables3-bucket-server-side-encryption-enabled, iam-root-access-key-check
Custom RulesLambda functions you writeCheck that all EC2 instances have a specific tag

Evaluation triggers:

  • Configuration change: Rule evaluates when a matching resource changes.
  • Periodic: Rule evaluates on a schedule (1, 3, 6, 12, or 24 hours).

Conformance Packs

Conformance packs are collections of Config rules and remediation actions packaged together. AWS provides pre-built conformance packs for compliance frameworks:

  • Operational Best Practices for HIPAA
  • Operational Best Practices for PCI DSS
  • Operational Best Practices for CIS AWS Foundations Benchmark

These give you a compliance baseline that you can deploy and customize, rather than building rule sets from scratch.

Automatic Remediation

Config rules can trigger automatic remediation using SSM Automation documents. For example:

  • Non-compliant S3 bucket (public access enabled) triggers an SSM document that enables Block Public Access.
  • Non-compliant security group (open SSH) triggers an SSM document that removes the offending rule.

This creates a self-healing infrastructure where configuration drift is automatically corrected.

GuardDuty: Threat Detection

GuardDuty is a managed threat detection service that continuously analyzes data from multiple sources to identify potential threats:

Data SourceWhat It Detects
CloudTrail management eventsUnusual API calls, credential abuse, policy changes from unexpected principals
CloudTrail S3 data eventsAnomalous S3 access patterns, data exfiltration
VPC Flow LogsPort scanning, communication with known malicious IPs, cryptocurrency mining
DNS logsDNS-based data exfiltration, communication with command-and-control servers
EKS audit logsKubernetes-specific threats (optional, additional cost)
Runtime monitoringProcess-level threat detection on EC2, ECS, EKS (optional)

Finding Types

GuardDuty organizes findings into categories:

  • Recon: Port probing, API enumeration
  • UnauthorizedAccess: Unusual console logins, API calls from known bad IPs
  • Exfiltration: Unusual data transfer patterns from S3 or EC2
  • CryptoCurrency: EC2 instances communicating with mining pools
  • Trojan/Backdoor: Communication with command-and-control servers
  • Stealth: CloudTrail logging disabled, password policy weakened

Each finding has a severity (Low, Medium, High) and includes the affected resource, actor details, and recommended remediation.

GuardDuty Best Practices

  • Enable in every region, even regions you do not actively use. Attackers often use unused regions.
  • Enable all optional data sources (S3 protection, EKS protection, runtime monitoring) based on your workloads.
  • Export findings to Security Hub for centralized management.
  • Set up automated responses for high-severity findings using EventBridge rules.

Security Hub: Centralized Findings

Security Hub aggregates findings from GuardDuty, Config, Inspector, Macie, Firewall Manager, and third-party tools into a single dashboard. It provides:

Security Standards

Security Hub runs automated checks against security standards:

StandardWhat It Checks
AWS Foundational Security Best Practices200+ controls across IAM, S3, EC2, RDS, Lambda, etc.
CIS AWS Foundations BenchmarkCIS Level 1 and Level 2 controls
PCI DSSControls relevant to cardholder data environments
NIST 800-53NIST compliance controls

How These Services Work Together

The four services form a detection and response pipeline:

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  CloudTrail  │     │  AWS Config  │     │  GuardDuty   │
│  (API logs)  │     │  (resource   │     │  (threat     │
│              │     │   state)     │     │   detection) │
└──────┬───────┘     └──────┬───────┘     └──────┬───────┘
       │                    │                    │
       └────────────────────┼────────────────────┘

                   ┌────────────────┐
                   │  Security Hub  │
                   │  (aggregate +  │
                   │   prioritize)  │
                   └────────┬───────┘


                   ┌────────────────┐
                   │  EventBridge   │
                   │  (automate     │
                   │   response)    │
                   └────────┬───────┘

                  ┌─────────┼─────────┐
                  ▼         ▼         ▼
             ┌────────┐ ┌────────┐ ┌────────┐
             │ Lambda │ │  SNS   │ │  SIEM  │
             │(auto-  │ │(alert) │ │(ingest)│
             │ fix)   │ │        │ │        │
             └────────┘ └────────┘ └────────┘
  1. CloudTrail logs all API activity to S3 and optionally to CloudWatch Logs.
  2. AWS Config monitors resource configurations and evaluates compliance rules.
  3. GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS logs for threats.
  4. Security Hub aggregates findings from all three (plus other services) and scores them.
  5. EventBridge routes findings to automated responses: Lambda for remediation, SNS for alerts, or a SIEM for investigation.

Key Takeaways

  • Enable CloudTrail in all regions with log file validation. Store logs in a separate security account.
  • Use AWS Config with managed rules and conformance packs to continuously validate your configuration.
  • Enable GuardDuty in all regions, even those you do not use.
  • Use Security Hub to aggregate, prioritize, and automate responses to findings across all detection services.
  • Connect EventBridge to trigger automated remediation for high-confidence findings.

Flashcards

1 / 7
Question

What is the difference between CloudTrail and AWS Config?

Click to reveal
Answer

CloudTrail records who did what (API call audit log). AWS Config records what your resources look like and whether they comply with rules. CloudTrail is about activity; Config is about state.