1. Introduction
Hello! We are the writer team from Definer Inc.
In this issue, we look at how to use GuardDuty to detect credential use from other accounts.
Let's walk through the actual screens and resources and explain in detail, covering:
- What is GuardDuty used for?
- What is AWS GuardDuty?
- Using GuardDuty to detect credentials used from another account
- The PrismScaler solution for GuardDuty
2. Purpose/Use Cases
This article summarizes information and practices that are helpful when you want to detect credential use from other accounts in GuardDuty. Here are some use cases where you should consider using GuardDuty:
- Protect your compute workloads:
Detect when your EC2 instances are used to mine cryptocurrency or to communicate with IP addresses and domains associated with known malicious actors.
- Protect your AWS credentials:
Detect when your AWS credentials are used in a suspicious way, such as from IP addresses associated with known malicious actors, or in a way that deviates from their expected behavior.
- Protect your data stored in Amazon S3 buckets:
Detect when data stored in your Amazon S3 buckets is accessed in a highly suspicious manner, such as when an unusual volume of objects is retrieved from an unusual location, or when the S3 bucket is accessed from IP addresses associated with known malicious actors.
3. What is GuardDuty?
GuardDuty is a service that detects threats to AWS accounts and AWS resources.
No software installation or difficult configuration is required, and any AWS user can easily start using the service.
It analyzes and monitors data such as CloudTrail logs and VPC flow logs, and uses AI to detect malicious activity in AWS.
This includes over-granting of privileges, use of publicly available credentials, and communications from malicious IP addresses.
It also recognizes infrastructure deployments, such as EC2 instances in previously unused regions, and password policy changes to reduce password strength.
・The Need for GuardDuty
Launching a service on a cloud platform such as AWS is easy, but there are many cases where the service is released to the public without sufficient security.
This is especially common when resources are created in the development environment for verification purposes and then forgotten about without deleting them.
The number of attackers on cloud resources is increasing every year, and resources need to be properly protected.
GuardDuty uses AI to detect threats by leveraging the vast amount of logs and other data held by AWS, so it is highly recommended, especially for development teams that are concerned about security.
4. GuardDuty detects credentials used from another account
Amazon GuardDuty offers a new threat detection capability. It notifies you when EC2 instance credentials are used to call an API from an IP address owned by a different AWS account than the one in which the associated EC2 instance is running. GuardDuty already notified you when an EC2 instance's credentials were used from outside AWS; this new detection closes the gap that a malicious actor could otherwise use to evade detection by using stolen EC2 instance credentials from another AWS account.
Let's get started and use GuardDuty to detect credential usage from another account.
Assume you have one EC2 instance (EC2-A) running in AWS account A and one EC2 instance (EC2-B) running in AWS account B.
(1) First, you need to enable GuardDuty in your AWS account. This can be done through the AWS Management Console, AWS CLI (Command Line Interface), or AWS SDKs (Software Development Kits). Once enabled, GuardDuty will start monitoring and analyzing data for potential threats.
(2) As a test, create an IAM role in account A and attach it to EC2-A. This IAM role should have the GuardDutyReadOnlyAccess permission by default.
(3) Log in to EC2-A and run the following commands on EC2-A to check the credentials.
The credentials of the attached IAM role can be read from the instance's own metadata service.
## Command to check credentials (uses IMDSv1; if the instance requires IMDSv2, the requests also need a session token header)
mu=http://169.254.169.254/latest/meta-data/iam/security-credentials/
role=$(curl -s "$mu")     ## name of the IAM role attached to the instance
curl -s "$mu$role"        ## temporary credentials of that role
## Displays the AccessKeyId, SecretAccessKey, and Token (session token)
Next, log in to EC2-B in AWS account B.
(4) Configure the credentials of EC2-A (the credentials you checked on EC2-A earlier) on EC2-B in account B.
(5) Run the CLI from EC2-B in account B against account A.
(6) Check GuardDuty, and you will see a finding that the credentials were used from another account, with a severity of "High".
Checking the JSON in the finding details, you can see the ID of the access key that was used!
## Run the CLI from account B against account A
## Create a profile (enter the access key ID and secret access key of EC2-A you obtained)
aws configure --profile test
## The instance credentials are temporary, so the session token (the Token value) must be set as well
aws configure set aws_session_token <Token value from EC2-A> --profile test
## Run the CLI with the profile
aws ec2 describe-vpcs --profile test
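The finding from step (6) arrives as JSON (for example from `aws guardduty get-findings`). The following added example, which is not part of the original article, shows how a responder can triage such findings in code: it picks out GuardDuty's instance-credential-exfiltration finding types, reads the access key ID and the remote account from the finding, and flags any remote account you do not own. The finding type names and field paths are GuardDuty's own; the sample findings, account IDs and key IDs are constructed.

```python
# Triage GuardDuty finding JSON for EC2 instance credentials used from another
# account. Example code, not from the original article; sample data is constructed.
import json

# GuardDuty's finding types for instance credentials used away from the instance.
EXFIL_TYPES = {
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS": "another AWS account",
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS": "outside AWS",
}

def severity_label(score):
    """Console label for the numeric severity: 7.0-8.9 High, 4.0-6.9 Medium, else Low."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def triage(findings, own_accounts):
    """One summary per credential-exfiltration finding; own_accounts = account IDs you control."""
    rows = []
    for f in findings:
        where = EXFIL_TYPES.get(f.get("Type"))
        if where is None:
            continue  # unrelated finding type, e.g. a port probe
        call = f["Service"]["Action"].get("AwsApiCallAction", {})
        remote = call.get("RemoteAccountDetails", {}).get("AccountId")
        rows.append({
            "finding_id": f["Id"],
            "severity": severity_label(f["Severity"]),
            "access_key_id": f["Resource"]["AccessKeyDetails"]["AccessKeyId"],
            "api": call.get("Api"),
            "remote_ip": call.get("RemoteIpDetails", {}).get("IpAddressV4"),
            "remote_account": remote,
            "used_from": where,
            "foreign_account": remote is not None and remote not in own_accounts,
        })
    return rows

# Constructed sample: EC2-A's role key called ec2:DescribeVpcs from account B, plus an unrelated finding to skip.
SAMPLE_FINDINGS = json.loads("""[
 {"Id": "f-0001", "AccountId": "111111111111", "Severity": 8,
  "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
  "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLEKEY000001"}},
  "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {"Api": "DescribeVpcs",
   "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"},
   "RemoteAccountDetails": {"AccountId": "222222222222", "Affiliated": false}}}}},
 {"Id": "f-0002", "AccountId": "111111111111", "Severity": 2, "Type": "Recon:EC2/PortProbeUnprotectedPort",
  "Resource": {"ResourceType": "Instance"}, "Service": {"Action": {"ActionType": "PORT_PROBE"}}}
]""")

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, own_accounts={"111111111111"}):
        print(json.dumps(row, indent=2))
```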
6. About the proprietary solution "PrismScaler"
・PrismScaler is a web service that enables the construction of multi-cloud infrastructures such as AWS, Azure, and GCP in just three steps, without requiring development and operation.
・The solution is designed for a wide range of usage scenarios, such as cloud infrastructure construction and cloud migration, cloud maintenance and operation, and cost optimization, and can easily realize several hundred high-quality general-purpose cloud infrastructures by appropriately combining IaaS and PaaS.
7. Contact us
This article provides useful introductory information free of charge. For consultation and inquiries, please contact "Definer Inc".
8. Regarding Definer
・Definer Inc. provides one-stop solutions from upstream to downstream of IT.
・We are committed to providing integrated support for advanced IT technologies such as AI and cloud IT infrastructure, from consulting to requirement definition, design, development, implementation, maintenance, and operation.
・PrismScaler provides high-quality, rapid "auto-configuration," "auto-monitoring," "problem detection," and "configuration visualization" for multi-cloud/IT infrastructure such as AWS, Azure, and GCP.