1
00:00:01,400 --> 00:00:04,140
So now let's learn about Amazon GuardDuty.

2
00:00:04,140 --> 00:00:06,530
So Amazon GuardDuty is a service in AWS

3
00:00:06,530 --> 00:00:09,710
that will perform intelligent threat discovery

4
00:00:09,710 --> 00:00:12,690
in order to protect your AWS accounts.

5
00:00:12,690 --> 00:00:14,480
So it's going to use machine learning algorithms

6
00:00:14,480 --> 00:00:17,160
in the backend and do anomaly detection

7
00:00:17,160 --> 00:00:19,640
and use third-party data to detect

8
00:00:19,640 --> 00:00:22,150
if your account is under attack.

9
00:00:22,150 --> 00:00:24,260
And it's just one click to enable

10
00:00:24,260 --> 00:00:25,810
and you get a 30-day trial

11
00:00:25,810 --> 00:00:27,870
and you don't need to install any kind of software,

12
00:00:27,870 --> 00:00:30,220
it works in the backend as is.

13
00:00:30,220 --> 00:00:32,420
So Amazon GuardDuty takes some input data

14
00:00:32,420 --> 00:00:34,130
from several sources.

15
00:00:34,130 --> 00:00:37,290
It takes data from your CloudTrail Events logs,

16
00:00:37,290 --> 00:00:39,620
and it looks for unusual API calls,

17
00:00:39,620 --> 00:00:42,440
for unauthorized deployments, and so on.

18
00:00:42,440 --> 00:00:44,950
So it can use the Management Events, for example,

19
00:00:44,950 --> 00:00:46,060
these are the events that happen

20
00:00:46,060 --> 00:00:48,430
when you create a VPC subnet, when you create a trail,

21
00:00:48,430 --> 00:00:50,830
they're just API calls within your accounts.

22
00:00:50,830 --> 00:00:53,890
And it also looks at CloudTrail S3 Data Events.

23
00:00:53,890 --> 00:00:54,723
For example,

24
00:00:54,723 --> 00:00:57,150
it looks at the events happening within your buckets.

25
00:00:57,150 --> 00:01:00,980
So API calls such as GetObject, ListObjects,

26
00:01:00,980 --> 00:01:03,020
DeleteObject, and so on.
27
00:01:03,020 --> 00:01:04,580
It looks at your VPC Flow Logs

28
00:01:04,580 --> 00:01:08,750
to detect unusual internet traffic or unusual IP addresses,

29
00:01:08,750 --> 00:01:10,650
your DNS Logs to look at whether or not

30
00:01:10,650 --> 00:01:12,890
you have compromised EC2 instances

31
00:01:12,890 --> 00:01:16,230
that are going to send encoded data within DNS queries,

32
00:01:16,230 --> 00:01:19,260
and finally your Kubernetes Audit Logs

33
00:01:19,260 --> 00:01:21,540
to detect suspicious activities

34
00:01:21,540 --> 00:01:24,660
and potential EKS cluster compromises.

35
00:01:24,660 --> 00:01:27,050
So all these things are happening behind the scenes.

36
00:01:27,050 --> 00:01:30,220
And then you're going to set up CloudWatch Event rules

37
00:01:30,220 --> 00:01:32,680
to be notified in case of findings.

38
00:01:32,680 --> 00:01:34,140
And in case you have findings,

39
00:01:34,140 --> 00:01:37,180
well, you can set up a rule to target, for example,

40
00:01:37,180 --> 00:01:39,470
a Lambda function to do some action

41
00:01:39,470 --> 00:01:42,173
or an SNS topic to send some emails.

42
00:01:43,140 --> 00:01:45,930
Finally, and that's something that can come up in the exam,

43
00:01:45,930 --> 00:01:47,750
GuardDuty can help you be protected

44
00:01:47,750 --> 00:01:49,810
against cryptocurrency attacks

45
00:01:49,810 --> 00:01:52,700
because it has a dedicated finding for it.

46
00:01:52,700 --> 00:01:53,883
So to summarize,

47
00:01:53,883 --> 00:01:55,730
GuardDuty detects your VPC Flow Logs,

48
00:01:55,730 --> 00:01:58,130
your CloudTrail logs, your DNS logs,

49
00:01:58,130 --> 00:02:00,450
as well as your EKS Audit logs.

50
00:02:00,450 --> 00:02:02,420
They all go into GuardDuty

51
00:02:02,420 --> 00:02:05,530
and then thanks to CloudWatch Event rules,

52
00:02:05,530 --> 00:02:07,410
you're going to get Lambda functions

53
00:02:07,410 --> 00:02:11,190
or SNS topics being notified, and you have the full picture.
54
00:02:11,190 --> 00:02:13,010
All right, that's it for this lecture.

55
00:02:13,010 --> 00:02:14,080
I hope you liked it,

56
00:02:14,080 --> 00:02:16,030
and I will see you in the next lecture.