AWS GuardDuty Integration

Overview

AWS GuardDuty is a managed threat detection service that continuously analyzes AWS CloudTrail events, VPC Flow Logs and DNS query logs for malicious activity and unauthorized behavior across your AWS accounts, workloads and data stored in Amazon S3. It reports what it detects as findings, each with a type and a numeric severity; this integration reads those findings through the GuardDuty API and turns them into Bloo alerts.

Prerequisites

  • AWS account with GuardDuty enabled
  • IAM permissions to read GuardDuty detectors and findings (policy below)
  • Bloo platform access credentials

Configuration Steps

1. Enable AWS GuardDuty

GuardDuty is a regional service: a detector must exist in every region you want monitored.

  1. Sign in to the AWS Management Console
  2. Navigate to the GuardDuty service
  3. Click "Get started" to enable GuardDuty (this creates the detector for the current region)
  4. In a multi-account setup, choose the GuardDuty administrator account (called the "master" account in older consoles) and add your member accounts
  5. Repeat for every region where you have resources; enabling GuardDuty in one region does not enable it elsewhere

2. Create an IAM User for the Integration

Create a dedicated IAM user for the integration (step 3 asks for that user's access key) and attach a policy with only the read permissions Bloo needs:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "guardduty:GetFindings",
        "guardduty:ListFindings",
        "guardduty:GetDetector",
        "guardduty:ListDetectors"
      ],
      "Resource": "*"
    }
  ]
}
```

All four actions are read-only: the integration can list and read findings but cannot change detectors, archive findings or edit IP lists. GetDetector, GetFindings and ListFindings accept a detector ARN (arn:aws:guardduty:REGION:ACCOUNT:detector/DETECTOR_ID) as the resource, so once you know your detector IDs you can tighten those three; ListDetectors has no resource-level permissions and must keep "Resource": "*".

3. Configure Bloo Integration

  1. Log into your Bloo platform dashboard
  2. Navigate to Integrations > AWS GuardDuty
  3. Click "Configure Integration"
  4. Enter the credentials of the IAM user from step 2:
     - Access Key ID
     - Secret Access Key
     - Region (the region whose detector Bloo should read; findings do not cross regions)
  5. Test the connection
  6. Save the configuration

Access keys are long-lived static credentials. Generate them only for the dedicated integration user, do not reuse them anywhere else, and rotate them on a schedule.

4. Set Up Alerting

Configure alert rules in Bloo. GuardDuty assigns each finding a numeric severity, and the tiers below follow its published bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9; findings at 9.0 and above are labelled Critical and should be treated like High):

  • High Severity Findings: Immediate notification
  • Medium Severity Findings: Daily summary
  • Low Severity Findings: Weekly summary

Supported Finding Types

GuardDuty finding types are named ThreatPurpose:ResourceType/ThreatFamily (for example Recon:EC2/PortProbeUnprotectedPort); the threat-purpose prefix is what places a finding in one of these groups:

  • Reconnaissance (Recon, Discovery): port scanning, probing of unprotected ports, enumeration of resources
  • Instance Compromise (Backdoor, CryptoCurrency, Trojan, Execution): malware and command-and-control activity, crypto-mining, suspicious API calls from an instance
  • Account Compromise (UnauthorizedAccess, CredentialAccess): unusual login patterns, credential abuse, API calls from known malicious IPs
  • Data Exfiltration (Exfiltration): unusual data access patterns and transfers out of S3
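The steps above carried through in code, as an added example that is not Bloo's own integration code: the fetch function uses exactly the four actions granted in step 2 through boto3, the criteria builder pushes the severity and time filters into ListFindings so the filtering happens server-side, and the routing function applies the three alert tiers from step 4 and the finding-type groups listed above. The account number, finding IDs and findings in SAMPLE_FINDINGS are constructed; boto3 and AWS credentials are needed only to call fetch_findings, the rest runs offline.

```python
"""Pull GuardDuty findings with the read-only policy above and sort them into
Bloo's alert tiers. Example code written for this page, not Bloo's own code."""
from collections import defaultdict

# GuardDuty scores findings 0.1-10.0. Published bands: Low 1.0-3.9,
# Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
def severity_label(score):
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

# Alert rules from the page. Critical is routed like High (assumption: the
# page names only three tiers).
ROUTE = {
    "CRITICAL": "immediate",
    "HIGH": "immediate",
    "MEDIUM": "daily_summary",
    "LOW": "weekly_summary",
}

# A finding type is ThreatPurpose:Resource/ThreatFamily.Mechanism!Artifact,
# e.g. Recon:EC2/PortProbeUnprotectedPort. The prefix maps onto the page's groups.
THREAT_PURPOSE_CATEGORY = {
    "Recon": "Reconnaissance",
    "Discovery": "Reconnaissance",
    "Backdoor": "Instance Compromise",
    "CryptoCurrency": "Instance Compromise",
    "Trojan": "Instance Compromise",
    "Execution": "Instance Compromise",
    "UnauthorizedAccess": "Account Compromise",
    "CredentialAccess": "Account Compromise",
    "Exfiltration": "Data Exfiltration",
}

def categorize(finding_type):
    return THREAT_PURPOSE_CATEGORY.get(finding_type.split(":", 1)[0], "Other")

def finding_criteria(min_severity=1, updated_since_ms=None, include_archived=False):
    """FindingCriteria for ListFindings: severity floor, optional time floor
    (epoch milliseconds) and, by default, only unarchived findings."""
    crit = {"severity": {"Gte": min_severity}}
    if updated_since_ms is not None:
        crit["updatedAt"] = {"Gte": updated_since_ms}
    if not include_archived:
        crit["service.archived"] = {"Eq": ["false"]}
    return {"Criterion": crit}

def fetch_findings(region, min_severity=1, updated_since_ms=None):
    """Every API call here is covered by one of the four actions in the policy."""
    import boto3  # imported lazily so the routing logic runs without AWS access
    gd = boto3.client("guardduty", region_name=region)
    findings = []
    for detector_id in gd.list_detectors()["DetectorIds"]:                 # guardduty:ListDetectors
        if gd.get_detector(DetectorId=detector_id)["Status"] != "ENABLED":  # guardduty:GetDetector
            continue
        pages = gd.get_paginator("list_findings").paginate(                 # guardduty:ListFindings
            DetectorId=detector_id,
            FindingCriteria=finding_criteria(min_severity, updated_since_ms),
        )
        ids = [fid for page in pages for fid in page["FindingIds"]]
        for i in range(0, len(ids), 50):  # GetFindings accepts at most 50 IDs per call
            resp = gd.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + 50])  # guardduty:GetFindings
            findings.extend(resp["Findings"])
    return findings

def route_findings(findings):
    """Group findings by alert tier, keeping only the fields an alert needs."""
    tiers = defaultdict(list)
    for f in findings:
        label = severity_label(f["Severity"])
        tiers[ROUTE[label]].append({
            "id": f["Id"], "type": f["Type"], "category": categorize(f["Type"]),
            "severity": label, "account": f["AccountId"], "region": f["Region"],
        })
    return dict(tiers)

# Constructed sample findings shaped like GetFindings output; IDs and the
# account number are made up, the finding types are real GuardDuty types.
SAMPLE_FINDINGS = [
    {"Id": "f1", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "AccountId": "111111111111", "Region": "us-east-1"},
    {"Id": "f2", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "Severity": 5.0,
     "AccountId": "111111111111", "Region": "us-east-1"},
    {"Id": "f3", "Type": "Exfiltration:S3/MaliciousIPCaller", "Severity": 8.0,
     "AccountId": "111111111111", "Region": "us-east-1"},
    {"Id": "f4", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "AccountId": "111111111111", "Region": "us-east-1"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(route_findings(SAMPLE_FINDINGS), indent=2))
```

Because findings are regional, run fetch_findings once per region where a detector exists; passing updated_since_ms as the timestamp of the previous successful poll keeps each run to new or changed findings rather than re-reading the whole backlog.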
Monitoring and Maintenance

Regular Tasks

  1. Review Findings: Check for new findings daily
  2. Update Lists and Suppression Rules: GuardDuty's detections are managed by AWS, so there are no detection rules to maintain; keep your trusted IP lists, threat IP lists and suppression rules current instead
  3. Monitor Costs: Track GuardDuty usage costs
  4. Test Integration: Verify connectivity monthly

Troubleshooting

Common Issues:

  1. Authentication Errors
     - Verify the access key pair belongs to the integration user and has not been deactivated or rotated
     - Check that the policy from step 2 is attached to that user
     - Ensure GuardDuty is enabled in the configured region

  2. No Findings Received
     - Verify region configuration: findings are regional, so Bloo must read the region where the detector lives
     - Check that the detector status is ENABLED
     - Review IAM permissions (ListFindings and GetFindings are both required)
     - Check whether findings are archived or a suppression rule is auto-archiving them

  3. High Latency
     - Check network connectivity
     - Verify AWS service status
     - Review API rate limits

Best Practices

  1. Enable GuardDuty in all regions where you have resources
  2. Use a dedicated IAM user for integration access and rotate its access keys
  3. Implement least privilege: the integration needs only the four read-only guardduty actions above
  4. Regularly review and update finding filters
  5. Monitor GuardDuty costs and adjust as needed

    Support

    For additional support:

  • Bloo Documentation: [docs.bloo.com/integrations/aws-guardduty](https://docs.bloo.com/integrations/aws-guardduty)
  • AWS GuardDuty Documentation: [docs.aws.amazon.com/guardduty](https://docs.aws.amazon.com/guardduty)
  • Bloo Support: [support.bloo.com](https://support.bloo.com)