Amazon GuardDuty Integration¶
The Aviatrix Controller integrates with Amazon GuardDuty to provide you the IDS protection on a per account and region basis.
Amazon GuardDuty continuously monitors an account’s AWS environment and reports findings. GuardDuty sifts through CloudTrail logs, VPC Flow logs, and DNS logs to assess risk and generate findings. To learn more about GuardDuty, read Amazon GuardDuty FAQ.
While there are no additional Aviatrix charges to use this feature, there are AWS charges associated with using Amazon GuardDuty. For more information, see Amazon GuardDuty Pricing.
To enable GuardDuty Integration, log in to the Aviatrix Controller and follow these steps:
Additional permissions must be granted in the aviatrix-app-policy IAM policy for each account where this feature is enabled. You may need to update IAM policies prior to enabling this feature.
- Go to Security > AWS GuardDuty.
- Click + New.
- Select the Account Name of the AWS account where you would like to enable GuardDuty integration.
- Select the AWS Region.
- Click Enable.
If you have already enabled GuardDuty on AWS Console, the Controller will detect, pull the information, and proceed.
Integration and Enforcements¶
The Aviatrix Controller provides additional monitoring, logging and enforcement services when you enable Amazon GuardDuty from the Aviatrix Controller Console, as listed below.
- Aviatrix Controller periodically polls Amazon GuardDuty findings. The polling time is configurable between 5 minutes to 60 minutes.
- Findings from Amazon GuardDuty are logged to the Controller syslog. (Syslog can be exported to Aviatrix supported Logging services.)
- Findings from Amazon GuardDuty are displayed in Alert Bell on the Controller console.
- In addition, if a finding is about instances in a VPC being probed by a malicious IP address, this IP address is blocked by deploying Public Subnet Filtering Gateway, as shown in the diagram below.
Go to Security > AWS GuardDuty > Change Scanning Interval. Select a time and click Apply.