Amazon GuardDuty Integration

Aviatrix Controller integrates with Amazon GuardDuty to provide IDS-style threat detection and response on a per-account, per-region basis.

Amazon GuardDuty continuously monitors an account's AWS environment and reports findings. GuardDuty analyzes CloudTrail logs, VPC Flow Logs and DNS logs to assess risk and generate findings. To learn more about GuardDuty, read the Amazon GuardDuty FAQ.

Note

While there are no additional Aviatrix charges to use this feature, there are AWS charges associated with using Amazon GuardDuty. For more information, see Amazon GuardDuty Pricing.

Configuration

To enable GuardDuty Integration, log in to the Aviatrix Controller and follow these steps:

Note

Additional permissions must be granted in the aviatrix-app-policy IAM policy for each AWS account where this feature is enabled. Update the IAM policy in each such account before enabling the feature, or the Controller will not be able to read findings or program Network ACLs.

  1. Go to Security > AWS GuardDuty
  2. Click + New
  3. Select the Account Name of the AWS account where you would like to enable GuardDuty integration
  4. Select the AWS Region
  5. Click Enable

(Screenshot: guardduty_config)

Note

If GuardDuty is already enabled for that account and region in the AWS Console, the Controller detects the existing detector, pulls its configuration and proceeds without creating a new one.

Integration and Enforcement

When you enable Amazon GuardDuty from the Aviatrix Controller console, the Controller provides the additional monitoring, logging and enforcement services listed below.

  • The Controller periodically polls Amazon GuardDuty for new findings.
  • Findings from Amazon GuardDuty are logged to the Controller syslog, which can be exported to the logging services Aviatrix supports.
  • Findings from Amazon GuardDuty are displayed in the Alert Bell on the Controller console.
  • If a finding reports that instances in a VPC are being probed by a malicious IP address, the Controller blocks that address automatically by programming a deny rule into the VPC's Network ACL, as shown below. Because a Network ACL is stateless, evaluates rules in ascending rule-number order and has a per-ACL rule quota, a deny entry only takes effect when it is numbered below the allow rules, and the number of sources that can be blocked this way is bounded by that quota.

(Screenshot: guardduty_acl)
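The poll-and-block behaviour described above, as an added example in Python (this is illustrative code, not Aviatrix Controller code). It extracts the remote source addresses from GuardDuty port-probe and inbound-connection findings, drops anything that is not a public IPv4 address, and plans /32 deny entries for the VPC's Network ACL, numbering them below the existing allow rules and refusing to exceed the ACL rule quota. The finding and ACL layouts are the ones the GuardDuty GetFindings and EC2 DescribeNetworkAcls APIs return; the sample findings, ACL entries and addresses are constructed, the function names are the example's own, and the boto3 helpers at the end are assumed to run with credentials that hold guardduty:ListDetectors, guardduty:ListFindings, guardduty:GetFindings, ec2:DescribeNetworkAcls and ec2:CreateNetworkAclEntry.

```python
"""Poll GuardDuty findings and plan Network ACL deny entries for probing sources.

Added example, not Aviatrix code. Planning is pure Python and runs offline;
fetch_findings/apply_entries use boto3 and need AWS credentials.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

DEFAULT_NACL_RULE_QUOTA = 20   # AWS default rules per ACL per direction (adjustable quota)
DEFAULT_RULE = 32767           # the implicit '*' deny entry AWS adds to every ACL


def remote_ipv4s(finding: dict) -> List[str]:
    """Remote addresses of an inbound probe/connection in a GetFindings-shaped finding."""
    action = finding.get("Service", {}).get("Action", {})
    kind = action.get("ActionType")
    if kind == "PORT_PROBE":
        details = action.get("PortProbeAction", {}).get("PortProbeDetails", [])
        return [d["RemoteIpDetails"]["IpAddressV4"] for d in details if "RemoteIpDetails" in d]
    if kind == "NETWORK_CONNECTION":
        conn = action.get("NetworkConnectionAction", {})
        if conn.get("ConnectionDirection") == "INBOUND":   # outbound C2 traffic needs egress rules; out of scope
            ip = conn.get("RemoteIpDetails", {}).get("IpAddressV4")
            return [ip] if ip else []
    return []


def vpc_of(finding: dict) -> Optional[str]:
    nics = finding.get("Resource", {}).get("InstanceDetails", {}).get("NetworkInterfaces", [])
    return nics[0].get("VpcId") if nics else None


def probe_sources(findings: Iterable[dict]) -> Dict[str, List[str]]:
    """Map VpcId -> sorted public IPv4 sources seen probing instances in that VPC."""
    out: Dict[str, set] = {}
    for f in findings:
        vpc = vpc_of(f)
        if vpc is None:
            continue
        for ip in remote_ipv4s(f):
            if ipaddress.ip_address(ip).is_global:   # never deny RFC1918, link-local, etc.
                out.setdefault(vpc, set()).add(ip)
    return {v: sorted(ips, key=ipaddress.ip_address) for v, ips in out.items()}


def plan_nacl_deny_entries(ips, existing_entries, quota=DEFAULT_NACL_RULE_QUOTA) -> List[dict]:
    """Build create_network_acl_entry kwargs for inbound /32 denies.

    existing_entries is the Entries list from describe_network_acls. NACLs evaluate
    rules in ascending RuleNumber order and the first match wins, so each deny is
    numbered below the lowest existing allow rule. Sources already denied are
    skipped; exceeding the quota raises before any API call is made.
    """
    ingress = [e for e in existing_entries if not e.get("Egress") and e["RuleNumber"] != DEFAULT_RULE]
    used = {e["RuleNumber"] for e in ingress}
    denied = {e.get("CidrBlock") for e in ingress if e.get("RuleAction") == "deny"}
    allows = [e["RuleNumber"] for e in ingress if e.get("RuleAction") == "allow"]
    ceiling = min(allows) if allows else DEFAULT_RULE
    todo = [ip for ip in ips if f"{ip}/32" not in denied]
    if len(ingress) + len(todo) > quota:
        raise RuntimeError(f"would exceed {quota} ingress rules on this ACL")
    entries, candidate = [], 1
    for ip in todo:
        while candidate in used:
            candidate += 1
        if candidate >= ceiling:
            raise RuntimeError("no free rule number below the existing allow rules")
        entries.append({"RuleNumber": candidate, "Protocol": "-1", "RuleAction": "deny",
                        "Egress": False, "CidrBlock": f"{ip}/32"})
        used.add(candidate)
    return entries


def fetch_findings(region: str) -> List[dict]:
    """Pull unarchived findings from every detector in the region (boto3, credentials needed)."""
    import boto3
    gd = boto3.client("guardduty", region_name=region)
    crit = {"Criterion": {"service.archived": {"Eq": ["false"]}}}
    findings = []
    for det in gd.list_detectors()["DetectorIds"]:
        pages = gd.get_paginator("list_findings").paginate(DetectorId=det, FindingCriteria=crit)
        ids = [i for page in pages for i in page["FindingIds"]]
        for n in range(0, len(ids), 50):   # GetFindings accepts at most 50 ids per call
            findings += gd.get_findings(DetectorId=det, FindingIds=ids[n:n + 50])["Findings"]
    return findings


def apply_entries(region: str, network_acl_id: str, ips: List[str]) -> List[dict]:
    """Plan against the live ACL and program the resulting deny entries."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    acl = ec2.describe_network_acls(NetworkAclIds=[network_acl_id])["NetworkAcls"][0]
    entries = plan_nacl_deny_entries(ips, acl["Entries"])
    for e in entries:
        ec2.create_network_acl_entry(NetworkAclId=network_acl_id, **e)
    return entries


# Constructed sample data in boto3 output shape (not real GuardDuty or EC2 data).
VPC = {"InstanceDetails": {"NetworkInterfaces": [{"VpcId": "vpc-0a1b2c3d"}]}}
SAMPLE_FINDINGS = [
    {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Resource": VPC,
     "Service": {"Action": {"ActionType": "PORT_PROBE", "PortProbeAction": {"PortProbeDetails": [
         {"LocalPortDetails": {"Port": 22}, "RemoteIpDetails": {"IpAddressV4": "89.248.165.10"}},
         {"LocalPortDetails": {"Port": 3389}, "RemoteIpDetails": {"IpAddressV4": "10.0.5.9"}}]}}}},
    {"Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Resource": VPC,
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
         "ConnectionDirection": "INBOUND", "RemoteIpDetails": {"IpAddressV4": "51.15.200.1"}}}}},
    {"Type": "Backdoor:EC2/Spambot", "Resource": VPC,
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
         "ConnectionDirection": "OUTBOUND", "RemoteIpDetails": {"IpAddressV4": "104.21.5.6"}}}}},
]
SAMPLE_ACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": DEFAULT_RULE, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for vpc, ips in probe_sources(SAMPLE_FINDINGS).items():
        print(vpc, plan_nacl_deny_entries(ips, SAMPLE_ACL_ENTRIES))
```

Running the script plans rules 1 and 2 for the two public sources in the constructed findings; the private 10.0.5.9 probe and the outbound Spambot connection are ignored. Re-running against an ACL that already carries one of the denies plans only the missing one, and an ACL whose allow rules start at rule 1, or which is at its quota, is reported as an error rather than left half-programmed.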