Anomaly Detection Integration with AWS GuardDuty

Question

Pulumi · Accepted Answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With GuardDuty, you can set up threat intelligence feeds that help you identify threats by providing lists of known malicious IP addresses and domains. This is typically done using resources such as `ThreatIntelSet` and `Detector`.

Here's how we can integrate AWS GuardDuty into your AWS infrastructure for anomaly detection using Pulumi with Python:

1. **GuardDuty Detector**: This is the primary GuardDuty resource which represents the threat detection service itself. First, a `Detector` must be created to enable GuardDuty.

2. **ThreatIntelSet**: After the GuardDuty Detector is enabled, you can create a ThreatIntelSet. A ThreatIntelSet is a collection of known malicious IP addresses and domains. It can be used by GuardDuty to check for threats against your AWS environment.

Below is a complete program that showcases how you might set up an AWS GuardDuty Detector and a ThreatIntelSet using Pulumi:

```python
import pulumi
import pulumi_aws as aws

# Create a GuardDuty detector to initiate the service
guardduty_detector = aws.guardduty.Detector("myGuardDutyDetector",
    enable=True,
    finding_publishing_frequency="SIX_HOURS")

# Assuming you have a list of known malicious IPs provided as a txt file on S3,
# you can use it to create a ThreatIntelSet for the Detector
threat_intel_set = aws.guardduty.ThreatIntelSet("myThreatIntelSet",
    detector_id=guardduty_detector.id,
    format="TXT",
    location="s3://my-threatintel-bucket/my_threat_intel_list.txt",
    activate=True)

# Export the ID of the GuardDuty detector
pulumi.export('guardduty_detector_id', guardduty_detector.id)
# Export the ID of the GuardDuty ThreatIntelSet
pulumi.export('threat_intel_set_id', threat_intel_set.id)
```

This Pulumi program does the following:

- It initializes a new Pulumi project for AWS.
- It creates a new GuardDuty Detector which is necessary for GuardDuty to begin threat detection.
- It sets up a ThreatIntelSet, which is a feed of known bad IPs and domains, configuring it with a file from an S3 bucket (you need to provide the actual path to your threat intelligence list).

Before you run this program, you will need to have the AWS CLI configured with the appropriate credentials. Install the Pulumi CLI and the AWS provider package, `pulumi_aws`, in your Python environment. You can then run this program using the Pulumi CLI to create the GuardDuty Detector and ThreatIntelSet in your AWS account.

Refer to the [AWS GuardDuty Detector](https://www.pulumi.com/registry/packages/aws/api-docs/guardduty/detector/) and [AWS GuardDuty ThreatIntelSet](https://www.pulumi.com/registry/packages/aws/api-docs/guardduty/threatintelset/) documentation for more details on the resources used in this example.