Amazon GuardDuty Integration
The Aviatrix Controller integrates with Amazon GuardDuty to provide you the IDS protection on a per account and region basis.
Amazon GuardDuty continuously monitors an account’s AWS environment and reports findings. GuardDuty sifts through CloudTrail logs, VPC Flow logs, and DNS logs to assess risk and generate findings. To learn more about GuardDuty, read the Amazon GuardDuty FAQ.
While there are no additional Aviatrix charges to use this feature, there are AWS charges associated with using Amazon GuardDuty. For more information, see Amazon GuardDuty Pricing. |
Integration and Enforcements
The Aviatrix Controller provides additional monitoring, logging and enforcement services when you enable Amazon GuardDuty from the Aviatrix Controller Console, as listed below.
-
Aviatrix Controller periodically polls Amazon GuardDuty findings. The polling time is configurable between 5-60 minutes.
-
Findings from Amazon GuardDuty are logged to the Controller syslog. (Syslog can be exported to Aviatrix supported Logging services.)
-
Findings from Amazon GuardDuty are displayed in the Alert Bell on the Aviatrix Controller console.
-
In addition, if a finding is about instances in a VPC being probed by a malicious IP address, this IP address is blocked by deploying Public Subnet Filtering Gateway, as shown in the diagram below.
Configuration
Additional permissions must be granted in the aviatrix-app-policy IAM policy for each account where this feature is enabled. You may need to update IAM policies prior to enabling this feature. |
To enable GuardDuty Integration, log in to the Aviatrix Controller and follow these steps:
-
Go to Security > AWS GuardDuty.
-
Click + Add New.
-
Select the Account Name of the AWS account where you would like to enable GuardDuty integration.
-
Select the AWS Region.
-
Click Enable.
If you have already enabled GuardDuty on the AWS Console, the Controller will detect and pull the information, and then proceed. |