Does AWS GuardDuty monitor traffic through an ELB? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Come Celebrate our 10 Year Anniversary!fedora default traffic monitor toolDoes AWS ELB apply the health check when adding nodesmonitor traffic using port mirroring and wiresharkMonitor network traffic/usage by PORTDoes the ELB also route outbound reply traffic in AWSFull end to end encryption with AWS Elastic Load Balancer, Nginx and SSLForwarding traffic from AWS ELB to another ELBAWS ELB mapping different portsHow does AWS ELB deals with DoS?Route traffic from AWS VPC through OpenVPN
What LEGO pieces have "real-world" functionality?
How can I protect witches in combat who wear limited clothing?
How to select 3,000 out of 10,000 files in file manager?
Why does this iterative way of solving of equation work?
What computer would be fastest for Mathematica Home Edition?
What to do with post with dry rot?
Is above average number of years spent on PhD considered a red flag in future academia or industry positions?
Do working physicists consider Newtonian mechanics to be "falsified"?
What kind of display is this?
Failing to enforce immigration laws?
What's the point in a preamp?
What was Bilhah and Zilpah's ancestry?
3 doors, three guards, one stone
What do you call a plan that's an alternative plan in case your initial plan fails?
What items from the Roman-age tech-level could be used to deter all creatures from entering a small area?
What did Darwin mean by 'squib' here?
Why is there no army of Iron-Mans in the MCU?
What are the performance impacts of 'functional' Rust?
How to say that you spent the night with someone, you were only sleeping and nothing else?
How do you clear the ApexPages.getMessages() collection in a test?
Am I ethically obligated to go into work on an off day if the reason is sudden?
I'm having difficulty getting my players to do stuff in a sandbox campaign
I'm thinking of a number
What was the last x86 CPU that did not have the x87 floating-point unit built in?
Does AWS GuardDuty monitor traffic through an ELB?
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!fedora default traffic monitor toolDoes AWS ELB apply the health check when adding nodesmonitor traffic using port mirroring and wiresharkMonitor network traffic/usage by PORTDoes the ELB also route outbound reply traffic in AWSFull end to end encryption with AWS Elastic Load Balancer, Nginx and SSLForwarding traffic from AWS ELB to another ELBAWS ELB mapping different portsHow does AWS ELB deals with DoS?Route traffic from AWS VPC through OpenVPN
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I've been trying to find a definitive answer to this question for a while. I would expect the answer to be "yes" but it does not align with what I see in practice. From the docs GuardDuty "identifies threats by continuously monitoring the network activity and account behavior within the AWS environment." From the diagram on that page, this includes VPC flow logs.
However, I've never seen a GuardDuty finding involving port probs (or any other kind of inbound Recon/UnauthorizedAccess alerts) against any of our instances behind an ELB or against the ELB itself. I do believe we have them locked down fairly well but I would expect to see port probes against 443 at least. (Not that I want them mind you. But it is public facing...)
Does AWS GuardDuty monitor and alert on traffic to and through an ELB?
*We are using Classic ELBs if that helps.
Update
I did open up port 443 to the world on an inconsequential server behind an ELB. I did start getting alerts on the instance but not the ELB. However having anything hit that server from anywhere other than the ELB is likely outside GuardDuty's normal activity baseline and could be enough to trigger it.
I'm still searching for an answer.
amazon-web-services network-monitoring
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I've been trying to find a definitive answer to this question for a while. I would expect the answer to be "yes" but it does not align with what I see in practice. From the docs GuardDuty "identifies threats by continuously monitoring the network activity and account behavior within the AWS environment." From the diagram on that page, this includes VPC flow logs.
However, I've never seen a GuardDuty finding involving port probs (or any other kind of inbound Recon/UnauthorizedAccess alerts) against any of our instances behind an ELB or against the ELB itself. I do believe we have them locked down fairly well but I would expect to see port probes against 443 at least. (Not that I want them mind you. But it is public facing...)
Does AWS GuardDuty monitor and alert on traffic to and through an ELB?
*We are using Classic ELBs if that helps.
Update
I did open up port 443 to the world on an inconsequential server behind an ELB. I did start getting alerts on the instance but not the ELB. However having anything hit that server from anywhere other than the ELB is likely outside GuardDuty's normal activity baseline and could be enough to trigger it.
I'm still searching for an answer.
amazon-web-services network-monitoring
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I've been trying to find a definitive answer to this question for a while. I would expect the answer to be "yes" but it does not align with what I see in practice. From the docs GuardDuty "identifies threats by continuously monitoring the network activity and account behavior within the AWS environment." From the diagram on that page, this includes VPC flow logs.
However, I've never seen a GuardDuty finding involving port probs (or any other kind of inbound Recon/UnauthorizedAccess alerts) against any of our instances behind an ELB or against the ELB itself. I do believe we have them locked down fairly well but I would expect to see port probes against 443 at least. (Not that I want them mind you. But it is public facing...)
Does AWS GuardDuty monitor and alert on traffic to and through an ELB?
*We are using Classic ELBs if that helps.
Update
I did open up port 443 to the world on an inconsequential server behind an ELB. I did start getting alerts on the instance but not the ELB. However having anything hit that server from anywhere other than the ELB is likely outside GuardDuty's normal activity baseline and could be enough to trigger it.
I'm still searching for an answer.
amazon-web-services network-monitoring
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I've been trying to find a definitive answer to this question for a while. I would expect the answer to be "yes" but it does not align with what I see in practice. From the docs GuardDuty "identifies threats by continuously monitoring the network activity and account behavior within the AWS environment." From the diagram on that page, this includes VPC flow logs.
However, I've never seen a GuardDuty finding involving port probs (or any other kind of inbound Recon/UnauthorizedAccess alerts) against any of our instances behind an ELB or against the ELB itself. I do believe we have them locked down fairly well but I would expect to see port probes against 443 at least. (Not that I want them mind you. But it is public facing...)
Does AWS GuardDuty monitor and alert on traffic to and through an ELB?
*We are using Classic ELBs if that helps.
Update
I did open up port 443 to the world on an inconsequential server behind an ELB. I did start getting alerts on the instance but not the ELB. However having anything hit that server from anywhere other than the ELB is likely outside GuardDuty's normal activity baseline and could be enough to trigger it.
I'm still searching for an answer.
amazon-web-services network-monitoring
amazon-web-services network-monitoring
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 2 days ago
Dave Rager
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
asked Apr 9 at 18:15
Dave RagerDave Rager
1114
1114
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Dave Rager is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Guard Duty monitors all traffic inside your VPC. It uses flow logs, CloudTrail, and DNS logs, but as it consumes that information at source from the hyperplane you don't actually need to have flow logs or CloudTrail turned on. I have no written source for that, it came from an AWS solution architect.
AWS Shield is integrated with CloudFront and load balancers, and may be preventing some bad actors reaching your instances.
I've seen Guard Duty alert on port probes, open security groups for RDP, all sorts of things. I've seen https probes against my web server which is behind CloudFlare, which isn't a load balancer but is effectively a reverse proxy. I turn off the low priority alerts as they were just getting annoying and didn't represent any real kind of threat.
answered Apr 10 at 1:04
TimTim
18k41950
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Dave Rager is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962279%2fdoes-aws-guardduty-monitor-traffic-through-an-elb%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Guard Duty monitors all traffic inside your VPC. It uses flow logs, CloudTrail, and DNS logs, but as it consumes that information at source from the hyperplane you don't actually need to have flow logs or CloudTrail turned on. I have no written source for that, it came from an AWS solution architect.
AWS Shield is integrated with CloudFront and load balancers, and may be preventing some bad actors reaching your instances.
I've seen Guard Duty alert on port probes, open security groups for RDP, all sorts of things. I've seen https probes against my web server which is behind CloudFlare, which isn't a load balancer but is effectively a reverse proxy. I turn off the low priority alerts as they were just getting annoying and didn't represent any real kind of threat.
answered Apr 10 at 1:04
TimTim
18k41950
add a comment |
Guard Duty monitors all traffic inside your VPC. It uses flow logs, CloudTrail, and DNS logs, but as it consumes that information at source from the hyperplane you don't actually need to have flow logs or CloudTrail turned on. I have no written source for that, it came from an AWS solution architect.
AWS Shield is integrated with CloudFront and load balancers, and may be preventing some bad actors reaching your instances.
I've seen Guard Duty alert on port probes, open security groups for RDP, all sorts of things. I've seen https probes against my web server which is behind CloudFlare, which isn't a load balancer but is effectively a reverse proxy. I turn off the low priority alerts as they were just getting annoying and didn't represent any real kind of threat.
answered Apr 10 at 1:04
TimTim
18k41950
add a comment |
Guard Duty monitors all traffic inside your VPC. It uses flow logs, CloudTrail, and DNS logs, but as it consumes that information at source from the hyperplane you don't actually need to have flow logs or CloudTrail turned on. I have no written source for that, it came from an AWS solution architect.
AWS Shield is integrated with CloudFront and load balancers, and may be preventing some bad actors reaching your instances.
I've seen Guard Duty alert on port probes, open security groups for RDP, all sorts of things. I've seen https probes against my web server which is behind CloudFlare, which isn't a load balancer but is effectively a reverse proxy. I turn off the low priority alerts as they were just getting annoying and didn't represent any real kind of threat.
answered Apr 10 at 1:04
TimTim
18k41950
Guard Duty monitors all traffic inside your VPC. It uses flow logs, CloudTrail, and DNS logs, but as it consumes that information at source from the hyperplane you don't actually need to have flow logs or CloudTrail turned on. I have no written source for that, it came from an AWS solution architect.
AWS Shield is integrated with CloudFront and load balancers, and may be preventing some bad actors reaching your instances.
I've seen Guard Duty alert on port probes, open security groups for RDP, all sorts of things. I've seen https probes against my web server which is behind CloudFlare, which isn't a load balancer but is effectively a reverse proxy. I turn off the low priority alerts as they were just getting annoying and didn't represent any real kind of threat.
answered Apr 10 at 1:04
TimTim
18k41950
answered Apr 10 at 1:04
TimTim
18k41950
answered Apr 10 at 1:04
TimTim
18k41950
answered Apr 10 at 1:04
TimTim
18k41950
18k41950
add a comment |
add a comment |
Dave Rager is a new contributor. Be nice, and check out our Code of Conduct.
Dave Rager is a new contributor. Be nice, and check out our Code of Conduct.
Dave Rager is a new contributor. Be nice, and check out our Code of Conduct.
Dave Rager is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962279%2fdoes-aws-guardduty-monitor-traffic-through-an-elb%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
