How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC.When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.

How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.

Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.

Install the Amazon Inspector agent on the EC2 instances that the Security team uses.

Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.

Explanations:

CloudTrail filters are used for tracking API activity and events, not for managing GuardDuty alerts. Excluding IP addresses in CloudTrail would not suppress GuardDuty alerts.

Adding the Security team’s EC2 instance Elastic IPs to a trusted IP list in GuardDuty suppresses alerts triggered by their pre-approved security tests, while still allowing unauthorized activity to generate alerts.

Installing the Amazon Inspector agent helps assess security vulnerabilities but does not influence GuardDuty’s behavior in terms of suppressing alerts for authorized activities.

Granting a role with permissions to call GuardDuty API operations does not affect the alerting logic. GuardDuty alerts are based on activity patterns, not API calls.

Leave a Reply

Your email address will not be published. Required fields are marked *

4 × 3 =