How can the Security team suppress alerts about its authorized security tests while still receiving alerts about unauthorized activity?
Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.
Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.
Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.
Explanations:
CloudTrail is an audit log of API activity. Its event selectors control which management and data events a trail records; there is no way to exclude events by source IP address, and GuardDuty consumes CloudTrail events as one of its own data sources regardless of how any trail is configured. Nothing done in CloudTrail would suppress GuardDuty findings.
Adding the Security team's Elastic IPs to a GuardDuty trusted IP list is the intended mechanism: GuardDuty does not generate findings for IP addresses that appear on a trusted IP list, so the pre-approved tests go quiet while activity from any other source still produces findings. Practical caveats: the entries should be the instances' public Elastic IPs (which is why the option specifies them) rather than their private VPC addresses; the list is a file in S3 that GuardDuty must be able to read; an account can have only one active trusted IP list per Region, and in a multi-account setup the administrator account manages it; and the list must be kept current when test instances are replaced or their Elastic IPs are released, or the suppression silently stops matching. If finer-grained control is needed (for example suppressing only specific finding types), GuardDuty suppression rules are the complementary mechanism.
Amazon Inspector assesses instances for software vulnerabilities and unintended network exposure. It is a separate service and has no influence on which GuardDuty findings are generated or suppressed.
Granting the instances a role that can call the GuardDuty API changes nothing about what GuardDuty analyzes. Findings are produced from GuardDuty's data sources (CloudTrail management events, VPC Flow Logs, DNS logs, and others), not from whether the caller is allowed to use the GuardDuty API, so the tests would still trigger findings. It is also a least-privilege mistake: with GuardDuty write permissions (for example to create suppression filters or disable the detector) the test instances could tamper with the very monitoring that is meant to catch unauthorized activity.
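The following is an added example of the correct option carried through as an operational procedure; it is not part of the original question or of any AWS sample. It validates the candidate addresses (rejecting anything that is not a public address, a policy choice of this example that matches the "Elastic IP" wording of the option), renders the plaintext list format GuardDuty accepts, and builds the parameters for the CreateIPSet call. The live path (looking up Elastic IPs with EC2 DescribeAddresses, uploading to S3, creating the IP set) uses boto3 and is only invoked when run as a script; the bucket name, object key, instance IDs and sample addresses are all constructed placeholders.

```python
"""Build a GuardDuty trusted IP list for authorized test hosts.

Added example, not from the original page. The pure functions need only the
standard library; publish_trusted_list() needs boto3 and AWS credentials.
"""
import ipaddress
from typing import Dict, Iterable, List


def validate_trusted_ips(candidates: Iterable[str]) -> List[str]:
    """Return the deduplicated, normalized addresses that belong on the list.

    Blank lines and '#' comments are skipped. Anything that is not a valid,
    publicly routable address raises ValueError: a trusted IP list is meant
    to describe the test hosts' public Elastic IPs, and silently accepting a
    private VPC address would give a false sense that the tests are covered.
    """
    accepted: List[str] = []
    seen = set()
    for raw in candidates:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            raise ValueError(f"not an IP address: {text!r}") from None
        # Explicit category checks rather than is_global, so the behaviour is
        # the same across Python versions.
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            raise ValueError(f"refusing non-public address {addr}")
        if str(addr) not in seen:
            seen.add(str(addr))
            accepted.append(str(addr))
    return accepted


def render_txt_list(ips: List[str]) -> str:
    """GuardDuty's TXT format: one address per line."""
    return "".join(f"{ip}\n" for ip in ips)


def create_ip_set_params(detector_id: str, bucket: str, key: str,
                         region: str = "us-east-1",
                         name: str = "security-team-test-hosts") -> Dict[str, object]:
    """Parameters for guardduty.create_ip_set (Activate=True makes it live).

    The Location is the HTTPS S3 URL of the uploaded list; GuardDuty must be
    able to read that object (check the bucket policy if creation fails).
    """
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Format": "TXT",
        "Location": f"https://s3.{region}.amazonaws.com/{bucket}/{key}",
        "Activate": True,
    }


def publish_trusted_list(instance_ids: Iterable[str], bucket: str, key: str,
                         region: str = "us-east-1") -> str:
    """Live path: resolve the instances' Elastic IPs, upload the list, and
    register it as the account's trusted IP list. Returns the new IpSetId.
    Remember that only one trusted IP list may exist per account per Region;
    to change an existing one use update_ip_set instead of creating a second.
    """
    import boto3  # imported here so the pure helpers stay dependency-free

    ec2 = boto3.client("ec2", region_name=region)
    addresses = ec2.describe_addresses(
        Filters=[{"Name": "instance-id", "Values": list(instance_ids)}]
    )["Addresses"]
    ips = validate_trusted_ips(a["PublicIp"] for a in addresses)

    boto3.client("s3", region_name=region).put_object(
        Bucket=bucket, Key=key, Body=render_txt_list(ips).encode()
    )
    gd = boto3.client("guardduty", region_name=region)
    detector_id = gd.list_detectors()["DetectorIds"][0]
    return gd.create_ip_set(
        **create_ip_set_params(detector_id, bucket, key, region=region)
    )["IpSetId"]


if __name__ == "__main__":
    # Constructed sample input: two placeholder public addresses, a comment,
    # a duplicate, and a blank line, as a hand-maintained file might contain.
    sample = ["# security team test hosts", "52.10.20.30", " 52.10.20.30 ",
              "54.40.50.60", ""]
    print(render_txt_list(validate_trusted_ips(sample)), end="")
    # Live use (requires credentials): publish_trusted_list(["i-0123456789abcdef0"],
    #     "example-secops-bucket", "guardduty/trusted-ips.txt", "us-east-1")
```

Keeping the list generation in code rather than editing the S3 object by hand means a replaced test instance is handled by re-running the script, which is where this kind of suppression usually breaks in practice.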