Custom Threat IP Lists in Amazon GuardDuty

Amazon GuardDuty, a security monitoring service, analyzes a variety of sources for potentially malicious activity in your AWS account. Its data sources include CloudTrail logs, VPC flow logs, DNS logs, EC2 instances, ECS containers, S3 logs, and RDS login activity.

GuardDuty can also generate findings by leveraging external sources of information. Threat lists consist of known malicious IP addresses (associated with malware, spam, and other undesirables) and can be obtained from third-party security vendors and open source aggregators. One popular aggregator of threat lists is FireHOL IP Lists. The site describes the source of each list, how often each list is updated, and when it was last published. For example, the popular Emerging Threats list aggregates data from multiple sources and is updated daily.

To register a threat list with GuardDuty, you’ll need to upload the data in a specific format to an S3 bucket, and then use the GuardDuty console or AWS CLI to activate processing of the file. GuardDuty can handle up to 250,000 IP addresses and CIDR ranges per list (and up to six threat lists per AWS account per region).

Any time the file changes at the source, the above process must be repeated. Since threat lists are updated hourly, daily, or at intervals in between, automating the data refresh is a must. AWS published an example in 2018 that uses an AWS Lambda function to drive the update process. However, other viable solutions include:

  • Deploy a script to an EC2 instance that uses the AWS CLI or SDK, and schedule it with a cron job

  • Run an ECS task on a schedule

  • Create an AWS Systems Manager Automation document, with a corresponding CloudWatch alarm for failures
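The cron-driven option above, carried through end to end as an added shell example (this is not the AWS sample code or anything from the original post): download the list, normalize it to GuardDuty's TXT format (one IPv4 address or CIDR per line, no comments), refuse to publish an empty or over-limit file, upload it to S3, and then create the threat intel set on the first run or update the existing one on later runs. The FireHOL URL, bucket, key and set name are assumptions supplied through environment variables, and the embedded sample list is constructed only so the normalizer can be exercised offline; the network and AWS calls run only when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example: refresh a GuardDuty custom threat list from a FireHOL netset.
# Not the AWS sample code. The URL, bucket, key and set name below are
# assumptions; override them through the environment before running.
LIST_URL="${LIST_URL:-https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset}"
BUCKET="${BUCKET:-example-threat-list-bucket}"   # placeholder bucket name
KEY="${KEY:-guardduty/et_block.txt}"             # placeholder object key
SET_NAME="${SET_NAME:-firehol-et-block}"         # placeholder threat intel set name

# Constructed sample in FireHOL netset style, used only for the offline check.
SAMPLE='# et_block (constructed sample)
#
1.2.3.0/24
1.2.3.0/24
198.51.100.7   # inline comment
256.1.1.1
10.0.0.0/33
not-an-ip
203.0.113.0/24'

# stdin: raw netset ('#' comments, one IPv4 or CIDR per line).
# stdout: GuardDuty TXT format: one valid, unique IPv4 or IPv4 CIDR per line.
normalize_threat_list() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
  awk '
    /^$/ { next }
    {
      n = split($0, p, "/")
      if (n > 2) next
      if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
      if (split(p[1], o, ".") != 4) next
      ok = 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (!ok) next
      if (!seen[$0]++) print
    }'
}

# Normalized copy of the constructed sample (what the offline check looks at).
normalize_sample() {
  printf '%s\n' "$SAMPLE" | normalize_threat_list
}

# GuardDuty takes at most 250,000 entries per list; refuse empty or oversized files.
check_list_size() {
  count=$(wc -l < "$1" | tr -d ' ')
  [ "$count" -gt 0 ] && [ "$count" -le 250000 ]
}

# Print the id of the threat intel set named $SET_NAME on detector $1, or nothing.
find_threat_intel_set() {
  aws guardduty list-threat-intel-sets --detector-id "$1" \
      --query 'ThreatIntelSetIds' --output text | tr '\t' '\n' |
  while read -r id; do
    [ -n "$id" ] && [ "$id" != "None" ] || continue
    name=$(aws guardduty get-threat-intel-set --detector-id "$1" \
             --threat-intel-set-id "$id" --query 'Name' --output text)
    if [ "$name" = "$SET_NAME" ]; then echo "$id"; break; fi
  done
}

refresh_threat_list() {
  tmp=$(mktemp)
  curl -fsSL "$LIST_URL" | normalize_threat_list > "$tmp"
  if ! check_list_size "$tmp"; then
    echo "refusing to publish: list is empty or exceeds 250,000 entries" >&2
    rm -f "$tmp"; return 1
  fi
  aws s3 cp "$tmp" "s3://$BUCKET/$KEY"
  rm -f "$tmp"
  detector_id=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
  [ -n "$detector_id" ] && [ "$detector_id" != "None" ] ||
    { echo "no GuardDuty detector in this region" >&2; return 1; }
  set_id=$(find_threat_intel_set "$detector_id")
  if [ -z "$set_id" ]; then
    # First run: register the S3 object as a new list and activate it.
    aws guardduty create-threat-intel-set --detector-id "$detector_id" \
        --name "$SET_NAME" --format TXT --location "s3://$BUCKET/$KEY" --activate
  else
    # Later runs: point the existing set at the refreshed object so GuardDuty re-reads it.
    aws guardduty update-threat-intel-set --detector-id "$detector_id" \
        --threat-intel-set-id "$set_id" --location "s3://$BUCKET/$KEY" --activate
  fi
}

# Only touch the network and AWS when asked (from cron: sh refresh.sh run).
if [ "${1:-}" = "run" ]; then
  refresh_threat_list
fi
```

Of the constructed sample, only `1.2.3.0/24`, `198.51.100.7` and `203.0.113.0/24` survive normalization: the duplicate, the comments, the out-of-range octet, the /33 prefix and the non-address line are all dropped. The size check is what stops a failed download from silently publishing an empty list, which would deactivate the detection the list provides; a wrapper that alerts on a non-zero exit (the CloudWatch alarm from the last bullet) closes that loop.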

GuardDuty findings that match entries in a threat list are marked as UnauthorizedAccess:EC2/MaliciousIPCaller.Custom in the AWS Console. These findings will also appear in AWS Security Hub.
