The logical order is:
1. Activate security
2. Observe (dashboard)
3. Understand data sources
4. Improve protection
5. Simulate an attack
6. Detect (finding)
7. Analyze
8. Prioritize (severity)
1. Activate GuardDuty (start
the protection)
Amazon GuardDuty
👉 Why start here?
Because:
Nothing can be detected if the service is not active
✔️ You are turning ON the security system
💡 Like installing a security camera before monitoring anything.
---
2. GuardDuty Dashboard (see the global view)
👉 Why next?
Because:
Once activated, you need to see what’s happening
✔️ You visualize:
➡️ findings
➡️ severity
➡️ status
💡 This is your security control panel.
---
3. Data Sources (understand what is analyzed)
👉 Why here?
Because:
You need to know where the data comes from
✔️ GuardDuty analyzes:
➡️ AWS CloudTrail
➡️ Amazon VPC Flow Logs
➡️ Amazon Route 53 logs
💡 No data → no detection
---
4. Configure protections (enhance security)
👉 Why now?
Because:
The service is running
Now you improve detection capabilities
✔️ Examples:
➡️ S3 Protection
➡️ Kubernetes Protection
➡️ Malware Protection
---
5. Simulate a suspicious activity
👉 Why here?
Because:
You need to create a real scenario
✔️ Example:
➡️ network scan
➡️ suspicious login
💡 No attack → no alert
---
6. Detection (finding appears)
👉 Why now?
Because:
GuardDuty detects the simulated threat
✔️ Example:
➡️ UnauthorizedAccess:IAMUser
💡 This proves the system works
---
7. Analyze the alert
Why after detection?
Because:
You must understand the threat
✔️ You analyze:
➡️ suspicious IP
➡️ targeted resource
➡️ attack details
---
8. Severity level (prioritize the risk)
👉 Why last?
Because:
Not all alerts are equally important
✔️ Levels:
➡️ Low
➡️ Medium
➡️ High
➡️ Critical
💡 You decide what to fix first
-Activation of the GuardDuty service :
-
-Appearance of a finding (alert) :
Copyright © All rights reserved.