Amazon GuardDuty Energy - I See It. I Flag It. I Block It

Transcript

1. Amazon GuardDuty Energy - I See It. I Flag It.

   I Block It. Sena Yakut, 2025

2. ABOUT ME! Sena Yakut Cloud Security Architect @CyberWhiz All links

   about me!

3. Threat Intelligence Service What is Amazon GuardDuty?

4. Threat Intelligence Service Regional Service What is Amazon GuardDuty?

5. What is Amazon GuardDuty? Different Resources Different Risks Different Protections

   Different Findings

6. What is Amazon GuardDuty?

7. Attack Sequences NEW – Critical Severity Amazon GuardDuty Extended Threat

   Detection https://aws.amazon.com/blogs/aws/introducing-amazon-guardduty-extended-threat-detection-aiml-attack- sequence-identification-for-enhanced-cloud-security/

8. Multiple Accounts? Multiple Regions? Alerting? Amazon GuardDuty Extended Threat Detection

9. Amazon GuardDuty Extended Threat Detection DEMO

10. Characters: • Ece, the head of security for a university

    research project hosted on AWS. • Deniz, a bright but sneaky intern who just got temporary access. • Prof. Arda, the lead professor who trusts everyone a little too much. • Amazon GuardDuty, the silent guardian. The watchful protector. Scenario 1: The Case of the Intern

11. The Setup: The university is building an AI model for

    predicting earthquakes. All the data and code is stored in: • An S3 bucket (ai-research-data) • A couple of EC2 instances running training jobs • IAM users and roles set up — but with over-permissioned policies Prof. Arda gives Deniz admin-level IAM access by accident. “You’re smart, just don’t touch anything weird.” Spoiler: Deniz touches weird things. Scenario 1: The Case of the Intern

12. The Incident: Deniz: • Copies sensitive datasets from S3. •

    Downloads them from a strange IP in another country. • Spins up a huge EC2 instance to mine crypto under the university's bill. • Disables CloudTrail logs for a few hours. Scenario 1: The Case of the Intern

13. How GuardDuty Saves the Day: GuardDuty lights up like a

    Christmas tree: • Recon:IAMUser/AnomalousBehavior – unusual use of permissions • UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration – someone tried to use instance credentials outside AWS • Discovery:S3/AnomalousBehavior – sudden, massive download from S3 • CryptoCurrency:EC2/BitcoinTool.B!DNS – EC2 is doing crypto stuff Ece checks the GuardDuty findings, sees Deniz's user involved in everything, and acts fast. Scenario 1: The Case of the Intern
14. None

15. Characters: • Yiğit, a final-year student building a cool IoT

    dashboard project using AWS. • Sena, his teammate who handles GitHub and deployment. • CodeBandit, a bot that scrapes public GitHub repos for secrets like API keys. • Amazon GuardDuty, once again the silent superhero. Scenario 2: The GitHub Oops and the Stolen AWS Keys

16. The Setup: Yiğit creates an IAM user for the project

    with programmatic access and generates AWS access keys. Sena accidentally commits a file named .env with this inside: AWS_ACCESS_KEY_ID=AKIA.... AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCY... She pushes it to GitHub... on a public repo. Scenario 2: The GitHub Oops and the Stolen AWS Keys

17. The Incident: Within minutes, CodeBandit’s bot finds the leaked keys,

    and someone from a suspicious IP: • Spins up dozens of EC2 instances for crypto mining. • Uploads large files to S3 to use as temporary storage. • Tries to enumerate other IAM roles and policies. • Connects to malicious domains from inside EC2. The AWS bill is exploding Scenario 2: The GitHub Oops and the Stolen AWS Keys

18. How GuardDuty Saves the Day: GuardDuty quickly detects: • UnauthorizedAccess:EC2/BitcoinTool.B!DNS

    • Recon:IAMUser/NetworkPermissions – trying to understand the network layout • Impact:CredentialExfiltration – usage of IAM keys from unusual geolocations • Recon:IAMUser/MaliciousIPCaller – known bad IPs contacting the account Scenario 2: The GitHub Oops and the Stolen AWS Keys
19. None

20. Characters: : • Mert, a student working on a machine

    learning project for traffic prediction. • Zehra, his classmate who helps with datasets and reports. • BucketCrawler, a data-harvesting bot that scans the internet for public S3 buckets. • Amazon GuardDuty, the hero of the cloud. Scenario 3: The Curious Case of the Public S3 Bucket

21. The Setup: • Mert uploads anonymized traffic sensor data to

    an S3 bucket and shares access with Zehra. • While trying to quickly debug permissions, he sets the bucket policy to public read/write and forgets to change it back. The bucket now: • Has open access to the internet • Contains research data + internal reports • Is indexed by search engines Scenario 3: The Curious Case of the Public S3 Bucket

22. The Incident: • BucketCrawler, an automated bot, finds the exposed

    S3 bucket and: • Downloads multiple files, including research PDFs and CSVs • Uploads a malicious file to the bucket (evil.js) • Accesses the bucket from an unusual country Scenario 3: The Curious Case of the Public S3 Bucket

23. How GuardDuty Saves the Day: GuardDuty generates these alerts: •

    Policy:S3/BucketPublicAccess – a bucket was made public • Recon:S3/ListBuckets – scanning activity detected • UnauthorizedAccess:S3/TorIPCaller – bucket accessed by an IP in the TOR network • Impact:S3ObjectWrite.B – unknown object written to a bucket Scenario 3: The Curious Case of the Public S3 Bucket

24. THANK YOU