Ensure that Amazon GuardDuty is Enabled:
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
It can detect port scans and generate findings for these events.
Create an Amazon CloudWatch Alarm for EC2 Port Scan Findings Detected by GuardDuty:
Configure GuardDuty to monitor for port scans and other threats.
Create a CloudWatch alarm that triggers when GuardDuty detects port scan activities.
Connect the Alarm to the SNS Topic:
The CloudWatch alarm should be configured to send notifications to the SNS topic to which the security team is subscribed.
This setup ensures that the security team receives near-real-time notifications when a port scan is detected on the EC2 instances.
Example configuration steps:
Enable GuardDuty and ensure it is monitoring the relevant AWS accounts.
Create a CloudWatch alarm:
{
  "AlarmName": "GuardDutyPortScanAlarm",
  "MetricName": "ThreatIntelIndicator",
  "Namespace": "AWS/GuardDuty",
  "Statistic": "Sum",
  "Dimensions": [
    {
      "Name": "FindingType",
      "Value": "Recon:EC2/Portscan"
    }
  ],
  "Period": 300,
  "EvaluationPeriods": 1,
  "Threshold": 1,
  "ComparisonOperator": "GreaterThanOrEqualToThreshold",
  "AlarmActions": ["arn:aws:sns:region:account-id:SecurityAlerts"]
}
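GuardDuty delivers each finding as an event to Amazon EventBridge (formerly CloudWatch Events), so the filter that routes port-scan findings to the SNS topic is usually expressed as an EventBridge event pattern on the `Recon:EC2/Portscan` finding type. The following added example (not part of the original page) shows that pattern and a small matcher that evaluates it against constructed sample finding events, so you can check which events would reach the security team before wiring the rule to the topic; the instance ids and severities are placeholders.

```python
import json

# Event pattern for the EventBridge rule (assumed here to replace the metric alarm):
# select GuardDuty findings whose type is the EC2 port-scan finding.
PORTSCAN_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["Recon:EC2/Portscan"]},
}

def matches(pattern, event):
    """Evaluate an EventBridge-style pattern: every pattern key must exist in the
    event, a list of values matches if the event value equals any of them, and
    nested dicts recurse. (Only the exact-value form of matching is implemented.)"""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def portscan_alerts(events):
    """Return (instance id, severity) for each event the rule would send to SNS."""
    hits = []
    for ev in events:
        if matches(PORTSCAN_PATTERN, ev):
            d = ev["detail"]
            hits.append((d["resource"]["instanceDetails"]["instanceId"], d["severity"]))
    return hits

# Constructed sample events shaped like GuardDuty finding events (placeholder ids).
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/Portscan", "severity": 5,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0example1"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0example2"}}}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0example3", "state": "running"}},
]

if __name__ == "__main__":
    print(json.dumps(PORTSCAN_PATTERN, indent=2))  # pattern to paste into the rule
    print(portscan_alerts(SAMPLE_EVENTS))          # only the port-scan finding matches
```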