Security in the AWS cloud with GuardDuty

En Garde!

Terraforming AWS

When you enable the handful of behind-the-scenes resources that get your GuardDuty instance running, you want to be certain you can destroy them with ease too. To my mind, the mighty Terraform is the best tool for this job.

As with all things DevOps, it's likely that somebody, somewhere has scratched their head at a scenario or quandary similar to the one you are facing and has kindly documented it online. This applies perfectly to GuardDuty. Although you can find some very useful examples on GitHub, I'll show you my functional code first and then point you toward a bells-and-whistles option. I've had both working beautifully in the past.


Often during setup and troubleshooting with Terraform, the AWS command-line interface (CLI) is useful. To follow the code in this article, you not only need to download the latest version of Terraform (and put it in your user's path), but you also need to create an AWS credentials file to use the CLI [5].

I installed my AWS CLI client with the Python installer command mentioned on the AWS site:

$ pip install awscli --upgrade --user

Be warned that you're not always guaranteed to get the current version from your package manager, so using pip ultimately is a timesaver. If you think you're lacking the latest features of the CLI client, try this command:

$ aws --version

You can then check against what Google reports as the latest version. Note the section on the AWS site about adding the AWS CLI to your user's path correctly. I also tend to create a Bash alias:

alias aws='/root/.local/bin/aws'

Once you're cooking with gas, you can get your hands dirtier with GuardDuty commands.

The simple example commands shown below should need little introduction and whet your appetite sufficiently. The first command is to generate a list of "detectors," that is, instances of GuardDuty present on your account:

$ aws guardduty list-detectors --region eu-west-1 --query 'DetectorIds'

After you've run Terraform, manually hit Enable in the AWS Console, or enabled GuardDuty through the CLI, you will probably have just one. Having run this command, which lists the GuardDuty instances on the account, you can then delete one of those listed:

$ aws guardduty delete-detector --region eu-west-1 --detector-id 86b2f93d992891XXXXXXX54278602ed

Clearly the aws guardduty command subset offers a heap more options than just list and delete, but this should get you started. Try --help if you're keen to learn more.

Without Further Ado

To get things moving in the right direction, explore the relatively simple, concise code and how you might use it from scratch.

To get Terraform up and running (once you've downloaded Terraform and included it in your user's path), you need an AWS account for testing; additionally, you need to use the export command to tell Terraform about your AWS access key and secret key:


Next, clone the GitHub code (assuming you have Git installed) or create files with the code I'm about to show you, with this command:

$ git clone https://github.com/<github-account>/<repo-name>

Inside the directory where your Terraform code lives, check that Terraform will run correctly:

$ terraform init

Once you've answered any complaints from Terraform, hit the "plan" button with:

$ terraform plan

Although you can opt to save your planning data to a plan file, I'm keeping it super-simple in this example. The command

$ terraform apply

applies your plan.
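As an added example (not the article's own code nor taken from any GitHub project), here is a minimal Terraform configuration that the init/plan/apply sequence above could be run against. It enables a single GuardDuty detector in one region and exposes its ID so you can feed it to the CLI commands shown earlier. The variable name, the output name, the resource label "main" and the tag are my own choices; the region default simply matches the CLI examples. Credentials are deliberately absent from the file: the AWS provider reads them from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables or from the credentials file you created for the CLI.

```hcl
# Added example: minimal Terraform config that enables one GuardDuty detector.
# Not the article's code; names of the variable, output and label are assumptions.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Region is a variable so the same code can be applied once per region
# (GuardDuty detectors are regional). Default matches the CLI examples above.
variable "region" {
  type    = string
  default = "eu-west-1"
}

# No access keys here: the provider picks them up from the environment
# (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) or the shared credentials file.
provider "aws" {
  region = var.region
}

# Exactly one detector is allowed per account per region. "enable = true"
# turns GuardDuty on; flipping it to false suspends analysis but keeps the
# detector (and its findings) rather than destroying it.
resource "aws_guardduty_detector" "main" {
  enable = true

  # How often updated findings are re-published to CloudWatch Events/EventBridge.
  # Valid values: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  tags = {
    ManagedBy = "terraform" # constructed tag; useful when spotting drift in the console
  }
}

# Surfaces the detector ID for use with "aws guardduty" commands.
output "guardduty_detector_id" {
  value = aws_guardduty_detector.main.id
}
```

After `terraform apply`, `terraform output guardduty_detector_id` gives you the same ID that `aws guardduty list-detectors` returns, and `terraform destroy` removes the detector again, which is the whole point of keeping these behind-the-scenes resources under Terraform's control. Note that the detector resource is region-scoped, so enabling GuardDuty across several regions means applying this configuration with a different region value for each.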
