TABLE OF CONTENTS

Background

Aqua platform CSPM integrates with AWS GuardDuty to allow users to correlate Wave Real-Time Events and scan results with potential findings from GuardDuty. This integration is built into the existing CSPM connection, and no additional configuration is required (aside from having GuardDuty enabled in your account; see "Pre-Requisites" below).


Pre-Requisites

To use the Aqua platform CSPM AWS GuardDuty integration:

  • Ensure that you are using an Aqua platform Premier plan account
  • Ensure that GuardDuty is activated in your AWS account
  • Ensure that you have not modified the default connection profile (IAM role permissions) between Aqua and your account. The default permissions include access to GuardDuty APIs, but if you deployed the role manually, or modified the CloudFormation stack during onboarding, you may need to re-add these permissions.


Use Cases

Aqua platform provides correlation to GuardDuty from both its Real-Time Events (via IP Address) and Scans (for S3 buckets).


Correlating Real-Time Events with GuardDuty

If you have activated the Aqua platform CSPM Real-Time Events for your AWS account, you will see a new option, "Correlate with GuardDuty" next to each event. Clicking this option will take you to the GuardDuty integration, filtered by the IP address used in the Event. This integration helps determine if a suspicious IP address that triggered an Aqua platform Event is also triggering events in GuardDuty.



Correlating Scan Results with GuardDuty

GuardDuty maps many of its findings to specific resources via ARN. Because Aqua platform CSPM scan reports also detect the affected resource ARN, this can be used to correlate results. For example, a finding attached to an S3 bucket in Aqua related to the bucket being publicly exposed can be correlated to results in GuardDuty to see if any suspicious activity had occurred on that bucket. Next to each supported scan result is an option to "Correlate with GuardDuty" which, when clicked, will load the associated GuardDuty results.



Changing the GuardDuty Region

Because GuardDuty is a regional service, the specific region must be provided when accessing results. Aqua platform defaults to using the "us-east-1" region unless the Real-Time Event or scan result contained a region, in which case that region will take precedence. However, global-level activity can be sent to any (or all) GuardDuty regions, depending on your account's configuration.


For these reasons, the Aqua platform allows you to override the pre-selected region if you have activated GuardDuty elsewhere. You can do this via the "Change Region" drop-down on the GuardDuty integration page.



Preview

Aqua platform's GuardDuty integration is currently in preview. Not all resource types are supported, but more will be added shortly. Please feel free to share any feedback you have with us.