GuardDuty findings give visibility on the following:
- Severity: High/medium/low (associated with scores)
- Where the behavior/activity occurred: Region, resource ID, account ID
- When: Last seen date/time
- Detailed information
- Affected resource: type/instance ID/image ID/port/resource type/image description/launch time/tags/network interfaces (public IP, private IP, subnet ID, VPCID, security groups)
- Action: type/connection direction
For more information about Amazon GuardDuty, see the Amazon GuardDuty official website.
There are five configurable environment variables in the Lambda function:
The minimum severity to block an IP address. Defaults to 3. Value ranges from 1 to 10 by AWS GuardDuty definition.
S3 bucket name to store the ip block list file. No default value. Must specify.
Path to the ip block list file within the S3 bucket. No default value. Must specify. The relative file path to the S3 bucket.
AWS region to run Lambda, DynamoDB services. Must specify.
DynamoDB table name which stores malicious IP addresses from findings. Must specify.