Parameters
GuardDuty findings give visibility on the following:
- Severity: high/medium/low (each mapped to a numeric score)
- Where the behavior/activity occurred: region, resource ID, account ID
- When: last seen date/time
- Count
- Detailed information
- Affected resource: type/instance ID/image ID/port/resource type/image description/launch time/tags/network interfaces (public IP, private IP, subnet ID, VPC ID, security groups)
- Action: type/connection direction
- Actor
- Additional
For more information, see the Amazon GuardDuty official website.
There are five configurable environment variables in the Lambda function:
| Variable name | Type | Description |
| --- | --- | --- |
| MIN_SEVERITY | Integer | The minimum severity at which an IP address is blocked. Defaults to 3. Values range from 1 to 10 by AWS GuardDuty definition. |
| S3_BUCKET | Text | S3 bucket name in which the IP block list file is stored. This variable has no default value; you must specify a value. |
| S3_BLOCKLIST_KEY | Text | Path of the IP block list file within the S3 bucket, relative to the bucket root. This variable has no default value; you must specify a value. |
| REGION | Text | AWS region in which the Lambda function and the DynamoDB table run. You must specify a value. |
| DDB_TABLE_NAME | Text | Name of the DynamoDB table that stores the malicious IP addresses taken from findings. You must specify a value. |
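The following is an added example, not the page's own code and not the solution's actual Lambda source. It shows how the five environment variables above can be read and validated, and how a GuardDuty finding delivered through EventBridge is filtered against `MIN_SEVERITY` before its remote IP address is added to the block list. The function names (`load_config`, `block_candidates`, `render_blocklist`, `handler`) are this example's own; the finding layout follows GuardDuty's EventBridge event shape (`detail.severity`, `detail.service.action.*`), and the two sample events are constructed for illustration. The S3 and DynamoDB writes are left as comments so the decision logic runs offline.

```python
"""Added example: environment-variable handling and severity filtering for a
GuardDuty-to-blocklist Lambda. Not the solution's own code; sample events below
are constructed, not real findings."""
import ipaddress
import os

REQUIRED_VARS = ("S3_BUCKET", "S3_BLOCKLIST_KEY", "REGION", "DDB_TABLE_NAME")

# Address ranges that must never land in a VPC block list, whatever the finding says:
# RFC 1918 (the VPC's own space), loopback, and link-local (the IMDS endpoint lives there).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def missing_vars(environ):
    """Names of required variables that are unset or empty, in REQUIRED_VARS order."""
    return [name for name in REQUIRED_VARS if not environ.get(name)]


def load_config(environ=None):
    """Read the five variables; fail fast on a missing one or an out-of-range MIN_SEVERITY."""
    env = os.environ if environ is None else environ
    missing = missing_vars(env)
    if missing:
        raise ValueError("missing required environment variables: " + ", ".join(missing))
    min_severity = int(env.get("MIN_SEVERITY", "3"))  # the page states the default is 3
    if not 1 <= min_severity <= 10:
        raise ValueError("MIN_SEVERITY must be between 1 and 10 (GuardDuty severity range)")
    config = {name: env[name] for name in REQUIRED_VARS}
    config["MIN_SEVERITY"] = min_severity
    return config


def _blockable(ip):
    """True for a syntactically valid IPv4 address outside the NEVER_BLOCK ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4 or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in NEVER_BLOCK)


def remote_ips(finding):
    """Collect remote IPv4 addresses from the action types that carry remoteIpDetails."""
    action = finding.get("service", {}).get("action", {})
    candidates = []
    for key in ("networkConnectionAction", "awsApiCallAction"):
        details = action.get(key, {}).get("remoteIpDetails", {})
        if "ipAddressV4" in details:
            candidates.append(details["ipAddressV4"])
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        details = probe.get("remoteIpDetails", {})
        if "ipAddressV4" in details:
            candidates.append(details["ipAddressV4"])
    return sorted({ip for ip in candidates if _blockable(ip)})


def block_candidates(event, min_severity):
    """(finding id, [ips]) for one EventBridge GuardDuty event, or None if nothing to block."""
    finding = event.get("detail", {})
    severity = float(finding.get("severity", 0))  # GuardDuty severities are numeric, 1-10
    if severity < min_severity:
        return None
    ips = remote_ips(finding)
    return (finding.get("id"), ips) if ips else None


def render_blocklist(existing_text, new_ips):
    """Merge new addresses into the one-address-per-line block list file contents."""
    current = {line.strip() for line in existing_text.splitlines() if line.strip()}
    return "\n".join(sorted(current | set(new_ips))) + "\n"


def handler(event, context=None):
    """Lambda entry point. The real writes (DynamoDB put_item per address, S3 put_object
    of render_blocklist(...) to S3_BUCKET/S3_BLOCKLIST_KEY in REGION) are omitted here."""
    config = load_config()
    result = block_candidates(event, config["MIN_SEVERITY"])
    if result is None:
        return {"blocked": []}
    finding_id, ips = result
    return {"finding": finding_id, "blocked": ips}


# Constructed sample events in the EventBridge GuardDuty shape (documentation IPs).
SAMPLE_EVENT = {"detail": {
    "id": "example-finding-id", "accountId": "123456789012", "region": "us-east-1",
    "severity": 5, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "connectionDirection": "INBOUND", "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
}}
SAMPLE_PROBE_EVENT = {"detail": {
    "id": "probe-finding-id", "accountId": "123456789012", "region": "us-east-1",
    "severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort",
    "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {"portProbeDetails": [
        {"remoteIpDetails": {"ipAddressV4": "203.0.113.77"}},
        {"remoteIpDetails": {"ipAddressV4": "10.0.1.5"}},  # internal scanner: never blocked
    ]}}},
}}
```

With the default threshold of 3, `SAMPLE_EVENT` (severity 5) yields one address to block, while `SAMPLE_PROBE_EVENT` (severity 2) is dropped; lowering `MIN_SEVERITY` to 2 admits the probe but still discards the RFC 1918 source, which is the kind of guard a block list fed directly into a NACL or security group needs.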