GuardDuty findings give visibility into the following:
- Severity: high, medium or low (each mapped to a numeric score)
- Where the behavior/activity occurred: region, resource ID, account ID
- When: last-seen date/time
- Detailed information
- Affected resource: type, instance ID, image ID, port, resource type, image description, launch time, tags, network interfaces (public IP, private IP, subnet ID, VPC ID, security groups)
- Action: type and connection direction
For more information, see the Amazon GuardDuty official website.
There are five configurable environment variables in the Lambda function:
- The minimum severity at which an IP address is blocked. Defaults to 3. Valid values range from 1 to 10, per the AWS GuardDuty severity definition.
- The S3 bucket name in which to store the IP block list file. This variable has no default value; you must specify a value.
- The path to the IP block list file, relative to the root of the S3 bucket. This variable has no default value; you must specify a value.
- The AWS region in which to run the Lambda and DynamoDB services. You must specify a value.
- The DynamoDB table name that stores the malicious IP addresses taken from findings. You must specify a value.
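The following is an added example, not the project's own Lambda code, showing the decision logic such a function needs: validating the five settings (severity defaulting to 3, the rest mandatory), pulling the remote IP out of a GuardDuty finding's `service.action` block for the `NETWORK_CONNECTION`, `AWS_API_CALL` and `PORT_PROBE` action types, applying the severity threshold, and merging the result into a one-IP-per-line block list. The page does not name its environment variables, so the `ENV_*` names below are hypothetical placeholders; the S3 and DynamoDB writes are left to the caller, and the sample event is constructed, using RFC 5737 documentation addresses.

```python
import ipaddress
from typing import Dict, Iterable, List

# Hypothetical placeholder names: the page does not name its five variables.
ENV_MIN_SEVERITY = "MIN_SEVERITY"
ENV_BUCKET = "BLOCKLIST_BUCKET"
ENV_KEY = "BLOCKLIST_KEY"
ENV_REGION = "TARGET_REGION"
ENV_TABLE = "BLOCKLIST_TABLE"
DEFAULT_MIN_SEVERITY = 3.0

# Addresses that make no sense in a perimeter block list (added check,
# not something the page describes): RFC 1918, loopback and link-local.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def config_from_env(env: Dict[str, str]) -> Dict[str, object]:
    """Severity defaults to 3 and must lie in GuardDuty's 1..10 range; the
    bucket, key, region and table have no default and must be present."""
    sev = float(env.get(ENV_MIN_SEVERITY, DEFAULT_MIN_SEVERITY))
    if not 1.0 <= sev <= 10.0:
        raise ValueError("minimum severity must be within 1..10")
    cfg: Dict[str, object] = {"min_severity": sev}
    for name in (ENV_BUCKET, ENV_KEY, ENV_REGION, ENV_TABLE):
        if not env.get(name):
            raise ValueError(f"{name} has no default value and must be set")
        cfg[name] = env[name]
    return cfg


def extract_remote_ips(detail: dict) -> List[str]:
    """Remote IPv4 addresses live in different sub-blocks per action type."""
    action = detail.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        return [action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]]
    if kind == "AWS_API_CALL":
        return [action["awsApiCallAction"]["remoteIpDetails"]["ipAddressV4"]]
    if kind == "PORT_PROBE":
        return [p["remoteIpDetails"]["ipAddressV4"]
                for p in action["portProbeAction"]["portProbeDetails"]]
    return []  # DNS_REQUEST and unknown types carry no remote IP to block


def should_block(detail: dict, min_severity: float) -> bool:
    """GuardDuty severity is a number from 1 to 10; block at or above threshold."""
    return float(detail.get("severity", 0)) >= min_severity


def merge_block_list(existing: str, new_ips: Iterable[str]) -> str:
    """Dedupe, drop malformed or non-routable entries, sort, one IP per line."""
    entries = {line.strip() for line in existing.splitlines() if line.strip()}
    for ip in new_ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_multicast or addr.is_unspecified or any(addr in n for n in _NON_ROUTABLE):
            continue
        entries.add(str(addr))
    ordered = sorted(entries, key=lambda s: (ipaddress.ip_address(s).version,
                                              int(ipaddress.ip_address(s))))
    return "".join(ip + "\n" for ip in ordered)


def handle_finding(event: dict, cfg: dict, existing_block_list: str) -> dict:
    """Return what the Lambda would persist for one EventBridge-delivered finding:
    the DynamoDB record fields and the updated S3 block list content."""
    detail = event["detail"]
    record = {
        "finding_id": detail.get("id"),
        "severity": detail.get("severity"),
        "region": detail.get("region"),
        "account": detail.get("accountId"),
        "last_seen": detail.get("service", {}).get("eventLastSeen"),
        "ips": [],
        "blocked": False,
        "block_list": existing_block_list,
    }
    if not should_block(detail, cfg["min_severity"]):
        return record
    record["ips"] = extract_remote_ips(detail)
    record["block_list"] = merge_block_list(existing_block_list, record["ips"])
    record["blocked"] = record["block_list"] != existing_block_list
    return record


# Constructed sample finding in EventBridge shape (not a real GuardDuty event).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id", "severity": 8, "region": "us-east-1",
        "accountId": "111122223333",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"eventLastSeen": "2024-01-01T00:00:00Z",
                    "action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": "INBOUND",
                                   "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}
```

The severity comparison uses `float` because GuardDuty reports severities such as 8.0 or 5.5, while the threshold read from the environment is a string; the non-routable filter is a safety net for findings whose remote side is inside the VPC, which a block list at the edge would never match anyway.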