Amazon GuardDuty Integration Guide | PagerDuty
Amazon GuardDuty Integration Benefits
The Amazon GuardDuty integration allows you to automate response workflows for security issues that could affect your AWS infrastructure.
PagerDuty ensures that the correct people receive notifications regarding unauthorized behavior, and you can use PagerDuty alert grouping to reduce noise by grouping similar alerts into a single incident.
Requirements
PagerDuty Permissions
Managers, Admins, Global Admins, and the Account Owner can configure the integration.
AWS Permissions
If you set up and manage AWS Config, you must have full-access permissions. Read the Amazon documentation Granting Permissions for AWS Config Administration for more information about managing permissions in AWS.
How It Works
This is a one-way integration. GuardDuty rules send finding events to PagerDuty, and those events generate incidents.
Version
This guide details the configuration of the Amazon GuardDuty V1 integration.
Integration Walkthrough
In PagerDuty
There are two ways to integrate Amazon GuardDuty with PagerDuty:
- Integrate With Event Orchestration: Integrating with Event Orchestration is beneficial if you want to build nested rules based on the payload coming from AWS.
- Integrate With a PagerDuty Service: Integrating with a PagerDuty service directly is beneficial if you do not need to route alerts from AWS to different responders based on the event payload. You can still use service-level Event Orchestration to perform actions such as suppressing.
Integrate With Event Orchestration
Configure a Global Orchestration Integration
- Configure a Global Orchestration in your PagerDuty account.
- Navigate to AIOps Event Orchestration and click the name of your Global Orchestration.
- Select the Global Orchestration Key dropdown and copy the Integration Key.
- Once you have your Integration Key, the Integration URL is:
https://events.pagerduty.com/x-ere/YOUR_INTEGRATION_KEY_HERE
Proceed to the In the AWS Management Console section.
Configure a Service Orchestration Integration
- Configure a Service Orchestration in your PagerDuty account.
- Create a Generic Events API integration on the same service.
- Copy the Integration Key and paste it into the following URL:
https://events.pagerduty.com/x-ere/YOUR_INTEGRATION_KEY_HERE
Proceed to the In the AWS Management Console section.
Integrate With a PagerDuty Service
Add to a New Service
- To add the integration to a new service, navigate to Services Service Directory and click New Service.
- Follow the prompts and configure the service to your preferences. On the Integrations screen, select Amazon GuardDuty from the search bar dropdown.
- Click Create Service.
- You are now in the service Integrations tab. Find your integration in the list and click to view and copy your Integration URL. Keep it in a safe place for later use.
- Proceed to the In the AWS Management Console section.
Add to an Existing Service
- To add an integration to an existing service, navigate to Services Service Directory and select the service where you want to configure the integration.
- Select the Integrations tab and click Add another integration.
- Select Amazon GuardDuty from the search bar dropdown and click Add.
- Find your integration in the list and click to view and copy your Integration URL. Keep it in a safe place for later use.
- Proceed to the In the AWS Management Console section.
In the AWS Management Console
1. In the Services search bar, search and select Simple Notification Service. In the SNS dashboard left menu, select Topics and click Create Topic. This topic routes alerts to PagerDuty from AWS.
2. Select the Standard topic type.
3. Enter the following information in the fields provided, then click Create topic:
| Field | Value |
|---|---|
| Name | Enter a name for your topic. You can name your topic after your PagerDuty service name. |
| Display name (optional) | Enter an optional display name. |
4. In the left menu, select Subscriptions and click Create Subscription.
5. Enter the following information in the fields provided, then click Create Subscription:
| Field | Value |
|---|---|
| Topic ARN | Select the Topic ARN of the topic you created in the previous section. |
| Protocol | Select HTTPS. |
| Endpoint | Paste your Integration URL generated in the previous section. |
| Enable raw message delivery | Check this checkbox if you integrate with Global Orchestrations. Uncheck this checkbox if you do not integrate with Global Orchestrations. |
6. Your subscription confirms automatically. Refresh the page to verify the Status is Confirmed and not PendingConfirmation.
7. If you have not enabled GuardDuty, follow the Amazon documentation to enable it. If you already enabled GuardDuty, proceed to the next step.
8. In the Services search bar, search and select EventBridge.
9. In the left menu, select Rules and click Create Rule.
10. Enter the following information in the fields provided, then click Next:
| Field | Value |
|---|---|
| Name | Enter an identifiable name. |
| Description (optional) | Enter a description of the rule, pattern, and targets. |
| Event Bus | Select default. |
| Enable the rule on the selected event bus | Toggle to the on position. |
| Rule with an event pattern | This option is preselected automatically. |
11. Enter the following information in the fields provided, then click Next:
| Field | Value |
|---|---|
| Event source | Select AWS events or EventBridge partner events. |
| Sample event (optional) | View sample events if desired. |
| Event Source | Select AWS services. |
| AWS Service | Select GuardDuty. |
| Event type | Select GuardDuty Finding. |
12. Enter the following information in the fields provided, then click Next:
| Field | Value |
|---|---|
| Target types | Select AWS service. |
| Select a target | Search and select SNS topic. |
| Topic | Search and select the topic created in the previous section. |
13. Add optional tags based on your preference, then click Next.
14. Review your settings and click Create Rule. To create more rules, repeat steps 9 through 14.
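The following is an added example, not code from this guide, PagerDuty or AWS. It models the pipeline the console steps above build: the EventBridge rule pattern that the GuardDuty / GuardDuty Finding selections produce, what the SNS HTTPS subscription posts to the Integration URL with raw message delivery checked versus unchecked, and how a receiving rule has to dig the finding fields out in each case. The pattern matcher is a deliberately reduced model (exact-value matching only), the finding event is constructed to follow the GuardDuty finding event shape, and every account ID, ARN and message ID is a placeholder.

```python
import json
from datetime import datetime, timezone

# Event pattern equivalent to the rule configured above:
# Event source "AWS services", AWS service "GuardDuty", Event type "GuardDuty Finding".
GUARDDUTY_FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def pattern_matches(pattern, event):
    """Reduced EventBridge pattern matcher (constructed for this example).

    Implements only the exact-value form the rule above uses: every pattern key
    must exist in the event and the event value must be one of the listed values;
    nested objects recurse. Numeric, prefix and anything-but matchers are omitted.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sns_http_body(event, raw_message_delivery):
    """Body the SNS HTTPS subscription posts to the Integration URL.

    Raw message delivery on: the EventBridge event is delivered as-is.
    Raw message delivery off: SNS wraps it in its Notification envelope and the
    finding becomes a JSON *string* in "Message". Envelope values are placeholders.
    """
    if raw_message_delivery:
        return json.dumps(event)
    envelope = {
        "Type": "Notification",
        "MessageId": "00000000-0000-0000-0000-000000000000",  # placeholder
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:EXAMPLE-TOPIC",  # placeholder
        "Message": json.dumps(event),
        "Timestamp": datetime.now(timezone.utc).isoformat(),
    }
    return json.dumps(envelope)


def is_enveloped(body):
    """True when the delivered body is the SNS Notification envelope."""
    payload = json.loads(body)
    return payload.get("Type") == "Notification" and isinstance(payload.get("Message"), str)


def finding_fields(body):
    """Return (severity, type, title) the way an orchestration rule needs them.

    Works for both delivery modes: in the envelope form "Message" has to be
    parsed a second time before any 'detail' field is reachable, which is why
    Global Orchestrations (keyed on the payload) want raw delivery enabled.
    """
    payload = json.loads(body)
    if is_enveloped(body):
        payload = json.loads(payload["Message"])
    detail = payload["detail"]
    return detail["severity"], detail["type"], detail["title"]


def is_sample_finding(event):
    """Findings created by Generate Sample Findings carry
    service.additionalInfo.sample = true; a rule can use this to keep
    verification findings from paging responders."""
    service = event.get("detail", {}).get("service", {})
    return bool(service.get("additionalInfo", {}).get("sample"))


# Constructed sample events; IDs and account numbers are placeholders.
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Unprotected port on EC2 instance i-EXAMPLE is being probed.",
        "service": {"additionalInfo": {"sample": True}},
    },
}

UNRELATED_EVENT = {
    "version": "0",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "detail": {"instance-id": "i-EXAMPLE", "state": "running"},
}

if __name__ == "__main__":
    for ev in (SAMPLE_FINDING_EVENT, UNRELATED_EVENT):
        print(ev["detail-type"], "-> rule matches:", pattern_matches(GUARDDUTY_FINDING_PATTERN, ev))
    for raw in (True, False):
        body = sns_http_body(SAMPLE_FINDING_EVENT, raw)
        print("raw delivery", raw, "-> enveloped:", is_enveloped(body), "fields:", finding_fields(body))
    print("sample finding:", is_sample_finding(SAMPLE_FINDING_EVENT))
```

Running it shows the rule admitting only the GuardDuty event, and that with raw delivery unchecked the finding's `detail` fields are one JSON-decoding step further away than with it checked, which is the practical reason behind the Enable raw message delivery row in the subscription table.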
To verify the configuration is successful, navigate to the Amazon GuardDuty console, select Settings in the left menu, and click Generate Sample Findings. Select Findings in the left menu to view the generated sample findings. In PagerDuty, you see the correlated sample alert.
