How do I set up a trusted IP address list for GuardDuty?


I want to set up a trusted IP address list for Amazon GuardDuty.

Short description

You can configure GuardDuty to use your own custom trusted IP list. GuardDuty doesn't generate findings for IP addresses on a trusted IP list, so use the list for the addresses you know are allowed to communicate with your AWS infrastructure and applications. For more information, see Working with trusted IP lists and threat lists.

Resolution

Create a trusted IP list

Review the accepted format for trusted IP list files. Then, follow the instructions to upload the file to an Amazon Simple Storage Service (Amazon S3) bucket.

Note: The trusted IP list file must be in TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, or FIRE_EYE format. The trusted IP list doesn't support IPv6 addresses. Each trusted IP list can contain a maximum of 2,000 IP addresses and CIDR ranges. You can have only one trusted IP list per Detector resource. For more information, see Quotas for Amazon GuardDuty.
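As an added example (not part of the AWS article), the following Python check enforces the format rules above on a TXT-format list before you upload it to S3: one IPv4 address or CIDR range per line, no IPv6 entries, no duplicates, and no more than 2,000 entries. The sample list is constructed for the demonstration; skipping blank lines is this validator's own choice, not a documented AWS rule.

```python
import ipaddress

MAX_ENTRIES = 2000  # per-list quota quoted in the article


def validate_trusted_ip_list(text: str) -> tuple[list[str], list[str]]:
    """Return (valid_entries, errors) for a TXT-format trusted IP list.

    Checks one IPv4 address or CIDR per line, rejects IPv6 entries and
    duplicates, and flags lists over MAX_ENTRIES. Blank lines are skipped,
    which is this validator's choice rather than a documented AWS rule.
    """
    valid, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False accepts 10.0.0.5/24 and normalises it to 10.0.0.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"line {lineno}: '{entry}' is not an IP address or CIDR")
            continue
        if net.version != 4:
            errors.append(f"line {lineno}: '{entry}' is IPv6, which trusted IP lists don't support")
            continue
        if str(net) in seen:  # 203.0.113.10 and 203.0.113.10/32 count as the same entry
            errors.append(f"line {lineno}: '{entry}' duplicates an earlier entry")
            continue
        seen.add(str(net))
        valid.append(entry)
    if len(valid) > MAX_ENTRIES:
        errors.append(f"{len(valid)} entries exceed the limit of {MAX_ENTRIES} per list")
    return valid, errors


# Constructed sample file: two good entries, a blank line, an IPv6 address,
# a malformed address and a duplicate.
SAMPLE_LIST = """203.0.113.10
198.51.100.0/24

2001:db8::1
203.0.113.999
203.0.113.10
"""

if __name__ == "__main__":
    ok, problems = validate_trusted_ip_list(SAMPLE_LIST)
    print("valid entries:", ok)
    for problem in problems:
        print("problem:", problem)
```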

Check IAM identity permissions

Be sure that your AWS Identity and Access Management (IAM) identity has permissions to manage trusted IP lists (IP sets) in GuardDuty:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "guardduty:*IPSet*",
        "guardduty:List*",
        "guardduty:Get*"
      ],
      "Resource": "*"
    }
  ]
}

Be sure that your IAM identity has permissions for PutRolePolicy and DeleteRolePolicy on the GuardDuty service-linked role AWSServiceRoleForAmazonGuardDuty:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::123456789123:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
    }
  ]
}

For more information, see Editing IAM policies.

Add and activate a trusted IP list in GuardDuty

  1. Open the GuardDuty console.
  2. In the navigation pane, choose Lists.
  3. Choose Add a trusted IP list.
  4. For List name, enter a name that is meaningful to you.
  5. For Location, enter the location of the list file in your S3 bucket. For example, https://s3.amazonaws.com/bucket-name/file.txt.
  6. Choose the Format dropdown menu, and then choose your list's file type.
  7. Select the I agree check box, and then choose Add list.
  8. In Trusted IP lists, choose Active for your trusted IP list name.

Note: It might take up to 5 minutes for the list to activate.

If you change a trusted IP list in GuardDuty, you must update and then reactivate the list. For instructions, see To update trusted IP lists and threat lists.

Related information

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Why did GuardDuty send me alert findings for a trusted IP list address?

AWS OFFICIAL
Updated a year ago