Is GuardDuty inspecting the AWS Firewall flow logs or VPC flow logs only ?

Question

In a hub&spoke topology with centralized inspection and egress, and considering the cost of VPC flow logs if enabled in every spoke VPCs, I am tempted to only have the AWS firewall flow logs enabled at all time and only enable spoke VPC flow logs for troubleshooting purposes. On the other hand we have GuardDuty enabled so I am wondering if I also need to have VPC flow logs enabled in the inspection VPCs to have GuardDuty look at it but this sounds like duplicating the flow logs costs just for GD. It would make sense to me that ANFW flow logs be inspected by default if GD is enabled but is it the case or planned to be ?

Thanks !

Answer

No, GuardDuty doesn't directly inspect AWS Firewall logs, enabling VPC flow logs in the inspection VPC can provide comprehensive monitoring without duplicating costs across all spoke VPCs. However, GuardDuty primarily analyzes CloudTrail logs, DNS logs, and VPC flow logs. In a hub-and-spoke topology, enabling VPC flow logs in the inspection VPC can provide comprehensive monitoring without duplicating costs across all spoke VPCs.

Refrence:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_integrations.html

### Refrence:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_integrations.html

Is GuardDuty inspecting the AWS Firewall flow logs or VPC flow logs only ?

Refrence:

関連するコンテンツ