Amazon GuardDuty
Intelligent threat detection — continuous monitoring of AWS accounts using VPC Flow Logs, CloudTrail, and DNS logs to identify malicious activity.
Overview
Amazon GuardDuty is a managed threat detection service — it continuously analyses AWS CloudTrail event logs, VPC Flow Logs, and DNS query logs using machine learning, anomaly detection, and integrated threat intelligence to identify malicious or unauthorised activity.
GuardDuty requires no agents, no log collection infrastructure, and no rule writing. Enable it with one click and it begins analysing data sources automatically.
Core Concepts
| Concept | Description |
|---|---|
| Detector | The GuardDuty resource in a region; enabling GuardDuty creates a detector |
| Finding | A security issue detected by GuardDuty (e.g., compromised instance, unusual API call) |
| Finding Type | Classification of the threat (e.g., Recon:EC2/PortProbeUnprotectedPort) |
| Severity | Low (1–3.9), Medium (4–6.9), High (7–10) based on confidence and impact |
| Threat Intelligence | AWS-curated and third-party IP reputation lists and known malware indicators |
| Suppression Rule | Filters out known-good findings to reduce noise (does not delete, only hides) |
| Trusted IP List | IPs that GuardDuty will not flag (e.g., corporate VPN endpoints) |
| Threat IP List | Custom IP blacklist to generate findings when traffic matches |
Data Sources
| Data Source | Detects |
|---|---|
| CloudTrail Management Events | Unusual API calls, unauthorised access attempts, suspicious account activity |
| CloudTrail S3 Data Events | Anomalous S3 API patterns (data exfiltration) |
| VPC Flow Logs | Port scanning, unusual outbound traffic, cryptocurrency mining |
| DNS Logs | DNS queries to known malicious domains |
| EKS Audit Logs | Suspicious Kubernetes API activity |
| Lambda Network Logs | Anomalous Lambda function network activity |
| RDS Login Events | Brute-force or anomalous database login attempts |
| Runtime Monitoring | Container and EC2 runtime behaviour (file access, process execution) |
GuardDuty does not require enabling Flow Logs or CloudTrail separately — it independently accesses these data streams.
Finding Categories
| Category | Examples |
|---|---|
| Reconnaissance | Port scanning, API enumeration from unusual IPs |
| Instance Compromise | Cryptocurrency mining, malware communication, data exfiltration |
| Account Compromise | API calls from unusual locations, disabled security controls, anomalous credential use |
| S3 Compromise | Unusual bucket access patterns, public bucket policy changes |
| Kubernetes | Anonymous access, privilege escalation, suspicious pod/container activity |
| Malware | Detected via EBS malware scanning (on-demand and automated) |
Multi-Account Management
| Approach | Description |
|---|---|
| AWS Organizations | Designate a GuardDuty delegated administrator account |
| Invitation-based | Manually invite and accept member accounts |
| Centralised findings | All member account findings visible in the admin account |
SAA/SAP Tip: In a multi-account setup, designate a security tooling account as the GuardDuty delegated administrator. This centralises all findings without granting the management account operational access.
Automation and Response
GuardDuty findings can trigger automated remediation:
GuardDuty Finding
→ EventBridge Rule (match finding type + severity)
→ Lambda Function
→ Isolate instance (modify SG)
→ Block IP (update NACL)
→ Send alert (SNS → Slack/PagerDuty)
→ Create JIRA ticket
Common Use Cases
- Compromised instance detection — Identify EC2 instances communicating with known command-and-control servers.
- Cryptocurrency mining — Detect unauthorised mining activity on EC2 instances.
- Data exfiltration — Identify unusual S3 access patterns or large outbound data transfers.
- Brute-force attacks — Detect SSH/RDP brute-force attempts and anomalous RDS login activity.
- Centralised security monitoring — Aggregate findings across 100+ accounts in a delegated admin model.
- Automated incident response — EventBridge + Lambda to isolate compromised instances in seconds.
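The EventBridge + Lambda isolation flow from the Automation and Response section and the automated incident response use case above, as an added Python example that is not part of the original page: the event pattern, the ISOLATION_SG_ID environment variable, the quarantine security group id and the sample finding are all constructed for this example, and the handler deliberately refuses to act on findings that do not name an EC2 instance.

```python
import os
# Constructed EventBridge event pattern: only GuardDuty findings of severity 7+
# (High in the page's table) whose affected resource is an EC2 instance reach Lambda.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}],
               "resource": {"resourceType": ["Instance"]}},
}
SEVERITY_THRESHOLD = 7.0  # re-checked in code in case the rule is later loosened
def instance_id_from_finding(event):
    """Instance id named in the finding, or None for non-instance findings (access key, S3 bucket)."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")

def isolate_instance(ec2, instance_id, isolation_sg):
    """Swap the instance's security groups for the quarantine group; `ec2` duck-types a boto3 EC2 client."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    return {"instance_id": instance_id, "groups": [isolation_sg]}

def handle_finding(event, ec2, isolation_sg):
    """Decide whether to isolate; always return an audit record of the decision."""
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    record = {"finding_id": detail.get("id"), "type": detail.get("type"),
              "severity": severity, "action": "none"}
    if severity < SEVERITY_THRESHOLD:
        record["reason"] = "below severity threshold"
        return record
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        record["reason"] = "finding does not name an EC2 instance"
        return record
    record.update(isolate_instance(ec2, instance_id, isolation_sg))
    record["action"] = "isolated"
    return record

def lambda_handler(event, context):
    """Lambda entry point; ISOLATION_SG_ID is a hypothetical env var name."""
    import boto3  # present in the Lambda runtime; lazy so the logic above runs offline
    return handle_finding(event, boto3.client("ec2"), os.environ["ISOLATION_SG_ID"])
# Constructed sample finding in the shape GuardDuty publishes to EventBridge
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"id": "sample-finding-id", "severity": 8,
                           "type": "Backdoor:EC2/C&CActivity.B!DNS",
                           "resource": {"resourceType": "Instance",
                                        "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
```

The quarantine security group should allow no inbound or outbound traffic, so the instance stays reachable only through SSM or the console for forensics; the returned record is what you would forward to SNS or the ticketing step of the flow.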
SAA/SAP Exam Tips
SAA/SAP Tip: GuardDuty is the go-to answer for "detect compromised EC2 instances," "identify malicious activity," or "threat detection across AWS accounts." It is agentless and requires no log collection setup.
Exam Trap: GuardDuty detects threats but does not prevent them. For prevention, combine GuardDuty with automated remediation (EventBridge + Lambda) or AWS WAF/Shield. GuardDuty = detection; WAF = prevention.
Cross-Cloud Equivalents
| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | Amazon GuardDuty | Baseline |
| Azure | Microsoft Defender for Cloud | Broader scope; includes recommendations |
| GCP | Google Security Command Center + Event Threat Detection | Similar finding-based model |
| On-Premises | CrowdStrike, SentinelOne, Splunk SIEM | Endpoint detection + SIEM platforms |
Pricing Model
| Dimension | Unit | Notes |
|---|---|---|
| CloudTrail management events | Per million events | Tiered; first 500M cheaper |
| VPC Flow Logs analysis | Per GB | Tiered pricing by volume |
| DNS query logs | Per million queries | Included in base analysis |
| S3 data event analysis | Per million events | Tiered by volume |
| EKS audit log analysis | Per million events | Additional charge |
| Malware scanning (EBS) | Per GB scanned | On-demand or automated |
| 30-day free trial | All features | Full functionality for evaluation |
Related Services / See Also
- AWS Security Hub — aggregates findings from GuardDuty, Inspector, Macie, and more
- Amazon Macie — S3 sensitive data discovery (complements GuardDuty)
- AWS WAF and Shield — preventive controls for web applications
- AWS IAM — GuardDuty detects IAM credential misuse
- Amazon EventBridge — event-driven automation for GuardDuty findings