No Bad Questions About DevOps

Definition of Amazon GuardDuty

What is Amazon GuardDuty

Cloud platforms make it easy to collect account and network logs, but analyzing that event data for security threats is time-consuming. Amazon GuardDuty streamlines this process by automatically analyzing CloudTrail events and VPC Flow, S3, and DNS query logs.

Amazon GuardDuty provides intelligent, continuous threat detection for your AWS accounts, data stored in Amazon S3, and workloads in order to reduce risk. The service monitors activity across your account infrastructure and notifies you of suspicious behavior.

How does Amazon GuardDuty work

The service uses machine learning, anomaly detection, and integrated threat intelligence to recognize and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, including AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

GuardDuty identifies three primary categories of threats:

  • Compromised instances. GuardDuty identifies abnormal spikes in network traffic and cases where resources such as EC2 instances are hijacked by external IP addresses.
  • Reconnaissance. This is an attacker gathering information about your network. GuardDuty detects reconnaissance such as probing of unblocked ports from known malicious IPs, VPC port scanning, and unusual API behavior.
  • Compromised accounts. GuardDuty recognizes common patterns that indicate an account compromise, including API calls from unusual locations, changes that weaken the account's password policy, and API calls from known malicious IPs.

The alerts generated by the service are classified into three levels of severity: low, medium, and high.

  • Low-severity alerts usually refer to attempts that were blocked before any resource was compromised.
  • Medium-severity alerts signify suspicious activity, such as a noticeable increase in traffic to domains associated with Bitcoin, which may indicate cryptocurrency mining.
  • High-severity alerts indicate a compromised resource and require immediate remediation.

What is Amazon GuardDuty used for

  • EKS/ECS protection. GuardDuty monitors Amazon EKS cluster control plane activity by analyzing Amazon EKS audit logs.
  • EKS runtime monitoring. GuardDuty provides runtime monitoring for Amazon EKS clusters, covering more than 30 finding types related to container runtime activity.
  • Malware protection. GuardDuty can scan workloads for malware when it detects suspicious activity on Amazon EC2 instances or on container workloads running on Amazon EC2.
  • RDS protection. GuardDuty uses tailored machine learning models and integrated threat intelligence to detect potential threats to Amazon RDS, starting with Amazon Aurora. It can identify high-severity brute-force attacks, suspicious logins, and access by known threat actors.
  • Security findings. GuardDuty produces security findings that inform users of the security status of their AWS environment. Findings can be viewed in the GuardDuty console, exported to an Amazon S3 bucket, and integrated with other services such as AWS Security Hub and Amazon Detective.
  • Easy integration. GuardDuty can be accessed and managed through the GuardDuty console or the AWS command line tools. The console provides a browser-based interface, while the command line tools let users script and automate GuardDuty tasks.
  • Lambda protection. GuardDuty continuously monitors AWS Lambda functions to detect threats such as functions maliciously repurposed for unauthorized cryptocurrency mining, or compromised functions communicating with known threat actor servers.
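To make the threat categories and severity levels above concrete, here is an added example (written for this page, not AWS code) that triages a batch of findings offline, the way a small script fed from an S3 export or `aws guardduty get-findings` output would. The finding records are constructed sample data: the key names (`Id`, `Type`, `Severity`, `Title`, `Resource`) and the `ThreatPurpose:ResourceType/Name` shape of the type strings follow GuardDuty's finding format, but the IDs, instance IDs, and severity values are invented. The mapping from type string to the three categories in the text is a simplified heuristic assumed for illustration; the numeric severity bands (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9) are the ones the GuardDuty console uses.

```python
"""Offline triage of GuardDuty-style findings (added example, not AWS code)."""
import json
from collections import Counter

# Constructed sample findings. Shapes mirror GuardDuty's JSON; values are invented.
SAMPLE_FINDINGS_JSON = """[
  {"Id": "sample-0001", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
   "Title": "Unprotected port on EC2 instance i-0000000000000001 is being probed.",
   "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0000000000000001"}}},
  {"Id": "sample-0002", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 5.0,
   "Title": "EC2 instance i-0000000000000002 is querying a domain associated with Bitcoin activity.",
   "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0000000000000002"}}},
  {"Id": "sample-0003", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 5.0,
   "Title": "API call invoked from a known malicious IP address.",
   "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "sample-user"}}},
  {"Id": "sample-0004", "Type": "Stealth:IAMUser/PasswordPolicyChange", "Severity": 2.0,
   "Title": "Account password policy was weakened.",
   "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "sample-user"}}},
  {"Id": "sample-0005", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
   "Title": "EC2 instance i-0000000000000005 is querying a domain associated with a known C&C server.",
   "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0000000000000005"}}}
]"""

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity onto the console's three labels."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def classify(finding_type: str) -> str:
    """Assign a finding type to one of the three categories from the text.

    GuardDuty types look like 'ThreatPurpose:ResourceType/Name'. This is a
    simplified assumed mapping: any Recon purpose is reconnaissance, EC2
    resources are treated as compromised instances, and IAMUser resources as
    compromised accounts. Anything else is reported as 'Other'.
    """
    threat_purpose, _, rest = finding_type.partition(":")
    resource, _, _ = rest.partition("/")
    if threat_purpose == "Recon":
        return "Reconnaissance"
    if resource == "EC2":
        return "Compromised instance"
    if resource == "IAMUser":
        return "Compromised account"
    return "Other"


def load_findings(text: str) -> list:
    """Parse a JSON array of findings, as exported to S3 or returned by the CLI."""
    return json.loads(text)


def triage(findings: list) -> tuple:
    """Return (findings ordered High -> Low, counts per severity label)."""
    triaged = []
    for f in findings:
        triaged.append({
            "Id": f["Id"],
            "Type": f["Type"],
            "Severity": severity_label(f["Severity"]),
            "Category": classify(f["Type"]),
            "Title": f["Title"],
        })
    # Highest severity first so responders see what needs immediate action.
    triaged.sort(key=lambda t: (SEVERITY_ORDER[t["Severity"]], t["Id"]))
    counts = Counter(t["Severity"] for t in triaged)
    return triaged, dict(counts)


if __name__ == "__main__":
    ordered, summary = triage(load_findings(SAMPLE_FINDINGS_JSON))
    print("Summary:", summary)
    for t in ordered:
        print(f"[{t['Severity']:6}] {t['Category']:21} {t['Id']}  {t['Type']}")
```

Running the script prints the high-severity C&C finding first, then the two medium ones (the Bitcoin DNS query the text cites as a typical medium alert, and the malicious-IP API caller), then the two low ones; in practice the same `triage` routine would be fed by a Security Hub or EventBridge consumer rather than an embedded string.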

Key Takeaways

  • Amazon GuardDuty is an AWS service that uses intelligent threat detection to continuously monitor AWS accounts, Amazon S3 data, and workloads, alerting you to suspicious behavior.
  • GuardDuty identifies three main threat categories: compromised instances, reconnaissance, and compromised accounts, with alerts classified by severity.
  • GuardDuty serves multiple purposes, including EKS/ECS protection for Amazon EKS/ECS clusters, runtime monitoring for container-related threats, malware protection for scanning workloads, RDS protection for threats to Amazon RDS, and Lambda protection for threats to Lambda functions. It generates security findings that are accessible through the console or the AWS command line tools.