AWS GuardDuty


What is AWS GuardDuty?

Amazon GuardDuty is a continuous monitoring service that detects and reports potential threats within an AWS environment, providing actionable threat detection for AWS accounts and workloads. Its findings are actionable because they include detailed information about the affected resources (tags, security groups or credentials) as well as about the potential threat, such as the source IP address and its geolocation.

GuardDuty generates tailored threat intelligence for all associated AWS accounts from:

  • Machine learning
  • AWS CloudTrail event logs
  • DNS logs
  • AWS VPC Flow Log data
  • Data related to API and AWS account usages, such as password policy changes and unauthorized infrastructure deployments
  • Threat intelligence feeds, such as lists of malicious IPs, URLs, and domains
  • Suspicious activity, such as escalation of privileges, use of exposed credentials, or communication with malicious IPs, URLs, or domains

Accessing GuardDuty

GuardDuty can be accessed in three ways.

  1. GuardDuty management console
  2. AWS SDKs
  3. GuardDuty HTTPS API

Management Console

When GuardDuty is enabled, the AWS management console can be used to centrally manage threat detection across all associated AWS accounts. The management console provides a simple interface for displaying threat findings, aggregating events and highlighting trends. It can also be used to analyze the history of findings.

Unexpected, unauthorized or potentially malicious activities are displayed in the management console. Each is categorized as a low, medium or high severity alert, and users are given detailed data and recommendations for remediation. Alerts can also be sent to Amazon CloudWatch, to third-party services such as Splunk, Sumo Logic and PagerDuty, and to tools such as JIRA, ServiceNow and Slack.

Automated Workflows

To reduce remediation and recovery time, GuardDuty can automate responses to threats. Users can set up remediation scripts or use AWS Lambda functions to trigger incident responses based on GuardDuty findings.
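As an added illustration of the Lambda-based response described above (example code, not from the page or from AWS), here is a handler that reads a GuardDuty finding delivered by an event rule, maps the numeric severity onto the low/medium/high bands, extracts the affected instance and remote IP, and decides whether to notify or isolate. The severity thresholds follow GuardDuty's documented bands, the `isolate` callable is a hypothetical hook (for example, one that swaps an instance's security group), and the event is a constructed sample.

```python
import json

# GuardDuty severity bands (assumed from the published documentation):
# low 1.0-3.9, medium 4.0-6.9, high 7.0 and above.
def severity_label(score: float) -> str:
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def summarize_finding(detail: dict) -> dict:
    """Pull out the fields a responder needs from a GuardDuty finding."""
    action = detail.get("service", {}).get("action", {})
    remote = {}
    # Network and API-call findings both carry remoteIpDetails.
    for key in ("networkConnectionAction", "awsApiCallAction"):
        remote = action.get(key, {}).get("remoteIpDetails", {})
        if remote:
            break
    resource = detail.get("resource", {})
    return {
        "id": detail.get("id"),
        "type": detail.get("type"),
        "severity": severity_label(float(detail.get("severity", 0))),
        "resource_type": resource.get("resourceType"),
        "instance_id": resource.get("instanceDetails", {}).get("instanceId"),
        "remote_ip": remote.get("ipAddressV4"),
        "country": remote.get("country", {}).get("countryName"),
    }

def lambda_handler(event: dict, context=None, isolate=None) -> dict:
    """Entry point for the Lambda function. `isolate` is a hypothetical
    callable run only for high-severity findings against EC2 instances;
    leaving it as None gives a dry run that only reports the decision."""
    if event.get("detail-type") != "GuardDuty Finding":
        return {"handled": False, "reason": "not a GuardDuty finding"}
    summary = summarize_finding(event["detail"])
    high_on_instance = summary["severity"] == "high" and summary["instance_id"]
    summary["action"] = "isolate" if high_on_instance else "notify"
    if high_on_instance and isolate is not None:
        isolate(summary["instance_id"])
    return {"handled": True, **summary}

# Constructed sample event in the shape the event rule delivers (not a real finding).
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "id": "example-finding-id", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "severity": 8.0,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"networkConnectionAction": {"remoteIpDetails": {
        "ipAddressV4": "198.51.100.7", "country": {"countryName": "Example"}}}}}}}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```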