Amazon GuardDuty
Learn how to continuously monitor the resources in AWS for threat detection using Amazon GuardDuty.
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and unauthorized behavior. It is a regional, fully managed service: there is nothing to deploy, but it must be enabled separately in every region an organization uses, because a detector in one region sees nothing in another. GuardDuty helps organizations protect AWS environments by identifying potential security issues such as unusual API calls, compromised EC2 instances, unauthorized access attempts, and communication with known malicious IP addresses or domains. By providing actionable alerts and insights into potential security risks, GuardDuty enables organizations to respond promptly to security incidents, mitigate threats, and strengthen their overall security posture in the AWS Cloud.
Key concepts and terminologies
Here are some key concepts and terminologies related to Amazon GuardDuty:
Detector: A GuardDuty detector is an instance of the GuardDuty service that continuously monitors and analyzes AWS resources and account activity for potential security threats in a region. Each account has at most one detector per region, and all findings, protection settings, and trusted or threat IP lists are attached to it.
Finding: A finding represents a security alert generated by GuardDuty when suspicious or malicious activity is detected within an AWS environment. Findings provide detailed information about the detected threat, including the affected AWS resources, the type of activity observed, and recommendations for remediation.
Threat intelligence feeds: GuardDuty leverages threat intelligence feeds from AWS, third-party sources, and open-source feeds to enhance its detection capabilities. These feeds contain information about known malicious IP addresses, domains, and other indicators of compromise, which GuardDuty uses to identify potentially malicious activity.
Severity: Each finding generated by GuardDuty carries a numeric severity score based on the perceived impact and risk associated with the detected security threat. The score maps to three labels: Low (1.0 to 3.9), Medium (4.0 to 6.9), and High (7.0 to 8.9). High-severity findings represent the most critical security issues, such as a resource actively compromised or credentials exfiltrated, and require immediate attention and remediation.
How GuardDuty works
Amazon GuardDuty works by continuously monitoring and analyzing activity within an AWS environment to identify potential security threats. It collects and analyzes logs from several foundational data sources within an AWS account: AWS CloudTrail management events, VPC Flow Logs, and DNS query logs from the Route 53 resolver. GuardDuty reads these from its own copy of the data streams, so enabling it does not require (and is not affected by) the CloudTrail trails or flow-log configuration an account has set up for its own purposes.
These logs provide detailed information about user activity, resource changes, network traffic, and DNS resolutions occurring within the AWS environment. It then uses a combination of machine learning algorithms, anomaly detection techniques, and threat intelligence feeds to analyze the collected data and identify suspicious or malicious activity. It looks for patterns and indicators of compromise (IOCs) associated with common attack vectors, such as unauthorized access attempts, compromised instances, malware infections, and data exfiltration.
When GuardDuty detects potentially malicious activity or security threats, it generates findings to provide detailed information about the detected threats, including the affected AWS resources, the type of activity observed, and the severity level of the threat. These findings are categorized as Low, Medium, or High severity to prioritize remediation efforts.
Once security findings are identified, each finding links to remediation guidance for its finding type to help organizations address the threat effectively. GuardDuty itself does not remediate anything: findings are delivered to Amazon EventBridge (and optionally to AWS Security Hub), which is how security teams wire up notifications and automated responses such as isolating an instance or revoking credentials. This enables teams to investigate incidents, mitigate risks, and implement proactive security measures to improve the overall security posture of their AWS environments.
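The key concepts above (detector, finding, severity) and the EventBridge delivery described here come together in a triage step. The following is an added example, not code from the page or from AWS: it consumes GuardDuty finding events in the EventBridge envelope, maps the numeric severity to the Low/Medium/High labels, decomposes the documented finding-type string (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact), and picks a response class. The sample events are constructed with placeholder identifiers, and the response policy in `response_class()` is an assumption for illustration rather than a GuardDuty recommendation.

```python
"""Triage GuardDuty findings as delivered by EventBridge (added example)."""
import re

# Documented GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_BANDS = (("Low", 1.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 8.9))

# Finding type format: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
TYPE_RE = re.compile(
    r"^(?P<purpose>[^:]+):(?P<resource>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)


def severity_label(score):
    """Map the numeric severity field to the label shown in the console."""
    for label, low, high in SEVERITY_BANDS:
        if low <= float(score) <= high:
            return label
    return "Unknown"


def parse_finding_type(finding_type):
    """Split a finding type string into its documented components."""
    m = TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised finding type: {finding_type}")
    return m.groupdict()


def affected_resource(finding):
    """Return (resourceType, identifier) for the resource types handled here."""
    res = finding["resource"]
    rtype = res["resourceType"]
    if rtype == "Instance":
        return rtype, res["instanceDetails"]["instanceId"]
    if rtype == "AccessKey":
        return rtype, res["accessKeyDetails"]["accessKeyId"]
    if rtype == "S3Bucket":
        return rtype, res["s3BucketDetails"][0]["name"]
    return rtype, "unknown"


def action_summary(finding):
    """One-line description of the observed activity behind the finding."""
    action = finding["service"].get("action", {})
    kind = action.get("actionType")
    if kind == "DNS_REQUEST":
        return "DNS query for " + action["dnsRequestAction"]["domain"]
    if kind == "AWS_API_CALL":
        call = action["awsApiCallAction"]
        return f"{call['serviceName']}:{call['api']} from {call['remoteIpDetails']['ipAddressV4']}"
    if kind == "PORT_PROBE":
        probes = action["portProbeAction"]["portProbeDetails"]
        ports = sorted({p["localPortDetails"]["port"] for p in probes})
        return f"port probe on {ports} from {len(probes)} source(s)"
    return kind or "unknown"


def response_class(label, rtype):
    """Assumed response policy for this example (not a GuardDuty recommendation)."""
    if label == "High" and rtype == "Instance":
        return "isolate-instance"
    if label == "High" and rtype == "AccessKey":
        return "revoke-credentials"
    if label in ("High", "Medium"):
        return "page-oncall"
    return "ticket"


def triage(event):
    """Turn one EventBridge event into a flat triage record."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(finding["severity"])
    rtype, rid = affected_resource(finding)
    parts = parse_finding_type(finding["type"])
    return {"id": finding["id"], "type": finding["type"], "purpose": parts["purpose"],
            "severity": label, "resource": f"{rtype}/{rid}", "activity": action_summary(finding),
            "count": finding["service"].get("count", 1), "response": response_class(label, rtype)}


def _event(finding):
    """Wrap a finding in the EventBridge envelope GuardDuty publishes."""
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": "123456789012", "region": "us-east-1", "detail": finding}


# Constructed sample findings (placeholder IDs); field layout follows the documented finding format.
SAMPLE_EVENTS = [
    _event({"id": "f1", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
            "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
            "service": {"count": 12, "action": {"actionType": "DNS_REQUEST", "dnsRequestAction": {
                "domain": "pool.example", "protocol": "UDP", "blocked": False}}}}),
    _event({"id": "f2", "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
            "severity": 8,
            "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLE"}},
            "service": {"count": 3, "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
                "api": "ListBuckets", "serviceName": "s3.amazonaws.com",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}}),
    _event({"id": "f3", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
            "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
            "service": {"count": 40, "action": {"actionType": "PORT_PROBE", "portProbeAction": {
                "blocked": False, "portProbeDetails": [
                    {"localPortDetails": {"port": 22}, "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}},
                    {"localPortDetails": {"port": 3389}, "remoteIpDetails": {"ipAddressV4": "203.0.113.10"}}]}}}}),
]


def triage_all(events=SAMPLE_EVENTS):
    """Triage a batch, highest severity label first (stable within a label)."""
    order = ("High", "Medium", "Low", "Unknown")
    return sorted((triage(e) for e in events), key=lambda r: order.index(r["severity"]))


if __name__ == "__main__":
    for rec in triage_all():
        print(rec)
```

In a real deployment this logic sits behind an EventBridge rule matching `source: aws.guardduty` and `detail-type: GuardDuty Finding` (typically a Lambda target); the `count` field is worth surfacing because GuardDuty aggregates repeat activity into one finding and increments it rather than emitting duplicates.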
A common use case of GuardDuty is detecting EC2 instances and containers that have been hijacked for cryptocurrency mining (for example, the CryptoCurrency:EC2/BitcoinTool.B!DNS finding, raised when an instance resolves a domain associated with mining pools). It also monitors the account for suspicious activity, such as unauthorized deployments or unusual API calls. Findings are kept in GuardDuty for 90 days; they can also be exported to an S3 bucket, which is useful for longer retention and for analysis with tools such as Athena.
GuardDuty protections
On top of the foundational CloudTrail, VPC Flow Log, and DNS analysis, GuardDuty offers optional protection plans for specific AWS services, such as EKS, Lambda, EC2, EBS, ECS, RDS, and S3. Each is turned on per detector (per account and region), so a detector with only the defaults sees none of the signals below. Let's look at how these resources are protected against malicious activity:
EKS protection: GuardDuty analyzes the Kubernetes audit logs from the EKS control plane for suspicious sequences of user and service-account activity in EKS clusters, such as anonymous API access or privilege escalation, without the cluster owner having to ship those logs anywhere.
Lambda protection: GuardDuty monitors the network activity of Lambda functions (including VPC Flow Logs for VPC-attached functions) to detect suspicious traffic, such as connections to cryptocurrency-mining pools or known malicious hosts. It does not inspect the function's code.
Malware protection: When another finding indicates that an EC2 instance or container workload may be compromised (or on demand), GuardDuty takes snapshots of the attached EBS volumes and scans the snapshot copies for malware. The scan is agentless and runs on the snapshots, not on the live instance.
RDS protection: GuardDuty analyzes successful and failed login events to Aurora databases to detect anomalous access, such as password spraying or logins from unfamiliar networks. It looks only at login activity, not at queries or stored data.
Runtime monitoring: GuardDuty deploys a security agent onto EKS nodes, ECS tasks (including AWS Fargate), and EC2 instances to observe operating-system-level events such as process execution, file access, and network connections, which lets it detect things the log sources cannot, such as a reverse shell or a newly dropped binary.
S3 protection: GuardDuty monitors AWS CloudTrail data events for Amazon S3 (object-level operations such as GetObject, PutObject, and DeleteObject) to identify potential threats to the objects in S3 buckets. Bucket-level management events are already covered by the foundational CloudTrail analysis, so this plan is what adds visibility into access to the data itself.
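Because each protection plan above is a per-detector feature, the practical check is whether a given detector actually has them all enabled. The following is an added example, not code from the page or from AWS: it maps the protections to their names in the GuardDuty API (the documented `DetectorFeatureConfiguration` feature names, including the Runtime Monitoring agent-management sub-settings), reports the gaps in a `GetDetector` response, and builds the `Features` argument for `update_detector()` that would close them. `SAMPLE_DETECTOR` is a constructed response; against a real account you would substitute `boto3.client("guardduty").get_detector(DetectorId=...)`.

```python
"""Report GuardDuty protection plans that a detector does not have enabled (added example)."""

# Protection plan (as named on this page) -> documented GuardDuty API feature name.
PROTECTION_FEATURES = {
    "S3 Protection": "S3_DATA_EVENTS",
    "EKS Protection": "EKS_AUDIT_LOGS",
    "Malware Protection for EC2": "EBS_MALWARE_PROTECTION",
    "RDS Protection": "RDS_LOGIN_EVENTS",
    "Lambda Protection": "LAMBDA_NETWORK_LOGS",
    "Runtime Monitoring": "RUNTIME_MONITORING",
}

# Runtime Monitoring's agent deployment is configured per compute type via AdditionalConfiguration.
RUNTIME_AGENT_CONFIGS = ("EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT")

# Constructed sample in the shape of a GetDetector response (assumption: not from a real account).
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "FindingPublishingFrequency": "SIX_HOURS",
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
        {"Name": "EBS_MALWARE_PROTECTION", "Status": "DISABLED"},
        {"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
             {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "DISABLED"},
             {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"}]},
        # LAMBDA_NETWORK_LOGS is absent entirely, which the check treats as disabled.
    ],
}


def feature_status(detector):
    """Flatten Features (and Runtime Monitoring sub-features) into name -> status."""
    status = {}
    for feature in detector.get("Features", []):
        status[feature["Name"]] = feature["Status"]
        for extra in feature.get("AdditionalConfiguration", []):
            status[extra["Name"]] = extra["Status"]
    return status


def coverage_gaps(detector, required=PROTECTION_FEATURES):
    """List the protection plans (and runtime agents) that are not ENABLED on this detector."""
    status = feature_status(detector)
    gaps = [plan for plan, feature in required.items() if status.get(feature) != "ENABLED"]
    if status.get("RUNTIME_MONITORING") == "ENABLED":
        # Runtime Monitoring on with no agents deployed still observes nothing on that compute type.
        gaps += [f"Runtime Monitoring agent: {c}" for c in RUNTIME_AGENT_CONFIGS if status.get(c) != "ENABLED"]
    return gaps


def enable_payload(detector, required=PROTECTION_FEATURES):
    """Build the Features list for update_detector(DetectorId=..., Features=...) that closes every gap."""
    status = feature_status(detector)
    features = []
    for feature in required.values():
        if feature == "RUNTIME_MONITORING":
            agents_missing = any(status.get(c) != "ENABLED" for c in RUNTIME_AGENT_CONFIGS)
            if status.get(feature) == "ENABLED" and not agents_missing:
                continue
            features.append({"Name": feature, "Status": "ENABLED",
                             "AdditionalConfiguration": [{"Name": c, "Status": "ENABLED"}
                                                         for c in RUNTIME_AGENT_CONFIGS]})
        elif status.get(feature) != "ENABLED":
            features.append({"Name": feature, "Status": "ENABLED"})
    return features


if __name__ == "__main__":
    for gap in coverage_gaps(SAMPLE_DETECTOR):
        print("missing:", gap)
    print("update_detector Features:", enable_payload(SAMPLE_DETECTOR))
```

Run this per region, since each region has its own detector; in a multi-account setup the same `Features` payload is what the delegated administrator pushes to member accounts through the organization configuration. Enabling Malware Protection and Runtime Monitoring has cost and IAM side effects (service-linked role permissions for snapshots and agent deployment), so treat the payload as a proposal to review rather than something to apply blindly.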