Skip to main content
Dive into the powerful world of AWS GuardDuty, a threat detection service designed to secure your AWS environment by proactively monitoring for suspicious activities. GuardDuty leverages machine learning, threat intelligence, and real-time analysis to identify unauthorized access, compromised instances, and malicious network traffic. GuardDuty collects data from a wide array of sources including CloudTrail events, VPC flow logs, DNS logs, control plane events (such as S3 and EKS audit logs), and login events. It then analyzes these inputs for patterns that signal potential malicious intent. Once identified, GuardDuty can trigger automated responses or alert you for further investigation.
The image is a diagram explaining how GuardDuty works, showing the process of collecting data from various sources, detecting threats, and triggering responses.
GuardDuty categorizes security findings by severity:
  • High Severity: Indicates a compromised resource that demands immediate remediation.
  • Medium Severity: Signals suspicious activity warranting investigation to verify its legitimacy.
  • Low Severity: Suggests minor issues such as port scans or failed login attempts that could be indicative of broader malicious behavior.
The image is a severity level scale ranging from 0 to 9, with categories labeled as Low, Medium, and High, and includes a note about investigating suspicious activity.
GuardDuty supports the use of both trusted and threat IP lists. Trusted IP lists include IP addresses known to be safe (e.g., used for security scanning), while threat IP lists contain addresses associated with malicious activity. GuardDuty ignores entries on the trusted list but flags those on the threat list as dangerous. Note that these lists can include up to 250,000 CIDR ranges or individual IP addresses.
The image is a table comparing Trusted IP Lists and Threat IP Lists, detailing their purpose, effect, and limitations in the context of AWS security.
GuardDuty detects suspicious activity across four key categories:
  • Reconnaissance: Unusual port scanning or unauthorized port probing.
  • Instance Compromise: Activities such as using instances for cryptocurrency mining, deploying malware, or launching denial-of-service attacks.
  • Account Compromise: Suspicious API calls, attempts to disable logging, modifications to password policies, or unexpected resource deployments.
  • Bucket Compromise: Unusual activities linked to Amazon S3 operations.
The image lists GuardDuty detection categories related to account compromise, including suspicious API activity, attempts to disable AWS CloudTrail logging, changes that weaken password policies, and unexpected resource deployments or region changes.
The image lists GuardDuty detection categories related to security threats, including suspicious data access patterns, unusual Amazon S3 activity, unauthorized S3 access, and unusual data retrieval requests.
In summary, AWS GuardDuty serves as a vigilant guardian for your AWS infrastructure, continuously monitoring network traffic and control plane activities to promptly detect potential intrusions or threats. This proactive approach is pivotal in protecting your cloud resources against evolving security challenges.
We hope you found this overview informative. Happy securing! For more insights into AWS security best practices, check out AWS Security Documentation.

Watch Video