Amazon GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts for malicious activity and unauthorized behavior.
GuardDuty's main function is alerting; it does not directly block application-level traffic. It operates as an intrusion detection service that uses machine learning to identify abnormal or malicious behavior, and it maintains a database of known malicious domains and IP addresses updated from external threat intelligence feeds.
GuardDuty continuously monitors and analyzes several foundational AWS data sources for its core threat detection:
Technical Specs:
- VPC Flow Logs: Capture information about IP traffic going to and from network interfaces in your VPC, allowing GuardDuty to detect suspicious network activity, such as communication with known malicious IP addresses or unusual traffic patterns.
- AWS CloudTrail Management Events: Provide a history of API calls made to your AWS services, enabling GuardDuty to detect unauthorized or unusual API activity, such as attempts to disable logging or create resources in uncharacteristic regions.
- DNS Logs: GuardDuty analyzes DNS queries to identify communication with known malicious domains, which can indicate malware or botnet activity.
While the above are foundational, specific GuardDuty protection plans use additional data sources:
Technical Specs:
- Malware Protection: Uses Amazon EBS volume data for malware scanning.
- EKS Protection plans: Use Kubernetes audit logs for EKS.
GuardDuty identifies a range of malicious activities and unauthorized behaviors across your AWS environment.
GuardDuty automatically monitors AWS accounts for compromised EC2 instances, unusual S3 activity, and cryptocurrency mining. It offers built-in detection for EC2, S3, and IAM.
GuardDuty uncovers unauthorized behavior by evaluating the API requests made in your account. Its anomaly detection identifies events associated with common attacker techniques, such as API calls that are unusual for that account.
GuardDuty seamlessly integrates with other AWS security services for comprehensive monitoring and enables automated responses to detected threats.
GuardDuty findings are a starting point for investigating security incidents. For example, Amazon Detective analyzes billions of data points to investigate security incidents and potential threats identified by GuardDuty. GuardDuty findings are also aggregated into AWS Security Hub, which provides a consolidated view of security alerts from GuardDuty, Inspector, Macie, and other services.
GuardDuty publishes its findings to Amazon EventBridge (formerly Amazon CloudWatch Events), where rules can route them to notifications or to AWS Lambda functions that perform automated remediation actions.
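The EventBridge-to-Lambda remediation path above, as an added example that is not part of the original page or of any AWS sample: an EventBridge event pattern that forwards only High and Critical GuardDuty findings, and a Lambda handler that parses the finding's type and affected resource into a remediation decision. The action names in ACTIONS and the sample event's ids are assumed placeholders; the handler only returns the decision and makes no AWS API calls.

```python
# EventBridge rule pattern: forward only High/Critical GuardDuty findings
# (severity >= 7) to the Lambda target; EventBridge supports numeric matching.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
# Automation step to dispatch per affected resource type (assumed step names).
ACTIONS = {"Instance": "isolate-instance", "AccessKey": "disable-access-key",
           "S3Bucket": "review-bucket-policy"}

def severity_band(score):
    """Map GuardDuty's numeric severity to its documented bands."""
    return ("Critical" if score >= 9 else "High" if score >= 7
            else "Medium" if score >= 4 else "Low")

def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatFamily.Mechanism!Artifact'."""
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    family = rest.split(".", 1)[0].split("!", 1)[0]
    return {"purpose": purpose, "resource": resource, "family": family}

def affected_resource(detail):
    """Pull the identifier a responder acts on, keyed by resourceType."""
    res, kind = detail["resource"], detail["resource"]["resourceType"]
    if kind == "Instance":
        return kind, res["instanceDetails"]["instanceId"]
    if kind == "AccessKey":
        return kind, res["accessKeyDetails"]["accessKeyId"]
    if kind == "S3Bucket":
        return kind, [b["name"] for b in res["s3BucketDetails"]]
    return kind, None

def handler(event, context=None):
    """Lambda entry point: turn one finding into a remediation decision."""
    detail = event["detail"]
    kind, ident = affected_resource(detail)
    return {"findingId": detail["id"], "band": severity_band(detail["severity"]),
            "target": kind, "targetId": ident,
            "action": ACTIONS.get(kind, "notify-only"),
            **parse_finding_type(detail["type"])}
# Constructed sample event; account and resource ids are placeholders.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"id": "EXAMPLE-FINDING-ID", "severity": 8,
               "type": "Backdoor:EC2/C&CActivity.B!DNS",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```

A real handler would act on the returned decision, for example by swapping the instance's security groups for an isolation group, and record the finding id so the action can be traced back to the alert.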