How GuardDuty Works
GuardDuty is designed to be easy to enable and manage. Its process is entirely automated and agentless.
- Analyzes Data Sources: GuardDuty pulls and analyzes data from multiple independent AWS data streams without you needing to manage them. These sources include:
  - AWS CloudTrail Logs: Monitors for unusual API calls, unauthorized deployments, and other account-level malicious activity. This includes both management events and S3 data events.
  - Amazon VPC Flow Logs: Analyzes network traffic to identify suspicious patterns such as communication with malicious IP addresses or unusual data transfers.
  - DNS Logs: Monitors DNS queries made by resources within your VPC to identify communication with domains known for serving malware or involved in cryptocurrency mining.
- Applies Threat Intelligence and Machine Learning: To identify threats, GuardDuty uses:
  - Integrated Threat Intelligence: Utilizes up-to-date threat intelligence feeds from AWS and third-party security partners (such as Proofpoint and CrowdStrike) containing lists of known malicious domains and IP addresses.
  - Machine Learning (ML) & Anomaly Detection: Establishes a baseline of normal activity for your accounts and resources, then uses ML models to identify deviations from this baseline that could indicate a threat.
- Generates Detailed Findings: When a potential security issue is detected, GuardDuty generates a finding. Each finding is a detailed security alert that provides the information needed to investigate and respond.
GuardDuty Findings
A GuardDuty finding is a report on a detected security issue. You can view findings in the AWS Console, or access them via the CLI and API.
Key Components of a Finding
- Finding Type: A unique title describing the potential threat (e.g., `Recon:EC2/Portscan` or `CryptoCurrency:EC2/BitcoinTool.B`).
- Severity: A rating of the finding's importance, categorized as High, Medium, or Low.
- Affected Resource: Details about the AWS resource involved, including:
  - Resource ID (e.g., Instance ID, Access Key ID)
  - Resource Type (e.g., `EC2`, `IAMUser`)
  - Port and other connection details
- Action: Information about the suspicious action, such as the API call made or the network connection details.
- Threat Details: Includes the name of the threat list that flagged the activity, if applicable.
- Metadata: Includes the Region, Account ID, Count (number of times the activity occurred), and First/Last Seen timestamps.
Core Features & Benefits
- Agentless & No Performance Impact: Because it analyzes logs externally, GuardDuty has zero impact on the performance or availability of your production workloads.
- Easy to Enable and Manage: Can be enabled with a single click in the AWS Management Console and immediately begins monitoring.
- Multi-Account Management: Integrates with AWS Organizations, allowing you to manage GuardDuty and view findings across all your AWS accounts from a single designated administrator account.
- Customizable Detection: You can upload your own lists to reduce false positives and enhance detection:
  - Trusted IP Lists: Whitelists of IP addresses for which GuardDuty will not generate findings.
  - Threat Lists: Your own lists of known malicious IP addresses. You can upload up to six threat lists per region.
- Automated Response: GuardDuty is integrated with Amazon EventBridge, allowing you to automatically trigger remediation actions (e.g., isolating an EC2 instance with a Lambda function, revoking credentials) in response to specific findings.
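As an added example (not code from the page or from AWS), the following shows what an EventBridge-triggered responder has to do with a finding before it can act: read the key components listed above out of the finding JSON, map the numeric severity to the High/Medium/Low bands, and decide a response. The event is a constructed sample; the field paths (`detail.type`, `detail.severity`, `resource.resourceType` with values such as `Instance` and `AccessKey`, `service.count`, `service.eventFirstSeen`) are those of the GuardDuty finding format, and the response names are placeholders for whatever Lambda logic you wire up.

```python
# Constructed EventBridge event wrapping a GuardDuty finding (sample values only;
# field paths follow the GuardDuty finding JSON, severity bands follow the docs).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B",
        "severity": 8.0, "region": "us-east-1", "accountId": "111122223333",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"count": 3, "eventFirstSeen": "2024-01-01T10:00:00Z",
                    "eventLastSeen": "2024-01-01T11:30:00Z",
                    "action": {"actionType": "NETWORK_CONNECTION"},
                    "additionalInfo": {"threatListName": "ExampleThreatList"}},
    },
}

def severity_label(score):
    """Map numeric severity (0.1-8.9) to GuardDuty's Low/Medium/High bands."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def summarize_finding(event):
    """Pull the key components of a finding out of the EventBridge envelope."""
    if event.get("source") != "aws.guardduty":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    res = d.get("resource", {})
    # The resource ID sits under a type-specific sub-object.
    rid = (res.get("instanceDetails", {}).get("instanceId")
           or res.get("accessKeyDetails", {}).get("accessKeyId"))
    svc = d.get("service", {})
    return {
        "type": d["type"], "severity": severity_label(d["severity"]),
        "resource_type": res.get("resourceType"), "resource_id": rid,
        "action": svc.get("action", {}).get("actionType"),
        "threat_list": svc.get("additionalInfo", {}).get("threatListName"),
        "count": svc.get("count"), "first_seen": svc.get("eventFirstSeen"),
        "last_seen": svc.get("eventLastSeen"),
        "region": d.get("region"), "account_id": d.get("accountId"),
    }

def choose_response(summary):
    """Only High findings get automated action; everything else is just reported."""
    actions = {"Instance": "isolate-instance", "AccessKey": "disable-access-key"}
    if summary["severity"] != "High":
        return "notify"
    return actions.get(summary["resource_type"], "notify")
```

In a real deployment the EventBridge rule would match `source: aws.guardduty` and the Lambda handler would call `choose_response(summarize_finding(event))` and then perform the chosen action with the relevant AWS API.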
Pricing
- Pay-per-Use Model: GuardDuty pricing is based on the volume of data it analyzes. There are no upfront costs or subscriptions. The cost is calculated from the quantity of AWS CloudTrail events analyzed and the data volume (per GB) of VPC Flow Logs and DNS Logs processed.
- Free Trial: Every new GuardDuty account gets a 30-day free trial to evaluate the service and estimate its monthly cost.