Posted On: Feb 28, 2018
Amazon GuardDuty has added twelve new threat detections, including nine AWS CloudTrail-based anomaly detections that identify highly suspicious activity in accounts that use the service. Customers can now detect sensitive API calls that change the security posture of an account, or that attempt to undermine the ability to monitor AWS activity.
The new category of detections catches reconnaissance of, and changes to, network, resource, and user permissions. The detections cover anomalous activity in Amazon EC2, AWS CloudTrail, and AWS Management Console logins. Highly sensitive APIs are those that either change the security posture of an account by adding or elevating users, user policies, roles, or access key IDs (AKIDs), or undermine the ability to monitor activity in the account, for example by disabling CloudTrail logging. Whether a call is highly suspicious is decided by models that GuardDuty profiles at the level of individual APIs, so a sensitive call is judged against the established usage pattern for that API rather than flagged unconditionally.
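To make the two ideas above concrete (a fixed set of "highly sensitive" APIs, and an anomaly judgement made per principal and per API), here is an added example of that style of detection run over CloudTrail-shaped records. It is written for this page and is not GuardDuty's code: the API lists, the first-seen-for-this-principal heuristic, the severity labels, and the sample records (account 111122223333, users alice and bob, TEST-NET addresses) are all assumptions constructed for the illustration. GuardDuty's own models are not public and are certainly richer than a first-seen check.

```python
import json
from collections import defaultdict

# Illustrative sets of "highly sensitive" API calls keyed by (eventSource, eventName),
# the two fields CloudTrail uses to name a call. These are assumptions for this
# example, not GuardDuty's actual detection set or finding types.
PRIVILEGE_CHANGE_APIS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateRole"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "AttachRolePolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"),
}
MONITORING_TAMPER_APIS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
}


def classify(record):
    """Return 'PrivilegeChange', 'MonitoringTamper', or None for a CloudTrail record."""
    api = (record.get("eventSource"), record.get("eventName"))
    if api in PRIVILEGE_CHANGE_APIS:
        return "PrivilegeChange"
    if api in MONITORING_TAMPER_APIS:
        return "MonitoringTamper"
    return None


def principal(record):
    """Identify the caller by its userIdentity ARN, falling back to the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def build_baseline(records):
    """Profile which (eventSource, eventName) pairs each principal has called before."""
    seen = defaultdict(set)
    for r in records:
        seen[principal(r)].add((r.get("eventSource"), r.get("eventName")))
    return seen


def detect(baseline, records):
    """Flag sensitive calls; a call this principal has never made before is rated HIGH.

    Denied calls (errorCode present) are still reported: a refused CreateAccessKey
    or StopLogging is itself evidence of attempted escalation or evasion.
    """
    findings = []
    for r in records:
        category = classify(r)
        if category is None:
            continue
        who = principal(r)
        first_seen = (r["eventSource"], r["eventName"]) not in baseline.get(who, set())
        findings.append({
            "principal": who,
            "api": r["eventName"],
            "category": category,
            "severity": "HIGH" if first_seen else "MEDIUM",
            "denied": "errorCode" in r,
            "sourceIPAddress": r.get("sourceIPAddress"),
            "eventTime": r.get("eventTime"),
        })
    return findings


# Constructed CloudTrail-style records (not real log data); only the fields used
# here are present, real records carry many more. HISTORY is the profiling window,
# NEW is the batch being evaluated against it.
HISTORY = [json.loads(s) for s in """
{"eventTime":"2018-02-20T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2018-02-21T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2018-02-22T09:30:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/ops"},"sourceIPAddress":"203.0.113.20"}
""".strip().splitlines()]

NEW = [json.loads(s) for s in """
{"eventTime":"2018-02-27T02:10:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2018-02-27T02:11:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"userName":"bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2018-02-27T02:15:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2018-02-27T08:00:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/ops"},"sourceIPAddress":"203.0.113.20"}
{"eventTime":"2018-02-27T08:02:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7"}
""".strip().splitlines()]


if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), NEW):
        print(json.dumps(finding))
```

Run as a script it prints four findings: alice's first-ever CreateAccessKey (HIGH), bob's StopLogging (HIGH, from the same address that minted bob's key), the Admin role's routine AttachUserPolicy (MEDIUM, because it is in that role's baseline), and alice's denied DeleteTrail (HIGH). The DescribeInstances call is not reported at all. The point the example makes is the one in the announcement: sensitivity comes from the API, suspicion comes from comparing the caller against its own history, and the two are scored separately.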