Amazon GuardDuty Documentation

GuardDuty is a threat detection service that is designed to monitor for malicious activity and unauthorized behavior across your AWS environments. GuardDuty combines machine learning (ML), anomaly detection, and malicious file discovery, using both AWS and third-party sources to help protect workloads and data. GuardDuty analyzes events across multiple AWS data sources, including AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and DNS query logs. GuardDuty also monitors Amazon Simple Storage Service (Amazon S3) data events, Amazon Aurora login events, and runtime activity for Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Compute Cloud (Amazon EC2) (Preview), and Amazon Elastic Container Service (Amazon ECS)—including serverless container workloads on AWS Fargate.

GuardDuty is designed to identify unusual activity within your accounts, analyze the security relevance of the activity, and give the context in which it was invoked. This allows you to determine if you should spend time on further investigation. GuardDuty findings are assigned a severity, and you can automate actions by integrating with AWS Security Hub, Amazon EventBridge, AWS Lambda, and AWS Step Functions. Amazon Detective is also tightly integrated with GuardDuty so that you can perform deeper forensic and root cause investigation.

Account-level threat detection

GuardDuty is designed to give you accurate threat detection of account compromise, which can be particularly difficult to detect quickly if you are not continuously monitoring for factors in near real time. GuardDuty can help you detect signs of account compromise, such as access of AWS resources from an unusual geolocation at an atypical time of day. For programmatic AWS accounts, GuardDuty is designed to check for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.

Continuous monitoring across AWS accounts

GuardDuty is designed to continuously monitor and analyze your AWS account and workload event data found in CloudTrail, VPC flow logs, and DNS logs. There is no additional security software or infrastructure to deploy and maintain for the foundational protections in GuardDuty. By associating your AWS accounts together, you can aggregate threat detection instead of having to work on an account-by-account basis. In addition, you do not have to collect, analyze, and correlate large volumes of AWS data from multiple accounts.

Threat detections developed for the cloud

GuardDuty gives you access to built-in detection techniques that are developed for the cloud. The detection algorithms are maintained and continuously improved upon by AWS Security. The primary detection categories include:

Reconnaissance – This activity suggests reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.

Instance compromise – This activity indicates an instance compromise, such as cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.

Account compromise – Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.

Bucket compromise – This activity indicates a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user that had no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes CloudTrail S3 data events (for example, GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets.

Malware detection – GuardDuty begins a malware detection scan when it identifies suspicious behavior indicative of malicious software in EC2 instance or container workloads. GuardDuty generates temporary replicas of Amazon EBS volumes attached to such EC2 instance or container workloads and scans the volume replicas for trojans, worms, crypto miners, rootkits, bots, and more that might be used to compromise the workloads, repurpose resources for malicious use, and gain unauthorized access to data. GuardDuty Malware Protection generates contextualized findings that can validate the source of the suspicious behavior. These findings can be routed to the proper administrators and initiate automated remediation.

Container compromise – Possible malicious or suspicious behavior in container workloads is detected by continuously monitoring and profiling EKS clusters, analyzing their EKS audit logs and container runtime activity in EKS or ECS.

Threat severity levels for efficient prioritization

GuardDuty provides three severity levels (Low, Medium, and High) to help customers prioritize their response to potential threats. A Low severity level indicates suspicious or malicious activity that was blocked before it compromised your resource. A Medium severity level indicates suspicious activity. An example would be a large amount of traffic being returned to a remote host that is hiding behind the Tor network, or activity that deviates from normally observed behavior. A High severity level indicates that the resource in question (for example, an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.

Automate threat response and remediation

GuardDuty offers HTTPS APIs and command line interface (CLI) tools, as well as integration with Amazon EventBridge to support automated security responses to security findings. For example, you can automate the response workflow by using EventBridge as an event source to trigger a Lambda function.
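An added example (not AWS code and not part of this documentation) of the EventBridge-to-Lambda workflow described above: an event pattern that forwards only High-severity findings, and a handler that picks a response from the finding's severity and type. The playbook names and the sample event are constructed for illustration; the numeric severity ranges come from GuardDuty's finding format rather than from this page.

```python
import json

# EventBridge rule pattern matching only High-severity GuardDuty findings.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

def severity_label(score):
    """Map GuardDuty's numeric severity onto the three levels named on this page."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

# Hypothetical playbook names, keyed by the resource part of the finding type.
PLAYBOOKS = {"EC2": "isolate-instance", "IAMUser": "revoke-credentials", "S3": "lock-bucket"}

def handler(event, context=None):
    """Lambda entry point: decide a response for one GuardDuty finding event."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event.get("detail", {})
    ftype = detail.get("type", "")
    level = severity_label(float(detail.get("severity", 0)))
    # Finding types have the shape ThreatPurpose:ResourceType/Name.
    resource = ftype.partition(":")[2].partition("/")[0]
    if level == "High":
        # Unknown resource types escalate to a human instead of being dropped.
        action = PLAYBOOKS.get(resource, "page-oncall")
    elif level == "Medium":
        action = "open-ticket"
    else:
        action = "log-only"
    return {"finding_id": detail.get("id"), "type": ftype, "severity": level, "action": action}

# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "example-finding-id", "severity": 8.0,
               "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"},
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The handler only returns a decision; wiring each action to Step Functions or a remediation Lambda is left to the deployment.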

Scalable threat detection

GuardDuty is designed to manage resource utilization based on the overall activity levels within your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty is designed to add detection capacity only when necessary and reduces utilization when capacity is no longer needed.

Deployment with no additional software or infrastructure to deploy and manage

Through the AWS Management Console or using a single API call, you can enable Amazon GuardDuty on a single account. With a few more clicks in the console, you can enable GuardDuty across multiple accounts. Amazon GuardDuty supports multiple accounts through AWS Organizations integration as well as natively within GuardDuty. Once enabled, GuardDuty starts analyzing continuous streams of account and network activity at scale. There is no additional security software, sensor, or network appliance to deploy or manage. Threat intelligence is pre-integrated into the service and is updated and maintained.

Broad, container-aware protection

GuardDuty provides comprehensive protection for container workloads across your AWS compute estate that would otherwise be difficult and complex to achieve. Whether you're running workloads with server-level control on EC2 or serverless modern application workloads on ECS with Fargate, GuardDuty detects potentially malicious and suspicious activity, gives you container-level context with runtime monitoring, and helps you identify security coverage gaps in your container workloads across your AWS environment.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.