Amazon GuardDuty

Protect your AWS accounts with intelligent threat detection

Benefits of GuardDuty

Keep your accounts, workloads, and data secure by continuously monitoring for potential threats across your AWS environment.
Expose threats quickly using anomaly detection, machine learning (ML), behavioral modeling, and threat intelligence feeds from AWS and leading third parties.
Accurately detect and respond to threats earlier, before they escalate to broader business-impacting events.
Scale threat detection across all accounts in your AWS environment without requiring manual effort or third-party tooling.
Safeguard your accounts, data, and resources across various AWS compute types, spanning Amazon Elastic Compute Cloud (Amazon EC2), serverless workloads, and container workloads—including those on AWS Fargate.

What is GuardDuty?

Amazon GuardDuty combines ML and integrated threat intelligence from AWS and leading third parties to help protect your AWS accounts, workloads, and data from threats.

GuardDuty for AWS workload protection

Learn more about how you can apply the broad threat detection coverage in GuardDuty to workloads and resources across your AWS environment.

  • GuardDuty is capable of analyzing over a trillion Amazon Simple Storage Service (Amazon S3) events per day. Continuously monitor and profile Amazon S3 data access events and S3 configurations to detect suspicious activities such as requests coming from an unusual geolocation, disabling of preventative controls like S3 block public access, or API call patterns consistent with an attempt to discover misconfigured bucket permissions.


  • GuardDuty EKS Protection is a GuardDuty feature that monitors Amazon Elastic Kubernetes Service (Amazon EKS) cluster control plane activity by analyzing Amazon EKS audit logs.


  • Detect runtime threats from over 30 security findings to protect your Amazon EKS clusters. EKS Runtime Monitoring uses a fully-managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections.


  • Gain visibility into on-host operating system–level activities and container-level context into potential threats to your Amazon Elastic Container Service (Amazon ECS) workloads—including serverless workloads on AWS Fargate.


  • GuardDuty EC2 Runtime Monitoring gives you fully managed threat detection visibility for Amazon EC2 instances at runtime, and complements the anomaly detection that GuardDuty already provides by continuously monitoring VPC Flow Logs, DNS query logs, and AWS CloudTrail management events.

    GuardDuty EC2 Runtime Monitoring continuously monitors for malicious activity and unauthorized behavior. It gives you near real-time visibility into on-host, operating system-level activities occurring across your Amazon EC2 workloads.


  • Scan workloads for malware when GuardDuty detects that one of your Amazon EC2 instances or container workloads running on Amazon EC2 is doing something suspicious.


  • Using tailored machine learning models and integrated threat intelligence, GuardDuty can detect potential threats in Amazon Relational Database Service (Amazon RDS), starting with Amazon Aurora, such as high-severity brute force attacks, suspicious logins, and access by known threat actors.


  • Continuously monitor network activity, starting with VPC Flow Logs, from your serverless workloads to detect threats such as AWS Lambda functions maliciously repurposed for unauthorized cryptocurrency mining, or compromised Lambda functions that are communicating with known threat actor servers.


Use cases

Gain insight into compromised credentials, unusual data access in Amazon S3, suspicious logins in Aurora, and API calls from known malicious IP addresses.

Receive findings with context, metadata, and impacted resource details. Determine root cause with Amazon Detective. Route findings to AWS Security Hub and Amazon EventBridge.

Initiate scans of your Amazon Elastic Block Store (Amazon EBS) volumes associated with your Amazon EC2 instances and container workloads to detect the presence of malware, such as backdoor intrusions, cryptocurrency-related activity, and trojans.

Remove complexity for security and application teams with a single place to identify, profile, and manage threats to your AWS container environments across Amazon EKS and Amazon ECS, including both instance and serverless container workloads.

Demonstrate ability to meet intrusion detection requirements mandated by certain compliance frameworks. 

