Amazon GuardDuty
Protect your AWS accounts with intelligent threat detection
Start your 30-day free trial
with the AWS Free Tier
Continuously monitor your AWS accounts, instances, serverless and container workloads, users, databases, and storage for potential threats.
Expose threats quickly using anomaly detection, ML, behavioral modeling, and threat intelligence feeds from AWS and leading third parties.
Mitigate threats early by initiating automated responses.
Quickly and easily scale threat detection across your environment.
How it works
This diagram details GuardDuty’s features and integration with different AWS workload and resource types. The diagram is divided into five sections that display from left to right.
The first section is titled “Amazon GuardDuty,” and says, “A threat detection service that continuously monitors for compromised accounts, anomalous behavior, and malware.”
The second section is titled “Activate GuardDuty.” The second section says, “With a few steps in the console, monitor all your AWS accounts without additional software to deploy or manage.”
The third section explains the different workload and resource types that you can continuously monitor for threats using Amazon GuardDuty. The items outlined are: Amazon S3, databases, container workloads, instance workloads, accounts and users, and serverless.
In the third section, under the workload and resource types, there is a box titled “Continuously analyze.” The box then says, “Automatically and continuously monitor AWS workloads and resources for potential threats at scale.”
The fourth section has an illustration depicting crosshairs, with an alert or warning icon. This section describes how GuardDuty intelligently detects threats, and says “GuardDuty uses machine learning, anomaly detection, malware scanning, and integrated threat intelligence to identify and prioritize potential threats.”
Amazon GuardDuty for AWS workload protection
Amazon GuardDuty analyzes and processes data from foundational data sources to detect anomalies involving AWS Identity and Access Management (IAM) access keys and Amazon Elastic Compute Cloud (Amazon EC2). You can also activate GuardDuty protection plans to analyze additional data from other AWS services in your AWS environment to protect workloads using Amazon S3, Amazon EKS, Amazon RDS, and AWS Lambda.
GuardDuty S3 Protection
Continuously monitor and profile Amazon S3 data access events and Amazon S3 configurations to detect suspicious activities such as requests coming from an unusual geo-location, disabling of preventative controls such as Amazon S3 block public access, or API call patterns consistent with an attempt to discover misconfigured bucket permissions.
GuardDuty EKS Protection
GuardDuty EKS Protection is a GuardDuty feature that monitors Amazon EKS cluster control plane activity by analyzing Amazon EKS audit logs.
GuardDuty EKS Runtime Monitoring
Detect runtime threats from over 30 security findings to protect your Amazon EKS clusters. EKS Runtime Monitoring uses a fully-managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections.
GuardDuty Malware Protection
Scan workloads for malware when GuardDuty detects that one of your Amazon EC2 instances or container workloads running on Amazon EC2 is doing something suspicious.
GuardDuty RDS Protection
Using tailored machine learning models and integrated threat intelligence, GuardDuty can detect potential threats in Amazon Relational Database Service (Amazon RDS), starting with Amazon Aurora, such as high-severity brute force attacks, suspicious logins, and access by known threat actors.
GuardDuty Lambda Protection
Continuously monitor network activity, starting with VPC Flow Logs, from your serverless workloads to detect threats such as AWS Lambda functions maliciously repurposed for unauthorized cryptocurrency mining, or compromised Lambda functions that are communicating with known threat actor servers.
Use cases
Improve security operations visibility
Gain insight of compromised credentials, unusual data access in Amazon Simple Storage Service (S3), suspicious logins in Amazon Aurora, and API calls from known malicious IP addresses.
Assist analysts in investigations and automate remediation
Receive findings with context, metadata, and impacted resource details. Determine root cause with Amazon Detective. Route findings to AWS Security Hub and Amazon EventBridge.
Identify files containing malware
Scan Amazon Elastic Block Store (EBS) for files that might have malware creating suspicious behavior on instance and container workloads running on Amazon Elastic Compute Cloud (EC2).
Detect and mitigate threats in your container environment
Identify and profile possible malicious or suspicious behavior in container workloads by analyzing Amazon EKS audit logs and container runtime activity.
Customers
How to get started
Find out how Amazon GuardDuty works
Learn more about the features and capabilities that GuardDuty offers.
Learn about customers using GuardDuty
See how global companies are using GuardDuty to protect their AWS accounts with intelligent threat detection.
Get started with GuardDuty on the AWS Free Tier
Try GuardDuty for 30 days at no cost and get full access to GuardDuty features and detection findings.