Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
Enabled with a few clicks in the AWS Management Console, Amazon GuardDuty can immediately begin analyzing billions of events across your AWS accounts for signs of risk. GuardDuty identifies suspected attackers through integrated threat intelligence feeds and uses machine learning to detect anomalies in account and workload activity. When a potential threat is detected, the service delivers a detailed security finding to the GuardDuty console and to Amazon CloudWatch Events, so findings can be acted on directly or routed into existing event management and workflow systems.
Amazon GuardDuty is cost effective and easy to enable. It does not require you to deploy or maintain software or security infrastructure, so it can be turned on quickly with no risk of negatively impacting existing application workloads. There are no upfront costs with GuardDuty, no software to deploy, and no threat intelligence feeds to license or maintain yourself. Customers pay for the volume of events GuardDuty analyzes, and a 30-day free trial is available for every account new to the service.
How it works
Amazon GuardDuty gives you intelligent threat detection by collecting, analyzing, and correlating billions of events from AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs across all of your associated AWS accounts. GuardDuty reads these sources through its own independent stream, so you do not have to create CloudTrail trails or enable VPC Flow Logs yourself for it to analyze them; note that the DNS source only covers queries sent to the VPC's AWS-provided resolver, so instances using another resolver are not visible on that channel. GuardDuty detections are made more accurate by incorporating threat intelligence (such as lists of known malicious IP addresses provided by AWS Security and third-party threat intelligence partners). GuardDuty also uses machine learning to detect anomalous account and network activity. For example, GuardDuty will alert you if it detects API calls from a known malicious IP address, indicating potentially compromised AWS credentials. GuardDuty also detects direct threats to your AWS environment that indicate a compromised instance, such as an Amazon EC2 instance sending encoded data within DNS queries.
Many organizations use multiple AWS accounts to help provide proper cost allocation, agility, and security. With a few clicks in the AWS Management Console, you can centralize your threat detection by enabling Amazon GuardDuty across any of your AWS accounts. With GuardDuty, there is no need to install additional security software or infrastructure to analyze your account and workload activity data. Your security operations center team can easily manage and triage threats from a single console view and automate security responses using a single security account.
In addition to detecting threats, Amazon GuardDuty also makes it easy to automate how you respond to them, reducing your remediation and recovery time. You can set up CloudWatch Events rules that trigger your remediation scripts or AWS Lambda functions whenever GuardDuty publishes a finding. GuardDuty findings include the affected resource's details, such as tags, security groups, or credentials, as well as attacker information, such as IP address and geo-location, which makes them informative and actionable. Account compromise, for example, is difficult to detect quickly unless account activity is monitored continuously in near real-time. With GuardDuty, when an instance is suspected of exfiltrating data, the finding can trigger automation that, for example, creates an access control entry restricting outbound access from that instance while your team investigates.
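The following is an added example, not code from AWS or from the GuardDuty service, of the response flow described above and of the finding contents described under "How it works": a Lambda handler receives a GuardDuty finding from CloudWatch Events, pulls out the affected instance and the attacker details, and, for a high-severity exfiltration finding, swaps every network interface of the instance onto a quarantine security group that has no egress rules. Everything named here is an assumption for the example: the quarantine security group (its id is expected in the environment variable `QUARANTINE_SG_ID`), the `DRY_RUN` switch, the severity threshold, and the sample event, which is constructed to match the shape of a GuardDuty finding and is not a real finding.

```python
"""
Auto-remediation for a GuardDuty finding delivered through CloudWatch Events.

Added example, not AWS code. Assumptions: a pre-created quarantine security
group with no egress rules whose id arrives in QUARANTINE_SG_ID; the Lambda
role may call ec2:ModifyNetworkInterfaceAttribute; DRY_RUN=1 records the
calls instead of making them. All identifiers below are made up.
"""
import os
from typing import Any, Dict, List

# Finding types this example treats as "data is leaving the instance".
EXFIL_PREFIXES = ("Trojan:EC2/DNSDataExfiltration",)
MIN_SEVERITY = 7.0  # GuardDuty severity is 0-10; 7.0 and above is "High"


def finding_from_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Unwrap the CloudWatch Events envelope; reject anything that is not a GuardDuty finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    return event["detail"]


def attacker_summary(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Collect the actor details a responder wants: remote IP and country, or the queried domain."""
    action = finding.get("service", {}).get("action", {})
    out: Dict[str, Any] = {"actionType": action.get("actionType")}
    conn = action.get("networkConnectionAction") or action.get("portProbeAction") or {}
    remote = conn.get("remoteIpDetails", {})
    if remote:
        out["remoteIp"] = remote.get("ipAddressV4")
        out["country"] = remote.get("country", {}).get("countryName")
    dns = action.get("dnsRequestAction", {})
    if dns:
        out["domain"] = dns.get("domain")
    return out


def should_quarantine(finding: Dict[str, Any]) -> bool:
    """Act only on high-severity exfiltration findings whose resource is an EC2 instance."""
    if finding.get("resource", {}).get("resourceType") != "Instance":
        return False
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return False
    return finding.get("type", "").startswith(EXFIL_PREFIXES)


def quarantine_plan(finding: Dict[str, Any], quarantine_sg: str) -> List[Dict[str, Any]]:
    """One ModifyNetworkInterfaceAttribute call per ENI, replacing all of its groups with the quarantine SG."""
    inst = finding["resource"]["instanceDetails"]
    return [
        {"NetworkInterfaceId": eni["networkInterfaceId"], "Groups": [quarantine_sg]}
        for eni in inst.get("networkInterfaces", [])
    ]


class RecordingEC2:
    """Dry-run stand-in for the boto3 EC2 client: records the calls instead of making them."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def modify_network_interface_attribute(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {}


def remediate(event: Dict[str, Any], ec2: Any, quarantine_sg: str) -> Dict[str, Any]:
    """Summarize the finding for the ticket and, if it qualifies, cut the instance off."""
    finding = finding_from_event(event)
    result: Dict[str, Any] = {
        "findingId": finding.get("id"),
        "type": finding.get("type"),
        "instanceId": finding.get("resource", {}).get("instanceDetails", {}).get("instanceId"),
        "attacker": attacker_summary(finding),
        "quarantined": [],
    }
    if not should_quarantine(finding):
        return result
    for params in quarantine_plan(finding, quarantine_sg):
        ec2.modify_network_interface_attribute(**params)
        result["quarantined"].append(params["NetworkInterfaceId"])
    return result


def lambda_handler(event: Dict[str, Any], context: Any, ec2: Any = None) -> Dict[str, Any]:
    """Lambda entry point; a client may be injected for testing."""
    if ec2 is None:
        if os.environ.get("DRY_RUN") == "1":
            ec2 = RecordingEC2()
        else:
            import boto3  # only needed when actually calling AWS
            ec2 = boto3.client("ec2")
    return remediate(event, ec2, os.environ["QUARANTINE_SG_ID"])


# Constructed sample event in the shape GuardDuty findings take in CloudWatch Events.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "00000000000000000000000000000000",
        "type": "Trojan:EC2/DNSDataExfiltration",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "tags": [{"key": "Name", "value": "web-1"}],
                "networkInterfaces": [{
                    "networkInterfaceId": "eni-0123456789abcdef0",
                    "vpcId": "vpc-0123456789abcdef0",
                    "securityGroups": [{"groupId": "sg-0123456789abcdef0", "groupName": "web"}],
                }],
            },
        },
        "service": {"action": {"actionType": "DNS_REQUEST",
                               "dnsRequestAction": {"domain": "data.exfil.example.com",
                                                    "protocol": "UDP", "blocked": False}}},
    },
}

if __name__ == "__main__":
    os.environ.setdefault("QUARANTINE_SG_ID", "sg-quarantine00000")
    os.environ["DRY_RUN"] = "1"
    print(lambda_handler(SAMPLE_EVENT, None))
```

Two points matter in practice. The quarantine security group must have its default allow-all egress rule removed (a freshly created group allows all outbound traffic), otherwise the swap changes nothing; and the handler replaces the instance's groups rather than editing them, so the original group ids in the finding are what you use to restore service once the investigation is closed.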