Service Overview

Q: What is Amazon GuardDuty?

Amazon GuardDuty offers threat detection that enables you to continuously monitor and protect your AWS accounts and workloads. GuardDuty analyzes continuous streams of meta-data generated from your account and network activity found in AWS CloudTrail Events, Amazon VPC Flow Logs, and DNS Logs. It also uses integrated threat intelligence such as known malicious IP addresses, anomaly detection, and machine learning to identify threats more accurately.

Q: What are the key benefits of Amazon GuardDuty?

Amazon GuardDuty makes it easy for you to enable continuous monitoring of your AWS accounts and workloads. It operates completely independently from your resources so there is no risk of performance or availability impacts to your workloads. It’s fully managed with integrated threat intelligence, anomaly detection, and machine learning. Amazon GuardDuty delivers detailed and actionable alerts that are easy to integrate with existing event management and workflow systems. There are no upfront costs and you pay only for the events analyzed, with no additional software to deploy or subscriptions to threat intelligence feeds required.

Q: How much does Amazon GuardDuty cost?

Amazon GuardDuty is priced along two dimensions. The dimensions are based on the quantity of AWS CloudTrail Events analyzed (per 1,000,000 events) and the volume of Amazon VPC Flow Logs and DNS Logs analyzed (per GB).

  • AWS CloudTrail Event analysis – GuardDuty continuously analyzes AWS CloudTrail management events, monitoring all access and behavior of your AWS accounts and infrastructure. CloudTrail Event analysis is charged per 1,000,000 events per month and pro-rated.
  • VPC Flow Log and DNS Log analysis – GuardDuty continuously analyzes VPC Flow Logs and DNS requests and responses to identify malicious, unauthorized, or unexpected behavior in your Amazon EC2 instances. Flow log and DNS log analysis is charged per Gigabyte (GB) per month. Flow log and DNS log analysis is offered with tiered volume discounts.

There are no upfront charges and you pay only for the data analyzed.

See Amazon GuardDuty pricing for details and pricing examples.

Q. Does the estimated cost in the Amazon GuardDuty payer account show the total aggregated costs for linked accounts, or just that individual payer account?

The estimated cost represents only the cost for the individual payer account. In the case of the Master account, you will only see the estimated cost for the Master account.

Q: Is there a free trial?

Yes, any new account to Amazon GuardDuty can try the service for 30-days at no cost. You will have access to the full feature set and detections during the free trial. GuardDuty will display the volume of data processed and estimated daily average service charges for your account. This makes it easy for you to experience Amazon GuardDuty at no cost and forecast the cost of the service beyond the free trial.

Q: What is the difference between Amazon GuardDuty and Amazon Macie?

Amazon GuardDuty provides broad protection of your AWS accounts, workloads, and data by helping to identify threats such as attacker reconnaissance, instance compromise, and account compromise. Amazon Macie helps you protect your data in Amazon S3 by helping you classify what data you have, the value that data has to the business, and the behavior associated with access to that data. Both services incorporate user behavior analysis, machine learning, and anomaly detection to detect threats in their respective categories.

Q: Is Amazon GuardDuty a regional or global service?

Amazon GuardDuty is a regional service. Even when multiple accounts are enabled and multiple regions are used, the Amazon GuardDuty security findings remain in the same regions where the underlying data was generated. This ensures all data analyzed is regionally based and doesn’t cross AWS regional boundaries. Customers can choose to aggregate security findings produced by Amazon GuardDuty across regions by utilizing AWS CloudWatch Events, pushing findings to a data store in the customer’s control, like Amazon S3, and then aggregating findings as they see fit.

Q: What regions does Amazon GuardDuty support?

The regional availability of Amazon GuardDuty is listed here: AWS Region Table

Q: What partners work with Amazon GuardDuty?

There are many technology partners that have integrated and built on Amazon GuardDuty. There are also consulting, system integrator, and managed security service providers with expertise in GuardDuty. See Amazon GuardDuty partners.

Enabling GuardDuty

Q: How do I enable Amazon GuardDuty?

Amazon GuardDuty can be enabled with a few clicks in the AWS Management console. Once enabled, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real-time and at scale. There are no additional security software, sensors, or network appliances to deploy or manage. Threat intelligence is pre-integrated into the service and are continuously updated and maintained.  

Q: Can I manage multiple accounts with Amazon GuardDuty?

Yes, Amazon GuardDuty has a multiple account feature that allows you to associate and manage multiple AWS accounts from a single master account. When used, all security findings are aggregated to the administrator or Amazon GuardDuty master account for review and remediation. AWS CloudWatch Events are also aggregated to the Amazon GuardDuty master account when using this configuration.

Q: What data sources does Amazon GuardDuty analyze?

Amazon GuardDuty analyzes AWS CloudTrail, VPC Flow Logs, and AWS DNS logs. The service is optimized to consume large volumes of data for near real-time processing of security detections. GuardDuty gives you access to built-in detection techniques that are developed and optimized for the cloud and maintained and continuously improved upon by AWS Security.  

Q: How quickly does GuardDuty start working?

Once enabled, Amazon GuardDuty immediately starts analyzing for malicious or unauthorized activity. The timeframe to begin receiving findings depends on the activity level in your account. GuardDuty does not look at historical data, only activity that starts after it is enabled. If GuardDuty identifies any potential threats, you’ll receive a finding in the GuardDuty console.

Q: Do I have to enable AWS CloudTrail, VPC Flow Logs, and DNS logs for Amazon GuardDuty to work?

No. Amazon GuardDuty pulls independent streams of data directly from AWS CloudTrail, VPC Flow Logs, and AWS DNS logs. You don’t have to manage Amazon S3 bucket policies or modify the way you may collect and store your logs. GuardDuty permissions are managed as Service Linked Roles that you can revoke at any time by disabling GuardDuty. This makes it easy to enable the service without complex configuration and it eliminates the risk that an AWS IAM permission modification or S3 bucket policy change will affect the operation of the service. It also makes GuardDuty extremely efficient at consuming high-volumes of data in near real-time without affecting the performance or availability of your account or workloads.

Q: Is there any performance or availability impact to enabling Amazon GuardDuty on my account?

No. Amazon GuardDuty operates completely independent of your AWS resources and there is no risk of impact to your accounts or workloads. This makes it easy for GuardDuty to be enabled across many accounts in an organization without impacting existing operations.

Q: Does Amazon GuardDuty manage or keep my logs?

No. Amazon GuardDuty does not manage or retain your logs. All data consumed by GuardDuty is analyzed in near real-time and discarded. This allows GuardDuty to be highly efficient, cost effective, and reduces the risk of data remanence. For delivery and retention of logs, you should use AWS logging and monitoring services directly, which provide full-featured delivery and retention options.

Q: How can I stop Amazon GuardDuty from looking at my logs and data sources?

You can stop Amazon GuardDuty from analyzing your data sources at any time by choosing to suspend the service in the general settings. This will immediately stop the service from analyzing data, but not delete your existing findings or configurations. You can also choose to disable the service in the general settings. This will delete all remaining data, including your findings and configurations before relinquishing the service permissions and resetting the service.

GuardDuty Findings

Q: What can Amazon GuardDuty detect?

Amazon GuardDuty gives you access to built-in detection techniques that are developed and optimized for the cloud. The detection algorithms are maintained and continuously improved upon by AWS Security. The primary detection categories include:

  • Reconnaissance -- Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.
  • Instance compromise -- Activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
  • Account compromise -- Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.

Q: What is Amazon GuardDuty threat intelligence?

Amazon GuardDuty threat intelligence is made up of IP addresses and domains known to be used by attackers. GuardDuty threat intelligence is provided by AWS Security and third party providers, such as Proofpoint and CrowdStrike. These threat intelligence feeds are pre-integrated and continuously updated in GuardDuty at no additional cost.

Q: Can I supply my own threat intelligence?

Yes. Amazon GuardDuty makes it easy to upload your own threat intelligence or IP safe list. When this feature is used, these lists are only applied to your account and not shared with other customers.

Q: How do machine learning and behavioral anomaly detections work?

The more advanced behavioral and machine learning detections take between 7 and 14 days to set a baseline of behavior in your account. After that time, the anomaly detections flip from a learning mode to an active mode. Once active, you will only see findings generated from these detections if the service observes behavior that suggests a threat.

Q: How are security findings delivered?

When a threat is detected, Amazon GuardDuty delivers a detailed security finding to the GuardDuty console and AWS CloudWatch Events. This makes alerts actionable and easy to integrate into existing event management or workflow systems. The findings include the category, resource affected, and meta-data associated with the resource, such as a severity level.

Q: What is the format of Amazon GuardDuty findings?

Amazon GuardDuty findings come in a common JSON format that is also used by Amazon Macie and Amazon Inspector. This makes it easy for customers and partners to consume security findings from all three services and incorporate them into broader event management, workflow, or security solutions.

Q: How long are security findings made available in Amazon GuardDuty?

Security findings are retained and made available through the Amazon GuardDuty console and APIs for 90-days. After 90-days, the findings are discarded. To retain findings for longer than 90-days, you can enable AWS CloudWatch Events to automatically push findings to an Amazon S3 bucket in your account or other data store for long-term retention.

Q: Can I take automated preventative actions using Amazon GuardDuty?

With Amazon GuardDuty, AWS CloudWatch Events, and AWS Lambda, you have the flexibility to set up automated preventative actions based on a security finding. For example, you can create a Lambda function to modify your AWS security group rules based on security findings. If you get a GuardDuty finding indicating one of your Amazon EC2 instances is being probed by a known malicious IP, you can address it through a CloudWatch Events rule that triggers a Lambda function to automatically modify your security group rules and restrict access on that port.

Q: How are Amazon GuardDuty detections developed and managed?

Amazon GuardDuty has a team focused on the development, management, and iteration of detections. This produces a steady cadence of new detections in the service and continuous iteration on existing detections. Several feedback mechanisms are built into the service, such as the thumbs up and thumbs down in each security finding found in the GuardDuty UI. This allows customers to provide feedback that is incorporated into future iterations of GuardDuty detections.

Q: Can I write custom detections in Amazon GuardDuty?

No. Amazon GuardDuty removes the heavy lifting and complexity of developing and maintaining your own custom rule sets. New detections are continuously added based on customer feedback and research done by AWS Security and the GuardDuty team. Customer configured customizations include adding your own Threat Lists and IP Safe Lists.

Learn more about product pricing

See pricing examples and free trial details

Learn more 
Sign up for a free trial

Get access to the Amazon GuardDuty free trial. 

Start free trial 
Start building in the console

Get started with Amazon GuardDuty in the AWS Console.

Sign in