Overview
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, Amazon Elastic Compute Cloud (EC2) workloads, container applications, Amazon Aurora databases, and data stored in Amazon Simple Storage Service (S3). GuardDuty combines machine learning, anomaly detection, network monitoring, and malicious file discovery, using both AWS and industry-leading third-party sources to help protect workloads and data on AWS. GuardDuty is capable of analyzing tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Elastic Kubernetes Service (EKS) audit and system-level logs, and DNS query logs.
Amazon GuardDuty identifies unusual activity within your accounts, analyzes the security relevance of the activity, and gives the context in which it was invoked. This allows a responder to determine if they should spend time on further investigation. GuardDuty findings are assigned a severity, and actions can be automated by integrating with AWS Security Hub, Amazon EventBridge, AWS Lambda, and AWS Step Functions. Amazon Detective is also tightly integrated with GuardDuty, so you can perform deeper forensic and root cause investigation.
Accurate, account-level threat detection
Amazon GuardDuty gives you accurate threat detection of compromised accounts, which can be difficult to detect quickly if you are not continuously monitoring factors in near real-time. GuardDuty can detect signs of account compromise, such as AWS resource access from an unusual geo-location at an atypical time of day. For programmatic AWS accounts, GuardDuty checks for unusual application programming interface (API) calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.
Continuous monitoring across AWS accounts without added cost and complexity
Amazon GuardDuty continuously monitors and analyzes your AWS account and workload event data found in AWS CloudTrail, VPC Flow Logs, and DNS Logs. There is no additional security software or infrastructure to deploy and maintain. By associating your AWS accounts together, you can aggregate threat detection instead of working on an account-by-account basis. In addition, you do not have to collect, analyze, and correlate large volumes of AWS data from multiple accounts. You can focus on responding quickly, keeping your organization secure, and continuing to scale and innovate on AWS.
Threat detections developed and optimized for the cloud
Amazon GuardDuty helps you access built-in detection techniques developed and optimized for the cloud. AWS Security continuously maintains and improves these detection algorithms. The primary detection categories include:
- Reconnaissance: Activity suggesting reconnaissance by an attacker, such as unusual API activity, suspicious database login attempts, intra-VPC port scanning, unusual failed login request patterns, or unblocked port probing from a known bad IP.
- Instance compromise: Activity indicating an instance compromise, such as cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high network traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
- Account compromise: Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, credential theft, suspicious database login activity, and API calls from known malicious IP addresses.
- Bucket compromise: Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual Amazon S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets.
A full list of GuardDuty finding types is published in the GuardDuty documentation.
GuardDuty offers these advanced detections using machine learning and anomaly detection to identify previously difficult to find threats, such as unusual API call patterns or malicious AWS Identity and Access Management (IAM) user behavior. GuardDuty also has integrated threat intelligence, which includes lists of malicious domains or IP addresses from AWS Security and industry-leading third-party security partners, including Proofpoint and CrowdStrike.
GuardDuty gives you an alternative to building in-house solutions, maintaining complex custom rules, or developing your own threat intelligence of known malicious IP addresses. GuardDuty removes the undifferentiated heavy lifting and unnecessary complexity of monitoring and protecting your AWS accounts and workloads.
Threat severity levels for efficient prioritization
Amazon GuardDuty provides three severity levels (Low, Medium, and High) to help customers prioritize their response to potential threats. A “Low” severity level indicates suspicious or malicious activity that was blocked before it compromised your resource. A “Medium” severity level indicates suspicious activity, for example a large amount of traffic returned to a remote host hiding behind the Tor network, or activity that deviates from normally observed behavior. A “High” severity level indicates that the resource in question (e.g. an Amazon EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.
Threat response and remediation automation
Amazon GuardDuty offers HTTPS APIs, command-line interface (CLI) tools, and Amazon CloudWatch Events to support automated security responses to security findings. For example, you can automate the response workflow by using CloudWatch Events as an event source to invoke an AWS Lambda function.
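The following is an added example, not code from AWS or from this page, showing the response pattern described above together with the severity levels from the previous section: a Lambda handler receives a GuardDuty finding delivered as a CloudWatch Events/EventBridge event, maps the finding's numeric severity onto the three Low/Medium/High levels, and returns a routing decision. The sample event, the account and finding identifiers, the numeric thresholds (4.0 and 7.0), and the `RESPONSE_PLAN` names are all constructed assumptions for illustration; the envelope fields (`source`, `detail-type`, `detail`) follow the shape EventBridge uses for GuardDuty findings.

```python
import json
from typing import Any, Dict

# Constructed sample event in the shape EventBridge uses to deliver a GuardDuty
# finding: source "aws.guardduty", detail-type "GuardDuty Finding", and the
# finding JSON under "detail". Identifiers and account numbers are placeholders.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "UnauthorizedAccess:IAMUser/TorIPCaller",
        "severity": 5.0,
        "accountId": "111122223333",
        "region": "us-east-1",
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"userName": "example-user", "userType": "IAMUser"},
        },
        "service": {"count": 3, "action": {"actionType": "AWS_API_CALL"}},
    },
}

# Assumed mapping of GuardDuty's numeric severity score onto the three levels
# the page describes; adjust the thresholds to your own triage policy.
def severity_label(score: float) -> str:
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

# Hypothetical response plan names; in a real deployment these would map to
# ticketing, paging, or containment steps (e.g. a Step Functions workflow).
RESPONSE_PLAN = {
    "High": "page-oncall-and-contain",
    "Medium": "open-ticket-for-analyst",
    "Low": "log-and-aggregate",
}

def triage_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Validate the envelope, bucket the severity, and choose a response."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    resource = finding.get("resource", {})
    return {
        "finding_id": finding["id"],
        "finding_type": finding["type"],
        "severity": label,
        "account": finding.get("accountId"),
        "resource_type": resource.get("resourceType"),
        "action": RESPONSE_PLAN[label],
    }

def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point invoked by the EventBridge/CloudWatch Events rule."""
    decision = triage_finding(event)
    print(json.dumps(decision))  # lands in CloudWatch Logs for audit
    return decision

def high_severity_event_pattern() -> Dict[str, Any]:
    """Assumed EventBridge rule pattern that forwards only High findings
    (uses EventBridge's numeric matching syntax) to this function."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", 7]}]},
    }

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Rejecting anything that is not a GuardDuty finding event is deliberate: a Lambda wired to a broad EventBridge rule should fail closed rather than act on an unexpected payload, and the severity bucket, not the raw score, is what drives which response plan runs.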
Highly available threat detection
Amazon GuardDuty is designed to automatically manage resource utilization based on the overall activity levels within your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty adds detection capacity only when necessary, and reduces utilization when capacity is no longer needed. You now have a cost-effective architecture that maintains the security processing power you need while minimizing expenses. You only pay for the detection capacity you use, when you use it. GuardDuty gives you security at scale, no matter your size.
One-step deployment with no additional software or infrastructure to deploy and manage
With one action in the AWS Management Console or a single API call, you can activate Amazon GuardDuty on a single account. With a few more steps in the console, you can activate GuardDuty across multiple accounts. Amazon GuardDuty supports multiple accounts through AWS Organizations integration as well as natively within GuardDuty. Once turned on, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real time and at scale. There is no additional security software, and no sensors or network appliances, to deploy or manage. Threat intelligence is pre-integrated into the service and is continuously updated and maintained.