Overview of AWS GuardDuty managed threat detection including data sources, finding types, multi-account deployment, and automated response integration.
# AWS GuardDuty
PDM Domain(s): TID, VSD
---
AWS GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for malicious activity without requiring infrastructure deployment or management overhead. GuardDuty exists because cloud environments generate telemetry volumes that exceed human analysis capacity while adversaries operate at machine speed and scale across multiple attack vectors simultaneously.
The service automatically ingests and analyzes VPC Flow Logs, DNS query logs, CloudTrail API logs, and EKS audit logs using machine learning models, anomaly detection algorithms, and integrated threat intelligence feeds. This multi-source correlation approach enables GuardDuty to surface sophisticated attack patterns like credential compromise, lateral movement, data exfiltration, and cryptomining that single-point monitoring solutions miss entirely.
GuardDuty fits into the broader AWS security ecosystem as the primary threat detection layer, designed to complement preventive controls like Identity and Access Management (IAM), Security Groups, and AWS Config. While preventive controls establish boundaries and rules, GuardDuty provides continuous behavioral analysis to detect when those boundaries have been circumvented or when authorized access is being abused for malicious purposes.
The service operates as a regional deployment that can aggregate findings across multiple accounts through AWS Organizations integration. This architecture allows enterprises to maintain centralized threat visibility while preserving account isolation for compliance and operational boundaries. GuardDuty's managed nature eliminates the operational overhead of maintaining threat detection infrastructure, updating threat intelligence feeds, and tuning machine learning models, which are significant barriers to effective threat detection in most organizations.
GuardDuty operates through automated data ingestion, multi-layered analysis engines, and structured finding generation. The service activates with a single API call or console click per region and immediately begins analyzing existing log streams without requiring log forwarding configuration or agent deployment.
GuardDuty automatically accesses four primary data sources within each enabled account. VPC Flow Logs provide network traffic metadata including source and destination IP addresses, ports, protocols, packet counts, and byte transfers for all network interfaces. DNS query logs capture domain resolution requests and responses, revealing communication patterns with external services and potential command-and-control infrastructure. CloudTrail event logs contain all API calls made within the account, including authentication events, resource modifications, and administrative actions. For accounts running Amazon EKS, GuardDuty also analyzes Kubernetes audit logs to detect container-specific threats.
The service accesses these logs through service-linked roles that provide read-only permissions to the underlying data streams. This access model ensures GuardDuty receives comprehensive telemetry without organizations needing to configure log forwarding, manage storage costs, or maintain data processing infrastructure.
GuardDuty applies three analysis techniques to incoming telemetry: threat intelligence matching, machine learning-based anomaly detection, and rule-based behavioral analysis. Threat intelligence feeds include AWS Security's proprietary research, commercial threat intelligence providers, and open-source feeds like the Spamhaus Project and Proofpoint Emerging Threats. These feeds contain known malicious IP addresses, domain names, and other indicators of compromise.
Machine learning models establish baseline behaviors for each account and identify deviations that suggest malicious activity. For example, GuardDuty learns normal API usage patterns for each IAM principal and flags unusual activity like a service role being used interactively or administrative actions performed from geographic locations outside established patterns. The models also analyze network traffic patterns to identify behaviors like data exfiltration, where large volumes of data are transferred to previously unseen external destinations.
Rule-based detection identifies specific attack techniques mapped to the MITRE ATT&CK framework. These rules detect activities like cryptocurrency mining based on network connections to mining pools, credential stuffing attacks based on high-volume failed authentication patterns, and backdoor installation based on specific API call sequences that modify IAM policies or create new access credentials.
When GuardDuty detects suspicious activity, it generates structured findings that include threat type, affected resources, severity scoring, and contextual details. Each finding receives a severity rating from 0.1 to 8.9 in three bands: Low (0.1-3.9), Medium (4.0-6.9), and High (7.0-8.9). The scoring considers factors like the confidence level of the detection, the sensitivity of affected resources, and the potential impact of the identified threat.
GuardDuty organizes findings by resource type and attack category. EC2 instance findings include threats like instances communicating with command-and-control servers, instances performing network scans, or instances exhibiting cryptomining behavior. IAM credential findings detect activities like credentials being used from unusual geographic locations, compromised credentials performing reconnaissance activities, or credentials being used to escalate privileges. S3 bucket findings identify threats like data being accessed from Tor exit nodes, unusual data access patterns suggesting reconnaissance, or bucket configuration changes that reduce security controls.
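Finding types follow a fixed naming shape (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact), and the resource type plus the severity band are usually the first two things a triage script keys on. The following is an added example, not code from the article or from AWS: it parses that shape, maps the numeric severity onto the bands described above, and groups a constructed batch of findings by resource type and band. The finding ids and severity values are constructed; the type strings are real GuardDuty finding types.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# GuardDuty finding types have the shape
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# where the DetectionMechanism and Artifact parts are optional.
@dataclass(frozen=True)
class FindingType:
    threat_purpose: str
    resource_type: str
    threat_family: str
    detection_mechanism: Optional[str]
    artifact: Optional[str]

def parse_finding_type(finding_type: str) -> FindingType:
    """Split a type string such as Backdoor:EC2/C&CActivity.B!DNS into its parts."""
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    artifact = mechanism = None
    if "!" in rest:
        rest, artifact = rest.split("!", 1)
    if "." in rest:
        rest, mechanism = rest.split(".", 1)
    return FindingType(purpose, resource, rest, mechanism, artifact)

def severity_band(severity: float) -> str:
    """Map a numeric severity onto the Low / Medium / High bands described above."""
    if not 0.1 <= severity <= 8.9:
        raise ValueError(f"severity {severity} is outside the 0.1-8.9 range")
    return "High" if severity >= 7.0 else "Medium" if severity >= 4.0 else "Low"

def triage(findings: list) -> dict:
    """Group finding ids by affected resource type, then by severity band."""
    groups = defaultdict(lambda: defaultdict(list))
    for f in findings:
        ft = parse_finding_type(f["Type"])
        groups[ft.resource_type][severity_band(f["Severity"])].append(f["Id"])
    return {resource: dict(bands) for resource, bands in groups.items()}

# Constructed sample findings: ids and severities are placeholder values,
# the type strings are real GuardDuty finding types.
SAMPLE_FINDINGS = [
    {"Id": "finding-0001", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0},
    {"Id": "finding-0002", "Type": "UnauthorizedAccess:IAMUser/TorIPCaller", "Severity": 5.0},
    {"Id": "finding-0003", "Type": "UnauthorizedAccess:S3/TorIPCaller", "Severity": 5.0},
    {"Id": "finding-0004", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0},
]
```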
For organizations using AWS Organizations, GuardDuty supports delegated administrator functionality that centralizes threat detection management across hundreds or thousands of accounts. The delegated administrator can enable GuardDuty across all member accounts, configure organization-wide threat intelligence feeds, and aggregate findings in a central security account. This architecture maintains account isolation while providing enterprise-wide threat visibility.
Member accounts retain the ability to view findings for their resources and configure account-specific suppression rules, but cannot disable GuardDuty or modify organization-level configuration. This design prevents individual business units from creating security blind spots while maintaining operational autonomy for non-security functions.
GuardDuty integrates with Amazon EventBridge to enable automated response workflows. Organizations can configure EventBridge rules that trigger on specific finding types, severity levels, or affected resource types. These rules can invoke AWS Lambda functions that perform automated remediation like isolating compromised EC2 instances by modifying security groups, rotating suspected compromised credentials, or blocking suspicious IP addresses in Web Application Firewall rules.
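The EventBridge-to-Lambda isolation workflow described above, as an added example that is not code from the article or from AWS. The event pattern restricts delivery to High-band findings against EC2 instances; the handler moves the instance's network interfaces onto a quarantine security group (assumed to permit no traffic) and tags the instance with the finding type so the evidence stays intact for investigation. The `QUARANTINE_SG_ID` environment variable, the resource ids and the sample event are assumptions for illustration; `modify_network_interface_attribute` and `create_tags` are real boto3 EC2 calls.

```python
import os
from typing import Any, Optional
# EventBridge event pattern: deliver only High-band (>= 7.0) GuardDuty findings
# that affect an EC2 instance to the remediation Lambda.
HIGH_SEVERITY_EC2_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7.0]}],
        "resource": {"resourceType": ["Instance"]},
    },
}

# Constructed GuardDuty finding event, trimmed to the fields the handler reads;
# the ids are placeholders, not values from a real account.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0000000000example",
                "networkInterfaces": [{"networkInterfaceId": "eni-0000000000example"}],
            },
        },
    },
}

def isolate_instance(event: dict, ec2: Any, quarantine_sg: str) -> dict:
    """Move every ENI of the affected instance onto the quarantine security group.
    The quarantine group is assumed to permit no traffic, so the instance loses
    network access but keeps running (memory and disks intact) for forensics.
    `ec2` is a boto3 EC2 client or a test double with the same two methods."""
    detail = event["detail"]
    if detail["resource"].get("resourceType") != "Instance":
        return {"action": "skipped", "reason": "finding does not name an EC2 instance"}
    inst = detail["resource"]["instanceDetails"]
    enis = [n["networkInterfaceId"] for n in inst["networkInterfaces"]]
    for eni in enis:  # replaces the ENI's security group list with the quarantine group
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[quarantine_sg])
    ec2.create_tags(Resources=[inst["instanceId"]],
                    Tags=[{"Key": "GuardDutyFinding", "Value": detail["type"]}])
    return {"action": "isolated", "instance_id": inst["instanceId"], "interfaces": enis}

def lambda_handler(event: dict, context: Optional[object] = None) -> dict:
    """Lambda entry point; boto3 is imported lazily so the module loads without it."""
    import boto3
    return isolate_instance(event, boto3.client("ec2"), os.environ["QUARANTINE_SG_ID"])
```

Register `HIGH_SEVERITY_EC2_PATTERN` as the EventBridge rule's event pattern with the Lambda as its target; the handler ignores findings that do not name an instance, so a broader pattern still fails safe.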
Cloud environments generate telemetry volumes that exceed human analysis capacity by orders of magnitude. A mid-sized organization running 500 EC2 instances generates millions of VPC Flow Log entries daily, hundreds of thousands of DNS queries, and tens of thousands of API calls. Security teams attempting manual analysis of this data will miss threats that operate at machine speed and scale across multiple attack vectors simultaneously.
The business impact of undetected threats in cloud environments can be severe and immediate. Cloud infrastructure's API-driven nature allows adversaries who gain initial access to rapidly escalate privileges, access sensitive data, and deploy additional resources for cryptocurrency mining or other malicious purposes. The elastic nature of cloud services means that cryptomining attacks can generate hundreds of thousands of dollars in charges within days, while data exfiltration can occur at gigabit speeds once access is established.
GuardDuty addresses these challenges by providing continuous monitoring that operates at cloud scale and speed. Its multi-source correlation approach surfaces sophisticated attacks that evade single-point monitoring solutions. For example, an adversary who compromises credentials might avoid triggering CloudTrail-based detections by using normal API calls, but GuardDuty's correlation of CloudTrail events with unusual geographic locations or network traffic patterns reveals the compromise.
Organizations without effective threat detection face several critical risks. First, dwell time increases dramatically. The average time between initial compromise and detection in cloud environments without behavioral monitoring exceeds 200 days according to IBM's Cost of a Data Breach report. During this period, adversaries can establish persistence, access sensitive data, and deploy additional malicious infrastructure.
Second, insider threats and credential abuse remain undetected. Traditional perimeter security assumes that authenticated access is authorized access, but GuardDuty's behavioral analysis detects when legitimate credentials are being abused or when authorized users are performing unauthorized activities.
Third, advanced persistent threats that use living-off-the-land techniques evade signature-based detection. These attacks use legitimate tools and services in malicious ways, making them nearly impossible to detect without behavioral analysis and machine learning-based anomaly detection.
Many organizations assume that AWS's shared responsibility model means AWS handles threat detection automatically. However, AWS's responsibility covers infrastructure security, while customers remain responsible for detecting threats within their applications, data, and account usage patterns. GuardDuty fills this gap by providing managed threat detection for customer workloads and data.
Another misconception is that traditional SIEM solutions provide equivalent coverage for cloud environments. However, most SIEM deployments focus on log collection and correlation rather than behavioral analysis and machine learning. They also require significant operational overhead to maintain and tune, while GuardDuty provides threat detection as a managed service with automatic updates and model improvements.
CDA positions GuardDuty as a foundational component of the Threat Intelligence and Defense (TID) domain within our Predictive Defense Intelligence (PDI) methodology. PDI's core principle is "see the threat before it sees you," which requires continuous behavioral monitoring at scale to detect threats during reconnaissance and initial access phases rather than after impact.
GuardDuty aligns with PDI because it provides automated, continuous monitoring that detects threats based on behavioral patterns rather than known signatures. This approach enables organizations to identify threats during early attack phases when defensive actions can prevent rather than merely respond to compromise. The service's machine learning capabilities continuously improve threat detection accuracy and adapt to evolving attack techniques without requiring manual signature updates.
Our theater missions include GuardDuty deployment with custom threat intelligence integration, finding suppression tuning to reduce analyst alert fatigue, and automated response integration through EventBridge and Lambda. We implement organization-wide deployment strategies that provide centralized visibility while maintaining operational boundaries between business units.
CDA differs from conventional GuardDuty implementation in several key areas. First, we integrate custom threat intelligence feeds specific to our clients' industry verticals and threat profiles rather than relying solely on AWS's generic feeds. Second, we implement comprehensive suppression strategies that eliminate false positives without creating detection gaps, which requires deep understanding of both the client's operational patterns and the adversaries they face.
Third, we build automated response workflows that contain threats immediately while preserving forensic evidence for analysis. Conventional implementations often focus on alerting rather than response, leading to situations where threats are detected but continue operating while security teams investigate manually.
The VSD (Vulnerability and Systems Defense) domain owns GuardDuty's integration with preventive controls and incident response processes. This includes ensuring that GuardDuty findings trigger appropriate containment actions and that investigation workflows have access to the contextual information needed for rapid threat assessment.
Our approach treats GuardDuty as an intelligence collection platform rather than merely an alerting tool. Findings provide insights into adversary tactics, techniques, and procedures that inform defensive improvements and threat hunting priorities. This intelligence-driven approach enables predictive defense by identifying attack patterns before they achieve their objectives.
Written by CDA Editorial