25 questions covering all GuardDuty topics for SCS-C03
When you enable GuardDuty, it automatically starts ingesting three foundational data sources: AWS CloudTrail management events (control plane operations), VPC Flow Logs (network traffic metadata), and Route53 Resolver DNS query logs. You don't need to enable anything else for GuardDuty to analyze these sources.
GuardDuty Foundational Data Sources

S3 Protection monitors AWS CloudTrail data events for S3, which includes object-level API operations like GetObject, PutObject, ListObjects, and DeleteObject. This is different from CloudTrail management events (control plane). You don't need to explicitly enable S3 data event logging in CloudTrail for this to work.
GuardDuty S3 Protection

Runtime Monitoring uses a GuardDuty security agent that adds visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. It supports Amazon EKS, AWS Fargate (ECS), and Amazon EC2 resources. The agent can be managed automatically or manually.
GuardDuty Runtime Monitoring

Malware Protection for EC2 performs agentless GuardDuty-initiated malware scans by scanning Amazon EBS volumes attached to EC2 instances and container workloads. When GuardDuty generates a finding indicating potential malware presence, it automatically initiates a scan. You can also trigger On-demand malware scans manually.
GuardDuty Malware Protection for EC2

RDS Protection analyzes and profiles RDS login activity for potential access threats. It detects anomalous login behavior such as previously unseen external actors gaining unauthorized access, or brute-force attempts. It supports Amazon Aurora (MySQL and PostgreSQL compatible) and Amazon RDS for PostgreSQL databases.
GuardDuty RDS Protection

Lambda Protection monitors Lambda network activity logs, including VPC Flow Logs from all Lambda functions (even those that don't use VPC networking). It detects potential threats like cryptomining and communication with malicious servers. Note: Lambda@Edge functions are not included.
GuardDuty Lambda Protection

For multi-account environments, AWS recommends using AWS Organizations and designating a delegated GuardDuty administrator account. This account can manage GuardDuty for all member accounts, configure protection plans organization-wide, and view consolidated findings. The legacy invitation method is also available but Organizations is recommended.
Designating a Delegated Administrator

Trusted IP lists and threat lists allow you to customize GuardDuty's threat detection. Trusted IP lists contain IP addresses that should not trigger findings (e.g., your known infrastructure). Threat lists contain known malicious IPs to enhance detection. These are stored in S3 buckets and referenced by GuardDuty.
Customizing Threat Detection with Lists

GuardDuty integrates with Amazon EventBridge to enable automated responses. You can create EventBridge rules that match GuardDuty finding events and trigger targets like Lambda functions, Step Functions, SNS topics, or other AWS services. This enables automated monitoring, custom notification frequency, and incident response workflows.
Processing Findings with EventBridge

Suppression rules filter low-value, false positive findings, or threats you don't intend to act on. Matching findings are automatically archived, making it easier to focus on impactful security threats. Common use cases include suppressing findings from vulnerability scanners, bastion hosts, or intentionally exposed instances.
Suppression Rules in GuardDuty

GuardDuty offers a 30-day free trial when you first enable it in an account/Region. Each protection plan (S3, EKS, Lambda, RDS, Runtime Monitoring, Malware Protection) also has its own 30-day free trial when first enabled. During the trial, you can estimate usage costs before charges begin.
GuardDuty Pricing

GuardDuty offers flexibility to use Malware Protection for S3 independently, without enabling the core Amazon GuardDuty service. This allows you to scan newly uploaded S3 objects for malware without the full GuardDuty deployment. All other protection plans require the GuardDuty service to be enabled first.
GuardDuty Malware Protection for S3

GuardDuty uses four severity levels: Low (1.0-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). Critical findings indicate attack sequences or active compromise. High indicates actively compromised resources. Medium indicates suspicious activity. Low indicates attempted suspicious activity that didn't succeed.
Severity Levels of GuardDuty Findings

AWS Security Hub provides a comprehensive view of your security state across AWS accounts and integrates findings from GuardDuty, Amazon Inspector, Amazon Macie, and other AWS security services. GuardDuty automatically sends findings to Security Hub when both services are enabled. Amazon Detective is used for investigation/root cause analysis.
GuardDuty Integration with Security Hub

Extended Threat Detection automatically detects multi-stage attacks that span data sources, multiple types of AWS resources, and time within an account. It correlates "signals" (including weak signals like individual API activities) to identify attack sequences. It's enabled by default at no additional cost when GuardDuty is enabled.
Extended Threat Detection Overview

Foundational threat detection (using CloudTrail, VPC Flow Logs, and DNS logs) can detect compromised and exfiltrated AWS credentials, unauthorized cryptomining activity, communication with known malicious IP addresses and domains, and reconnaissance activities. Protection plans add specialized detection for specific services.
What is Amazon GuardDuty?

When GuardDuty consumes CloudTrail Global Service Events (like IAM, STS, S3, CloudFront, Route 53), it replicates those events and processes them in each Region where GuardDuty is enabled. This helps maintain user and role profiles in each Region, vital for detecting anomalous events consistently across all regions.
CloudTrail Management Events

Malware Protection for S3 scans newly uploaded objects within your configured Amazon S3 buckets for potential malware. It provides a 12-month free tier and can be used independently without enabling the full GuardDuty service. This is different from Malware Protection for EC2 which scans EBS volumes.
Malware Protection for S3

The five attack sequence finding types are: AttackSequence:EKS/CompromisedCluster, AttackSequence:ECS/CompromisedCluster, AttackSequence:EC2/CompromisedInstanceGroup, AttackSequence:IAM/CompromisedCredentials, and AttackSequence:S3/CompromisedData. All are classified as Critical severity.
Attack Sequence Finding Types

Runtime Monitoring supports Amazon EKS, AWS Fargate (Amazon ECS), and Amazon EC2 resources. Note that GuardDuty does NOT support Amazon EKS clusters running on AWS Fargate. The security agent can be managed automatically or manually depending on the resource type.
Runtime Monitoring Overview

GuardDuty Extended Threat Detection is designed to identify potential in-progress or recent attack behaviors within a 24-hour rolling time window in your account. This allows detection of attack sequences where different stages may occur over several hours.
How Extended Threat Detection Works

Extended Threat Detection doesn't consider archived findings, including those automatically archived because of suppression rules. This ensures only active, relevant signals contribute to attack sequence detection. You should review existing suppression rules to ensure you're not missing important signals.
Suppression Rules with Extended Threat Detection

For maximum EKS coverage, GuardDuty recommends enabling both EKS Protection and Runtime Monitoring. EKS Protection monitors control plane activities through audit logs (RBAC changes, privileged pod creation), while Runtime Monitoring observes container-level behaviors (cryptomining, malicious processes). Together, they detect complex attack patterns.
Detecting Attack Sequences in EKS

Amazon Detective helps you investigate and perform root cause analysis on GuardDuty findings. It automatically collects log data from AWS resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that help you analyze and investigate security issues.
GuardDuty Integrations

When you configure GuardDuty to export findings to S3, active findings are automatically exported in near real-time. The findings are encrypted using an AWS KMS key that you specify. This provides longer data retention beyond GuardDuty's 90-day limit and enables integration with SIEM tools.
Exporting GuardDuty Findings