
Amazon GuardDuty — Intelligent Threat Detection

Continuous threat detection using CloudTrail, VPC Flow Logs, DNS, and EKS audit telemetry

What is GuardDuty?

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. It uses threat intelligence feeds, machine learning, and anomaly detection—with no deployed agents for its core log-based sources. You enable it per Region, optionally delegate administration from a security account, and route findings to ticketing, chat, or automation.

Data sources

  • AWS CloudTrail — Management events reveal unusual API usage, IAM abuse, and data-exfiltration-style API patterns.
  • VPC Flow Logs — Metadata about IP traffic for reconnaissance, lateral movement, and connections to suspicious hosts.
  • DNS logs — Route 53 Resolver query logs (where enabled) help spot command-and-control domains and DNS tunneling.
  • Amazon EKS control plane audit logs — Kubernetes API audit events for anomalous kubectl access, anonymous API calls, and privileged API activity.

Additional GuardDuty features (e.g. Malware Protection for EC2/EBS, S3 protection, RDS login analytics) extend coverage using AWS-managed processing of the relevant telemetry.

Finding categories

Category                       | What it indicates
-------------------------------|--------------------------------------------------------------------------------
Reconnaissance                 | Port and vulnerability scanning, probing, unusual discovery activity.
Instance / workload compromise | Brute force, cryptocurrency, backdoors, malware, suspicious outbound traffic.
Account compromise             | Credential theft patterns, unusual console/API behavior, root misuse signals.
Bucket / object risk (S3)      | Exfiltration-style API access, suspicious data access when S3 protection is enabled.

Severity levels

GuardDuty assigns a severity score (roughly 0.1–8.9+) used for prioritization and routing. Thresholds are approximate; always read the full finding JSON.

Band   | Score (typical) | Meaning                                          | Example handling
-------|-----------------|--------------------------------------------------|---------------------------------------------
Low    | < 4.0           | Suspicious but often benign or early-stage.      | Log, tune suppressions, low-priority queue.
Medium | 4.0 – 6.9       | Likely risk; needs analyst review.               | Ticket, correlate with CloudTrail/VPC flow.
High   | 7.0+            | Strong indicator of compromise or active threat. | Immediate containment, IR playbook.

Integration with AWS Security Hub

GuardDuty publishes findings to AWS Security Hub as standardized AwsSecurityFinding objects. Security Hub becomes a single pane of glass for aggregation with Inspector, Macie, Config, IAM Access Analyzer, Firewall Manager, and partner products. Use Hub insights, automation rules, and custom actions to route severity-tagged GuardDuty findings into your SOC queue or remediation Lambdas.
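As an added example (not code from this page or from AWS), the handler below applies the severity bands from the table above to a GuardDuty finding delivered through EventBridge and returns the routing action (log, ticket, contain) that a SOC queue or remediation workflow would act on. The EventBridge envelope fields it reads (source "aws.guardduty", detail-type "GuardDuty Finding", the finding JSON under "detail") follow the documented shape; the sample event values are constructed, and the band thresholds are the approximate ones from this page.

```python
import json

# Severity bands from the table above (thresholds are approximate; keep them in one place).
SEVERITY_BANDS = (
    (7.0, "High",   "contain"),  # immediate containment, IR playbook
    (4.0, "Medium", "ticket"),   # analyst review, correlate with CloudTrail/VPC flow
    (0.0, "Low",    "log"),      # log and tune suppressions
)

def classify(severity):
    """Return (band, action) for a numeric GuardDuty severity score."""
    for threshold, band, action in SEVERITY_BANDS:
        if severity >= threshold:
            return band, action
    raise ValueError(f"unexpected severity {severity!r}")

def triage(event):
    """Turn one EventBridge 'GuardDuty Finding' event into a routing decision.

    Returns None for events that are not GuardDuty findings, otherwise a dict that a
    real handler would forward to SNS, a ticketing API or an IR workflow.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    finding = event["detail"]
    band, action = classify(float(finding["severity"]))
    resource = finding.get("resource", {})
    return {
        "id": finding["id"],
        "type": finding["type"],
        "band": band,
        "action": action,
        "resource_type": resource.get("resourceType"),
        "account": finding.get("accountId"),
        "region": finding.get("region"),
    }

# Constructed sample event (not a real finding); field names follow the EventBridge envelope.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8.4,
        "accountId": "111122223333",
        "region": "us-east-1",
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0fedcba987654321"}},
    },
}

def lambda_handler(event, context):
    """Lambda entry point: triage the finding and emit the decision to CloudWatch Logs."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision
```

Run `lambda_handler(SAMPLE_EVENT, None)` locally to see the decision for the constructed High-severity finding.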

Architecture (high level)

┌──────────────────────────────────────────────────────────────┐
│ AWS accounts / Organization                                  │
│ CloudTrail   VPC Flow Logs   Route 53 Resolver   EKS audit   │
│ (optional S3…)                                               │
└───────────────────────────────┬──────────────────────────────┘
                                │ encrypted ingestion / normalization
                                ▼
┌──────────────────────────────────────────────────────────────┐
│ Amazon GuardDuty (per Region, per account)                   │
│ Threat intel + ML + anomaly models → Findings → EventBridge  │
└───────────────────────────────┬──────────────────────────────┘
                                │
        ┌───────────────────────┼───────────────────────┐
        ▼                       ▼                       ▼
  Security Hub             Amazon SNS           Custom automation
(aggregate + score)       (email/chat)      (Lambda, Step Functions)

Example findings (illustrative)

Reconnaissance — port scan
{
  "type": "GuardDuty finding",
  "title": "Recon:EC2/Portscan",
  "severity": 5.2,
  "resource": { "type": "EC2 instance", "id": "i-0abc123def456789" },
  "detail": "An instance is probing a large number of distinct ports on internal IPs."
}
Instance compromise — Bitcoin mining domain
{
  "type": "GuardDuty finding",
  "title": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
  "severity": 8.4,
  "resource": { "type": "EC2 instance", "id": "i-0fedcba987654321" },
  "detail": "DNS queries to known cryptocurrency mining pool domains."
}
Account risk — API calls from unusual location
{
  "type": "GuardDuty finding",
  "title": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
  "severity": 7.1,
  "resource": { "type": "IAMUser", "name": "ci-deploy-bot" },
  "detail": "Instance role credentials used from an IP geolocation inconsistent with normal usage."
}