Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes specific AWS data sources and logs in your AWS environment. GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning (ML) models to identify unexpected and potentially unauthorized activity in your AWS environment. This includes the following issues:
Escalation of privileges, use of exposed credentials, or communication with malicious IP addresses and domains.
Presence of malware on your Amazon EC2 instances and container workloads, and newly uploaded files in your Amazon S3 buckets.
Discovery of unusual patterns of login events on your database.
For example, GuardDuty can detect potentially compromised EC2 instances and container workloads serving malware, or mining bitcoin. It also monitors AWS account access behavior for signs of potential compromise, such as unauthorized infrastructure deployments – instances deployed in a Region that has not been used before, or unusual API calls that suggest a change to the password policy to reduce password strength.

When you enable GuardDuty in an AWS account, GuardDuty automatically starts ingesting the foundational data sources associated with that account. These data sources include AWS CloudTrail management events, AWS CloudTrail event logs, VPC flow logs (from Amazon EC2 instances), and DNS logs. You don't need to enable anything else for GuardDuty to start analyzing and processing these data sources to generate associated security findings.

GuardDuty for AWS workload protection

Each protection plan below is an optional feature that is configured separately from the foundational data sources.
S3 Protection: GuardDuty is capable of analyzing over a trillion Amazon Simple Storage Service (Amazon S3) events per day. It continuously monitors and profiles Amazon S3 data access events and S3 configurations to detect suspicious activities such as requests coming from an unusual geolocation, disabling of preventative controls like Amazon S3 Block Public Access, or API call patterns consistent with an attempt to discover misconfigured bucket permissions.
EKS Protection: GuardDuty EKS Protection monitors Amazon Elastic Kubernetes Service (Amazon EKS) cluster control plane activity by analyzing Kubernetes audit logs.
Runtime Monitoring: Gain visibility into on-host, operating system-level activity and detect runtime threats with more than 30 finding types to help protect your Amazon EKS clusters, Amazon ECS workloads (including serverless workloads on AWS Fargate), and Amazon EC2 instances.
Malware Protection for EC2: Scan the EBS volumes attached to an Amazon EC2 instance for malware when GuardDuty detects that the instance, or a container workload running on it, is doing something suspicious.
Malware Protection for S3: Detect potentially harmful uploads to your Amazon S3 buckets with integrated, scalable, and fully managed malware scanning.
RDS Protection: Using tailored ML models and integrated threat intelligence, GuardDuty can detect potential threats to Amazon Relational Database Service (Amazon RDS) databases, starting with Amazon Aurora, such as high-severity brute force attacks, suspicious logins, and access by known threat actors.
Lambda Protection: Continuously monitor network activity, starting with VPC Flow Logs, from your serverless workloads to detect threats such as functions maliciously repurposed for unauthorized cryptocurrency mining or compromised Lambda functions that are communicating with known threat actor servers.
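The detections described above (EC2 crypto mining, password policy changes, disabled S3 Block Public Access, runtime execution, RDS brute force, Lambda mining) all surface as GuardDuty findings with a structured type string and a numeric severity. As an added example, not code from this page or from AWS, the Python below parses the documented finding-type format ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact, maps the Severity field to GuardDuty's severity levels (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0), and produces a most-severe-first triage list. The sample findings are constructed for this example: the type strings are real GuardDuty finding types and the field names mirror the GetFindings response, but the IDs and severities are illustrative.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Documented GuardDuty finding type format:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# Only the first three parts are always present; mechanism and artifact are optional.
# The family may contain characters such as '&' (e.g. C&CActivity), so only '.', '!'
# and the separators are treated as delimiters.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[^:/]+):(?P<resource>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)


@dataclass(frozen=True)
class FindingType:
    purpose: str
    resource: str
    family: str
    mechanism: Optional[str]
    artifact: Optional[str]


def parse_finding_type(finding_type: str) -> FindingType:
    """Split a GuardDuty finding type into its documented components."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return FindingType(**m.groupdict())


def severity_label(score: float) -> str:
    """Map the numeric Severity field to GuardDuty's severity levels."""
    if not 0.0 < score <= 10.0:
        raise ValueError(f"severity out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Constructed sample findings (illustrative IDs and severities). Keys mirror the
# GetFindings API response; the Type values are real GuardDuty finding types.
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-002", "Type": "Stealth:IAMUser/PasswordPolicyChange", "Severity": 2.0,
     "Resource": {"ResourceType": "AccessKey"}},
    {"Id": "f-003", "Type": "Policy:S3/BucketBlockPublicAccessDisabled", "Severity": 2.0,
     "Resource": {"ResourceType": "S3Bucket"}},
    {"Id": "f-004", "Type": "Execution:Runtime/NewBinaryExecuted", "Severity": 5.0,
     "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-005", "Type": "CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
     "Severity": 8.0, "Resource": {"ResourceType": "RDSDBInstance"}},
    {"Id": "f-006", "Type": "CryptoCurrency:Lambda/BitcoinTool.B", "Severity": 8.0,
     "Resource": {"ResourceType": "Lambda"}},
]


def triage(findings):
    """Annotate each finding with its parsed type and level; most severe first.

    'Escalate' flags High and Critical findings (Severity >= 7.0) for immediate
    response; the threshold is this example's choice, not a GuardDuty setting.
    """
    rows = []
    for f in findings:
        ft = parse_finding_type(f["Type"])
        rows.append({
            "Id": f["Id"],
            "Severity": f["Severity"],
            "Level": severity_label(f["Severity"]),
            "Purpose": ft.purpose,
            "AffectedResource": ft.resource,
            "Family": ft.family,
            "Escalate": f["Severity"] >= 7.0,
        })
    rows.sort(key=lambda r: -r["Severity"])
    return rows


def count_by_purpose(findings) -> Counter:
    """Tally findings by ThreatPurpose, e.g. to see how much is crypto mining."""
    return Counter(parse_finding_type(f["Type"]).purpose for f in findings)


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        flag = "ESCALATE" if row["Escalate"] else ""
        print(f'{row["Id"]} {row["Level"]:<8} {row["Purpose"]}:{row["AffectedResource"]} {flag}')
    print(dict(count_by_purpose(SAMPLE_FINDINGS)))
```

In practice the same functions would run over the output of the GetFindings API or over findings delivered through EventBridge; parsing the type rather than matching whole strings keeps the triage logic stable as new families, mechanisms and artifacts are added.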


