Amazon GuardDuty Documentation
GuardDuty is a threat detection service that is designed to monitor for malicious activity and unauthorized behavior across your AWS environments. GuardDuty combines machine learning (ML), anomaly detection, and malicious file discovery, using both AWS and third-party sources to help protect workloads and data. GuardDuty analyzes events across multiple AWS data sources. GuardDuty is designed to identify unusual activity within your accounts, analyze the security relevance of the activity, and give the context in which it was invoked.
Account-level threat detection
GuardDuty is designed to give you threat detection for account compromise. GuardDuty can help you detect signs of account compromise, such as access to AWS resources from an unusual geolocation at an atypical time of day. For programmatic AWS accounts, GuardDuty is designed to check for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.
Monitoring across AWS accounts
GuardDuty is designed to monitor and analyze your AWS account and workload event data. By associating your AWS accounts together, you can aggregate threat detection across them.
Threat detections developed for the cloud
GuardDuty is designed to give you access to built-in detection techniques that are developed for the cloud. The primary detection categories include:
Reconnaissance
This activity suggests reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.
Instance compromise
This activity indicates an instance compromise, such as cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound denial of service activity, an unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
Account compromise
Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.
Bucket compromise
This activity indicates a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user who had no prior history of accessing the bucket, or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes CloudTrail S3 data events (for example, GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets.
Malware detection
GuardDuty begins a malware detection scan when it identifies suspicious behavior indicative of malicious software in EC2 instance or container workloads. GuardDuty generates temporary replicas of Amazon EBS volumes attached to such EC2 instance or container workloads and scans the volume replicas for trojans, worms, crypto miners, rootkits, bots, and more that might be used to compromise the workloads, repurpose resources for malicious use, and gain unauthorized access to data. GuardDuty Malware Protection generates contextualized findings that can validate the source of the suspicious behavior. These findings can be routed to the proper administrators and initiate automated remediation.
Container compromise
GuardDuty detects possible malicious or suspicious behavior in container workloads by continuously monitoring and profiling EKS clusters, analyzing their EKS audit logs and container runtime activity in EKS or ECS.
Threat severity levels for prioritization
GuardDuty provides severity levels to help customers prioritize their response to potential threats.
Threat response and remediation
GuardDuty offers HTTPS APIs and command line interface (CLI) tools, as well as integration with Amazon EventBridge to support security responses to security findings.
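The detection categories, severity levels and EventBridge integration described above come together when findings are routed for response. The following is an added example, not AWS's or GuardDuty's own code: a small triage helper that applies an EventBridge-style event pattern to findings, labels their numeric severity, and assigns each finding to one of the detection categories listed in this document by parsing GuardDuty's finding type format (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact). It assumes the EventBridge envelope GuardDuty emits (source "aws.guardduty", detail-type "GuardDuty Finding", the finding under "detail") and GuardDuty's published severity bands; the resource-to-category mapping is illustrative, and the sample findings and account ID are constructed.

```python
"""Triage helper for GuardDuty findings delivered through Amazon EventBridge.

Added example, not AWS's or GuardDuty's own code. Assumes the EventBridge
envelope GuardDuty emits and the finding type format
ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact.
"""
import operator
import re

# GuardDuty severity bands (product behaviour, not stated on the page):
# Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low"))

# Illustrative mapping from the affected-resource part of a finding type to
# the detection categories the documentation lists (assumption, not an AWS table).
CATEGORY_BY_RESOURCE = {
    "EC2": "Instance compromise",
    "IAMUser": "Account compromise",
    "S3": "Bucket compromise",
    "Kubernetes": "Container compromise",
    "Runtime": "Container compromise",
}

FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[^:/]+):(?P<resource>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}


def severity_label(severity):
    """Map GuardDuty's numeric severity to its label."""
    for floor, label in SEVERITY_BANDS:
        if severity >= floor:
            return label
    return "Unknown"


def parse_finding_type(finding_type):
    """Split a type such as CryptoCurrency:EC2/BitcoinTool.B!DNS into its parts."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised finding type: {finding_type!r}")
    return m.groupdict()


def detection_category(finding_type):
    """Assign a finding to one of the documentation's detection categories."""
    parts = parse_finding_type(finding_type)
    if parts["purpose"] == "Recon":
        return "Reconnaissance"
    return CATEGORY_BY_RESOURCE.get(parts["resource"], "Other")


def _leaf_matches(alt, value):
    # {"numeric": [">=", 7, "<", 9]} is EventBridge's numeric matching syntax
    if isinstance(alt, dict) and "numeric" in alt:
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        terms = alt["numeric"]
        return all(OPS[op](value, num) for op, num in zip(terms[::2], terms[1::2]))
    return alt == value


def event_matches(pattern, event):
    """Minimal EventBridge event-pattern matcher (exact strings and numeric ranges)."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not event_matches(spec, event[key]):
                return False
        elif not any(_leaf_matches(alt, event[key]) for alt in spec):
            return False
    return True


# Event pattern an EventBridge rule would use to route High and Critical findings
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}


def _event(finding_id, finding_type, severity):
    # Constructed EventBridge envelope; 111122223333 is the AWS docs placeholder account
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": finding_id, "accountId": "111122223333",
                       "type": finding_type, "severity": severity}}


SAMPLE_EVENTS = [  # constructed sample findings, ids are placeholders
    _event("finding-1", "Recon:EC2/PortProbeUnprotectedPort", 2.0),
    _event("finding-2", "Stealth:IAMUser/CloudTrailLoggingDisabled", 5.0),
    _event("finding-3", "CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0),
    _event("finding-4", "Exfiltration:S3/MaliciousIPCaller", 8.0),
]


def triage(events, pattern=HIGH_SEVERITY_RULE):
    """Return (id, severity label, category) for findings the rule would route."""
    routed = []
    for event in events:
        if event_matches(pattern, event):
            d = event["detail"]
            routed.append((d["id"], severity_label(d["severity"]),
                           detection_category(d["type"])))
    return routed


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
```

Running the block routes only the two High findings (the crypto-mining instance finding and the S3 exfiltration finding), while the Low reconnaissance and Medium CloudTrail-tampering findings are left for lower-priority queues; in a real deployment the same event pattern would be placed in an EventBridge rule whose target (for example, a Lambda function or an SNS topic) performs the routing.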
Scalable threat detection
GuardDuty is designed to manage resource utilization based on the overall activity levels within your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty is designed to add detection capacity when necessary and reduce utilization when capacity is no longer needed.
Deployment
You can enable Amazon GuardDuty on a single account or across multiple accounts. Amazon GuardDuty supports multiple accounts through AWS Organizations integration as well as natively within GuardDuty. Once enabled, GuardDuty is designed to start analyzing streams of account and network activity at scale.
Broad, container-aware protection
GuardDuty provides protection for container workloads across your AWS compute estate.
Extended Threat Detection
GuardDuty is designed to use artificial intelligence (AI) and machine learning (ML) to identify complex, multi-stage attack sequences targeting your AWS accounts, workloads, and data. By correlating disparate signals and providing insights into potentially compromised resources, the generated attack sequence findings also deliver mappings and prescriptive remediation recommendations based on AWS best practices.
GuardDuty protection plans
GuardDuty offers protection plans that are designed to extend threat detection beyond foundational log sources. Enabling these plans lets you tailor threat detection capabilities to your specific AWS environment.
Malware Protection for AWS Backup
GuardDuty Malware Protection for AWS Backup enables you to detect malware in Amazon EC2, Amazon EBS, and Amazon S3 backups. This managed capability allows you to scan backups after creation, run scans of past backups, and helps verify backup integrity before restoration. The feature employs incremental scanning that analyzes net-new data between subsequent backups.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.