Amazon GuardDuty features

GuardDuty gives you accurate threat detection of compromised accounts, which can be difficult to detect quickly if you are not continuously monitoring factors in near real time. GuardDuty can detect signs of account compromise, such as AWS resource access from an unusual geolocation at an atypical time of day. For programmatic AWS accounts, GuardDuty checks for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.

GuardDuty continuously monitors and analyzes your AWS account and workload event data found in CloudTrail, VPC Flow Logs, and DNS logs. There is no additional security software or infrastructure to deploy and maintain for the foundational protections in GuardDuty. By associating your AWS accounts together, you can aggregate threat detection instead of working on an account-by-account basis. In addition, you do not have to collect, analyze, and correlate large volumes of AWS data from multiple accounts. Focus on how to respond quickly, how to keep your organization secure, and continuing to scale and innovate on AWS.

GuardDuty helps you access built-in detection techniques developed and optimized for the cloud. AWS Security continuously maintains and improves these detection algorithms. The primary detection categories include:

• Reconnaissance: Activity suggesting reconnaissance by an attacker, such as unusual API activity, suspicious database login attempts, intra-VPC port scanning, unusual failed login request patterns, or unblocked port probing from a known bad IP.
• Instance compromise: Activity indicating an instance compromise, such as cryptocurrency mining, backdoor command and control (C&C) activity, runtime activity for Amazon EC2, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high network traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
• Account compromise: Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, credential theft, suspicious database login activity, and API calls from known malicious IP addresses.
• Bucket compromise: Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual Amazon S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets.
• Malware: GuardDuty can detect the presence of malware—such as trojans, worms, crypto miners, rootkits, or bots—that may be used to compromise your Amazon EC2 instance or container workloads, or that is uploaded to your Amazon S3 buckets.
• Container compromise: Activity identifying possible malicious or suspicious behavior in container workloads is detected by continuously monitoring and profiling Amazon EKS clusters by analyzing its EKS audit logs and container runtime activity in Amazon EKS or Amazon ECS.

Here is a full list of GuardDuty finding types.

GuardDuty provides three severity levels (Low, Medium, and High) to help customers prioritize their response to potential threats. A Low severity level indicates suspicious or malicious activity that was blocked before it compromised your resource. A Medium severity level indicates suspicious activity. An example would be a large amount of traffic returned to a remote host hiding behind the Tor network or activity that deviates from normally observed behavior. A High severity level indicates that the resource in question (for example, an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.

GuardDuty offers HTTPS APIs and command line interface (CLI) tools, as well as integration with Amazon EventBridge to support automated security responses to security findings. For example, you can automate the response workflow by using EventBridge as an event source to invoke a Lambda function.

GuardDuty is designed to automatically manage resource utilization based on the overall activity levels within your AWS accounts, workloads, and data. GuardDuty adds detection capacity only when necessary and reduces utilization when capacity is no longer needed. You now have a cost-effective architecture that maintains the security processing power that you need while minimizing expenses. You only pay for the detection capacity that you use, when you use it. GuardDuty gives you security at scale, no matter your size.

With one action in the AWS Management Console or a single API call, you can activate GuardDuty on a single account. With a few more steps in the console, you can activate GuardDuty across multiple accounts. GuardDuty supports multiple accounts through AWS Organizations integration as well as natively within GuardDuty. Once turned on, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real time and at scale. There are no additional security software, sensors, or network appliances to deploy or manage. Threat intelligence is pre-integrated into the service and is continuously updated and maintained.

GuardDuty provides comprehensive protection for container workloads across your AWS compute estate that would otherwise be difficult and complex to achieve. Whether you're running workloads with server-level control on Amazon EC2 or serverless modern application workloads on Amazon ECS with AWS Fargate, GuardDuty detects potentially malicious and suspicious activity, gives you container-level context with runtime monitoring, and helps you identify security coverage gaps in your container workloads across your AWS environment.