Amazon GuardDuty

Amazon GuardDuty is AWS's managed threat detection service. It continuously analyses VPC Flow Logs, DNS query logs, CloudTrail management events, EKS audit logs, S3 data events, RDS login attempts, and Lambda activity, then fuses them with AWS-curated threat intelligence and machine-learning anomaly models to produce actionable findings — without any agents to deploy.

1. Overview & Pipeline

GuardDuty consumes log telemetry from across the account, evaluates it against threat-intelligence lists (malicious IPs, known C2 domains) and ML baselines (per-principal API behavior, per-bucket access patterns), and emits structured findings to Security Hub and EventBridge for downstream automation.

┌──────────────────────────────────────────────────────────────────────────────┐
│                       DETECTION SOURCES                                      │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │ VPC Flow Log │  │ DNS Query Log│  │     CloudTrail Mgmt      │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │ S3 Data Evt  │  │  EKS Audit   │  │  RDS Login / Lambda Logs │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                       GUARDDUTY ENGINE                                       │
│  ┌────────────────────┐ ┌────────────────────┐ ┌──────────────┐              │
│  │  Threat Intel +    │ │  ML Anomaly Detect │ │  Signature   │              │
│  │  Curated IP Lists  │ │  (User / API / Net)│ │   Matching   │              │
│  └────────────────────┘ └────────────────────┘ └──────────────┘              │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                      FINDINGS & SEVERITY                                     │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │ Recon, Trojan│  │ Crypto-Mining│  │  UnauthorizedAccess /    │            │
│  │  Backdoor    │  │  Exfiltration│  │  PenTest / Policy        │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                    AUTOMATED RESPONSE                                        │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │ Security Hub │  │ EventBridge  │  │  Lambda / SSM / SNS      │            │
│  │ Aggregation  │  │   Routing    │  │  Quarantine, Page, Tag   │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘

2. Detection Sources

GuardDuty enables sources independently — you pay only for what you turn on. The defaults cover the common attack surface; the optional protections (S3, EKS, RDS, Lambda, Malware) target specific workloads.

VPC Flow Logs: network-level recon, port scans, traffic to/from known-bad IPs (Tor exit nodes, threat-list peers).
DNS Logs: queries to malware C2 domains, DGA-style domain patterns, DNS tunneling indicators. Only Route 53 Resolver queries are analysed.
CloudTrail Management Events: anomalous API behavior — first-time region access, IAM enumeration spikes, disabling of security services.
S3 Data Events: reads of sensitive prefixes from external IPs, abnormal volume of GetObject calls, public-bucket discovery patterns.
EKS Audit Logs: suspicious kubectl exec, anonymous API server access, privilege escalation via service accounts.
RDS Login Activity: brute-force on Aurora, login from anomalous geos, successful login after many failures.
Lambda Network Activity: functions reaching out to malicious IPs — useful for catching compromised function dependencies.
Malware Protection: agentless scans of EBS volumes attached to EC2 with suspicious findings, plus on-upload S3 object scans.

3. Finding Types

Findings follow a ThreatPurpose:ResourceType/ThreatFamilyName.DetectionMechanism!Variant taxonomy. Severity is scored 1.0–8.9 and bucketed into Low / Medium / High.

Recon: port probing, IAM enumeration (Recon:IAMUser/UserPermissions), unusual API discovery activity.
UnauthorizedAccess: credential exfiltration patterns, console login from Tor / unusual ASN, root-account use.
CryptoCurrency: EC2 instances or EKS pods communicating with known mining pools (CryptoCurrency:EC2/BitcoinTool.B).
Backdoor / Trojan: outbound connections to C2 infrastructure, beaconing patterns, DGA domain queries.
Exfiltration: abnormal data egress to external storage providers, S3 anomalous read patterns.
Policy: root user in use, S3 BlockPublicAccess disabled, IMDSv1 in use.
PenTest: use of Kali / Parrot / Pentoo distributions originating against your APIs.
Impact: attempts to disable CloudTrail or remove findings, ransomware-style mass-encryption patterns on S3.

4. Integration & Automated Response

Findings publish to EventBridge within ~5 minutes. The standard response pipeline is GuardDuty → EventBridge rule (filtered on severity / type) → Lambda or SSM Automation document → remediation action.


# EventBridge rule: page on HIGH GuardDuty findings
EventPattern:
  source: ["aws.guardduty"]
  detail-type: ["GuardDuty Finding"]
  detail:
    severity: [{ numeric: [">=", 7.0] }]
    type:
      - prefix: "UnauthorizedAccess:"
      - prefix: "CryptoCurrency:"
      - prefix: "Backdoor:"
Targets:
  - Arn: !GetAtt PagerDutyLambda.Arn
  - Arn: !Ref SecurityIncidentSnsTopic

Common automated responses:

Compromised EC2 instance: Lambda removes the instance from its Auto Scaling group, attaches a quarantine SG (deny all egress), snapshots EBS volumes for forensics, then terminates after capture.
Leaked IAM credentials: Lambda calls aws iam attach-user-policy with a deny-all policy and creates a Jira ticket for the owner.
S3 anomalous access: EventBridge fires an SSM doc that flips the bucket to BlockPublicAccess and triggers a Macie scan.

5. Pricing

CloudTrail event analysis: ~$4.00 per million events, tiered down with volume.
VPC Flow Log analysis: ~$1.00 per GB analysed, tiered.
DNS log analysis: bundled with CloudTrail at no additional charge in most regions.
S3 protection: ~$0.80 per million S3 events analysed.
EKS audit log protection: per-million-event pricing similar to CloudTrail.
Malware Protection for EC2: ~$0.05 per GB of EBS scanned.
30-day free trial with usage estimates surfaced before the trial ends — review them before going live.
Common cost surprise: a single chatty CI/CD account with millions of sts:AssumeRole calls per day will dominate the GuardDuty bill. Consider suppressing benign high-volume principals.

6. Best Practices

Enable in every region you own, even unused ones — attackers love forgotten regions. Use AWS Organizations delegated administrator to centralize.
Use suppression rules sparingly — suppress only known-benign patterns (e.g., a security scanner's IPs), and document each rule's owner and review date.
Pipe everything to Security Hub for cross-source correlation with Inspector, Macie, and Config findings.
Pair with Detective for graph-based investigation when a finding fires — Detective inherits GuardDuty findings and shows the actor's full footprint.
Test the response pipeline with the GuardDuty create-sample-findings API. If your runbook doesn't fire end-to-end on a sample, it won't fire on a real attack at 3 AM.
Tag findings with ownership at ingest time so on-call rotations can route by team without a lookup table.