Amazon GuardDuty Documentation

Amazon GuardDuty is an intelligent threat detection service that is designed to provide customers with an accurate and easy way to continuously monitor and protect their Amazon Web Services accounts, workloads, container applications, and data stored in Amazon S3. GuardDuty analyzes events across multiple Amazon Web Services data sources, such as Amazon CloudTrail Management Events (Amazon Web Services user and API activity in your accounts), Amazon CloudTrail S3 Data Events (Amazon S3 activity), Amazon VPC Flow Logs (network traffic data), Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and DNS Logs (name query patterns).

Amazon GuardDuty threat detection can help you identify activity that can be associated with account compromise, instance compromise, malicious reconnaissance, and bucket compromise. For example, GuardDuty can detect unusual API calls, suspicious outbound communications to known malicious IP addresses, or possible data theft using DNS queries as the transport mechanism. GuardDuty is designed to deliver more accurate findings using machine learning enriched by threat intelligence, such as lists of malicious IPs and domains.

Amazon GuardDuty is designed to give you accurate threat detection of account compromise which can be particularly difficult to detect quickly if you are not continuously monitoring for factors in near real-time. GuardDuty can help you detect signs of account compromise, such as access of Amazon Web Services resources from an unusual geo-location at an atypical time of day. For programmatic Amazon Web Services accounts, GuardDuty is designed to check for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.

Amazon GuardDuty is designed to continuously monitor and analyze your Amazon Web Services account and workload event data found in Amazon CloudTrail, VPC Flow Logs, and DNS Logs. There is no additional security software or infrastructure to deploy and maintain. By associating your Amazon Web Services accounts together you can aggregate threat detection instead of having to work on an account-by-account basis. In addition, you do not have to collect, analyze, and correlate large volumes of Amazon Web Services data from multiple accounts. 

Amazon GuardDuty gives you access to built-in detection techniques that are developed for the cloud. The detection algorithms are maintained and continuously improved upon by Amazon Security. The primary detection categories include:

Reconnaissance -- Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.

Instance compromise -- Activity indicating an instance compromise, such as cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.

Account compromise -- Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable Amazon CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.

Bucket compromise – Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from user that had no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes Amazon CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets.

GuardDuty offers these advanced detections by using machine learning and anomaly detection to help identify previously difficult to find threats, such as unusual patterns of API calls or malicious IAM user behavior. Also, GuardDuty has integrated threat intelligence, which includes lists of malicious domains or IP addresses from Amazon Security and third-party security partners, including Proofpoint and CrowdStrike.

GuardDuty can help remove the undifferentiated heavy lifting and unnecessary complexity of monitoring and protecting your Amazon Web Services accounts and workloads.

Amazon GuardDuty provides three severity levels (Low, Medium, and High) to help customers prioritize their response to potential threats. A “Low” severity level indicates suspicious or malicious activity that was blocked before it compromised your resource. A “Medium” severity level indicates suspicious activity. For example, a large amount of traffic being returned to a remote host that is hiding behind the Tor network, or activity that deviates from normally observed behavior. A “High” severity level indicates that the resource in question (e.g. an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.

Amazon GuardDuty offers HTTPS APIs, CLI tools, and Amazon CloudWatch Events to support automated security responses to security findings. For example, you can automate the response workflow by using CloudWatch Events as an event source to trigger an Amazon Lambda function.

Amazon GuardDuty is designed to manage resource utilization based on the overall activity levels within your Amazon Web Services accounts, workloads, and data stored in Amazon S3. GuardDuty is designed to add detection capacity only when necessary and reduces utilization when capacity is no longer needed. 

Through the Amazon Web Services Management Console or using a single API call, you can enable Amazon GuardDuty on a single account. With a few more clicks in the console, you can enable GuardDuty across multiple accounts. Amazon GuardDuty supports multiple accounts through Amazon Organizations integration as well as natively within GuardDuty. Once enabled, GuardDuty starts analyzing continuous streams of account and network activity at scale. There are no additional security software, sensors, or network appliances to deploy or manage. Threat intelligence is pre-integrated into the service and is updated and maintained.

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us/. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.