What is Amazon GuardDuty? - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Amazon GuardDuty?

Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes specific Amazon data sources and logs in your Amazon environment. GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning (ML) models to identify unexpected and potentially unauthorized activity in your Amazon environment. This includes the following issues:

  • Escalation of privileges, use of exposed credentials, or communication with malicious IP addresses and domains.

  • Presence of malware on your Amazon EC2 instances and container workloads, and newly uploaded files in your Amazon S3 buckets.

  • Discovery of unusual patterns of login events on your database.

For example, GuardDuty can detect potentially compromised EC2 instances and container workloads serving malware, or mining bitcoin. It also monitors Amazon account access behavior for signs of potential compromise, such as unauthorized infrastructure deployments – instances deployed in a Region that has not been used before, or unusual API calls that suggest a change to the password policy to reduce password strength.

Features of GuardDuty

Here are some of the key ways in which Amazon GuardDuty can help you monitor, detect, and manage potential threats in your Amazon environment.

Continuously monitors specific data sources and event logs
  • Automatically monitors foundational data sources – When you enable GuardDuty in an Amazon Web Services account, GuardDuty automatically starts ingesting the foundational data sources associated with that account. These data sources include Amazon CloudTrail management events, Amazon CloudTrail event logs, VPC flow logs (from Amazon EC2 instances), and DNS logs. You don't need to enable anything else for GuardDuty to start analyzing and processing these data sources to generate associated security findings. For more information, see Foundational data sources.

  • Enable optional GuardDuty protection plans – For enhanced visibility into the security posture of your Amazon environment, GuardDuty offers various protection plans that you can choose to enable. Protection plans help you monitor logs and events from other Amazon services. These sources include EKS audit logs, RDS login activity, S3 logs, EBS volumes, Runtime Monitoring, and Lambda network activity logs. GuardDuty consolidates these log and event sources under the term Features. You can enable one or more optional protection plans in a supported Amazon Web Services Region at any time. GuardDuty starts monitoring, processing, and analyzing the activities covered by each protection plan you enable. For more information about each protection plan and how it works, see the corresponding protection plan document.

    Note

    GuardDuty offers flexibility to use Malware Protection for S3 independently, without enabling the Amazon GuardDuty service. For more information about getting started with only Malware Protection for S3, see GuardDuty Malware Protection for S3. To use all other protection plans, you must enable the GuardDuty service.

Detects presence of malware and generates security findings

When GuardDuty detects potential security threats associated with your Amazon resources, it starts generating security findings that provide information about the potentially compromised resource. You can generate Sample findings and view the associated Finding details. For a complete list of the security findings that GuardDuty may generate against each resource type, see Finding types.

Manage generated security findings

You may want to set up Amazon EventBridge to receive notifications when GuardDuty generates a finding, use recommended steps to remediate the finding, filter through generated findings to identify trends, or export the findings to an S3 bucket. For more information, see Managing GuardDuty findings.
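The EventBridge notification set-up described above, as an added example that is not from the GuardDuty documentation: an event pattern that matches only GuardDuty findings with severity 7 or higher, and a small local matcher (covering only the exact-match and numeric subset of EventBridge pattern semantics used here) so the pattern can be checked against constructed sample finding events offline before it is attached to a rule.

```python
"""Added example, not GuardDuty or EventBridge code. GuardDuty publishes
findings to EventBridge with source "aws.guardduty" and detail-type
"GuardDuty Finding"; the finding severity is the number in detail.severity."""
import json

# Rule pattern: forward only high-severity GuardDuty findings (severity >= 7).
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def _field_matches(value, conditions):
    """A field matches if any listed condition holds (EventBridge OR semantics)."""
    for cond in conditions:
        if isinstance(cond, dict) and "numeric" in cond:   # e.g. {"numeric": [">=", 7]}
            op, bound = cond["numeric"]
            if isinstance(value, (int, float)) and _OPS[op](value, bound):
                return True
        elif value == cond:                                # exact string match
            return True
    return False


def matches(pattern, event):
    """Return True if every key in the pattern is satisfied by the event (AND semantics)."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):                          # nested object, recurse
            if not isinstance(event[key], dict) or not matches(spec, event[key]):
                return False
        elif not _field_matches(event[key], spec):
            return False
    return True


def pattern_json():
    """Pattern as the JSON string you would pass to `aws events put-rule --event-pattern`."""
    return json.dumps(HIGH_SEVERITY_PATTERN)


def sample_finding_event(finding_type, severity):
    """Constructed sample event in the shape GuardDuty sends to EventBridge."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "accountId": "111122223333"}}   # placeholder account id
```

The real EventBridge numeric matcher also accepts range forms such as `[">", 0, "<=", 5]`, which this local matcher does not implement.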

Integrate with related Amazon security services

To further help you analyze and investigate the security trends in your Amazon environment, consider using the following Amazon security-related services in combination with GuardDuty.

  • Amazon Detective – This service helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your Amazon resources. It then uses machine learning, statistical analysis, and graph theory to generate visualizations that help you to conduct faster and more efficient security investigations. The Detective prebuilt data aggregations, summaries, and context help you analyze and determine the nature and extent of potential security issues.

    For information about using GuardDuty and Detective together, see Integrating GuardDuty with Amazon Detective. To learn more about Detective, see the Amazon Detective User Guide.

  • Amazon Security Hub – This service gives you a comprehensive view of the security state of your Amazon resources and helps you check your Amazon environment against security industry standards and best practices. It does this partly by consuming, aggregating, organizing, and prioritizing your security findings from multiple Amazon services (including Amazon Macie) and supported Amazon Partner Network (APN) products. Security Hub helps you analyze your security trends and identify the highest priority security issues across your Amazon environment.

    For information about using GuardDuty and Security Hub together, see Integrating GuardDuty with Amazon Security Hub. To learn more about Security Hub, see the Amazon Security Hub User Guide.

Manage a multiple-account environment

You can manage a multiple-account Amazon environment either by using Amazon Organizations (recommended) or by invitation. For more information, see Managing multiple accounts.

PCI DSS Compliance

GuardDuty supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the Amazon Web Services PCI Compliance Package, see PCI DSS Level 1.