What is Amazon GuardDuty? - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Amazon GuardDuty?

Amazon GuardDuty is a threat detection service that continuously monitors your Amazon environment for potential security risks. GuardDuty analyzes and processes foundational data sources, such as Amazon CloudTrail management events, Amazon CloudTrail event logs, VPC flow logs (from Amazon EC2 instances), and DNS logs. GuardDuty can also monitor logs and events from other Amazon services. These sources include Kubernetes audit logs, RDS login activity, S3 logs, EBS volumes, Runtime monitoring, and Lambda network activity logs. GuardDuty groups these log and event sources under the term Features.

GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning (ML) models to identify unexpected, potentially unauthorized, and malicious activity within your Amazon environment. This includes issues such as escalation of privileges, use of exposed credentials, communication with malicious IP addresses or domains, the presence of malware on your Amazon EC2 instances and container workloads, and unusual patterns of login events on your database.

For example, GuardDuty can detect potentially compromised EC2 instances and container workloads that are serving malware or mining bitcoin. It also monitors Amazon account access behavior for signs of potential compromise, such as unauthorized infrastructure deployments (for example, instances deployed in a Region that hasn't been used before) or unusual API calls (for example, a password policy changed to reduce password strength).

When enabled, GuardDuty provides visibility into the security posture of your Amazon environment. When it identifies a potential security risk, it generates a finding and provides further details. You can also set up Amazon EventBridge to receive notifications when GuardDuty generates a finding. GuardDuty also recommends steps to remediate the security issues that its findings indicate.
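An added example, not from the original page: an EventBridge event pattern that forwards only high-severity GuardDuty findings, with a small local matcher for checking the pattern against constructed sample events before the rule is deployed. The severity threshold of 7, the sample events, and the helper names (`matches`, `notify_list`) are assumptions of this example.

```python
# EventBridge event pattern for GuardDuty findings. The severity threshold (7)
# is an assumption for this example; choose the cut-off your triage process needs.
FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        "=": lambda a, b: a == b}

def _leaf_matches(allowed, value):
    """A leaf is a list of literals and/or {"numeric": [op, n, ...]} filters."""
    for item in allowed:
        if isinstance(item, dict) and "numeric" in item:
            spec = item["numeric"]
            if isinstance(value, (int, float)) and not isinstance(value, bool) and all(
                    _OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2)):
                return True
        elif item == value:
            return True
    return False

def matches(pattern, event):
    """Local approximation of EventBridge matching, for testing a pattern offline."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _leaf_matches(expected, event[key]):
            return False
    return True

# Constructed sample events (placeholder account ID, illustrative severities).
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
                "accountId": "111122223333", "region": "cn-north-1"}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Stealth:IAMUser/PasswordPolicyChange", "severity": 2,
                "accountId": "111122223333", "region": "cn-north-1"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

def notify_list(events, pattern=FINDING_PATTERN):
    """Return the finding types that the rule would forward to its target."""
    return [e["detail"]["type"] for e in events if matches(pattern, e)]
```

A threshold like this drops low-severity findings from notifications entirely, so keep them visible through another path such as the S3 export.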

You can export the generated findings to an Amazon Simple Storage Service (Amazon S3) bucket. GuardDuty also integrates with other Amazon security-related services, such as Amazon Security Hub and Amazon Detective, that can further help you analyze and investigate the security trends in your environment.

Using GuardDuty

You can use GuardDuty in any of the following ways:

GuardDuty console

The console is a browser-based interface to access and use GuardDuty. The GuardDuty console provides access to your GuardDuty account, data, and resources.

GuardDuty HTTPS API

You can access GuardDuty and Amazon programmatically by using the GuardDuty HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the GuardDuty API Reference.

Amazon SDKs

Amazon provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to GuardDuty. For information about the Amazon SDKs, including how to download and install them, see Tools for Amazon Web Services.

Pricing for GuardDuty

When using GuardDuty for the first time, there is a 30-day free trial for each Amazon account per Amazon Region. For more information, see Pricing.

Supported Amazon Regions

For information about Amazon Regions where you can enable GuardDuty, see Regions and endpoints.