Security, Identity, & Compliance

Amazon GuardDuty

"Intelligent threat detection service that monitors for malicious activity."

What is Amazon GuardDuty?

Amazon GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior. It uses machine learning, anomaly detection, and integrated threat intelligence to identify threats.

How It Works

GuardDuty analyzes the following data sources (metadata only, not your actual content):

  1. CloudTrail management events: who is logging in? Who is creating users?
  2. CloudTrail S3 data events: who is reading my S3 buckets?
  3. VPC Flow Logs: who is talking to my EC2 instances?
  4. DNS logs: what websites are my instances trying to visit? Are any of them malicious domains?
  5. EKS audit logs: Kubernetes activity.

Key Concepts

  • Findings: When GuardDuty detects a threat, it creates a "Finding" with a severity level (Low, Medium, High).
  • Threat Intelligence: Uses feeds from AWS and third-party partners (CrowdStrike, Proofpoint) to know which IP addresses are "bad".
  • Remediation: Can trigger EventBridge events to automatically fix issues (e.g., invoke a Lambda function to block an IP/Port).

Exam Tips

[!IMPORTANT] Source Data: GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS Logs. You do NOT need to enable these services explicitly for GuardDuty to work; it pulls the data directly from the backend.

[!NOTE] Cryptocurrency Mining: A classic exam question involves "An EC2 instance is being used for cryptocurrency mining." GuardDuty detects this.

[!WARNING] GuardDuty is Regional. You must enable it in each region (though findings from several regions can be aggregated into a master account).

Common Use Cases

  • Detecting Compromised Instances: An EC2 instance communicating with a known command-and-control server (Botnet).
  • Detecting Account Compromise: Unusual API calls from a country you don't operate in.
  • S3 Protection: Detecting unusual patterns of S3 bucket access (e.g., trying to list all objects).
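
The remediation path above (GuardDuty finding, EventBridge event, Lambda target) and the use cases in this section, as an added example that is not from this page or from AWS: a Python Lambda target that triages one finding event and decides whether to contain or just notify. The event shape (source aws.guardduty, detail-type GuardDuty Finding, finding JSON under detail) and the numeric severity bands are GuardDuty's documented ones; the sample event, the action names and the containment policy are constructed assumptions for illustration.

```python
# GuardDuty scores severity as a number from 0.1 to 8.9; these are the
# documented bands behind the Low / Medium / High labels.
def severity_label(score: float) -> str:
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def plan_response(event: dict) -> dict:
    """Decide what the Lambda target should do with one EventBridge event."""
    # Accept only GuardDuty findings, so a rule widened by mistake cannot
    # drive containment off unrelated events.
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    ftype = finding["type"]
    resource = finding.get("resource", {})
    plan = {"type": ftype, "severity": label, "action": "notify"}
    # Auto-contain only High findings against an EC2 instance (the
    # crypto-mining and C2 cases); everything else goes to a human so a
    # Low-severity anomaly cannot take production capacity offline.
    if label == "High" and resource.get("resourceType") == "Instance":
        plan["action"] = "isolate-instance"
        plan["instanceId"] = resource["instanceDetails"]["instanceId"]
    elif ftype.startswith("UnauthorizedAccess:IAMUser"):
        plan["action"] = "page-oncall"  # unusual API use by a principal
    return plan

def lambda_handler(event, context):  # EventBridge -> Lambda entry point
    return plan_response(event)

# Constructed sample event in the shape EventBridge delivers
# (finding JSON under "detail"); not captured from a real account.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(plan_response(SAMPLE_EVENT))
```

The "isolate-instance" plan is where a real handler would swap the instance's security group or run the AWS-provided isolation steps; the decision logic is kept separate so it can be unit-tested without AWS credentials.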