What is Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in the cloud. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes various data sources such as VPC flow logs, CloudTrail event logs, and DNS logs, enabling it to detect activities like unusual API calls, potentially unauthorized deployments, and communication with malicious IP addresses.
GuardDuty can be integrated with other AWS services such as AWS Security Hub, Amazon CloudWatch, and third-party SIEM tools to automate responses and improve your overall security.
How does GuardDuty work?
AWS GuardDuty operates by continuously monitoring and analyzing event data from your AWS account, specifically looking at AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
GuardDuty automatically aggregates and correlates this data across all associated AWS accounts, consolidating and prioritizing potential threats as low, medium or high priority.
Primary detection categories include:
- Reconnaissance: Detects activities like unusual API activity, suspicious database logins, intra-VPC port scanning, failed login patterns, and port probing from known malicious IPs.
- Instance Compromise: Identifies signs such as cryptocurrency mining, command and control activities, malware, outbound denial of service attacks, high network traffic, unusual network protocols, and communication with malicious IPs using Amazon Elastic Compute Cloud (EC2) credentials.
- Account Compromise: Monitors for API calls from atypical geolocations or proxies, attempts to disable CloudTrail logging, weak password policy changes, unusual launches, and calls from malicious IPs.
- Bucket Compromise: Observes Amazon S3 for unusual data access, unauthorized accesses, and API calls suggesting potential credential misuse.
- Malware: Detects malware on EC2 instances or container workloads, including trojans, worms, and crypto miners.
- Container Compromise: Analyzes Amazon EKS and ECS by monitoring EKS audit logs and container runtime activities to identify suspicious behavior in container workloads.
You can consult the AWS documentation for a full list of threat types or access GuardDuty directly in the AWS Management Console.
What are the key benefits of Amazon GuardDuty?
The key benefits of Amazon GuardDuty include:
Continuous, ML-Powered Threat Detection: Utilizes machine learning, anomaly detection, behavioral modeling, and third-party threat intelligence to quickly expose threats across your AWS accounts. This enables faster response to minimize the impact of security incidents before they escalate.
Detect Suspicious AI Workload Activity: Identifies abnormal behaviors such as the removal of AI security guardrails, unusual model usage, or misuse of EC2 credentials in Amazon Bedrock, Amazon SageMaker, or other AI platforms.
Enhanced Protection Against Malware: Automatically scans Amazon EBS volumes and monitors Amazon S3 bucket uploads to detect malware, including ransomware, backdoor intrusions, and crypto-related activities.
Centralized Threat Detection for Containers: Provides a unified solution to manage threats in a containerized AWS environment, including Amazon Elastic Kubernetes Service (EKS) and Elastic Container Service (ECS), for both instance and serverless container workloads.
Compliance Support: Aids in meeting compliance requirements such as PCI DSS by demonstrating robust intrusion detection capabilities.
AWS Integrations to Investigate and Remediate: Delivers detailed findings with context and metadata. Integrates with Amazon Detective for root cause analysis and routes alerts to AWS Security Hub and Amazon EventBridge for streamlined remediation.
What are GuardDuty protection plans?
GuardDuty protection plans help you monitor logs and events from other AWS services (EKS audit logs, RDS login activity, Amazon S3 data events in CloudTrail, network activity logs, etc.).
When you enable GuardDuty for the first time, it automatically enables all GuardDuty protection plans except Runtime Monitoring and Malware Protection for S3, both of which you can enable by using the GuardDuty console or APIs.
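Because Runtime Monitoring is not enabled by default, it is worth checking which protection plans a detector actually has turned on rather than assuming the defaults. The following is an added example (not code from this article or from AWS): it compares a detector description against a desired feature set and builds the request that would enable whatever is missing. The feature names are the values the GuardDuty `Features` parameter accepts for these plans; the detector description is a constructed stand-in for a `get_detector` response, the `client` argument is assumed to be a boto3 GuardDuty client (deliberately not imported, so the module runs offline), and Malware Protection for S3 is configured through a separate API and is intentionally left out.

```python
"""Drift check for GuardDuty protection plans (features) on one detector.

Added example, not code from the nOps article or from AWS. Feature names are
the GuardDuty API values for the protection plans listed above; the sample
detector below is constructed. Malware Protection for S3 uses a different
API (a malware protection plan) and is not handled here.
"""
from typing import Any, Optional

# Protection plans this check expects to be enabled (assumption: the baseline
# your organisation wants; adjust to taste).
DESIRED_FEATURES = [
    "S3_DATA_EVENTS",          # Amazon S3 data events in CloudTrail
    "EKS_AUDIT_LOGS",          # EKS Audit Log Monitoring
    "EBS_MALWARE_PROTECTION",  # Malware Protection for EC2 (EBS volume scans)
    "RDS_LOGIN_EVENTS",        # RDS login activity
    "LAMBDA_NETWORK_LOGS",     # Lambda Network Activity Monitoring
    "RUNTIME_MONITORING",      # EKS/ECS Fargate/EC2 Runtime Monitoring (off by default)
]


def feature_status(detector: dict[str, Any]) -> dict[str, str]:
    """Flatten the Features list of a get_detector response into name -> status."""
    return {f["Name"]: f["Status"] for f in detector.get("Features", [])}


def missing_features(detector: dict[str, Any], desired=DESIRED_FEATURES) -> list[str]:
    """Return the desired features that are not currently ENABLED."""
    status = feature_status(detector)
    return [name for name in desired if status.get(name) != "ENABLED"]


def build_enable_request(detector_id: str, detector: dict[str, Any],
                         desired=DESIRED_FEATURES) -> Optional[dict[str, Any]]:
    """Build the keyword arguments for update_detector, or None if nothing is missing."""
    missing = missing_features(detector, desired)
    if not missing:
        return None
    return {
        "DetectorId": detector_id,
        "Features": [{"Name": name, "Status": "ENABLED"} for name in missing],
    }


def enable_missing(client: Any, detector_id: str, desired=DESIRED_FEATURES) -> list[str]:
    """Read the detector through the supplied client and enable missing features.

    `client` is assumed to be a boto3 GuardDuty client; returns the names enabled.
    """
    detector = client.get_detector(DetectorId=detector_id)
    request = build_enable_request(detector_id, detector, desired)
    if request is None:
        return []
    client.update_detector(**request)
    return [f["Name"] for f in request["Features"]]


# Constructed stand-in for a get_detector response on a freshly enabled detector:
# every plan on except Runtime Monitoring, matching the default described above.
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
        {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"},
        {"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"},
        {"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"},
    ],
}

if __name__ == "__main__":
    print("missing:", missing_features(SAMPLE_DETECTOR))
    print("request:", build_enable_request("placeholder-detector-id", SAMPLE_DETECTOR))
```

Run it once in read-only mode (`build_enable_request`) and review the request before calling `enable_missing` with a real client; Runtime Monitoring also deploys agents, so enabling it has cost implications covered in the pricing section.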
How does Amazon GuardDuty pricing work?
Main cost factors:
GuardDuty pricing is primarily based on (1) volume of data analyzed and (2) extra features like malware scanning. You can view estimated costs by:
- AWS Account ID
- Data sources (like AWS CloudTrail management events, VPC flow logs, and Route53 Resolver DNS query logs)
- Features (like CloudTrail data events for S3, EKS Audit Log Monitoring, EBS volume data, RDS login activity, EKS Runtime Monitoring, Fargate Runtime Monitoring, EC2 Runtime Monitoring, or Lambda Network Activity Monitoring)
- S3 buckets
How to estimate, view and manage costs
- During a 30-day free trial, use the GuardDuty console or API to estimate daily average usage costs.
- Post-trial, costs can be monitored and managed through the AWS Billing and Cost Management console. This includes viewing costs for individual accounts or aggregated costs for multiple accounts if operating as a GuardDuty administrator.
- In the GuardDuty console, you can view estimated costs for foundational data sources and features like CloudTrail data events, EKS Audit Log Monitoring, and more. Specific costs for monitoring S3 buckets are displayed separately under S3 Protection.
Volume pricing discounts
- GuardDuty offers volume pricing discounts that are detailed on the Amazon GuardDuty Pricing page. These discounts apply per region and are based on the last 30 days of usage.
- Note that volume discounts for combined usage between accounts within an organization are not included in the console estimates.
Frequently asked questions about Amazon GuardDuty
How do security levels in Amazon GuardDuty work?
High (7.0 – 8.9): High severity levels signify that a resource, such as an EC2 instance or IAM user sign-in credentials, is actively compromised and being used without authorization. Immediate action is crucial. Remediation may involve cleaning up or terminating an EC2 instance, or rotating IAM credentials.
Medium (4.0 – 6.9): This level reflects suspicious activities that deviate from normal behavior, possibly hinting at a compromise. Immediate investigation is recommended. Remediation actions vary but generally include verifying the legitimacy of the activity and possibly securing the resource if the activity remains unexplained.
Low (1.0 – 3.9): Low severity indicates attempts at suspicious activities that have not successfully compromised your network, like port scans or failed intrusion attempts. While no immediate action is required, documenting these incidents helps in identifying potential vulnerabilities.
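The three bands above are what a response pipeline keys on: GuardDuty publishes each finding to Amazon EventBridge, and a rule can hand it to a function that maps the numeric severity to a band and picks the matching playbook. The following is an added example of that triage step (not code from this article or from AWS). The sample event is constructed, the handler and playbook step names are assumptions, and scores at or above 9.0 (not in the bands listed on this page) are treated as High so that nothing severe is dropped.

```python
"""Triage GuardDuty findings by severity band.

Added example, not code from the nOps article or from AWS. Bands follow the
ranges described above: High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9. Anything at
9.0 or above is routed as HIGH (assumption). The sample EventBridge event is
constructed; playbook step names are placeholders for your own runbook.
"""
from __future__ import annotations

import json
from typing import Any

# Inclusive lower bounds of the documented severity bands, highest first.
SEVERITY_BANDS = [
    (7.0, "HIGH"),
    (4.0, "MEDIUM"),
    (1.0, "LOW"),
]

# Response steps per band (assumption: placeholder names for runbook steps).
PLAYBOOK = {
    "HIGH": ["page_oncall", "isolate_or_rotate_resource", "open_incident"],
    "MEDIUM": ["open_investigation_ticket", "verify_activity_with_owner"],
    "LOW": ["record_in_log", "review_in_weekly_triage"],
}


def severity_band(score: float) -> str:
    """Map a numeric GuardDuty severity to HIGH, MEDIUM or LOW."""
    if score < 1.0:
        raise ValueError(f"severity {score} is below the documented range")
    for lower_bound, name in SEVERITY_BANDS:
        if score >= lower_bound:
            return name
    raise AssertionError("unreachable: bands cover every score >= 1.0")


def triage_finding(finding: dict[str, Any]) -> dict[str, Any]:
    """Summarise a finding and attach the playbook steps for its band."""
    band = severity_band(float(finding["severity"]))
    resource = finding.get("resource", {})
    return {
        "id": finding["id"],
        "type": finding["type"],
        "band": band,
        "resource_type": resource.get("resourceType"),
        "account": finding["accountId"],
        "region": finding["region"],
        "actions": PLAYBOOK[band],
    }


def handle_eventbridge_event(event: dict[str, Any]) -> dict[str, Any]:
    """Entry point shaped like a Lambda handler behind an EventBridge rule
    matching source 'aws.guardduty'; the finding itself sits under 'detail'."""
    if event.get("source") != "aws.guardduty":
        raise ValueError("not a GuardDuty event")
    return triage_finding(event["detail"])


# Constructed sample: an EventBridge envelope around a finding using the field
# layout GuardDuty findings carry (account id, finding id and title are made up).
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "us-east-1",
        "id": "EXAMPLE-finding-id-0001",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {"resourceType": "AccessKey"},
        "title": "API called from an IP on a custom threat list (constructed)",
    },
}

if __name__ == "__main__":
    print(json.dumps(handle_eventbridge_event(SAMPLE_EVENT), indent=2))
```

The band lookup is deliberately separate from the playbook so the thresholds can be audited against the AWS documentation on their own, and the handler refuses events from any other source rather than guessing at their shape.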
What other security services does GuardDuty integrate with?
AWS Security Hub: AWS Security Hub collects security data from across your AWS accounts, services, and supported marketplace products to monitor your security state. Once Security Hub is enabled alongside GuardDuty, GuardDuty findings are automatically ingested by Security Hub.
Amazon Detective uses log data from across your AWS accounts to create data visualizations for your resources and IP addresses interacting with your environment. Detective’s visualizations help you quickly and easily investigate security issues. You can pivot from GuardDuty finding details to information in the Detective console once both services are enabled.
What is the difference between GuardDuty and Macie?
AWS GuardDuty and AWS Macie are both security services that offer different capabilities for protecting AWS environments. GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads through machine learning.
On the other hand, AWS Macie is focused on data security and privacy protection. It uses machine learning and pattern matching to discover and protect sensitive data stored in AWS S3 buckets. Macie is particularly effective for classifying data based on content, monitoring data access, and providing automated alerts for data policy violations.
Understand and optimize AWS costs with nOps
If you’re looking to understand your AWS usage and costs, nOps can help.
nOps Business Contexts transforms millions of rows of contextless data into the who, what, when and why of cloud spend — making it easy to get 100% visibility of your AWS cloud costs and usage so your bills are never a surprise or mystery.
Allocate 100% of your AWS costs, including EKS. Kubernetes costs are often a black box — no longer with nOps. Understand and allocate your unified AWS spend in one platform.
Automated resource tagging. You don’t need to have all your resources tagged to allocate costs. Create dynamic rules by region, tags, operation, accounts, and usage types to allocate costs back to custom cost centers.
40+ views & filters. Map hourly costs by any relevant engineering concept (deployment, service, namespace, label, pod, container…) or finance concept (cost unit, purchase type, line item, cost allocation tag…).
Custom reports & dashboards for the whole team. Monthly reporting and reconciliation can take hours; with nOps only minutes. Tailor dashboards and Slack/email reports to your needs, whether you’re a CFO or VP of Engineering.
The best part? nOps is an all-in-one solution for all of your AWS cloud optimization needs: automated commitment management, rightsizing, resource scheduling, workload management, Spot usage, storage optimization, and more.
Join our customers using nOps to understand your cloud costs and leverage automation with complete confidence by booking a demo today!