
Amazon GuardDuty

What Is This Service?

Amazon GuardDuty is AWS’s managed continuous threat detection service that analyzes AWS telemetry and workload signals to identify malicious activity and suspicious behavior.

Mental model:
AWS-native detection engine → consumes telemetry → produces findings.

GuardDuty is:

  • Threat detection
  • Behavioral analytics
  • Threat intelligence
  • ML-assisted anomaly detection
  • Managed security monitoring

GuardDuty is NOT:

  • Firewall
  • IPS/IDS appliance
  • SIEM
  • Prevention control
  • Log storage platform

Why It Matters for Security

Most cloud attacks do not begin with malware.

Most begin with:

  • credential compromise
  • exposed services
  • privilege escalation
  • lateral movement
  • abnormal data access
  • exfiltration

GuardDuty exists to:

  • shorten detection time
  • eliminate manual telemetry correlation
  • centralize threat visibility
  • enable automated containment

Security outcomes:

  • detect account takeover
  • detect compromised workloads
  • detect data exfiltration
  • detect command & control activity
  • support incident response automation

Exam mental model

GuardDuty = Detect
EventBridge = Trigger
Lambda = Respond
Security Hub = Aggregate
Detective = Investigate

Core Concepts

Detector

GuardDuty operates through regional detectors.

Properties:

  • one detector per account per region
  • independent regional operation
  • organization-aware

Exam implication:

GuardDuty is REGIONAL.
Enable in every required region.

Findings

GuardDuty outputs security findings.

Finding includes:

Threat Type
↓
Severity
↓
Resource
↓
Evidence
↓
Recommendation

Common categories:

Category             Example
-------------------  --------------------
Recon                Port scans
CredentialAccess     IAM abuse
Persistence          Backdoor activity
PrivilegeEscalation  Role escalation
DefenseEvasion       Detection avoidance
Exfiltration         Data movement
Impact               Crypto mining

Detection Sources

Source                        Detects
----------------------------  -------------------------
CloudTrail Management Events  API abuse
VPC Flow Logs                 network anomalies
Route 53 DNS Logs             DNS threats
S3 Data Events                unusual object access
EKS Audit Logs                Kubernetes abuse
Runtime Monitoring            process-level compromise

Exam trap: GuardDuty consumes telemetry internally. You do not manually deliver logs.


Runtime Monitoring (Highly Tested)

Modern GuardDuty capability.

Supports:

  • EC2
  • ECS
  • EKS

Detects:

  • suspicious processes
  • container abuse
  • malware indicators
  • privilege escalation
  • runtime anomalies

Why it exists:

Logs tell you WHAT happened.
Runtime tells you WHAT IS happening.

S3 Protection

Detects:

  • unusual object reads
  • exfiltration indicators
  • anomalous access patterns

Does NOT:

  • inspect object contents
  • classify data
  • replace DLP

Malware Protection

Behavior:

Instance
↓
Snapshot
↓
Scan
↓
Finding

Characteristics:

  • scans EBS snapshot copies
  • avoids production disruption
  • no filesystem modification

Important Integrations

Service            Purpose
-----------------  -----------------------
AWS Organizations  centralized management
Security Hub       findings aggregation
EventBridge        automation
Lambda             remediation
Detective          investigation
IAM                identity context
CloudTrail         API telemetry
VPC Flow Logs      network telemetry
S3                 threat detection
EKS                workload detection
SNS                notifications
Systems Manager    automated remediation

Security Features

Threat Intelligence

GuardDuty combines:

  • AWS global telemetry
  • AWS threat intelligence
  • ML models
  • anomaly detection
  • behavior analysis

No signature maintenance.


IAM Threat Detection

Examples:

  • unusual regions
  • brute-force attempts
  • credential compromise
  • privilege escalation

EC2 Threat Detection

Examples:

  • crypto mining
  • outbound attacks
  • command and control
  • reconnaissance

Kubernetes Protection

Sources:

  • EKS audit logs
  • runtime telemetry

Findings:

  • suspicious containers
  • cluster misuse
  • privilege abuse

EKS Runtime Monitoring

Higher-value modern detection.

Provides:

  • process telemetry
  • workload visibility
  • runtime indicators

Exam nuance:

Audit logs ≠ Runtime Monitoring

Advanced Security and Operational Concepts

Detection Architecture

flowchart LR
    subgraph Org["AWS Organization"]
        Admin["Security Account: GuardDuty Delegated Admin"]
        Prod["Prod Account: Regional Detector"]
        Dev["Dev Account: Regional Detector"]
    end

    subgraph Telemetry["AWS Telemetry Sources"]
        CT["CloudTrail Management Events"]
        Flow["VPC Flow Logs"]
        DNS["Route 53 Resolver DNS Logs"]
        S3["S3 Data Events"]
        EKS["EKS Audit Logs"]
        Runtime["Runtime Monitoring"]
        Malware["EBS Snapshot Malware Scan"]
    end

    Findings["GuardDuty Findings"]
    SecurityHub["Security Hub"]
    Detective["Amazon Detective"]
    EventBridge["EventBridge"]
    Response["Lambda / SSM / SNS"]

    CT --> Prod
    Flow --> Prod
    DNS --> Prod
    S3 --> Prod
    EKS --> Prod
    Runtime --> Prod
    Malware --> Prod

    CT --> Dev
    Flow --> Dev
    DNS --> Dev
    Runtime --> Dev

    Admin -. manages .-> Prod
    Admin -. manages .-> Dev

    Prod --> Findings
    Dev --> Findings

    Findings --> SecurityHub
    Findings --> Detective
    Findings --> EventBridge
    EventBridge --> Response

Architecture Notes

Control plane:

  • GuardDuty uses a delegated admin account for centralized organization management.
  • Each member account still has its own regional detector.
  • GuardDuty must be enabled per region.
  • Findings can be centralized into a security account.

Data plane:

  • GuardDuty analyzes AWS telemetry out-of-band.
  • It does not sit inline or inspect live traffic.
  • You do not need to manually deliver CloudTrail logs or VPC Flow Logs to S3 for GuardDuty core detections.
  • Runtime Monitoring adds workload-level visibility beyond API and network logs.

Exam takeaways:

Telemetry
↓
Regional GuardDuty Detector
↓
Finding
↓
Security Account
↓
Security Hub / Detective / EventBridge

GuardDuty = Detect
Security Hub = Aggregate
Detective = Investigate
EventBridge = Trigger Response

Multi-Account Security Pattern

Organizations
↓
Delegated Admin
↓
Auto-enable Members
↓
Central Findings
↓
Automated Response

Automated Containment Pattern

flowchart LR
    Finding --> EventBridge
    EventBridge --> Lambda
    Lambda --> Quarantine

GuardDuty never isolates resources directly.
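The containment pattern above, worked through as an added example (this is not code from the original notes or from AWS): an EventBridge rule pattern that only forwards High findings, a small matcher showing what that filter does, the decision logic a remediation Lambda would run, and the EC2 call that quarantines an instance. It also illustrates the finding structure from the Findings section (severity bands and the type string). Account id, instance id, finding ids and the quarantine security group are constructed placeholders; the EventBridge client is replaced by a recording stand-in so the block runs offline.

```python
# Added example (not from the original notes): Finding -> EventBridge ->
# Lambda -> Quarantine. All ids below are constructed placeholders.

def sample_finding(finding_type, severity, instance_id="i-0123456789abcdef0"):
    """Constructed EventBridge event in the envelope GuardDuty findings use."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "account": "111122223333",               # placeholder account id
        "region": "us-east-1",
        "detail": {
            "type": finding_type,
            "severity": severity,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": instance_id}},
        },
    }

# EventBridge rule pattern (this JSON goes into the rule). Filtering here means
# the Lambda only runs for High findings; Low/Medium still reach Security Hub
# but create no downstream invocations.
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        "=": lambda a, b: a == b}

def _alt_matches(alt, value):
    if isinstance(alt, dict) and "numeric" in alt:
        if not isinstance(value, (int, float)):
            return False
        rule = alt["numeric"]                     # [">=", 7] or [">", 0, "<", 4]
        return all(_OPS[rule[i]](value, rule[i + 1]) for i in range(0, len(rule), 2))
    return alt == value

def matches_pattern(pattern, event):
    """Minimal EventBridge-style matcher: nested keys, literal lists, numeric rules."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches_pattern(spec, event[key]):
                return False
        elif not any(_alt_matches(alt, event[key]) for alt in spec):
            return False
    return True

def parse_finding_type(finding_type):
    """Split ThreatPurpose:Resource/Family.Mechanism!Artifact into its parts."""
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    family_part, _, artifact = rest.partition("!")
    family, _, mechanism = family_part.partition(".")
    return {"purpose": purpose, "resource": resource, "family": family,
            "mechanism": mechanism or None, "artifact": artifact or None}

def severity_label(severity):
    """GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9+."""
    if severity >= 9:
        return "Critical"
    if severity >= 7:
        return "High"
    return "Medium" if severity >= 4 else "Low"

def plan_response(event):
    """Pure decision step: what the Lambda would do, with no side effects."""
    detail = event["detail"]
    plan = {"finding": parse_finding_type(detail["type"]),
            "severity": severity_label(detail["severity"]), "action": "none"}
    if not matches_pattern(HIGH_SEVERITY_RULE, event):
        return plan                               # EventBridge would not invoke us
    resource = detail.get("resource", {})
    if resource.get("resourceType") == "Instance":
        plan["action"] = "quarantine_instance"
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
    else:
        plan["action"] = "notify"                 # e.g. SNS; no automatic change
    return plan

def apply_response(plan, ec2_client, quarantine_sg):
    """Execute the plan. ec2_client is boto3.client("ec2") inside a real Lambda.
    Swapping the security groups for a deny-all group cuts the instance off
    without stopping it, so disk and memory evidence survive for investigation."""
    if plan["action"] == "quarantine_instance":
        ec2_client.modify_instance_attribute(InstanceId=plan["instance_id"],
                                             Groups=[quarantine_sg])
        return "quarantined"
    return "no_change"

class RecordingEc2:
    """Stand-in for the boto3 EC2 client so the example runs offline."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)

if __name__ == "__main__":
    ec2 = RecordingEc2()
    for ev in (sample_finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8),
               sample_finding("Recon:EC2/PortProbeUnprotectedPort", 2)):
        plan = plan_response(ev)
        print(plan["severity"], plan["action"], apply_response(plan, ec2, "sg-0quarantine00"))
    print(ec2.calls)
```

In a deployed Lambda the handler is `plan_response(event)` followed by `apply_response(plan, boto3.client("ec2"), QUARANTINE_SG)`; keeping the decision pure makes the threshold and the resource-type branching unit-testable without any AWS calls, which is where most containment automation bugs hide.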


Detection vs Investigation

Service       Responsibility
------------  ------------------------
GuardDuty     detect
Detective     investigate
Security Hub  aggregate
Inspector     vulnerability assessment
EventBridge   automate
WAF           block
Shield        DDoS

Cost Optimization

Cost drivers:

  • CloudTrail analysis
  • Flow analysis
  • S3 events
  • Runtime Monitoring
  • EKS protection

Exam considerations:

  • S3 monitoring scales quickly
  • runtime monitoring increases cost
  • findings filtering reduces downstream cost

Regional Design

GuardDuty is:

  • regional
  • detector-based
  • independently enabled

Best practice:

Enable GuardDuty in ALL active regions.
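Because the detector is regional, "enabled" has to be verified region by region, and a detector that exists but is disabled counts as a gap. The following added example (not from the original notes) audits that with the real `guardduty` API calls `list_detectors` and `get_detector` via boto3; the client factory is injectable, and the fake account below is constructed so the block runs offline.

```python
# Added example (not from the original notes): find regions where GuardDuty
# is missing or disabled. The FAKE_ACCOUNT data is constructed for the demo.

def audit_guardduty_coverage(regions, client_for):
    """Return {region: 'ENABLED' | 'DISABLED' | 'MISSING'}.

    client_for(region) must return an object exposing list_detectors() and
    get_detector(DetectorId=...), which boto3's guardduty client does."""
    report = {}
    for region in regions:
        gd = client_for(region)
        ids = gd.list_detectors().get("DetectorIds", [])
        if not ids:
            report[region] = "MISSING"          # never enabled in this region
            continue
        # One detector per account per region; it can exist yet be disabled,
        # which is as bad as missing, so read its Status rather than its presence.
        report[region] = gd.get_detector(DetectorId=ids[0])["Status"]
    return report

def gaps(report):
    """Regions that need attention, sorted for a stable report."""
    return sorted(r for r, status in report.items() if status != "ENABLED")

# --- real clients (only used when run inside an AWS account) ---
def live_regions():
    import boto3
    # describe_regions() without AllRegions returns only regions enabled for
    # this account, i.e. the "active regions" the best practice refers to.
    ec2 = boto3.client("ec2", region_name="us-east-1")
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]

def live_client(region):
    import boto3
    return boto3.client("guardduty", region_name=region)

# --- offline stand-ins so the example runs without credentials ---
class FakeGuardDuty:
    """Mirrors the two calls used above; status None means no detector."""
    def __init__(self, status):
        self._status = status
    def list_detectors(self):
        return {"DetectorIds": ["det-1"] if self._status else []}
    def get_detector(self, DetectorId):
        return {"Status": self._status}

FAKE_ACCOUNT = {                               # constructed sample account
    "us-east-1": "ENABLED",
    "eu-west-1": "DISABLED",
    "ap-southeast-2": None,
}

def fake_client(region):
    return FakeGuardDuty(FAKE_ACCOUNT[region])

if __name__ == "__main__":
    report = audit_guardduty_coverage(list(FAKE_ACCOUNT), fake_client)
    for region, status in report.items():
        print(f"{region:16} {status}")
    print("gaps:", gaps(report))
```

To run it against a real account, replace the last block with `audit_guardduty_coverage(live_regions(), live_client)`; in an organization, run it from the delegated admin and loop over member accounts with assumed-role sessions.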

Architecture Example

flowchart LR
    Telemetry --> GuardDuty
    GuardDuty --> Findings
    Findings --> EventBridge
    EventBridge --> Lambda

Workflow(s)

Threat Detection Lifecycle

sequenceDiagram
    participant AWS
    participant GuardDuty
    participant Engine
    participant Finding
    participant EventBridge
    participant Lambda

    AWS->>GuardDuty: Send telemetry
    GuardDuty->>Engine: Analyze behavior
    Engine->>Finding: Create finding
    Finding->>EventBridge: Publish
    EventBridge->>Lambda: Optional remediation

Malware Protection Workflow

sequenceDiagram
    participant GuardDuty
    participant Snapshot
    participant Scanner
    participant Finding

    GuardDuty->>Snapshot: Create snapshot copy
    Snapshot->>Scanner: Malware analysis
    Scanner->>Finding: Generate finding

Organization Enrollment Workflow

sequenceDiagram
    participant Organizations
    participant DelegatedAdmin
    participant Member
    participant GuardDuty

    Organizations->>DelegatedAdmin: Assign admin
    DelegatedAdmin->>GuardDuty: Enable
    GuardDuty->>Member: Auto-enable
    Member->>DelegatedAdmin: Send findings
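The enrollment sequence above and the Multi-Account Security Pattern, expressed as API calls in an added example (not from the original notes or from AWS): the management account designates the delegated admin, then the delegated admin turns on auto-enable for all members, and both steps are repeated in every region because the designation is regional. It uses the real boto3 `guardduty` operations `enable_organization_admin_account`, `create_detector`, `update_organization_configuration` and `describe_organization_configuration`; account ids and the region list are constructed placeholders, and the client factories are injected so the fakes at the bottom let it run offline.

```python
# Added example (not from the original notes): delegated-admin enrollment and
# a check that every region is configured. Ids below are constructed.

REGIONS = ["us-east-1", "eu-west-1"]            # constructed: regions in use

def enroll(mgmt_client_for, admin_client_for, admin_account_id, regions):
    """Step 1, per region, from the management account: delegate admin.
    Step 2, per region, from the delegated admin: auto-enable all members.
    Returns {region: delegated-admin detector id}."""
    detectors = {}
    for region in regions:
        mgmt_client_for(region).enable_organization_admin_account(
            AdminAccountId=admin_account_id)
        admin = admin_client_for(region)
        ids = admin.list_detectors().get("DetectorIds", [])
        # The delegated admin needs its own regional detector before it can
        # configure members; create one if this region has none yet.
        detector_id = ids[0] if ids else admin.create_detector(Enable=True)["DetectorId"]
        # "ALL" covers existing members as well as accounts joining later;
        # "NEW" would leave already-present accounts unprotected.
        admin.update_organization_configuration(
            DetectorId=detector_id, AutoEnableOrganizationMembers="ALL")
        detectors[region] = detector_id
    return detectors

def unconfigured_regions(admin_client_for, detectors):
    """Regions where members are not auto-enabled for ALL accounts: the usual
    gap is one region enrolled by hand and the others forgotten."""
    bad = []
    for region, detector_id in detectors.items():
        cfg = admin_client_for(region).describe_organization_configuration(
            DetectorId=detector_id)
        if cfg.get("AutoEnableOrganizationMembers") != "ALL":
            bad.append(region)
    return sorted(bad)

# --- offline stand-ins mirroring the slice of the API used above ---
class FakeGuardDuty:
    def __init__(self, region):
        self.region, self.calls, self.detector_ids, self.org_config = region, [], [], {}
    def enable_organization_admin_account(self, AdminAccountId):
        self.calls.append(("enable_organization_admin_account", AdminAccountId))
    def list_detectors(self):
        return {"DetectorIds": list(self.detector_ids)}
    def create_detector(self, Enable):
        self.detector_ids.append(f"det-{self.region}")
        return {"DetectorId": self.detector_ids[-1]}
    def update_organization_configuration(self, DetectorId, AutoEnableOrganizationMembers):
        self.org_config[DetectorId] = AutoEnableOrganizationMembers
    def describe_organization_configuration(self, DetectorId):
        return {"AutoEnableOrganizationMembers": self.org_config.get(DetectorId, "NONE")}

_FAKE_CLIENTS = {}                               # (account, region) -> FakeGuardDuty

def fake_client(account_id):
    """Factory of factories: one fake client per (account, region)."""
    def for_region(region):
        return _FAKE_CLIENTS.setdefault((account_id, region), FakeGuardDuty(region))
    return for_region

MGMT, SECURITY = "111111111111", "222222222222"  # constructed account ids

if __name__ == "__main__":
    detectors = enroll(fake_client(MGMT), fake_client(SECURITY), SECURITY, REGIONS)
    print(detectors)
    print("unconfigured:", unconfigured_regions(fake_client(SECURITY), detectors))
```

With real clients the two factories are `lambda r: boto3.Session(profile_name="mgmt").client("guardduty", region_name=r)` and the same for the security account; `unconfigured_regions` is the check worth scheduling, since the enrollment is done once but regions get added later.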

Comparisons

Service       Difference
------------  -----------------------
GuardDuty     threat detection
Security Hub  findings aggregation
Detective     investigation
Inspector     vulnerability scanning
CloudTrail    activity logging
WAF           prevention
Shield        DDoS protection
Config        compliance

Common Exam Traps

  1. GuardDuty detects—it does not block.

  2. GuardDuty is regional.

  3. Findings ≠ remediation.

  4. Runtime Monitoring ≠ Flow Logs.

  5. S3 Protection does not inspect content.

  6. GuardDuty does not require CloudTrail log delivery to S3.

  7. VPC Flow Logs are consumed internally.

  8. Malware Protection scans snapshots—not live disks.

  9. Security Hub does not replace GuardDuty.

  10. Detective does not generate findings.

  11. Organizations centralizes management—not telemetry.

  12. GuardDuty is not a SIEM.

  13. GuardDuty is not Inspector.

  14. EKS Audit Logs ≠ Runtime Monitoring.

  15. GuardDuty never sits inline.


5-Second Recall

  • Managed threat detection
  • Regional detector
  • CloudTrail + Flow + DNS + Runtime
  • Findings only
  • EventBridge automates
  • Security Hub aggregates
  • Detective investigates

Quick Revision Notes

  • Detect → Find → Automate
  • Out-of-band detection
  • Regional service
  • Runtime Monitoring heavily tested
  • S3 Protection ≠ DLP
  • Malware Protection → snapshot-based
  • Organizations → delegated admin
  • Security Hub aggregates
  • EventBridge responds
  • Detective investigates

Think: AWS-native managed threat detection engine.