Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident Response
Learn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.
Overview of GuardDuty
GuardDuty is a service that continuously detects threats to your AWS accounts and workloads, identifying over 200 threat patterns. It automatically analyzes CloudTrail events, VPC Flow Logs, and DNS query logs to detect unauthorized API calls, cryptocurrency mining, communication with C&C servers, brute-force attacks, and more. Enabling it takes a single click, with no changes required to your existing log configurations. GuardDuty independently acquires log data, so users do not need to have VPC Flow Logs or CloudTrail manually enabled. The detection engine combines two approaches: AWS-managed threat intelligence feeds (known malicious IP addresses and domain lists) and account-specific behavioral baseline ML models.
Findings and Response
Findings are classified into types such as Recon (reconnaissance), UnauthorizedAccess, CryptoCurrency (mining), and Trojan. High-severity findings require immediate action. You can use EventBridge rules to trigger Lambda functions that automatically revoke compromised IAM credentials or isolate EC2 instances. By integrating with Security Hub, you can consolidate GuardDuty findings with results from other security services and manage your security posture from a single pane of glass. A practical automated remediation architecture involves: GuardDuty generates a High severity UnauthorizedAccess:IAMUser finding -> EventBridge -> Lambda disables all access keys for the affected IAM user and forces MFA reset ->SNS notifies the operations team.
Protection Plans and Organizations Integration
In addition to basic threat detection, GuardDuty offers protection plans including S3 Protection (analysis of S3 data events), EKS Protection (analysis of Kubernetes audit logs), Malware Protection (malware scanning for EC2 and ECS), RDS Protection (analysis of RDS login activity), Lambda Protection (analysis of Lambda network activity), and Runtime Monitoring (runtime threat detection for EC2/ECS/EKS). Using the Organizations delegated administrator, you can centrally manage GuardDuty across all accounts and configure automatic enablement for new accounts. Findings are automatically aggregated in Security Hub. Runtime Monitoring deploys a GuardDuty agent on hosts or containers to monitor file access, process execution, and network connections at the kernel level. This captures runtime threats like process injection and reverse shells that network-level detection alone would miss. For a systematic study of GuardDuty, related books on Amazon can be a helpful resource.
Optimizing GuardDuty Costs
GuardDuty's base pricing is based on the volume of CloudTrail management events and VPC Flow Logs analyzed. CloudTrail events cost approximately $4 per million events, and VPC Flow Logs cost approximately $1 per GB. Each protection plan incurs additional charges; for example, S3 Protection costs approximately $0.80 per million S3 data events. Use the 30-day free trial to assess actual costs before enabling the service. Malware Protection is charged based on the volume of data scanned, so limit scan targets to critical workloads to manage costs. If costs are higher than expected after enabling, check the Usage page in the GuardDuty console for per-data-source cost breakdowns, disable unnecessary protection plans, or review access patterns for S3 buckets with high event frequency.
Detection Accuracy Tuning and False Positive Management
Immediately after enabling GuardDuty, false positives are common, so proper tuning is needed for operational stability. Registering your corporate global IPs and VPN exit IPs in Trusted IP Lists automatically suppresses findings generated from these addresses. Similarly, you can add custom threat intelligence to Threat IP Lists to enhance detection accuracy. Repetitive findings for specific resources can be hidden using Suppression Rules, but setting overly broad rules risks missing real threats, so conditions should be as narrow as possible (specific account ID + specific resource ARN + specific finding type). Integrating findings with Amazon Detective allows GuardDuty to show "what happened" while Detective visualizes "why and how" through IP address behavioral history and API call timelines, significantly improving investigation efficiency and false positive determination.
Role Differentiation with Other Security Services
AWS security services differ in detection targets and purposes, making a defense-in-depth approach combining multiple services around GuardDuty effective. GuardDuty's primary purpose is continuous detection of anomalies in account behavior and network communications. For post-incident investigation use Amazon Detective, for vulnerability scanning use Amazon Inspector, and for IAM policy misconfiguration use IAM Access Analyzer. Security Hub serves as the central hub aggregating findings from all these services and provides compliance checks based on standards like AWS Foundational Security Best Practices. A phased approach of enabling GuardDuty first, then adding Detective or Inspector as findings arise, is rational from a cost management perspective. In multi-account environments, the AWS Well-Architected Security Pillar recommends designating a security account as the delegated administrator and aggregating GuardDuty findings from all member accounts into this account.
Summary
GuardDuty is a service that automatically detects threats in your AWS environment using ML and threat intelligence. Its protection plans for S3, EKS, Lambda, RDS, and Runtime Monitoring provide multi-layered threat detection, while Organizations integration enables centralized security management across all accounts. By building automated remediation actions through EventBridge integration, you can automate your security operations. Controlling false positives with Trusted IP Lists and Suppression Rules, and enhancing investigation efficiency through Detective integration, are key to stable production operations.