Security

Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident Response

Learn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.

約 3 分で読めます

Overview of GuardDuty

GuardDuty is a service that continuously detects threats to your AWS accounts and workloads, identifying over 200 threat patterns. It automatically analyzes CloudTrail events, VPC Flow Logs, and DNS query logs to detect unauthorized API calls, cryptocurrency mining, communication with C&C servers, brute-force attacks, and more. Enabling it takes a single click, with no changes required to your existing log configurations.

Findings and Response

Findings are classified into types such as Recon (reconnaissance), UnauthorizedAccess, CryptoCurrency (mining), and Trojan. High-severity findings require immediate action. You can use EventBridge rules to trigger Lambda functions that automatically revoke compromised IAM credentials or isolate EC2 instances. By integrating with Security Hub, you can consolidate GuardDuty findings with results from other security services and manage your security posture from a single pane of glass.

Protection Plans and Organizations Integration

In addition to basic threat detection, GuardDuty offers protection plans including S3 Protection (analysis of S3 data events), EKS Protection (analysis of Kubernetes audit logs), Malware Protection (malware scanning for EC2 and ECS), RDS Protection (analysis of RDS login activity), Lambda Protection (analysis of Lambda network activity), and Runtime Monitoring (runtime threat detection for EC2/ECS/EKS). Using the Organizations delegated administrator, you can centrally manage GuardDuty across all accounts and configure automatic enablement for new accounts. Findings are automatically aggregated in Security Hub. For a systematic study of GuardDuty, related books on Amazon can be a helpful resource.

Optimizing GuardDuty Costs

GuardDuty's base pricing is based on the volume of CloudTrail management events and VPC Flow Logs analyzed. CloudTrail events cost approximately $4 per million events, and VPC Flow Logs cost approximately $1 per GB. Each protection plan incurs additional charges; for example, S3 Protection costs approximately $0.80 per million S3 data events. Use the 30-day free trial to assess actual costs before enabling the service. Malware Protection is charged based on the volume of data scanned, so limit scan targets to critical workloads to manage costs.

Summary

GuardDuty is a service that automatically detects threats in your AWS environment using ML and threat intelligence. Its protection plans for S3, EKS, Lambda, RDS, and Runtime Monitoring provide multi-layered threat detection, while Organizations integration enables centralized security management across all accounts. By building automated remediation actions through EventBridge integration, you can automate your security operations.

Related Services

Amazon GuardDutyA machine learning-powered threat detection serviceAWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practicesAmazon DetectiveA service that automatically analyzes security findings and investigates root causes

Related Articles

Investigating Security Incidents with Amazon Detective - Root Cause Identification Through Graph AnalysisLearn about investigating GuardDuty findings with Detective, entity profiles, and leveraging behavior graphs.Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automated Vulnerability Scanning with Amazon Inspector - Continuous Security Assessment for EC2, Lambda, and ECRAutomatically scan EC2 instances, ECR container images, and Lambda functions for vulnerabilities and prioritize them with CVE-based risk scores. Learn how to achieve agentless scanning through Systems Manager integration.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Amazon GuardDutyA managed threat detection service that uses machine learning and threat intelligence to continuously monitor and detect threats across AWS accounts and workloadsData Privacy Protection - Automated Sensitive Data Discovery and Threat Defense with Amazon Macie and GuardDutyLearn practical data privacy protection techniques combining Amazon Macie's automated sensitive data discovery in S3 with Amazon GuardDuty's threat intelligence. This article covers comprehensive security measures from identifying personal information to real-time threat detection.Vulnerability Assessment and Threat Detection - Continuous Security Monitoring with Amazon Inspector and GuardDutyLearn how to design and operate vulnerability assessment and threat detection using Amazon Inspector and Amazon GuardDuty.AWS Security Service Integration - Native Threat Detection from GuardDuty to Detective Without a SIEMWe explain the native threat detection mechanism through the integration of GuardDuty, Security Hub, Detective, and Macie, and compare the design philosophy differences with Azure Sentinel.