Amazon GuardDuty

A managed threat detection service that uses machine learning and threat intelligence to continuously monitor and detect threats across AWS accounts and workloads

Overview

Amazon GuardDuty is a managed threat detection service that continuously monitors your AWS accounts, workloads, and data for malicious activity and anomalous behavior. It analyzes data sources such as VPC Flow Logs, CloudTrail management and S3 data events, Route 53 DNS query logs, EKS audit logs, and Lambda network activity logs, applying machine learning, anomaly detection, and integrated threat intelligence (known malicious IPs and domains) to identify threats. GuardDuty consumes these sources through its own independent stream, so you do not need to enable or retain those logs yourself, and turning the service on requires no agents or changes to existing infrastructure; the exceptions are the optional Runtime Monitoring agent and Malware Protection scans described below. Detected patterns include unauthorized API calls, cryptocurrency mining, communication with command-and-control servers, brute-force attacks, and suspicious S3 bucket access. Each finding carries a numeric severity that falls into a band (Low, Medium, High and, more recently, Critical), and findings are published to EventBridge, where rules can drive automated remediation.

Finding Type Classification and Reading Severity Levels

GuardDuty generates well over 100 finding types, named with the pattern ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact, for example UnauthorizedAccess:IAMUser/MaliciousIPCaller or CryptoCurrency:EC2/BitcoinTool.B!DNS. The threat purpose is the first thing to read, and there are considerably more than four of them; those seen most often include Recon (pre-attack reconnaissance such as port probes against unprotected ports and API enumeration), UnauthorizedAccess (console logins from unusual locations, API calls from known malicious or anonymizing IPs, anomalous API call patterns), Backdoor (EC2 instances talking to command-and-control servers), CryptoCurrency (instances contacting mining pools or resolving mining-related domains), Trojan (instances contacting known drop points or DGA and phishing domains, and DNS-based data exfiltration), and Exfiltration (signs of data theft, such as anomalous bulk downloads from S3 buckets). Each finding is assigned a numeric severity, grouped into bands: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), or Low (1.0-3.9). High and Critical findings, such as active cryptocurrency mining or API calls from known malicious IPs, demand immediate investigation, while Low-severity findings, such as a single unusual API call or a port probe, often point to misconfiguration or benign scanning rather than an active compromise. Reading the threat purpose together with the severity band is the quickest way to prioritize the queue.
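The parser and triage helper below are an added example (not AWS code) that turns the naming pattern and severity bands above into something you can run against a batch of findings: it splits a finding type into its five components, maps the numeric severity to its band, and orders a constructed sample queue so the analyst sees High and Critical items first. The sample finding ids and severities are invented for the example.

```python
"""Parse GuardDuty finding-type names and bucket numeric severities for triage.

Added example, not AWS code. The sample findings at the bottom are
constructed for this example and are not real detections.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FindingType:
    """Components of ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact."""
    threat_purpose: str                  # e.g. UnauthorizedAccess, Recon, Backdoor, CryptoCurrency
    resource_type: str                   # e.g. EC2, IAMUser, S3, Kubernetes
    threat_family: str                   # e.g. MaliciousIPCaller, PortProbeUnprotectedPort
    detection_mechanism: Optional[str]   # e.g. "B" for the behaviour/ML variant; None if absent
    artifact: Optional[str]              # e.g. "DNS" when the evidence came from DNS logs; None if absent


def parse_finding_type(name: str) -> FindingType:
    """Split a finding type name into its parts; raises ValueError on anything else."""
    purpose, _, rest = name.partition(":")
    resource, sep, rest = rest.partition("/")
    if not purpose or not resource or not sep or not rest:
        raise ValueError(f"not a GuardDuty finding type: {name!r}")
    rest, _, artifact = rest.partition("!")      # the optional !Artifact suffix comes last
    family, _, mechanism = rest.partition(".")   # then the optional .DetectionMechanism
    return FindingType(purpose, resource, family, mechanism or None, artifact or None)


# GuardDuty's documented severity bands: lower bound (inclusive) -> label.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low"))


def severity_band(score: float) -> str:
    """Map a numeric finding severity (1.0-10.0) to its band."""
    if not 1.0 <= score <= 10.0:
        raise ValueError(f"severity out of range: {score}")
    for lower, label in SEVERITY_BANDS:
        if score >= lower:
            return label
    raise AssertionError("unreachable: range check above guarantees a band")


def needs_immediate_action(band: str) -> bool:
    """High and Critical findings are investigated immediately; Medium and Low are queued."""
    return band in ("Critical", "High")


def triage(findings: list) -> list:
    """Order findings for an analyst: highest severity first, then by id for a stable queue."""
    rows = []
    for f in sorted(findings, key=lambda f: (-float(f["severity"]), f["id"])):
        ft = parse_finding_type(f["type"])
        band = severity_band(float(f["severity"]))
        rows.append({
            "id": f["id"],
            "band": band,
            "purpose": ft.threat_purpose,
            "resource": ft.resource_type,
            "family": ft.threat_family,
            "immediate": needs_immediate_action(band),
        })
    return rows


# Constructed sample findings (ids and severities invented for this example).
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0},
    {"id": "f-2", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0},
    {"id": "f-3", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5.0},
    {"id": "f-4", "type": "Exfiltration:S3/AnomalousBehavior", "severity": 8.0},
]


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        flag = "NOW  " if row["immediate"] else "queue"
        print(f"{flag} {row['band']:<8} {row['purpose']}:{row['resource']}/{row['family']} ({row['id']})")
```

The band boundaries are inclusive at the bottom (a 7.0 is High, a 6.9 is Medium), which matters when a rule or report rounds the score; keep the comparison on the raw number GuardDuty emits rather than a rounded one.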

Automated Remediation via EventBridge Integration

The recommended way to respond to GuardDuty findings is to let EventBridge rules trigger Lambda functions for automated remediation. GuardDuty emits each new finding (and, by default every six hours, any updated finding) as an event with source aws.guardduty and detail-type GuardDuty Finding; the finding's numeric severity sits in detail.severity, so a rule can match on a numeric comparison and route High and Critical findings to a containment function while Medium findings open a ticket for manual review. For High and Critical findings, the function can isolate a compromised EC2 instance by swapping its security groups for an empty quarantine group, deactivate the unauthorized IAM access key named in the finding, and notify Slack or PagerDuty through SNS. Two caveats a practitioner will want: give the remediation function a least-privilege role scoped to exactly those API calls, since it is itself a high-value target, and exercise the playbook against sample findings (GuardDuty can generate sample findings for a detector) before letting it act on production. Enabling Malware Protection adds automatic scanning of the EBS volumes attached to an EC2 instance or container workload when GuardDuty raises a finding indicating malware, extending detection beyond network-level signals.
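The following added example (not AWS code) shows the routing logic described above as a Lambda handler: an EventBridge rule pattern that selects High and Critical findings with a numeric matcher, a pure planning function that maps one finding to containment or ticketing actions, and an execution step that makes the EC2, IAM and SNS calls through injected clients so the playbook can be dry-run offline. The quarantine security-group id, SNS topic ARNs and the sample event are placeholders constructed for the example; field names follow the GuardDuty finding JSON as delivered by EventBridge.

```python
"""Route GuardDuty findings delivered by EventBridge to containment or ticketing.

Added example, not AWS code. Field names follow the GuardDuty finding JSON in the
EventBridge envelope (detail.severity, detail.type, detail.resource.*); the SG id,
SNS topic ARNs and sample event are placeholders constructed for this example.
"""
import json
import os

# EventBridge rule pattern for the High/Critical path. Severity is a number in the
# finding, so use a numeric matcher rather than a list of strings.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Assumed deployment parameters (set as Lambda environment variables in real use).
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0123456789abcdef0")  # SG with no rules at all
ONCALL_TOPIC = os.environ.get("ONCALL_TOPIC", "arn:aws:sns:us-east-1:123456789012:secops-oncall")
TICKET_TOPIC = os.environ.get("TICKET_TOPIC", "arn:aws:sns:us-east-1:123456789012:secops-tickets")


def plan_actions(event: dict) -> list:
    """Decide the response for one finding; pure, so it can be tested offline."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    severity = float(d["severity"])
    resource = d.get("resource", {})
    summary = {"finding_id": d["id"], "type": d["type"], "severity": severity, "account": event.get("account")}
    actions = []
    if severity >= 7.0:  # High and Critical: contain first, then page
        if resource.get("resourceType") == "Instance":
            actions.append({"action": "isolate_instance", "groups": [QUARANTINE_SG],
                            "instance_id": resource["instanceDetails"]["instanceId"]})
        elif resource.get("resourceType") == "AccessKey":
            key = resource["accessKeyDetails"]
            # UpdateAccessKey only applies to IAM user keys; role-session or root
            # credentials need a different playbook (revoke sessions, rotate).
            if key.get("userType") == "IAMUser":
                actions.append({"action": "deactivate_access_key",
                                "user_name": key["userName"], "access_key_id": key["accessKeyId"]})
        actions.append({"action": "notify", "topic": ONCALL_TOPIC,
                        "subject": f"[GuardDuty {severity:.1f}] {d['type']}", "body": summary})
    elif severity >= 4.0:  # Medium: ticket for human review
        actions.append({"action": "notify", "topic": TICKET_TOPIC,
                        "subject": f"[GuardDuty review] {d['type']}", "body": summary})
    else:  # Low: frequently misconfiguration; keep for trend review only
        actions.append({"action": "log_only", "body": summary})
    return actions


def execute(actions: list, ec2, iam, sns) -> None:
    """Apply planned actions through injected clients (boto3 in Lambda, recorders in tests)."""
    for a in actions:
        if a["action"] == "isolate_instance":
            # Swapping the primary ENI's groups for an empty quarantine group drops existing
            # and new connections while the instance stays up for forensics. Instances with
            # several ENIs also need ModifyNetworkInterfaceAttribute on each extra ENI.
            ec2.modify_instance_attribute(InstanceId=a["instance_id"], Groups=a["groups"])
        elif a["action"] == "deactivate_access_key":
            iam.update_access_key(UserName=a["user_name"], AccessKeyId=a["access_key_id"], Status="Inactive")
        elif a["action"] == "notify":  # SNS subjects are capped at 100 characters
            sns.publish(TopicArn=a["topic"], Subject=a["subject"][:100], Message=json.dumps(a["body"]))
        # log_only: no API call; the finding remains in GuardDuty for later review


class RecordingClient:
    """Stand-in for a boto3 client that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def dry_run(event: dict) -> list:
    """Return the AWS API calls the playbook would make for this event, without making them."""
    rec = RecordingClient()
    execute(plan_actions(event), ec2=rec, iam=rec, sns=rec)
    return rec.calls


def lambda_handler(event, context):
    import boto3  # imported lazily so plan_actions and dry_run work without the AWS SDK
    actions = plan_actions(event)
    execute(actions, boto3.client("ec2"), boto3.client("iam"), boto3.client("sns"))
    return {"actions": [a["action"] for a in actions]}


# Constructed sample event: a High-severity cryptomining finding on an EC2 instance.
SAMPLE_EVENT = {
    "version": "0", "id": "c0ffee00-0000-0000-0000-000000000000", "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding", "account": "123456789012", "region": "us-east-1",
    "detail": {"schemaVersion": "2.0", "id": "00000000000000000000000000000abc",
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```

Running dry_run(SAMPLE_EVENT) lists the ModifyInstanceAttribute and Publish calls the handler would make without touching AWS, which is the cheapest way to review a playbook change. The function's IAM role needs only ec2:ModifyInstanceAttribute (and ec2:ModifyNetworkInterfaceAttribute if you extend isolation to extra ENIs), iam:UpdateAccessKey and sns:Publish on the two topics; anything broader turns the responder into a privilege-escalation path.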

Multi-Account Environments and Additional Protection Features

In multi-account environments, GuardDuty integrates with AWS Organizations: the management account designates a delegated administrator account (typically a dedicated security account), which then manages detectors and views findings for every member account from one place. The delegated administrator can auto-enable GuardDuty, and individual protection features, for new accounts as they join the organization, so coverage stays consistent without per-account setup. Beyond the core detection, protection features can be switched on independently: S3 Protection monitors S3 data plane events for suspicious access patterns, EKS Protection analyzes Kubernetes audit logs for cluster-level threats, and Runtime Monitoring deploys a lightweight agent to EC2 instances, ECS tasks, and EKS workloads to detect host- and container-level behaviour such as suspicious process execution in near real time. Compared with a broader cloud security posture management suite such as Microsoft Defender for Cloud, GuardDuty is narrower in scope but tightly integrated with AWS-native telemetry (VPC Flow Logs, CloudTrail, DNS logs), which is the basis of its detection quality in AWS environments. Pricing is volume-based and tiered: you are billed per million CloudTrail events and per GB of VPC Flow Logs and DNS logs analyzed (other protection features are metered separately), with rates that fall at higher volumes and differ by region. Figures such as $4.72 per million CloudTrail events and $1.18 per GB of VPC Flow Logs apply only to a particular region and volume tier, so check the price list for your region and expected volume.
