Amazon GuardDuty のアイコン

Amazon GuardDuty Popular2017年〜

A machine learning-powered threat detection service

About 2 min read

What It Does

Amazon GuardDuty is a managed service that continuously monitors and detects threats to your AWS accounts and workloads. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs using machine learning and threat intelligence to automatically detect threats like unauthorized access, malware, and cryptocurrency mining.

Use Cases

It is used for detecting unauthorized access to AWS accounts, identifying malware infections on EC2 instances, detecting abnormal access patterns to S3 buckets, and identifying leaked IAM credentials.

Everyday Analogy

Think of it like a building's security cameras with an AI monitoring system. Cameras (logs) monitor 24/7, and AI (machine learning) automatically detects suspicious behavior and alerts the security guard (administrator).

What Is GuardDuty?

Amazon GuardDuty is a threat detection service that can be enabled with a single click. No agent installation or log configuration is needed - just enable it and monitoring of your AWS environment begins. Detected threats are reported as 'findings' with severity levels (low, medium, high).

Detectable Threats

GuardDuty detects three categories of threats: reconnaissance (port scanning, abnormal API calls), instance compromise (malware communication, cryptocurrency mining, C&C server connections), and account compromise (API calls from unusual regions, unauthorized use of IAM credentials). Additional protection for EKS, S3, RDS, and Lambda can also be enabled. For a comprehensive overview of detectable threats, reference books (Amazon) are a helpful resource.

Getting Started

Simply click 'Enable GuardDuty' in the GuardDuty console to get started. A 30-day free trial is provided. Findings can be integrated with EventBridge for automated Lambda responses, or aggregated in Security Hub for centralized management. Integration with Organizations enables bulk enablement across all accounts.

Things to Watch Out For

  • GuardDuty only detects threats - it does not automatically block or remediate. Automate responses with EventBridge + Lambda integration
  • Pricing is based on the volume of logs analyzed, so estimate costs in advance for large environments. The 30-day free trial lets you see actual costs
共有するXB!

Related Services

AWS Security Hub iconAWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practicesAmazon Detective iconAmazon DetectiveA service that automatically analyzes security findings and investigates root causesAWS Organizations iconAWS OrganizationsA service for centrally managing multiple AWS accountsAmazon EventBridge iconAmazon EventBridgeA serverless event bus that routes events from AWS services and SaaS applications

Related Articles

API Audit Logging with AWS CloudTrail - Trail Design and Security AnalysisRecord all API activity and run advanced analysis with SQL queries in CloudTrail Lake. This article covers automatic anomaly detection with Insights and real-time detection through EventBridge integration.Data Privacy Protection - Automated Sensitive Data Discovery and Threat Defense with Amazon Macie and GuardDutyLearn practical data privacy protection techniques combining Amazon Macie's automated sensitive data discovery in S3 with Amazon GuardDuty's threat intelligence. This article covers comprehensive security measures from identifying personal information to real-time threat detection.Investigating Security Incidents with Amazon Detective - Root Cause Identification Through Graph AnalysisLearn about investigating GuardDuty findings with Detective, entity profiles, and leveraging behavior graphs.Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident ResponseLearn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated ResponseAggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAWS CloudHSM iconAWS CloudHSM SpecializedA service for managing encryption keys using dedicated hardware security modulesAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWS

Similar Articles and Services

Amazon GuardDutyA managed threat detection service that uses machine learning and threat intelligence to continuously monitor and detect threats across AWS accounts and workloadsThreat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident ResponseLearn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.Vulnerability Assessment and Threat Detection - Continuous Security Monitoring with Amazon Inspector and GuardDutyLearn how to design and operate vulnerability assessment and threat detection using Amazon Inspector and Amazon GuardDuty.Data Privacy Protection - Automated Sensitive Data Discovery and Threat Defense with Amazon Macie and GuardDutyLearn practical data privacy protection techniques combining Amazon Macie's automated sensitive data discovery in S3 with Amazon GuardDuty's threat intelligence. This article covers comprehensive security measures from identifying personal information to real-time threat detection.AWS Security Service Integration - Native Threat Detection from GuardDuty to Detective Without a SIEMWe explain the native threat detection mechanism through the integration of GuardDuty, Security Hub, Detective, and Macie, and compare the design philosophy differences with Azure Sentinel.