1. Introduction to Amazon GuardDuty and Its Purpose

• As cloud security grows in importance, even DevOps and Cloud Operations engineers are taking on more security-related tasks.
• Amazon GuardDuty is designed to intelligently detect threats and enable security automation to protect AWS accounts from unauthorized or malicious activity.
• GuardDuty is a fully managed threat detection service that leverages machine learning, anomaly detection, and threat intelligence to identify and prioritize threats effectively.
• Once enabled (single-click setup), it requires ongoing monitoring, alert configuration, and remediation processes.
• It continuously analyzes suspicious activities at different levels — account, instance, network, and S3 buckets — such as:
  • Unusual API calls and unauthorized deployments
  • Compromised EC2 instances used for crypto mining, malware, C2 communications, etc.
  • Abnormal outbound network traffic or DoS-like patterns
  • Failed login attempts from specific geographies or malicious IPs
  • Disabling of CloudTrail logging to cover tracks
  • Data exfiltration and credential misuse
• GuardDuty is a native AWS service with usage-based pricing.

2. Capabilities and Protection Scope

• Once activated, GuardDuty can monitor compromised accounts, abnormal behavior, and malware across:
  • EC2, S3, OS, Networking, EKS, ECS, Fargate
• Expanded support from earlier limited service coverage.
• Detects:
  • Crypto mining activity
  • Unusual network behavior

Two levels of threat detection:

• Foundational Threat Detection:
  • Monitors CloudTrail events, VPC Flow Logs, and DNS logs
  • Categorizes findings by severity: Low, Medium, High, Critical
• Extended Threat Detection:
  • Offers broader, multi-stage attack detection
  • Useful for event correlation across accounts
  • Preferred by enterprises, though pricing varies

GuardDuty aggregates and analyzes data from multiple sources to deliver a comprehensive threat assessment. It can be configured to protect sensitive resources like RDS, S3, EBS, and containerized workloads (ECS, EKS, Lambda).

3. Console Walkthrough and Findings Overview

• Access GuardDuty via AWS Console by searching “GuardDuty.”
• The dashboard provides a centralized view of findings — including from other tools like Macie and Inspector, via Security Hub.