Security, Identity & Compliance

    Amazon GuardDuty

    Intelligent threat detection service that continuously monitors your AWS environment for malicious activity

    GuardDuty is like a security guard who never sleeps and watches everything happening in your AWS account. Instead of you manually reviewing thousands of log entries every day looking for suspicious activity, GuardDuty does it automatically using machine learning and threat intelligence. It watches who is calling your AWS APIs (CloudTrail), what traffic is flowing in and out of your instances (VPC Flow Logs), and what DNS lookups your instances make through the VPC's Route 53 Resolver (DNS logs; queries sent to a third-party resolver are not seen). If an EC2 instance suddenly starts mining cryptocurrency, an IAM user's credentials are used from an unexpected country at 3am, or someone is quietly copying data out of your S3 buckets, GuardDuty notices and alerts you. It does not block anything on its own; it is a detector, not a blocker. Think of it as a smoke alarm: it tells you there is a fire, but you still need to decide how to respond.

    GuardDuty automatically ingests three foundational data sources when you enable it: CloudTrail management events, VPC Flow Logs, and DNS logs. No configuration is required, and it reads them independently of whether you have turned on CloudTrail trails or Flow Logs yourself. It applies ML models and threat intelligence feeds (malicious IPs, domains, file hashes) to generate findings with a numeric severity that maps to Low (1.0 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), or Critical (9.0 to 10.0). Extended Threat Detection (on by default, no extra cost) correlates weak signals across sources and time; events that look harmless alone can form a recognizable attack sequence, which GuardDuty surfaces as a single Critical AttackSequence finding. Optional protection plans add coverage for S3 data events, EKS audit logs, EC2 malware scanning, RDS login anomalies, Lambda network activity, and runtime events. Every finding is also emitted as an EventBridge event, which is the hook for automated response; findings additionally flow to Security Hub for aggregation and to Detective for investigation when those services are enabled. Use AWS Organizations with a delegated GuardDuty administrator account to manage it across all member accounts centrally.

    Gotchas & Constraints

    Gotcha #1: GuardDuty only detects; it never blocks. Wire up an EventBridge rule and a Lambda function to act on findings, otherwise alerts sit in the console and go nowhere. Gotcha #2: GuardDuty is region-specific; enable it in every region, including ones you rarely use, because an attacker who lands in an unwatched region is invisible. Gotcha #3: the foundational sources cover CloudTrail management events only; S3 object-level activity (GetObject, PutObject) needs S3 Protection turned on. Constraints: 30-day free trial per account per region, and each protection plan has its own 30-day trial when first enabled; pricing is based on data volume ingested across the foundational sources plus whatever protection plans you enable.
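The region gotcha above is easy to audit rather than remember. The script below, added here as an example (it is not AWS documentation code), walks every enabled region of one account and reports where a detector is missing or disabled. It takes a `client_factory` so the logic can run against the constructed `FakeGuardDuty` doubles embedded here; in practice you pass `lambda r: boto3.client("guardduty", region_name=r)` and the caller needs `guardduty:ListDetectors` and `guardduty:GetDetector` in each region. The detector IDs and region states in the sample are made up for the demonstration.

```python
"""Audit GuardDuty coverage across regions (added example, not AWS code).

GuardDuty detectors are regional: an account is only covered in a region
where a detector exists AND its status is ENABLED. A region with no
detector, or a detector someone disabled, is a blind spot.
"""


def audit_guardduty_coverage(regions, client_factory):
    """Return {region: 'ENABLED' | 'DISABLED' | 'MISSING'}.

    client_factory(region) must return an object exposing the boto3
    GuardDuty calls list_detectors() and get_detector(DetectorId=...).
    """
    coverage = {}
    for region in regions:
        gd = client_factory(region)
        # There is at most one detector per region, so no pagination needed.
        detector_ids = gd.list_detectors().get("DetectorIds", [])
        if not detector_ids:
            coverage[region] = "MISSING"  # never enabled in this region
            continue
        # Existence is not enough; a detector can be left in DISABLED state.
        status = gd.get_detector(DetectorId=detector_ids[0]).get("Status", "DISABLED")
        coverage[region] = status
    return coverage


def uncovered_regions(coverage):
    """Regions that need attention, sorted for stable reporting."""
    return sorted(region for region, status in coverage.items() if status != "ENABLED")


class FakeGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client (test double)."""

    def __init__(self, detector_id=None, status="ENABLED"):
        self.detector_id = detector_id
        self.status = status

    def list_detectors(self):
        return {"DetectorIds": [self.detector_id] if self.detector_id else []}

    def get_detector(self, DetectorId):
        return {"DetectorId": DetectorId, "Status": self.status}


# Constructed sample account: detector IDs and states are invented for the demo.
SAMPLE_ACCOUNT = {
    "us-east-1": FakeGuardDuty("12abc34de56789ef0123456789abcdef", "ENABLED"),
    "eu-west-1": FakeGuardDuty("34def56ab78901cd2345678901bcdef0", "ENABLED"),
    "ap-south-1": FakeGuardDuty("56abc78de90123ef4567890123cdef01", "DISABLED"),
    "sa-east-1": FakeGuardDuty(None),  # the rarely used region nobody enabled
}


def demo():
    coverage = audit_guardduty_coverage(SAMPLE_ACCOUNT, SAMPLE_ACCOUNT.__getitem__)
    return coverage, uncovered_regions(coverage)


if __name__ == "__main__":
    # Offline demonstration against the constructed account.
    coverage, gaps = demo()
    for region, status in coverage.items():
        print(f"{region:12s} {status}")
    print("needs attention:", gaps)

    # Real run (uncomment in an account with credentials configured):
    # import boto3
    # ec2 = boto3.client("ec2", region_name="us-east-1")
    # regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    # live = audit_guardduty_coverage(
    #     regions, lambda r: boto3.client("guardduty", region_name=r))
    # print(uncovered_regions(live))
```

Run it from a scheduled job or a CI step and fail the build when the list of uncovered regions is non-empty; with Organizations auto-enable in place this should stay empty, and a non-empty result usually means a new opt-in region or a detector someone switched off.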

    A SaaS company runs workloads across 40 AWS accounts in 4 regions. Their security team is small and cannot manually review logs. They enable GuardDuty across all accounts and regions using AWS Organizations with auto-enable for new accounts. Three weeks later, GuardDuty generates a Critical finding: 'AttackSequence:IAM/CompromisedCredentials'. Extended Threat Detection correlated a sequence where an IAM access key was used from an unusual IP in Eastern Europe, followed by reconnaissance API calls (ListBuckets, DescribeInstances), creation of a new IAM user, and a large volume of S3 GetObject calls. No single event would have triggered an alert alone, but the sequence is unmistakable. An EventBridge rule fires on any High or Critical GuardDuty finding; a Lambda function automatically disables the compromised IAM access key, sends a PagerDuty alert, and posts the finding details to their #security Slack channel. The team opens Detective from the finding to trace the full scope of access in 20 minutes. They had also enabled S3 Protection and Malware Protection for S3; two days earlier, GuardDuty flagged a separate Medium finding where a newly uploaded file to a public S3 bucket matched a known malware hash, caught before anyone downloaded it.
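The EventBridge-to-Lambda containment step in the scenario above, written out as an added example (not AWS documentation code and not the SaaS company's own function). It assumes an EventBridge rule with the `EVENT_PATTERN` below targets the handler, that the Lambda execution role may call `iam:UpdateAccessKey`, and that the finding is in the classic single-resource shape where the key appears under `detail.resource.accessKeyDetails`. The `SAMPLE_EVENT`, its finding ID and user name are constructed for the demo; the access key ID is the placeholder AWS uses in its own documentation, not a live key. The PagerDuty and Slack fan-out from the scenario is left as a comment, since that is a notification concern rather than the containment logic.

```python
"""Auto-contain a High/Critical GuardDuty finding (added example, not AWS code).

Flow: GuardDuty emits a finding -> EventBridge rule matches severity >= 7
-> Lambda disables the access key named in the finding, then hands an
action record to the alerting step.
"""
import json

# Event pattern for the EventBridge rule. GuardDuty severity is numeric:
# 7.0-8.9 is High, 9.0-10.0 is Critical.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

HIGH = 7.0


def severity_label(score):
    """Map GuardDuty's numeric severity to the console label."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def extract_access_key(finding):
    """Return (access_key_id, user_name), or None if nothing can be disabled.

    Root credentials have no IAM user to act on via UpdateAccessKey, so a
    root finding is escalated to a human rather than auto-remediated.
    """
    details = finding.get("resource", {}).get("accessKeyDetails") or {}
    key_id = details.get("accessKeyId")
    if not key_id or details.get("userType") == "Root":
        return None
    return key_id, details.get("userName")


def handle_finding(event, iam):
    """Disable the compromised key and return an action record.

    `iam` is any object with update_access_key(UserName=, AccessKeyId=,
    Status=); a boto3 IAM client in Lambda, a FakeIAM double in tests.
    """
    finding = event["detail"]
    score = float(finding.get("severity", 0))
    record = {
        "id": finding.get("id"),
        "type": finding.get("type"),
        "severity": severity_label(score),
        "action": "none",
    }
    if score < HIGH:
        return record  # the rule filters already; this is defence in depth
    key = extract_access_key(finding)
    if key is None:
        record["action"] = "escalate"  # nothing safe to disable automatically
        return record
    key_id, user = key
    # Inactive keeps the key for forensics; deleting it would destroy evidence.
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    record.update(action="disabled_key", access_key_id=key_id, user=user)
    return record


def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; tests inject a double

    record = handle_finding(event, boto3.client("iam"))
    print(json.dumps(record))  # CloudWatch log line
    # PagerDuty / Slack notification with `record` would go here.
    return record


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client; records calls."""

    def __init__(self):
        self.calls = []

    def update_access_key(self, **kwargs):
        self.calls.append(kwargs)


# Constructed sample event in the shape EventBridge delivers; not a real finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8.0,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",  # AWS docs placeholder
                "userName": "ci-deploy",
                "userType": "IAMUser",
            },
        },
    },
}

if __name__ == "__main__":
    iam = FakeIAM()
    print(handle_finding(SAMPLE_EVENT, iam))
    print(iam.calls)
```

Setting the key to Inactive rather than deleting it is deliberate: the key stays available for the Detective investigation that follows, and the change can be reversed if the finding turns out to be a false positive. AttackSequence findings from Extended Threat Detection carry their resources in a different shape, so a production handler would need a second extractor for that finding family.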

    The Result

    A multi-stage credential compromise caught and contained in under 30 minutes, malware in S3 caught before distribution, and zero manual log review required.

    Official AWS Documentation