[AWS] Amazon GuardDuty

GuardDuty is an intelligent threat (anomaly) detection service.

Intelligent threat detection – Amazon GuardDuty – Amazon Web Services


Mechanism

GuardDuty continuously monitors your AWS accounts and workloads and uses machine learning to detect unauthorized or anomalous behavior.

  • GuardDuty uses machine learning for threat detection.
  • It takes 7 to 14 days to establish a baseline of normal behavior.
  • GuardDuty maintains a database of known malicious domains and IPs, updated from third-party threat-intelligence feeds.

Features

  • It has built-in detection for EC2, S3, and IAM.
  • It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs.
  • Findings appear in the GuardDuty console and are delivered as CloudWatch Events.

Use-cases

  • Unusual API calls
  • API calls from known malicious domains or IPs
  • Unauthorized deployments
  • Port scanning
  • Cryptocurrency mining
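Because findings are delivered as CloudWatch Events, the usual consumer is a small piece of code (often a Lambda) that filters and triages them. The script below is an added example, not code from the original post or from AWS. It assumes the documented event envelope (source `aws.guardduty`, detail-type `GuardDuty Finding`, the finding JSON under `detail`) and GuardDuty's severity bands (High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), and it implements only the subset of event-pattern matching it needs (literal lists and a two-operand `numeric` filter). The sample findings are constructed; their `type` strings are real GuardDuty finding types that correspond to the use-cases listed above (port scanning, cryptocurrency mining, API calls from known malicious IPs).

```python
"""Triage GuardDuty findings delivered through CloudWatch Events (EventBridge).

Added example, not part of the original post. Runs offline on constructed
sample events shaped like the documented GuardDuty finding envelope.
"""

# Rule pattern that matches GuardDuty findings with severity >= 7 (the High
# band). This is the filter you would attach to a CloudWatch Events rule so
# that only High findings page someone; everything else can go to a queue.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its documented band."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def _value_matches(allowed, actual) -> bool:
    """One pattern leaf: a list of literal values and/or {"numeric": [op, n]} filters.
    Only the two-operand numeric form is supported here (assumption of this example)."""
    for candidate in allowed:
        if isinstance(candidate, dict) and "numeric" in candidate:
            op, bound = candidate["numeric"]
            if isinstance(actual, (int, float)) and _NUMERIC_OPS[op](actual, bound):
                return True
        elif candidate == actual:
            return True
    return False


def matches_pattern(pattern: dict, event: dict) -> bool:
    """Subset match in the style of an EventBridge event pattern: every key in
    the pattern must exist in the event and match; extra event keys are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(allowed, event[key]):
                return False
        elif not _value_matches(allowed, event[key]):
            return False
    return True


def triage_finding(event: dict) -> dict:
    """Reduce one finding event to the fields a responder looks at first."""
    finding = event["detail"]
    finding_type = finding["type"]
    return {
        "id": finding["id"],
        "type": finding_type,
        # The threat purpose is the prefix before the colon (Recon, Backdoor, ...).
        "threat_purpose": finding_type.split(":", 1)[0],
        "resource": finding["resource"]["resourceType"],
        "severity": severity_label(float(finding["severity"])),
        "page_oncall": matches_pattern(HIGH_SEVERITY_RULE_PATTERN, event),
    }


def triage(events: list) -> list:
    return [triage_finding(e) for e in events]


def _constructed_event(finding_id, finding_type, severity, resource_type) -> dict:
    """Build a constructed sample event in the GuardDuty envelope (sample data, not real)."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {
            "id": finding_id,
            "type": finding_type,
            "severity": severity,
            "accountId": "111122223333",  # constructed account id
            "region": "us-east-1",
            "resource": {"resourceType": resource_type},
        },
    }


# Constructed findings, one per use-case from the post.
SAMPLE_EVENTS = [
    _constructed_event("sample-1", "Recon:EC2/PortProbeUnprotectedPort", 2, "Instance"),
    _constructed_event("sample-2", "CryptoCurrency:EC2/BitcoinTool.B!DNS", 8, "Instance"),
    _constructed_event("sample-3", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", 5, "AccessKey"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Running it prints one triage row per finding; only the cryptocurrency-mining finding (severity 8) matches the High-severity rule pattern, which is exactly the behaviour a CloudWatch Events rule built from `HIGH_SEVERITY_RULE_PATTERN` would have.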
