[AWS] Amazon GuardDuty

GuardDuty is an intelligent threat (anomaly) detection service.

GuardDuty continuously monitors your AWS accounts and workloads and uses machine learning to detect unauthorized or anomalous behavior.


Mechanism

GuardDuty uses machine learning for threat detection.

  • It takes 7~14 days to establish a baseline of normal behavior.
  • GuardDuty maintains a database of known malicious domains and IPs, updated from third-party threat intelligence feeds.

Features

  • It has built-in detection for EC2, S3, and IAM.
  • It monitors CloudTrail logs, VPC Flow Logs, and DNS logs.
  • Alerts (findings) appear in the GuardDuty console and in CloudWatch Events.

Use-cases

  • Unusual API calls
  • API calls from known malicious domains or IPs
  • Unauthorized deployments
  • Port scanning
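As an added example (not code from the original post), here is a small Python triage handler for a GuardDuty finding delivered through the CloudWatch Events rule mentioned above: it splits the finding type into its ThreatPurpose:ResourceType/ThreatFamily parts, maps the numeric severity to GuardDuty's documented Low/Medium/High bands, and picks a route. The event below is constructed sample data in the "GuardDuty Finding" detail-type shape; the routing names are assumptions.

```python
# Added example, not part of the original post. Triages one GuardDuty finding
# as delivered by a CloudWatch Events / EventBridge rule (detail-type
# "GuardDuty Finding"). Sample values below are constructed, not real findings.
from typing import Any, Dict


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its documented bands."""
    if severity >= 7.0:
        return "HIGH"      # 7.0 - 8.9
    if severity >= 4.0:
        return "MEDIUM"    # 4.0 - 6.9
    return "LOW"           # 0.1 - 3.9


def parse_finding_type(finding_type: str) -> Dict[str, str]:
    """Split 'ThreatPurpose:ResourceType/ThreatFamily' into its three parts."""
    purpose, _, rest = finding_type.partition(":")
    resource, _, family = rest.partition("/")
    return {"purpose": purpose, "resource": resource, "family": family}


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return a routing decision for a CloudWatch Events GuardDuty finding."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    parts = parse_finding_type(detail["type"])
    label = severity_label(float(detail["severity"]))
    # Assumed routing policy: page on HIGH, ticket on MEDIUM, log-only on LOW.
    route = {"HIGH": "page-oncall", "MEDIUM": "open-ticket", "LOW": "log-only"}[label]
    # API calls from a known malicious IP (one of the post's use cases) are
    # escalated regardless of the numeric severity.
    if parts["purpose"] == "UnauthorizedAccess" and "MaliciousIPCaller" in parts["family"]:
        route = "page-oncall"
    return {"id": detail["id"], "severity": label, "route": route, **parts}


# Constructed sample event in the CloudWatch Events envelope.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {"id": "EXAMPLE-finding-id", "type": "Recon:EC2/Portscan",
               "severity": 5, "resource": {"resourceType": "Instance"}},
}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```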
