GuardDuty is an intelligent threat (anomaly) detection service.
GuardDuty continuously monitors your AWS accounts and workloads and detects any unauthorized behavior using machine learning.
GuardDuty uses machine learning for threat detection.
- It takes 7~14 days to set a baseline (normal behavior).
- GuardDuty updates a database of known malicious domains or IPs using external feeds from third parties.
- It has Built-in detection for EC2, S3, and IAM
- It monitors CloudTrail, VPC, Flow Logs, and DNS logs
- Alerts appear in the GuardDuty console and CloudWatch Events.
- Unusual API calls
- API calls from known malicious domains or IPs
- Unauthorized deployments
- Port Scanning