Master AWS Security: Threat Detection with Amazon GuardDuty

In today’s cloud-powered world, businesses of all sizes are migrating to AWS for its scalability, reliability, and vast array of services. 

As enterprises collect and monitor large amounts of log data across their cloud accounts and workloads, securing their AWS environment is paramount. Managing security in a cloud environment can be a daunting task, and breaches and data leaks are constant threats. So how can businesses secure their cloud environment against cyber threats while keeping it reliable and scalable, without disruptions?

Here’s where Amazon GuardDuty steps in – a powerful threat detection service that safeguards your valuable data and resources. 

What is Threat Detection?

Every business with sensitive information is at risk of cyber threats, no matter its size, industry, or security level. As hackers get smarter and new threats like ransomware emerge, businesses must use tools that constantly watch for potential problems. These tools give alerts if anything suspicious is happening. Without them, businesses can’t catch and stop threats before they cause harm. Detecting unusual behavior early is the key to stopping attacks and responding quickly to keep things safe.

Finding threats in AWS log data is challenging because there’s a lot of information to go through. That’s where tools for threat detection come in handy. Instead of having the IT team do the work manually, security services like Amazon GuardDuty can always keep an eye on the log data.

What is AWS GuardDuty?

AWS GuardDuty is a security service that detects threats and helps you secure your AWS environment.

  • An intelligent threat detection service that continuously monitors your AWS accounts for suspicious activity.
  • Leverages machine learning (ML) to identify anomalies and potential security breaches.
  • Integrates with AWS threat intelligence feeds to stay updated on the latest cyber threats.

Figure 1.1. How AWS GuardDuty works.

The good thing about GuardDuty is that it is highly automated. It finds threats using machine learning, anomaly detection, and third-party threat intelligence, building patterns that surface potential security issues.

Note that GuardDuty doesn’t prevent issues, but only detects them. That’s why GuardDuty alone won’t protect you from issues like DDoS attacks. But you can pair GuardDuty with AWS Shield for maximum security.

Top 5 Reasons Why You Need AWS GuardDuty:

  1. Early Threat Detection: Be proactive! GuardDuty identifies potential threats before they escalate into major security incidents.
  2. Reduced Risk:  GuardDuty minimizes the risk of data breaches, unauthorized access, and other security nightmares.
  3. Simplified Security Management: Free up your IT team’s time! GuardDuty automates threat detection and analysis, letting your team focus on higher-level tasks.
  4. Enhanced Security Posture: GuardDuty strengthens your overall security posture in the AWS cloud.
  5. Continuous Monitoring & Peace of Mind: GuardDuty constantly monitors your AWS environment, giving you peace of mind.

What Logs Does GuardDuty Track?

Some of the data sources are foundational, others are optional. Here are the main log sources that GuardDuty tracks. For all three, GuardDuty starts monitoring automatically right after you enable the service.

  • AWS CloudTrail logs capture API activity in an AWS account. GuardDuty uses them to find unauthorized access or compromised credentials.
  • VPC Flow logs show IP traffic going in and out of the Virtual Private Cloud network.
  • DNS logs record the queries that turn domain names into IP addresses.

Additionally, GuardDuty can track logs within these AWS services:

  • EKS protection includes audit log and runtime monitoring.
  • Lambda network activity logs can show malicious code in Lambda functions.
  • EBS volumes that are attached to EC2 are scanned for malware.
  • RDS login activity shows access threats.
  • S3 protection looks for security risks in API operations.

What are the key features of AWS GuardDuty?

  • Monitors CloudTrail logs, VPC Flow logs, and DNS logs.
  • Integrates with additional AWS services.
  • Assigns severity levels to findings.
  • Sends automated notifications for threats.

What Happens When GuardDuty Finds a Threat

The diagram below clearly explains how GuardDuty handles a threat.

Figure 1.2. AWS GuardDuty pipeline.
  1. GuardDuty findings are sent to CloudWatch Events within 5 minutes of detection.
  2. CloudWatch Events have two destinations: SNS and Firehose. You can apply Lambda functions to refine the findings.
  3. Firehose delivers data to S3 Buckets for long-term storage and to Elasticsearch for analysis.
  4. For visualization and operational insights, you can use Kibana, which is a built-in plugin for Elasticsearch.
  5. Authentication is handled through Cognito user pools.
  6. SNS will notify via email and SMS when GuardDuty identifies a threat.

AWS GuardDuty Capabilities:

  • Detection of unusual behavior: GuardDuty keeps a close eye on any unauthorized attempts to get into your network, even if it’s through API calls. It watches out for anything strange, like logins from unusual locations, misuse of passwords, or a sudden spike in traffic.
  • Malware Detection: It keeps an eye on your network for harmful software, such as trojans and crypto miners. Essentially, it checks the EBS volumes connected to the EC2 instances and container workloads. Please note that scanning for malware costs extra – once the trial period ends, you’ll need to pay for EBS volume snapshots.
  • Data Breaches: GuardDuty watches for signs of data breaches or irregular data transfer patterns in your AWS infrastructure. It’s vigilant for large or unexpected data transfers, unusual access patterns, or any activities that could indicate unauthorized movement or potential loss of data.
  • Network Insecurities: GuardDuty monitors traffic for known malicious botnets or command-and-control servers. It flags suspicious DNS-related activities that might indicate data exfiltration.

How to get started with AWS GuardDuty?

Setting up GuardDuty is straightforward! It requires minimal configuration and integrates seamlessly with your existing AWS environment.

By employing AWS GuardDuty, you gain a powerful threat detection shield for your AWS infrastructure. Its automated analysis, continuous monitoring, and advanced ML capabilities empower you to confidently navigate the cloud security landscape.

Ready to take your security to the next level?

Book a Consultation call with Altimetrik Practitioner and learn how we secure your AWS environment with best-in-class support.

Key Questions about AWS GuardDuty?

There are many security services within AWS, which can make it hard to choose between them. So, let’s look at how GuardDuty differs from the other security services.

  • Security Hub aggregates findings from many AWS services, including GuardDuty. When GuardDuty finds a threat, the finding can be forwarded to Security Hub, where it can be neutralized.
  • Inspector focuses on vulnerabilities in AWS applications, while GuardDuty finds threats in event logs. In other words, GuardDuty looks at what happened, and the Inspector checks what can happen.
  • Macie protects sensitive data in S3 buckets. It can also ensure compliance with regulations like HIPAA. Yet, Macie and GuardDuty serve different purposes, and they don’t directly integrate.
  • Shield protects from DDoS attacks, while GuardDuty can add insights into the attacks to help Shield fight them. These services serve different purposes but can work together to fight DDoS.
  • WAF is a firewall that monitors HTTP and HTTPS traffic. It prevents exploits like SQL injection and XSS in web apps. While GuardDuty works like an antivirus, WAF is an intelligent firewall.
  • Trusted Advisor mainly helps to optimize costs and performance. But it also addresses the security gaps. It can ensure that you follow best practices and standards in security.
  • SIEM looks over the entire network, while GuardDuty checks the entrance to it. GuardDuty is not a SIEM itself; dedicated SIEM tools include Splunk and IBM QRadar.

GuardDuty and Machine Learning

GuardDuty uses machine learning to detect anomalies in the behavior of your account. So, when you first set up GuardDuty it takes between 7 and 14 days to set a baseline as it needs to establish what is normal behavior in your account. Once the baseline has been created, GuardDuty can then actively begin monitoring your account. When active, you will only see findings if GuardDuty detects behavior that it considers a threat.

Each GuardDuty finding has an assigned severity level (Low, Medium, and High) and value (0.1 to 8.9) that reflects the potential risk.

  • “Low” (0.1 – 3.9) level indicates suspicious or malicious activity that was blocked before it compromised your resource.
  • “Medium” (4 – 6.9) level indicates suspicious activity. For example, a large amount of traffic is being returned to a remote host that is hiding behind a network.
  • “High” (7 – 8.9) level indicates that the resource in question (e.g. an EC2 instance or a set of IAM user credentials) is compromised and used for unauthorized purposes.
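The pipeline described earlier (findings delivered to CloudWatch Events, refined by a Lambda function, then pushed to SNS) combined with these severity bands gives a natural first Lambda: classify the finding and decide whether it is worth an email or SMS. This is an added example, not code from the original post. It assumes the standard EventBridge event shape in which the finding sits under `detail`, the thresholds quoted above, and a constructed sample finding for offline testing.

```python
import json

# Severity bands as given above: Low 0.1-3.9, Medium 4-6.9, High 7-8.9.
SEVERITY_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 0.1))

def severity_label(value):
    """Map a numeric GuardDuty severity to its Low/Medium/High label."""
    for label, floor in SEVERITY_BANDS:
        if value >= floor:
            return label
    raise ValueError(f"severity {value} is outside GuardDuty's 0.1-8.9 range")

def triage(event):
    """Route a finding: Medium/High are sent to SNS (email/SMS), Low is logged only."""
    finding = event["detail"]  # EventBridge delivers the finding under "detail"
    label = severity_label(float(finding["severity"]))
    body = {
        "findingId": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "title": finding["title"],
        "resourceType": finding.get("resource", {}).get("resourceType"),
        "count": finding.get("service", {}).get("count", 1),
    }
    return {"severity": label, "notify": label != "Low",
            "subject": f"[GuardDuty {label}] {finding['type']}", "body": body}

def lambda_handler(event, context):
    """Lambda entry point; a real deployment publishes to SNS when decision['notify']."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision

# Constructed sample event (not real data): a High-severity credential-misuse finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID", "accountId": "123456789012", "region": "us-east-1",
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "title": "Credentials for an EC2 instance role were used from outside AWS.",
        "severity": 8,
        "resource": {"resourceType": "AccessKey"},
        "service": {"count": 3},
    },
}

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None)
```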


AWS GuardDuty Best Practices

GuardDuty is highly automated, hence it takes care of itself. There’s a straightforward setup guide mentioned in the reference section of this blog. It only takes a few minutes to enable all foundational services. We can fine-tune GuardDuty as well. This master class by Ryan Holland, Principal, Industry Specialist, AWS, and Nathan Case, Sr. Solutions Architect, AWS shares some handy GuardDuty tips. The link to the webinar is available in reference 2.

Here are some best practices, though:

  • Link all the AWS accounts – If you have multiple accounts, designate one as the GuardDuty administrator (master) account and add the others as members to centralize GuardDuty. You can use the multi-account script to speed up the process.
  • Update your IP Address lists – Both trusted and threat lists. You can purchase threat feeds from third-party companies like CrowdStrike or generate your lists.
  • Use filters to archive expected Findings – When you run a security assessment, you expect GuardDuty alerts. But you don’t have to clutter your findings list with them. Hide and archive them instead.
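The third practice, archiving findings you expect during an authorised security assessment, is done with a GuardDuty filter whose action is ARCHIVE. The block below is an added example, not code from the original post: it builds the filter criteria scoped to one assessment instance and to Recon finding types, evaluates the same criteria locally so the filter can be dry-run against past findings before it is created, and only calls the GuardDuty API from a separate function. The instance ID, finding list and detector ID are placeholders.

```python
# Constructed values for an authorised assessment; placeholders, replace with your own.
ASSESSMENT_INSTANCE = "i-0123456789abcdef0"
EXPECTED_TYPES = ["Recon:EC2/Portscan", "Recon:EC2/PortProbeUnprotectedPort"]

def expected_findings_criteria(instance_id, finding_types):
    """FindingCriteria that scopes the archive filter to expected findings only."""
    return {"Criterion": {
        "resource.instanceDetails.instanceId": {"Equals": [instance_id]},
        "type": {"Equals": finding_types},
        "severity": {"LessThan": 7},  # never auto-archive High findings
    }}

def _lookup(finding, dotted):
    # Resolve a dotted criterion key such as resource.instanceDetails.instanceId.
    cur = finding
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(finding, criteria):
    """Dry-run the criteria locally so the filter can be checked against past findings."""
    for field, cond in criteria["Criterion"].items():
        value = _lookup(finding, field)
        if value is None:
            return False
        if "Equals" in cond and str(value) not in cond["Equals"]:
            return False
        if "LessThan" in cond and not float(value) < cond["LessThan"]:
            return False
        if "GreaterThanOrEqual" in cond and not float(value) >= cond["GreaterThanOrEqual"]:
            return False
    return True

def create_archive_filter(detector_id, name, criteria):
    """Create the filter in GuardDuty; needs boto3 and AWS credentials, so not run offline."""
    import boto3
    return boto3.client("guardduty").create_filter(
        DetectorId=detector_id, Name=name, Action="ARCHIVE", Rank=1, FindingCriteria=criteria)

# Constructed findings: one from the assessment instance, one from an unrelated instance.
ASSESSMENT_FINDING = {"type": "Recon:EC2/Portscan", "severity": 2,
                      "resource": {"instanceDetails": {"instanceId": ASSESSMENT_INSTANCE}}}
OTHER_FINDING = {"type": "Recon:EC2/Portscan", "severity": 2,
                 "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}}}

if __name__ == "__main__":
    crit = expected_findings_criteria(ASSESSMENT_INSTANCE, EXPECTED_TYPES)
    print(matches(ASSESSMENT_FINDING, crit), matches(OTHER_FINDING, crit))  # True False
    # create_archive_filter("PLACEHOLDER_DETECTOR_ID", "assessment-expected", crit)
```

Remove or disable the filter once the assessment window closes, otherwise genuine reconnaissance against that instance stays archived.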

By leveraging the power of AWS GuardDuty, enterprises gain a robust threat detection solution that proactively safeguards AWS infrastructure. With its automated threat analysis, continuous monitoring, and advanced machine learning capabilities, along with seamless integration within the AWS environment, GuardDuty allows complete reliability and helps businesses focus on growth while taking care of security and scalability on the cloud.


Kommuru Venkata Pardhasaradhi