What is Amazon GuardDuty? - Amazon GuardDuty

What is Amazon GuardDuty?

Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes specific AWS data sources and logs in your AWS environment. GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning (ML) models to identify unexpected, and potentially unauthorized activity in your AWS environment. This includes the following issues:

  • Escalation of privileges, use of exposed credentials, or communication with malicious IP addresses and domains.

  • Presence of malware on your Amazon EC2 instances and container workloads, and newly uploaded files in your Amazon S3 buckets.

  • Discovery of unusual patterns of login events on your database.

For example, GuardDuty can detect potentially compromised EC2 instances and container workloads serving malware, or mining bitcoin. It also monitors AWS account access behavior for signs of potential compromise, such as unauthorized infrastructure deployments – instances deployed in a Region that has not been used before, or unusual API calls that suggest a change to the password policy to reduce password strength.

Features of GuardDuty

Here are some of the key ways in which Amazon GuardDuty can help you monitor, detect, and manage potential threats in your AWS environment.

Continuously monitors specific data sources and event logs
  • Automatically monitors foundational data sources – When you enable GuardDuty in an AWS account, GuardDuty automatically starts ingesting the foundational data sources associated with that account. These data sources include AWS CloudTrail management events, AWS CloudTrail event logs, VPC flow logs (from Amazon EC2 instances), and DNS logs. You don't need to enable anything else for GuardDuty to start analyzing and processing these data sources to generate associated security findings. For more information, see Foundational data sources.

  • Enable optional GuardDuty protection plans – For enhanced visibility into the security posture of your AWS environment, GuardDuty offers various protection plans that you can choose to enable. Protection plans help you monitor logs and events from other AWS services. These sources include EKS audit logs, RDS login activity, S3 logs, EBS volumes, Runtime monitoring, and Lambda network activity logs. GuardDuty consolidates these log and event sources under the term - Features. You can enable one or more optional protection plans in a supported AWS Region at any time. GuardDuty will start monitoring, processing, and analyzing the activities based on which protection plan you enable. For more information about each protection plan and how it works, see the corresponding protection plan document.


    GuardDuty offers flexibility to use Malware Protection for S3 independently, without enabling the Amazon GuardDuty service. For more information about getting started with only Malware Protection for S3, see GuardDuty Malware Protection for S3. To use all other protection plans, you must enable the GuardDuty service.

Detects presence of malware and generates security findings

When GuardDuty detects potential security threats associated with your AWS resources, it starts generating security findings that provide information about the potentially compromised resource. You may explore generating Sample findings and view the associated Finding details. For information about a complete list of security findings that may be generated against each resource type as identified by GuardDuty, see Finding types.

Manage generated security findings

You may want to set up Amazon EventBridge to receive notifications when GuardDuty generates a finding, use recommended steps to remediate the finding, filter through generated findings to identify trends, or export the findings to an S3 bucket. For more information, see Managing GuardDuty findings.

Integrate with related AWS security services

To further help you analyze and investigate the security trends in your AWS environment, consider using the following AWS security-related services in combination with GuardDuty.

  • Amazon Detective – This service helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources. It then uses machine learning, statistical analysis, and graph theory to generate visualizations that help you to conduct faster and more efficient security investigations. The Detective prebuilt data aggregations, summaries, and context help you analyze and determine the nature and extent of potential security issues.

    For information about using GuardDuty and Detective together, see Integrating GuardDuty with Amazon Detective. To learn more about Detective, see the Amazon Detective User Guide.

  • AWS Security Hub – This service gives you a comprehensive view of the security state of your AWS resources and helps you check your AWS environment against security industry standards and best practices. It does this partly by consuming, aggregating, organizing, and prioritizing your security findings from multiple AWS services (including Amazon Macie) and supported AWS Partner Network (APN) products. Security Hub helps you analyze your security trends and identify the highest priority security issues across your AWS environment.

    For information about using GuardDuty and Security Hub together, see Integrating GuardDuty with AWS Security Hub. To learn more about Security Hub, see the AWS Security Hub User Guide.

Manage multiple-account environment

You can manage a multiple-account AWS environment by either using AWS Organizations (recommended) or by the method of invitation. For more information, see Managing multiple accounts.

PCI DSS Compliance

GuardDuty supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.