Overview
Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts, workloads, and data for malicious or unauthorized activity. It analyzes AWS-native log sources and applies machine learning, anomaly detection, and threat intelligence feeds to detect suspicious behavior. It requires no infrastructure setup and offers a 30-day free trial.
Core Data Sources
- CloudTrail Event Logs – Detect unusual API calls, privilege escalation attempts, or unauthorized actions.
- CloudTrail S3 Data Events – Monitor object-level operations (GET, LIST, DELETE) for potential data exfiltration.
- VPC Flow Logs – Identify abnormal network patterns, port scanning, or connections to known malicious IPs.
- DNS Logs (AWS DNS) – Detect attempts to communicate with suspicious or newly registered domains.
Optional Data Sources
- EKS Audit Logs and Runtime Monitoring – Detect threats in Kubernetes workloads.
- RDS & Aurora Login Activity – Spot brute-force attempts or anomalous database logins.
- S3 Data Events (extended) – Gain deeper insight into object access activity.
- EBS Volume Activity – Identify suspicious access to volume data.
- Lambda Network Activity – Detect unusual outbound connections from serverless workloads.
Architecture & Operation
The GuardDuty engine ingests and correlates data from its sources, applies continuous analysis, and generates security findings. Each finding carries a severity and a type, is surfaced in the GuardDuty console, and can be routed through Amazon EventBridge to trigger automated remediation. Common EventBridge targets are SNS for notifications and Lambda for response actions.
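The EventBridge-to-Lambda routing described above, as an added example that is not from the page or from AWS: a rule pattern that forwards only higher-severity findings, and a handler that parses the finding's type and resource and plans a response. The severity threshold, the isolate/disable policy, and the sample event are constructed assumptions.

```python
"""Triage GuardDuty findings that an EventBridge rule hands to Lambda."""
import json
# Rule pattern forwarding only findings at or above a chosen severity.
# GuardDuty severities are numeric: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},  # threshold is an assumption
}

def severity_band(severity):
    # Map the numeric severity onto the Low/Medium/High bands shown in the console
    if severity >= 7.0:
        return "HIGH"
    return "MEDIUM" if severity >= 4.0 else "LOW"

def parse_finding_type(finding_type):
    # Finding types read Purpose:Resource/ThreatFamily.Mechanism!Artifact
    purpose, rest = finding_type.split(":", 1)
    resource, family = rest.split("/", 1)
    return {"purpose": purpose, "resource": resource, "family": family}

def plan_response(event):
    # Build a response plan from one finding; performs no AWS calls itself
    detail = event["detail"]
    band = severity_band(float(detail["severity"]))
    res = detail.get("resource", {})
    plan = {"finding_id": detail["id"], "band": band,
            "type": parse_finding_type(detail["type"]),
            "actions": ["notify_sns"]}  # every forwarded finding is announced
    # Assumed policy: high-severity finding on an EC2 instance -> isolate it
    if band == "HIGH" and res.get("resourceType") == "Instance":
        plan["actions"].append("isolate_instance:" + res["instanceDetails"]["instanceId"])
    # Assumed policy: a finding tied to an IAM access key -> disable that key
    if res.get("resourceType") == "AccessKey":
        plan["actions"].append("disable_access_key:" + res["accessKeyDetails"]["accessKeyId"])
    return plan

def lambda_handler(event, context):
    plan = plan_response(event)
    print(json.dumps(plan))  # lands in CloudWatch Logs for the responders
    return plan

# Constructed sample event in the shape EventBridge delivers to the function.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"id": "sample-finding-id", "severity": 8,
                           "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
                           "resource": {"resourceType": "Instance",
                                        "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
```

The action strings are a plan only; wiring them to EC2 security-group changes or IAM key updates is where the actual remediation permissions would be needed.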
Common Use Cases
- Detecting compromised IAM credentials via unusual API usage.
- Identifying cryptocurrency mining activity on EC2 instances.
- Monitoring for data exfiltration attempts over DNS or S3.
- Detecting reconnaissance activities such as port scanning.
Benefits
- No agents to install or maintain.
- Continuous monitoring with minimal operational overhead.
- Integration with AWS security and automation services for rapid incident response.