What is Amazon GuardDuty?
Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts, workloads and data for malicious or suspicious activity. The service analyzes CloudTrail events, VPC Flow Logs and DNS query logs using machine learning, anomaly detection and threat intelligence. These foundational sources are read directly from the AWS backend, so GuardDuty detects activity such as cryptomining, compromised instances or unusual API calls without you having to enable, collect or parse those logs yourself.
Core Features
- Automatic Log Analysis: Continuous evaluation of CloudTrail management events, VPC Flow Logs and DNS query logs, plus S3 data events when S3 Protection is enabled
- ML-Based Anomaly Detection: Detection of unusual behavior patterns like atypical regions or access times
- Threat Intelligence: Integration of current threat data from AWS and third-party providers
- Findings by Severity: Each finding carries a numeric severity that maps to Low (1.0 to 3.9), Medium (4.0 to 6.9) or High (7.0 to 8.9), so response can be prioritized and automation can be triggered on a threshold
- Multi-Account Management: Centralized management via AWS Organizations
Typical Use Cases
Detection of Compromised Credentials
GuardDuty identifies when access keys or instance credentials are used in ways that deviate from the account's baseline. Typical indicators: API calls from previously unseen regions or IP addresses, calls at unusual times, EC2 instance credentials used from outside AWS, or first-time access to sensitive services. Because the detection is behavioral, the first finding for a legitimate change (a new office, a new CI runner) needs to be reviewed rather than blindly suppressed.
Cryptomining Detection
Compromised EC2 instances are often misused for cryptocurrency mining. GuardDuty recognizes the characteristic indicators in VPC Flow Logs and DNS logs, for example connections to known mining pools or DNS lookups of mining-related domains, and reports them under the CryptoCurrency:EC2 finding family with High severity.
Compliance Monitoring
GuardDuty is a detection service rather than a compliance framework, but its findings are evidence that threat detection is in place and acted upon, which many regulatory frameworks require. Findings can be aggregated in AWS Security Hub, exported to an S3 bucket for retention, or forwarded to a SIEM.
Benefits
- One-click activation without agents or sensors for the foundational data sources (the optional Runtime Monitoring feature for EC2, ECS and EKS does deploy a GuardDuty security agent)
- No performance impact on running workloads, since log-based detection runs entirely outside the workload
- Automatic threat intelligence updates
- Integration with EventBridge for automated responses
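The following is an added example (not code from the original page or from innFactory) of what the EventBridge integration looks like in practice: an EventBridge rule pattern that selects only High-severity findings, a matcher implementing the subset of EventBridge pattern semantics the rule needs, and the decision logic of a response Lambda that maps a finding to a containment action. The finding event, the `QUARANTINE_SG` security group and the instance and key identifiers are constructed placeholders; the finding-type prefixes and resource fields follow the GuardDuty finding format, and no AWS API is called.

```python
"""Severity-based routing of GuardDuty findings via EventBridge.

Added example, not from the original page or innFactory. The event
pattern is the JSON you would pass to `aws events put-rule
--event-pattern`; the handler returns the boto3 call it would make
(service, operation, parameters) so the decision can be reviewed and
tested without touching an account.
"""
import operator

# Constructed EventBridge rule pattern: High-severity findings (>= 7.0) only.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _numeric_matches(value, spec):
    """Evaluate an EventBridge numeric matcher such as [">=", 7, "<", 9]."""
    if not isinstance(value, (int, float)):
        return False
    ops, bounds = spec[0::2], spec[1::2]
    return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(ops, bounds))


def matches_pattern(event, pattern):
    """Subset of EventBridge semantics: every key in the pattern must exist in
    the event; a list of literals matches if the value equals one of them; a
    list entry {"numeric": [...]} is a numeric comparison."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
            continue
        ok = False
        for alt in expected:
            if isinstance(alt, dict) and "numeric" in alt:
                ok = _numeric_matches(actual, alt["numeric"])
            else:
                ok = actual == alt
            if ok:
                break
        if not ok:
            return False
    return True


def plan_response(finding):
    """Map a GuardDuty finding to a containment action (no API call made)."""
    ftype = finding["type"]
    resource = finding["resource"]
    if ftype.startswith("CryptoCurrency:EC2/") and resource["resourceType"] == "Instance":
        # Isolate the instance by swapping its security groups for a deny-all
        # group; QUARANTINE_SG is a hypothetical placeholder.
        return {"service": "ec2", "operation": "modify_instance_attribute",
                "params": {"InstanceId": resource["instanceDetails"]["instanceId"],
                           "Groups": ["QUARANTINE_SG"]}}
    if ftype.startswith("UnauthorizedAccess:IAMUser/") and resource["resourceType"] == "AccessKey":
        # Deactivate (not delete) the key so it can be analyzed and restored.
        details = resource["accessKeyDetails"]
        return {"service": "iam", "operation": "update_access_key",
                "params": {"UserName": details["userName"],
                           "AccessKeyId": details["accessKeyId"],
                           "Status": "Inactive"}}
    # Anything else is escalated to a human rather than auto-remediated.
    return {"service": "sns", "operation": "publish",
            "params": {"Message": f"Manual triage required: {ftype}"}}


def handle_event(event):
    """Lambda-style entry point: apply the rule pattern, then plan a response.
    Returns None for events the rule would not have delivered."""
    if not matches_pattern(event, HIGH_SEVERITY_PATTERN):
        return None
    return plan_response(event["detail"])


# Constructed sample event shaped like the EventBridge envelope of a
# GuardDuty finding; the instance id is a placeholder.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(handle_event(SAMPLE_EVENT))
```

Keeping the matcher and the planner separate means the severity threshold lives in the rule (where it is auditable) and the planner can be unit-tested against recorded findings before it is allowed to call `modify_instance_attribute` or `update_access_key` for real.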
Integration with innFactory
As an AWS Reseller, innFactory supports you with Amazon GuardDuty: setup for multi-account environments, configuration of suppression rules for false positives, and integration with incident response workflows.
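As an added example (not innFactory's tooling and not code from the original page), here is how a suppression rule is expressed and how to check what it would archive before deploying it. A suppression rule is a GuardDuty filter with action ARCHIVE; the criteria below use the `FindingCriteria` structure of the CreateFilter API, with the `Eq`/`Neq`/`Lt`/`Lte`/`Gt`/`Gte` operators of its Condition object. The rule name, the honeypot tag, the finding ids and the use of a numeric comparison on `severity` are assumptions made for illustration; the sample findings are constructed.

```python
"""Dry-run evaluation of a GuardDuty suppression rule.

Added example, not from the original page or innFactory. Evaluates
CreateFilter-style criteria against constructed findings so an
over-broad rule is caught locally instead of silently archiving real
alerts. Equivalent CLI call for the rule below (detector id is yours):
  aws guardduty create-filter --detector-id <id> --name honeypot-probes \
    --action ARCHIVE --finding-criteria file://criteria.json
"""

# Constructed rule: archive port-probe findings against instances tagged as
# honeypots, but never anything at High severity (7.0 and above).
SUPPRESSION_RULE = {
    "name": "honeypot-probes",
    "action": "ARCHIVE",
    "criteria": {"Criterion": {
        "type": {"Eq": ["Recon:EC2/PortProbeUnprotectedPort"]},
        "resource.instanceDetails.tags.value": {"Eq": ["honeypot"]},
        "severity": {"Lt": 7},
    }},
}


def _get_field(finding, dotted):
    """Resolve a dotted path inside a finding. Lists along the path are
    flattened, so a criterion on 'tags.value' matches any tag on the resource."""
    values = [finding]
    for part in dotted.split("."):
        nxt = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        values = nxt
    flat = []
    for v in values:
        flat.extend(v if isinstance(v, list) else [v])
    return flat


_NUMERIC = {"Lt": lambda v, a: v < a, "Lte": lambda v, a: v <= a,
            "Gt": lambda v, a: v > a, "Gte": lambda v, a: v >= a}


def _criterion_matches(values, condition):
    """Apply one Condition (Eq/Neq/Lt/Lte/Gt/Gte) to the resolved field values."""
    for op, arg in condition.items():
        if op == "Eq" and not any(v in arg for v in values):
            return False
        if op == "Neq" and any(v in arg for v in values):
            return False
        if op in _NUMERIC:
            nums = [v for v in values if isinstance(v, (int, float))]
            if not any(_NUMERIC[op](v, arg) for v in nums):
                return False
    return True


def is_suppressed(finding, rule):
    """True when the rule archives and every criterion matches the finding."""
    if rule["action"] != "ARCHIVE":
        return False
    return all(_criterion_matches(_get_field(finding, field), cond)
               for field, cond in rule["criteria"]["Criterion"].items())


def triage(findings, rules):
    """Split findings into those that stay active and those auto-archived."""
    active, archived = [], []
    for f in findings:
        (archived if any(is_suppressed(f, r) for r in rules) else active).append(f)
    return active, archived


# Constructed findings: only f-1 (honeypot probe, Low severity) should be
# archived; the probe against a production host and the High-severity
# cryptomining finding must stay active.
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": {"instanceDetails": {"tags": [{"key": "Role", "value": "honeypot"}]}}},
    {"id": "f-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": {"instanceDetails": {"tags": [{"key": "Role", "value": "web"}]}}},
    {"id": "f-3", "type": "CryptoCurrency:EC2/BitcoinTool.B", "severity": 8,
     "resource": {"instanceDetails": {"tags": [{"key": "Role", "value": "honeypot"}]}}},
]

if __name__ == "__main__":
    active, archived = triage(SAMPLE_FINDINGS, [SUPPRESSION_RULE])
    print("active:", [f["id"] for f in active])
    print("archived:", [f["id"] for f in archived])
```

The point of the dry run is the third finding: a rule keyed only on the honeypot tag would also have archived a High-severity cryptomining finding on that host. Auto-archived findings are not forwarded to EventBridge or Security Hub, so an over-broad suppression rule blinds the incident response workflow downstream without anyone noticing; scope rules on finding type and severity, not just on the resource.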