Skip to main content
Cloud / AWS / Products / Amazon GuardDuty - Threat Detection

Amazon GuardDuty - Threat Detection

Amazon GuardDuty detects threats in AWS accounts via ML-based analysis of logs, runtime activity, and data access.

Security, Identity & Compliance
Pricing Model Pay-per-use: foundational protection billed by data volume analyzed, optional protection plans billed separately
Availability Available in most AWS regions, check availability per feature/region
Data Sovereignty EU regions available
Reliability SLA as published by the provider SLA

What is Amazon GuardDuty?

Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for suspicious activity. Foundational protection analyzes CloudTrail events, VPC Flow Logs, and DNS logs using machine learning and threat intelligence. Optional protection plans extend monitoring to EKS audit logs, S3 data access, RDS database activity, Lambda network traffic, and runtime activity on EC2, ECS, and EKS.

Core Features

  • Automatic Log Analysis: Continuous evaluation of CloudTrail, VPC Flow Logs, and DNS queries as part of foundational protection
  • ML-Based Anomaly Detection: Detection of unusual behavior patterns like atypical regions or access times
  • Threat Intelligence: Integration of current threat data from AWS and third-party providers
  • Optional Protection Plans: S3 Protection, EKS Protection, RDS Protection, Lambda Protection, Malware Protection, and Runtime Monitoring for EC2, ECS, and EKS can each be enabled independently
  • Findings by Severity: Prioritized alerts as Low, Medium, or High for efficient response
  • Multi-Account Management: Centralized management via AWS Organizations

Typical Use Cases

Detection of Compromised Credentials

GuardDuty identifies when access keys are used from unusual IPs or locations. Typical indicators: logins from new regions, API calls at unusual times, or access to sensitive services.

Runtime and Malware Protection for Containers and Instances

With Runtime Monitoring, GuardDuty detects suspicious behavior directly on EC2, ECS, and EKS workloads, such as cryptomining processes. Malware Protection additionally scans EBS volumes, S3 objects, and AWS Backup data for malicious software.

Compliance Monitoring

For regulatory requirements, GuardDuty continuously documents security status. Findings can be exported to SIEM systems or aggregated with Security Hub.

Benefits

  • Foundational protection can be activated without agents or sensors
  • Modular expansion through optional protection plans based on workload needs
  • Automatic threat intelligence updates
  • Integration with EventBridge for automated responses

Integration with innFactory

As an AWS Reseller, innFactory supports you with Amazon GuardDuty: setup for multi-account environments, selection of appropriate protection plans, configuration of suppression rules for false positives, and integration with incident response workflows.

Typical Use Cases

Threat detection
Anomaly detection
Compliance
Security monitoring

Frequently Asked Questions

What is Amazon GuardDuty?

Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts for suspicious activity. It analyzes logs such as CloudTrail, VPC Flow Logs, and DNS queries using machine learning and threat intelligence.

When should you use GuardDuty?

GuardDuty is suitable for any AWS environment that needs continuous threat detection without deploying its own agents. It is especially useful in multi-account landscapes managed through AWS Organizations and for compliance evidence.

What does Amazon GuardDuty cost?

GuardDuty is billed on a pay-as-you-go basis: foundational protection is based on the volume of logs analyzed, while optional protection plans like Malware Protection or Runtime Monitoring are billed separately using their own pricing units. Current prices are listed on the official pricing page.

What protection plans does GuardDuty offer beyond foundational protection?

Besides the foundational protection, which cannot be disabled, optional plans are available for S3, EKS, RDS, and Lambda, as well as Malware Protection and Runtime Monitoring for EC2, ECS, and EKS. Each plan can be enabled independently.

How does GuardDuty integrate with existing security workflows?

Findings can be processed automatically via EventBridge and aggregated with AWS Security Hub or external SIEM systems, enabling automated responses to threats.

Note: All product information on this page has been compiled with care, but is provided without guarantee and may be outdated or incomplete. Cloud services evolve rapidly — features, pricing, SLAs, and availability change frequently. Authoritative and up-to-date information can only be found on the official product page of AWS (official documentation). This page does not represent an offer by AWS.

AWS Cloud Expertise

innFactory is an AWS Reseller with certified cloud architects. We provide consulting, implementation, and managed services for AWS.

Similar Products from Other Clouds

Other cloud providers offer comparable services in this category. As a multi-cloud partner, we help you choose the right solution.

Google Cloud

Access Approval - Google Cloud Access Control

Access Approval for Google Cloud: manual approval before support accesses your data. Transparency and control for GDPR …

Pricing No extra cost, requires at least …
SLA SLA as published by the provider
Compare →
Google Cloud

Access Transparency - Access Logging

Access Transparency logs Google personnel access to your cloud data. Transparency and compliance for regulated …

Pricing No extra cost, requires at least …
SLA SLA as published by the provider
Compare →
Google Cloud

AI Protection - AI Security

AI Protection in Security Command Center inventories AI assets, scores AI risks via attack-path simulation, and detects …

Pricing Included in SCC Premium/Enterprise, no …
SLA N/A (part of Security Command Center)
Compare →
Google Cloud

Assured Workloads - Compliance Controls for Regulated Workloads

Assured Workloads enables compliance with regulatory requirements for regulated workloads in Google Cloud.

Pricing No additional charge for the service …
SLA SLA as published by the provider
Compare →
Azure

Azure Attestation - Trusted Execution Verification

Azure Attestation verifies the trustworthiness of TEEs like Intel SGX, AMD SEV-SNP, VBS enclaves, and TPM.

Pricing Free
SLA SLA as published by the provider
Compare →
Azure

Azure Cloud HSM - Hardware Security Module

Azure Cloud HSM provides FIPS 140-3 Level 3 validated hardware security modules for cryptographic keys.

Pricing Usage-based per HSM cluster hour, …
SLA SLA as published by the provider
Compare →

39 comparable products found across other clouds.

Ready to start with Amazon GuardDuty - Threat Detection?

Our certified AWS experts help you with architecture, integration, and optimization.

Schedule Consultation