Amazon GuardDuty

It’s a continuous security monitoring service.

It continuously reads from its Data Sources and uses Machine Learning, Artificial Intelligence and threat intelligence feeds to learn what your account’s normal activity looks like and to identify any unexpected or unauthorized behavior. You can also steer its learning by whitelisting trusted IPs and by performing normal operations so that it builds a baseline.

Findings are emitted as events, so EventBridge Rules can match them and either notify (SNS) or start an event-driven remediation (Lambda).
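The following is an added example, not code from the original notes or from AWS: it shows what the EventBridge rule pattern for GuardDuty findings looks like and what a remediation Lambda behind that rule typically does with a finding. The rule pattern, the severity threshold of 7, the sample finding and the handler name are all assumptions made for the example; the matcher implements only the subset of EventBridge pattern semantics the rule uses, so the whole thing runs offline without an AWS account.

```python
"""Added example (not part of the original page): route a GuardDuty finding
delivered through an EventBridge rule to notification or remediation.

Assumptions: the rule pattern, the severity threshold, the constructed sample
finding and the function names below are illustrative choices, not AWS-provided values.
"""
import json

# Hypothetical EventBridge rule pattern. GuardDuty publishes findings with
# source "aws.guardduty" and detail-type "GuardDuty Finding"; this rule keeps
# only findings whose numeric severity is >= 7 (GuardDuty's "High" band).
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed sample event in the EventBridge envelope shape; every value here
# is made up for the example (account, region, ids, instance).
SAMPLE_EVENT = {
    "version": "0",
    "id": "example-event-id",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "id": "example-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0example"},
        },
    },
}

HIGH_SEVERITY = 7  # assumed threshold for automated remediation


def _matches_value(pattern_values, actual):
    """Match one field against an EventBridge-style list of alternatives.

    Supports literal values and the {"numeric": [op, bound]} form used in RULE_PATTERN.
    """
    for alt in pattern_values:
        if isinstance(alt, dict) and "numeric" in alt:
            op, bound = alt["numeric"]
            if not isinstance(actual, (int, float)):
                continue
            if (op == ">=" and actual >= bound) or (op == ">" and actual > bound) \
                    or (op == "<=" and actual <= bound) or (op == "<" and actual < bound) \
                    or (op == "=" and actual == bound):
                return True
        elif alt == actual:
            return True
    return False


def matches_pattern(pattern, event):
    """Recursively apply a pattern to an event (subset of EventBridge semantics):
    every key in the pattern must be present and match; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(expected, event[key]):
                return False
        elif not _matches_value(expected, event[key]):
            return False
    return True


def plan_response(event):
    """Decide what to do with a finding: always notify (SNS); additionally isolate
    the EC2 instance when a high-severity finding names one (Lambda remediation)."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    actions = ["notify"]  # a real handler would publish the summary to an SNS topic here
    if detail["severity"] >= HIGH_SEVERITY and resource.get("resourceType") == "Instance":
        actions.append("isolate_instance")  # e.g. move the instance to a quarantine security group
    return {
        "finding_id": detail["id"],
        "finding_type": detail["type"],
        "severity": detail["severity"],
        "instance_id": resource.get("instanceDetails", {}).get("instanceId"),
        "actions": actions,
    }


def lambda_handler(event, context=None):
    """Lambda entry point: re-check the rule so a misconfigured rule cannot
    trigger remediation on low-severity noise, then plan the response."""
    if not matches_pattern(RULE_PATTERN, event):
        return {"ignored": True}
    return plan_response(event)


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The handler only returns a plan; wiring the "notify" and "isolate_instance" actions to SNS and EC2 API calls is the part that depends on your account and is deliberately left out.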

GuardDuty supports multiple accounts via a Master-Member setup. You enable it on the master account and invite other accounts.

It’s extremely useful for protecting against cryptocurrency-related attacks: there is a DEDICATED finding type for them.

Data Sources

  • Route53 DNS Logs (DNS requests)

  • VPC Flow Logs (traffic metadata)

  • CloudTrail Event Logs (API calls in the account)

      • CloudTrail Management Events (control-plane events)

      • CloudTrail S3 Data Events (interactions with S3 objects)

Optional Data Sources

  • EKS Audit Logs

  • RDS

  • Aurora

  • EBS

  • Lambda