AWS GuardDuty is a threat detection service offered by Amazon that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, workloads, and data stored in Amazon S3. The managed, cloud-hosted service begins analyzing the AWS environment as soon as an IT or security administrator enables GuardDuty in the AWS Management Console.
In this article we look at Amazon GuardDuty, its features, its advantages and everything else you should know about it.
What Is AWS GuardDuty?
Amazon GuardDuty is a managed threat detection service that leverages machine learning, malware detection and integrated threat intelligence to identify and prioritize potential threats. AWS is the most popular cloud platform for technical organizations: Amazon has massive infrastructure around the world and many years of experience running it. Whether your network is entirely in the cloud or you run a hybrid network, AWS saves your business a lot of money and physical space. Even so, you must carefully and thoroughly monitor your AWS network, both for functionality and for cybersecurity reasons.
Key Features of Amazon GuardDuty
Once you enable Amazon GuardDuty, it starts processing the corresponding foundational data sources within your AWS environment. GuardDuty uses these data sources to process a stream of events, including VPC Flow Logs, DNS logs, and AWS CloudTrail management and event logs. It then analyzes these events to identify potential security threats and generates findings in your account. In addition to log data sources, GuardDuty can use additional data from other AWS services in your AWS environment to monitor and analyze for potential security threats. Key features of GuardDuty include:
1. Accuracy and Effectiveness
Amazon GuardDuty delivers effective and accurate detection of compromised accounts, something that is hard to notice quickly unless you are continuously monitoring the relevant signals in near real time. GuardDuty can detect signs of account compromise or threats, such as AWS resource access from an uncommon location at an unusual time of day.
2. Continuous Monitoring
AWS GuardDuty continuously monitors and evaluates AWS account and workload data from AWS CloudTrail, VPC Flow Logs, and DNS logs. You can aggregate threat detection across multiple AWS accounts instead of working account by account, and you are not obliged to collect, analyze, or correlate massive amounts of AWS data from numerous accounts yourself.
3. Severity Levels
Amazon GuardDuty has three severity categories, Low, Medium and High, to help clients prioritize their response to possible attacks. A “Low” severity means that suspicious or malicious activity was discovered and kept from endangering your resource. A “Medium” severity denotes activity of a suspicious nature. A “High” severity indicates that a resource is actively being used for nefarious purposes.
4. Highly Available Threat Detection
Amazon GuardDuty is designed to monitor your AWS accounts, workloads, and Amazon S3 data automatically, scaling with resource utilisation. GuardDuty increases detection capacity precisely when it is required and decreases it when it is no longer needed.
5. One-click Deployment
Amazon GuardDuty can be enabled on a single account with a single AWS Management Console click or API request. With a few additional steps, you can enable GuardDuty in the console for several accounts. Amazon GuardDuty has native support for multiple accounts as well as integration with AWS Organizations.
Advantages of Amazon GuardDuty
Centralized Management
GuardDuty allows monitoring of multiple accounts. You can aggregate all your accounts under a single administrator account for easy management. This is especially beneficial for large enterprises with a dedicated security team, which can then focus on the business as a whole.
Completely Automated
It provides fully automated monitoring. You only need to provide your IP addresses, nothing else. Within a few clicks you can enable it, with no need to worry about the underlying hardware, configuration, setup, or management.
Cost-Efficient
Pricing is based on the volume of CloudTrail events, Amazon VPC Flow Logs and DNS logs analyzed, so you are charged according to your data and workload. Billing is usage-based; there is no flat price.
Comprehensive Threat Identification
GuardDuty offers up-to-date, integrated and comprehensive threat identification techniques and tools for monitoring your data. It helps monitor unexpected or unusual access to your data, cryptocurrency mining, and other malicious activity.
Disadvantages of GuardDuty
GuardDuty has no drawbacks serious enough to keep users from adopting it, but it does depend on several other AWS services, such as CloudTrail events, DNS logs and VPC Flow Logs, whose output it analyzes in order to produce its findings.
Cost Concerns
GuardDuty’s usage-based pricing model, tied to the volume of analyzed data, can lead to unpredictable and potentially high costs, especially in large or highly active environments.
AWS-Specific
GuardDuty is designed to work within the AWS environment, limiting its effectiveness if your infrastructure spans multiple cloud providers or includes significant on-premises resources.
Alert Fatigue
The service can generate a high volume of alerts, including false positives, leading to alert fatigue and potentially causing security teams to miss critical alerts.
Limited Customization
GuardDuty offers limited customization of detection rules and logic, which restricts users compared with more customizable SIEM tools.
Detection-Only, No Prevention
GuardDuty focuses only on threat detection without providing direct preventive controls, necessitating additional tools and mechanisms for responding to and mitigating identified threats.
How Does GuardDuty Work?
GuardDuty analyzes billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
GuardDuty detects three main types of threats:
1. Compromised instances
GuardDuty detects unusual spikes in network traffic, as well as hijacked resources, such as an EC2 instance being controlled from an external IP address.
2. Reconnaissance
Reconnaissance is the stage in which attackers gather information about a network. GuardDuty detects activity that suggests reconnaissance, such as probing of unblocked ports from a known malicious IP, VPC port scanning, and unusual API activity.
3. Compromised Accounts
GuardDuty detects common patterns such as API calls from unusual locations, updates that weaken the account’s password policy, and API calls from known malicious IPs.
Why Should You Use GuardDuty?
Any infrastructure can be affected by malicious activity, especially if it is publicly exposed and reachable from the Internet. GuardDuty, however, watches all activity within the account, so suspicious activity happening inside the account can also be identified. GuardDuty uses a set of rules created by AWS from information collected by the AWS security teams, third-party intelligence partners and other anomaly detection sources, together with machine learning, to identify other potentially malicious activity.
In addition, GuardDuty can drive automated responses: its findings can be integrated into other workflows, such as AWS Lambda functions for automated remediation and prevention. Finally, AWS GuardDuty requires no additional infrastructure or software deployment, making it easy to set up with a simple “one-click” activation.
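As an added example (not code from the article or from AWS), the following Lambda-style handler shows how a finding delivered through an EventBridge rule can be sorted into the Low/Medium/High levels described earlier and mapped to a response step. The sample event is constructed, the action labels are assumptions, and the field names follow GuardDuty's finding schema.

```python
# Added example (not code from the article or AWS): triage a GuardDuty finding
# as a Lambda function receives it from an EventBridge rule that matches source
# "aws.guardduty" and detail-type "GuardDuty Finding". Severity bands per AWS docs.
ACTION_BY_LABEL = {"High": "auto_remediate", "Medium": "open_ticket", "Low": "record_only"}

# Constructed sample event, trimmed to the finding fields used below.
SAMPLE_EVENT = {"detail": {
    "type": "CryptoCurrency:EC2/BitcoinTool.B", "severity": 8, "accountId": "111122223333",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0example1234567890"}},
    "service": {"action": {"networkConnectionAction": {
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
}}

def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to the three levels the article lists."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def triage_finding(event: dict) -> dict:
    """Extract what a responder needs and pick a response label; the caller performs it."""
    d = event["detail"]
    resource = d.get("resource", {})
    rtype = resource.get("resourceType")
    # The affected resource id lives in a type-specific sub-object of the schema.
    rid = None
    if rtype == "Instance":
        rid = resource.get("instanceDetails", {}).get("instanceId")
    elif rtype == "AccessKey":
        rid = resource.get("accessKeyDetails", {}).get("userName")
    elif rtype == "S3Bucket":
        rid = (resource.get("s3BucketDetails") or [{}])[0].get("name")
    # The remote IP sits under whichever action type produced the finding.
    action = d.get("service", {}).get("action", {})
    ips = [action.get(k, {}).get("remoteIpDetails", {}).get("ipAddressV4")
           for k in ("networkConnectionAction", "awsApiCallAction")]
    label = severity_label(float(d.get("severity", 0)))
    return {"finding_type": d.get("type"), "account": d.get("accountId"),
            "severity": label, "resource_type": rtype, "resource_id": rid,
            "remote_ip": next((ip for ip in ips if ip), None),
            "action": ACTION_BY_LABEL[label]}

def lambda_handler(event, context):
    """Lambda entry point wired to the EventBridge rule."""
    return triage_finding(event)
```

Matching only findings with `"severity": [{"numeric": [">=", 7]}]` in the EventBridge rule's `detail` pattern keeps the Lambda from being invoked for the Low and Medium findings it would only record.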
AWS GuardDuty Use Cases
1. Protect your Workloads
It can detect whether your EC2 instance is mining cryptocurrency or communicating with IP addresses and domains associated with known malicious actors.
2. Protect your AWS Credentials
It detects whether your AWS credentials are being used in an unusual or suspicious manner, such as from IP addresses associated with known malicious actors.
3. Protect Your Data stored in Amazon S3 buckets
It identifies when data stored in your Amazon S3 buckets is accessed in an unusual or suspicious manner, such as when an unusual volume of objects is retrieved from an odd location, or when the S3 bucket is accessed from IP addresses associated with known malicious actors.
What is the Pricing Model of AWS GuardDuty?
- Amazon GuardDuty offers a pay-as-you-go pricing model for its threat detection service. GuardDuty prices are based on the volume of service logs, events, workloads, or data analyzed.
- When you activate GuardDuty for the first time in an account, the default GuardDuty threat detection coverage, as well as the available protection plan coverage, is enabled automatically.
- You can customize how new accounts inherit the different protection plans in GuardDuty, except for Runtime Monitoring, which every account has to enable manually in the console.
- With GuardDuty protection plans, you have the flexibility to decide which plans to turn on or off at any time. The default threat detection, however, cannot be disabled while GuardDuty is active in an account.
GuardDuty Accounts Management with AWS Organizations
- Using GuardDuty with an AWS Organization, you can delegate GuardDuty administration to any account inside the organization.
- Only the organization management account has the authority to designate a GuardDuty delegated administrator.
- The delegated administrator account can view the other accounts in the organization and add them as GuardDuty member accounts.
Important Considerations For GuardDuty Delegated Administrators
- The maximum number of member accounts for each GuardDuty delegated administrator is 5,000. You will be alerted if you have more than 5,000 member accounts via CloudWatch, the AWS Health Dashboard, and an email sent to the delegated administrator account.
- Unlike AWS Organizations, GuardDuty is a regional service. To enable account management across all desired Regions using AWS Organizations, GuardDuty delegated administrators and their member accounts must be added in each Region.
- There can be only one delegated administrator account. If you have designated an account as the delegated administrator in one Region, it must serve as your delegated administrator in all other Regions.
- It is not recommended to make your organization’s management account the delegated administrator. Although the management account can serve as the delegated administrator, AWS security best practices advise against this, based on the principle of least privilege.
- When the delegated administrator is changed, GuardDuty remains enabled for member accounts. Although all associated member accounts are removed as GuardDuty members when the delegated administrator is removed, GuardDuty itself is not disabled in those accounts.
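Because GuardDuty is regional, the delegated administrator has to be registered in every Region in use; the following is an added example (not code from the article or from AWS) of an idempotent per-Region loop that does so and refuses to silently replace a different administrator. The GuardDuty API operation names are real; the fake client, the three Regions' starting states and the account ids are constructed, and for real use the factory would be `lambda r: boto3.client("guardduty", region_name=r)`.

```python
# Added example (not code from the article or AWS): GuardDuty is a regional
# service, so the same delegated administrator must be registered in every
# Region you use. list_organization_admin_accounts and
# enable_organization_admin_account are the real API operations; the client
# factory is injectable so the loop runs offline against a constructed fake.
from typing import Callable

def current_admin(gd):
    """Return the account id already enabled as delegated admin, or None."""
    for a in gd.list_organization_admin_accounts().get("AdminAccounts", []):
        if a.get("AdminStatus") == "ENABLED":
            return a["AdminAccountId"]
    return None

def ensure_delegated_admin(admin_id: str, regions: list, factory: Callable) -> dict:
    """Idempotently register admin_id per Region; never silently replaces another admin."""
    report = {}
    for region in regions:
        gd = factory(region)
        existing = current_admin(gd)
        if existing == admin_id:
            report[region] = "already_admin"
        elif existing is None:
            gd.enable_organization_admin_account(AdminAccountId=admin_id)
            report[region] = "enabled"
        else:
            # A different admin is registered; changing it is a deliberate, separate step.
            report[region] = f"conflict:{existing}"
    return report

class FakeGuardDuty:
    """Constructed stand-in: admin_id models the Region's current delegated admin."""
    def __init__(self, admin_id=None):
        self.admin_id, self.calls = admin_id, []

    def list_organization_admin_accounts(self):
        if self.admin_id is None:
            return {"AdminAccounts": []}
        return {"AdminAccounts": [{"AdminAccountId": self.admin_id, "AdminStatus": "ENABLED"}]}

    def enable_organization_admin_account(self, AdminAccountId):
        self.calls.append(AdminAccountId)
        self.admin_id = AdminAccountId
        return {}

def demo() -> dict:
    """Three constructed Regions in different starting states."""
    fakes = {"us-east-1": FakeGuardDuty("222233334444"), "eu-west-1": FakeGuardDuty(),
             "ap-south-1": FakeGuardDuty("999988887777")}
    return ensure_delegated_admin("222233334444", list(fakes), fakes.__getitem__)
```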
Choose Supportfly For AWS Services Management
We provide Managed AWS Professional Services, including GuardDuty, with expert guidance and support to help you unlock the full potential of your AWS cloud environment. With our dedicated team of experts you can come to understand the numerous benefits and solutions of AWS professional services and how they can boost your business growth.
Keep your AWS environment running at peak performance with our continuous AWS Monitoring and Support services. Our experts provide 24×7 monitoring, real-time alerts, and swift incident response to ensure your AWS infrastructure remains healthy and secure. Monitoring your EC2 instances is essential for identifying and resolving issues before they escalate. Our regular EC2 Monitoring service provides real-time insights into your instances’ health, performance, and resource utilization.
Conclusion
Ultimately, AWS GuardDuty is an essential tool in the security suite for identifying potentially malicious activity within your accounts and workloads. Organizations should enable this service to detect such activity and either let GuardDuty take automated actions or integrate its findings with other services. If you have further questions, feel free to contact us.