Amazon GuardDuty
💡 Definition
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior to protect your AWS resources.
🔑 Key Concepts
- Continuous Monitoring: Uses machine learning, anomaly detection, and integrated threat intelligence to monitor for threats.
- Data Sources: Analyzes data from AWS CloudTrail event logs, VPC Flow Logs, and DNS logs.
- Findings: Generates security findings with varying levels of severity (Low, Medium, High) when potential threats are detected.
- Fully Managed: No software to deploy or manage. It's enabled with a few clicks.
⚙️ How it Works
When enabled, GuardDuty immediately starts monitoring activity across your AWS account using its internal threat intelligence feeds. For example, it can detect an EC2 instance communicating with a known malicious IP address, or an unusual API call recorded in CloudTrail from an unexpected location. Findings are delivered to the GuardDuty console, AWS Security Hub, and Amazon EventBridge (formerly CloudWatch Events), where rules can route them to notifications or automated responses.
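Worked example of the EventBridge delivery path described above. This is an added illustration, not code from the original notes or from AWS: it shows an EventBridge event pattern that selects only GuardDuty findings with severity 7 or higher, a minimal matcher for that pattern subset, and a constructed sample finding. The `triage` helper, the severity band table, and the sample event are assumptions for illustration; the band boundaries follow the GuardDuty documentation.

```python
import operator

# GuardDuty severity bands (score -> console label); assumption: boundaries per GuardDuty docs.
SEVERITY_BANDS = (("Low", 1.0, 3.9), ("Medium", 4.0, 6.9),
                  ("High", 7.0, 8.9), ("Critical", 9.0, 10.0))

def severity_label(score):
    """Map a numeric GuardDuty severity score to its Low/Medium/High(/Critical) label."""
    for label, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    return "Unknown"

# EventBridge rule pattern: fire only for GuardDuty findings with severity >= 7.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}

def _alt_matches(value, alt):
    """One pattern alternative: a literal, or {"numeric": [op, n, op, n, ...]}."""
    if isinstance(alt, dict) and "numeric" in alt:
        spec = alt["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 5]
        return isinstance(value, (int, float)) and all(
            _OPS[op](value, thr) for op, thr in zip(spec[::2], spec[1::2]))
    return value == alt

def matches(event, pattern):
    """Subset of EventBridge matching: literal lists, nested objects, numeric comparisons."""
    for key, allowed in pattern.items():
        value = event.get(key)  # a missing key never matches
        if isinstance(allowed, dict):  # nested object such as "detail"
            if not (isinstance(value, dict) and matches(value, allowed)):
                return False
        elif not any(_alt_matches(value, alt) for alt in allowed):  # list = OR
            return False
    return True

# Constructed sample event (not a real finding), trimmed to the fields the rule inspects.
SAMPLE_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                  "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8}}

def triage(event, pattern=HIGH_SEVERITY_PATTERN):
    """Label the finding and report whether the high-severity rule would route it onward."""
    detail = event["detail"]
    return {"type": detail["type"], "band": severity_label(detail["severity"]),
            "routed": matches(event, pattern)}
```

In a real deployment the pattern dictionary is what you paste into the EventBridge rule; the matcher only exists here so the threshold can be exercised offline.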
🎯 Use Cases
- Malicious IP Detection: Identifying instances or accounts communicating with IPs on known-malicious threat intelligence lists.
- Anomaly Detection: Notifying about unusual API activity (e.g., calls from a foreign country at an odd hour).
- Compromised Instances: Detecting cryptocurrency mining, denial of service attacks, or port scanning from within your instances.
💰 Pricing Model
- Data Volume: Primarily charged based on the volume of AWS CloudTrail event logs, VPC Flow Logs, and DNS logs analyzed by GuardDuty.
📝 Exam Tips (CLF-C02)
- Keywords: "Threat detection", "Continuous monitoring", "Malicious activity", "Unauthorized behavior".
- It's an intelligent threat detection service whose findings can be aggregated in AWS Security Hub.
- Fully managed and uses machine learning.
See Also:
- AWS Security Hub
- CloudTrail
- VPC Flow Logs
- AWS Config