GuardDuty

Security Specialty

Solution Architect Associate

  • Is a threat detection service that uses machine learning to continuously monitor your AWS accounts and workloads for malicious or unauthorized behavior
  • It monitors for things like:
    • Unusual API calls (e.g. calls coming from known malicious IP addresses)
    • Attempts to disable CloudTrail logging
    • Unauthorized deployments
    • Compromised instances
    • Reconnaissance by would-be attackers
    • Port scanning, failed logins, etc.
  • Sends alerts (called findings) to the GuardDuty console when it detects something; each finding carries a type (e.g. UnauthorizedAccess:EC2/SSHBruteForce) and a severity score
  • Receives threat intelligence feeds from 3rd parties like Proofpoint and CrowdStrike, as well as AWS Security, to keep itself up to date on known malicious IPs and domains
  • Monitors CloudTrail logs (management events), VPC Flow Logs, and DNS logs; it reads these from its own stream, so you do not have to enable CloudTrail or VPC Flow Logs yourself for GuardDuty to see them
  • Provides centralized threat detection across multiple AWS accounts and lets you automate response using CloudWatch Events (now EventBridge) rules that trigger Lambda functions
  • Machine Learning and anomaly detection are used to help with all this
  • When you first enable GuardDuty it takes between 7 and 14 days to establish a baseline of normal activity for the account
  • With that baseline established, it is able to flag behavior it considers a threat (deviations from the baseline, plus matches against the threat intelligence feeds)
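The "automate response using CloudWatch Events and Lambda" bullet is the part worth seeing in code. Below is an added example (not from the original notes and not AWS's own sample) of a Lambda handler that receives a GuardDuty finding through an EventBridge rule, triages it on finding type and severity, and isolates an EC2 instance by swapping its security groups to a quarantine group. The decision logic is pure Python so it runs offline; the AWS calls only happen when boto3 clients are supplied. The sample event, the severity threshold, the quarantine group id and the action names are all constructed assumptions for illustration; the finding type strings and event field names are the real GuardDuty ones.

```python
"""Triage GuardDuty findings delivered via EventBridge (example code, not from the notes)."""
import json

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0 and above.
HIGH_SEVERITY = 7.0
# Assumed: a pre-created security group with no inbound/outbound rules.
QUARANTINE_SG = "sg-0quarantine00000000"

# Constructed sample: the envelope EventBridge wraps around a GuardDuty finding.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "id": "example-finding-id-0001",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {"count": 42},
    },
}


def triage(event):
    """Decide what to do with one finding. Pure function: returns a plan, no side effects."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    severity = float(finding.get("severity", 0))
    ftype = finding.get("type", "")
    resource = finding.get("resource", {})
    plan = {"finding_id": finding.get("id"), "type": ftype, "severity": severity}

    # Tampering with CloudTrail logging is paged regardless of the score.
    if ftype == "Stealth:IAMUser/CloudTrailLoggingDisabled":
        plan.update(action="page_oncall", reason="CloudTrail logging disabled")
        return plan
    if severity < HIGH_SEVERITY:
        plan.update(action="ticket", reason="below high-severity threshold")
        return plan
    if resource.get("resourceType") == "Instance":
        plan.update(action="isolate_instance",
                    instance_id=resource["instanceDetails"]["instanceId"],
                    reason="high-severity finding on an EC2 instance")
        return plan
    if resource.get("resourceType") == "AccessKey":
        key = resource["accessKeyDetails"]
        plan.update(action="disable_access_key",
                    access_key_id=key["accessKeyId"], user_name=key.get("userName"),
                    reason="high-severity finding on an IAM access key")
        return plan
    plan.update(action="page_oncall", reason="high severity, no automated playbook")
    return plan


def isolate_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Replace the instance's security groups with the quarantine group (boto3 EC2 client)."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return instance_id


def disable_access_key(iam, user_name, access_key_id):
    """Set the key to Inactive without deleting it, so it can still be examined (boto3 IAM client)."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    return access_key_id


def lambda_handler(event, context, clients=None):
    """Lambda entry point. `clients` is injectable so the handler can be tested without AWS."""
    if clients is None:  # real deployment: build the clients from the Lambda's role
        import boto3
        clients = {"ec2": boto3.client("ec2"), "iam": boto3.client("iam")}
    plan = triage(event)
    if plan["action"] == "isolate_instance" and "ec2" in clients:
        isolate_instance(clients["ec2"], plan["instance_id"])
    elif plan["action"] == "disable_access_key" and "iam" in clients:
        disable_access_key(clients["iam"], plan["user_name"], plan["access_key_id"])
    print(json.dumps(plan))  # lands in CloudWatch Logs for the audit trail
    return plan


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None, clients={})
```

The EventBridge rule that feeds this handler matches on `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}`; narrowing it with a `detail.severity` filter is usually better than filtering inside the function. Swapping security groups rather than stopping the instance preserves memory and disk for forensics.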