Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across your AWS environment.
GuardDuty combines machine learning (ML), anomaly detection, and malicious file discovery, using both AWS and industry-leading third-party sources to help protect your AWS accounts, workloads, and data.
GuardDuty is capable of analyzing tens of billions of events across multiple AWS data sources, including AWS CloudTrail logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, and DNS query logs.
GuardDuty also monitors Amazon Simple Storage Service (Amazon S3) data events, Amazon Aurora login events, and runtime activity for Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Compute Cloud (Amazon EC2) (Preview), and Amazon Elastic Container Service (Amazon ECS)—including serverless container workloads on AWS Fargate.
A Low severity level indicates suspicious or malicious activity that was blocked before it compromised your resource.
The primary detection categories include Reconnaissance, Instance compromise, Account compromise, Bucket compromise, Malware detection, and Container compromise.
GuardDuty continuously monitors and analyzes your AWS account and workload event data found in CloudTrail, VPC Flow Logs, and DNS logs.
For programmatic access to AWS accounts, GuardDuty checks for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging, or taking snapshots of a database from a malicious IP address.
GuardDuty helps you access built-in detection techniques developed and optimized for the cloud.
A Medium severity level indicates suspicious activity.
GuardDuty provides three severity levels (Low, Medium, and High) to help customers prioritize their response to potential threats.
GuardDuty provides continuous monitoring across AWS accounts without added cost and complexity.
GuardDuty gives you accurate threat detection of compromised accounts, which can be difficult to detect quickly if you are not continuously monitoring in near real time.
GuardDuty can detect signs of account compromise, such as AWS resource access from an unusual geolocation at an atypical time of day.
Threat intelligence is pre-integrated into the service and is continuously updated and maintained.
Once turned on, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real time and at scale.
With a few more steps in the console, you can activate GuardDuty across multiple accounts.
An example of a High severity finding is a large amount of traffic returned to a remote host hiding behind the Tor network, or activity that deviates from normally observed behavior.
GuardDuty provides comprehensive protection for container workloads across your AWS compute estate that would otherwise be difficult and complex to achieve.
GuardDuty supports multiple accounts through AWS Organizations integration as well as natively within GuardDuty.
GuardDuty adds detection capacity only when necessary and reduces utilization when capacity is no longer needed.
For example, you can automate the response workflow by using EventBridge as an event source to invoke a Lambda function.
There are no additional security software, sensors, or network appliances to deploy or manage.
GuardDuty gives you security at scale, no matter your size.
With one action in the AWS Management Console or a single API call, you can activate GuardDuty on a single account.
GuardDuty offers HTTPS APIs and command line interface (CLI) tools, as well as integration with Amazon EventBridge to support automated security responses to security findings.
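As an added example (not AWS's own code and not from this page), here is a minimal Lambda handler that EventBridge could invoke for each GuardDuty finding, routing it by the Low, Medium and High levels described above. The numeric score bands (1.0 to 3.9, 4.0 to 6.9, 7.0 to 8.9), the sample finding event and the action names are assumptions.

```python
import json

# Score bands GuardDuty maps to Low/Medium/High (assumption from GuardDuty docs; the page names the levels only).
SEVERITY_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 1.0))

# EventBridge rule pattern that routes every GuardDuty finding to this function.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Constructed sample of the event EventBridge delivers for a Tor-related finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/TorClient",
        "severity": 8,
        "accountId": "111122223333",
        "region": "us-east-1",
        "resource": {"resourceType": "Instance"},
    },
}

def severity_label(score):
    """Map a finding's numeric severity to the level names the page uses."""
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Unknown"

def triage_finding(event):
    """Decide the response for one finding; returns a dict so it can be tested offline."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    level = severity_label(float(finding.get("severity", 0)))
    # High: resource is compromised and in active use, so contain it first.
    # Medium: suspicious only, so hand it to an analyst. Low: already blocked, just record it.
    action = {"High": "isolate-resource-and-page-oncall",
              "Medium": "open-analyst-ticket",
              "Low": "record-only"}.get(level, "review-manually")
    return {"action": action, "severity": level,
            "finding_id": finding.get("id"), "finding_type": finding.get("type"),
            "resource_type": finding.get("resource", {}).get("resourceType", "Unknown"),
            "account": finding.get("accountId"), "region": finding.get("region")}

def lambda_handler(event, context):
    """Lambda entry point: triage the finding and emit the decision to CloudWatch Logs."""
    decision = triage_finding(event)
    print(json.dumps(decision))
    return decision
```

The handler only returns a decision; wiring the "isolate" and "ticket" actions to real services (security group changes, credential revocation, a ticketing API) is left to the deployment.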
GuardDuty is designed to automatically manage resource utilization based on the overall activity levels within your AWS accounts, workloads, and data.
Whether you're running workloads with server-level control on EC2 or serverless modern application workloads on ECS with Fargate, GuardDuty detects potentially malicious and suspicious activity, gives you container-level context with runtime monitoring, and helps you identify security coverage gaps in your container workloads across your AWS environment.
A High severity level indicates that the resource in question (for example, an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.
GuardDuty - Continuous monitoring for events across: