Intelligent Threat Detection using Amazon GuardDuty

Amazon is continuously working on helping its customers design and operate a secure cloud environment and Amazon GuardDuty is the latest addition to the list of managed services that AWS offers. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads[1]. It means that GuardDuty is always keeping an eye out for outliers and it generates alerts that can be easily acted upon to secure your environment from a potential breach.

GuardDuty works its magic by using the following four steps:


  1. Enable GuardDuty: This is the most obvious step, if you want to use the services that GuardDuty offers, you will have to go in your AWS Management console and enable it. There is a fee associated with GuardDuty, but you can kick the tires for free for the first 30 days. It is easy to enable GuardDuty as there is no additional security software or infrastructure to deploy and manage. After the first 30 days, you will be charged for the following two things:
  • CloudTrail Event analysis: GuardDuty continuously analyzes CloudTrail Events, monitoring all access and behavior of your AWS accounts and infrastructure. CloudTrail analysis is charged per 1,000,000 events per month and pro-rated.
  • VPC Flow Log and DNS Log analysis: GuardDuty continuously analyzes VPC Flow Logs and DNS requests and responses to identify malicious, unauthorized, or unexpected behavior in your AWS accounts and workloads. Flow log and DNS log analysis are charged per Gigabyte (GB) per month. Flow log and DNS log analysis are offered with tiered volume discounts.

We will talk about how GuardDuty uses these logs and events in the next section.

  2. Continuously Analyze: Once you have enabled GuardDuty, it automatically analyzes your network and account activity. It gathers data from the following Data Sources to intelligently identify behavior patterns and generate alerts if there is any unusual activity in your account:
  • VPC Flow Logs: VPC Flow Logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC. GuardDuty monitors the VPC Flow Logs using an independent duplicate stream for all the application instances in your AWS account and then triggers alarms when it catches anomalous behavior. You don’t have to enable Flow Logs for GuardDuty to work, but enabling Flow Logs augments the data analysis done by GuardDuty.
  • DNS Logs: DNS Logs help you capture all the queries that are made from your EC2 instances. GuardDuty observes the DNS log queries to identify requests made to known questionable domains. You do not need to be using Route53 as your DNS service to get the benefit of DNS logs.
  • CloudTrail Events: CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Basically, CloudTrail captures any activity in your AWS account done either using the Management Console, AWS SDK, Command Line tools or any other AWS services. GuardDuty uses these CloudTrail events to capture any unauthorized user activity or any attempts to access your AWS resources from unusual source IP addresses.
  3. Intelligently Detect Threats: GuardDuty uses various machine learning algorithms in combination with the data collected from the Data Sources listed above to intelligently publish findings. GuardDuty already has an extensive list of Threat Purpose details, which include:
  • Backdoor: Resource compromised and capable of contacting source home
  • Behavior: Activity that differs from the established baseline
  • Crypto Currency: Detected software associated with Crypto Currencies
  • Pentest: Activity detected that is similar to that generated by known penetration testing tools
  • Recon: Attack scoping vulnerabilities by probing ports, listening, database tables, etc.
  • Stealth: Attack trying to hide actions or tracks
  • Trojan: Program detected carrying out suspicious activity
  • Unauthorized Access: Suspicious activity or pattern by an unauthorized user.

Once GuardDuty identifies a particular threat, it generates a CloudWatch alarm, which makes it easier for the user to take action. GuardDuty has the following three levels of severity:

  • Low: Suspicious or Malicious activity blocked before it compromised a resource. No need to take immediate action
  • Medium: Suspicious activity deviating from normally observed behavior. Users should look at why or what changed in their environment and then take action if the change wasn’t planned or intentional.
  • High: Resource compromised and actively being used for an unauthorized purpose. This requires immediate user action like terminating affected EC2 Instances or rotating IAM Access keys.

Once you are alerted of any suspicious behavior by GuardDuty, you can move on to the next step which is to take Action.

  4. Take Action: As a user, you should take the GuardDuty findings and then create a plan on how to act on them. It is highly recommended to use AWS Lambda to mitigate the high-risk items immediately. If your EC2 instance has been compromised and is being used for Crypto Currency mining, you should write a function that deletes or terminates that particular instance until you identify the root cause of the issue. You can use CloudWatch Events as triggers for your Lambda functions. For the medium to low-risk findings, you should create Lambda functions to send you an SNS notification alerting you about the finding so you can investigate further.
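As an added example (not code from the original post or from AWS), the Python Lambda handler below implements the routing just described: a CloudWatch event carrying a GuardDuty finding is classified by severity, a High finding on an EC2 instance terminates that instance, and everything else is sent to an SNS topic for a human to investigate. The numeric bands (Low 1.0–3.9, Medium 4.0–6.9, High 7.0–8.9) are GuardDuty's documented severity ranges; the SNS topic ARN is a placeholder and the sample event is constructed.

```python
import json

SNS_TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT_ID:guardduty-findings"  # placeholder, not a real ARN

# GuardDuty's numeric severity bands mapped to the Low/Medium/High labels used in the post.
def severity_label(severity):
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"

def plan_action(finding):
    """Decide what to do with one finding (the 'detail' of the CloudWatch event)."""
    label = severity_label(float(finding["severity"]))
    resource = finding.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if label == "High" and resource.get("resourceType") == "Instance" and instance_id:
        # Compromised instance: take it out of service until the root cause is known.
        return {"action": "terminate_instance", "instance_id": instance_id, "severity": label}
    # Low/Medium findings, and High findings on non-instance resources (e.g. access keys),
    # are handed to a human via SNS rather than auto-remediated.
    return {"action": "notify", "severity": label, "type": finding.get("type", "unknown")}

def handler(event, context=None, ec2=None, sns=None):
    """Lambda entry point. ec2/sns clients are injectable so the logic can run without AWS."""
    plan = plan_action(event["detail"])
    if plan["action"] == "terminate_instance":
        if ec2 is None:
            import boto3  # only needed when running inside Lambda
            ec2 = boto3.client("ec2")
        ec2.terminate_instances(InstanceIds=[plan["instance_id"]])
    else:
        if sns is None:
            import boto3
            sns = boto3.client("sns")
        sns.publish(TopicArn=SNS_TOPIC_ARN,
                    Subject="GuardDuty %s finding: %s" % (plan["severity"], plan["type"]),
                    Message=json.dumps(event["detail"], indent=2))
    return plan

# Constructed sample event in the shape CloudWatch Events delivers GuardDuty findings.
SAMPLE_HIGH_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "severity": 8,
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
```

The Lambda role needs only ec2:TerminateInstances and sns:Publish on the one topic, so the function itself stays least-privilege.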


Amazon can only help you identify security risks in your environment using services like GuardDuty, after that it is up to you and how you handle these incidents. Creating an aggressive action plan can be the difference between operating a secure environment vs a vulnerable one.

To summarize, Amazon GuardDuty is an intelligent service that analyzes your applications and AWS accounts to create a baseline and then uses Machine Learning models to identify threats against your accounts in order to generate AWS CloudWatch alarms. You can use these CloudWatch alarms to trigger different Lambda functions that can help you mitigate these threats and maintain a secure AWS environment.
