10 Aug 2022


Every organization with any form of internet presence wants to be aware of malicious behavior associated with its infrastructure. AWS Guard Duty is a threat detection service that provides insight into this activity.

Guard Duty monitors your account and workloads for activity such as suspicious API calls and unauthorized deployments. Guard Duty can also identify compromised instances. By using AWS Guard Duty, organizations gain continuous monitoring without additional operational complexity, because Guard Duty runs directly in the AWS infrastructure.

Amazon GuardDuty is a managed, intelligent threat detection service that protects AWS accounts and workloads. It continuously monitors for malicious or undesired activity such as port scans and unauthorized penetration testing. GuardDuty detects unexpected behavior in the AWS environment and generates notifications called Findings, each of which details the underlying security issue. GuardDuty collects its inputs from three log streams: VPC Flow Logs, DNS logs, and CloudTrail events. It can also associate one AWS account with another so that you can view and manage the other account's GuardDuty Findings on its behalf.


How does Guard Duty Work?

Like other AWS services, Guard Duty is activated through the AWS console and starts monitoring all of the resources in your account.

Once enabled, Guard Duty will start monitoring the account and its resources. Guard Duty analyzes VPC Flow Logs, CloudTrail logs and DNS logs. Guard Duty also needs permission to describe EC2 instances and EC2 images.

Once Guard Duty is operational, it will start monitoring the account and reporting any findings in the Findings view of the Guard Duty console.


Looking at Guard Duty Findings

The Settings view can also generate sample findings, which give you a sense of the information Guard Duty will produce.


Clicking on any of the findings allows you to see details on the specific event.

In the finding's detail, Guard Duty will explain what action was taken in response to the event, such as blocking the specific activity from occurring. If you only have a few resources configured in your account, it may take some time for Guard Duty to generate an event. Each finding has a severity level of low, medium or high, which lets organizations choose which events they are going to focus on.


Why should you use Guard Duty?

Eventually, all infrastructure will be subject to some form of malicious activity, especially if that infrastructure is publicly exposed and accessible from the Internet. Guard Duty also watches all activity within the account, so suspicious activity that originates inside the account can be identified as well.

Guard Duty uses rulesets created by AWS from information collected by the AWS security teams, third-party intelligence partners, other anomaly detection sources, and machine learning technology to identify other potentially malicious activity.

Aside from the automated responses Guard Duty can take, the findings can also be integrated into other workflows such as AWS Lambda for automated remediation and prevention.
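To make the two points above concrete, the findings section (severity levels low, medium and high) and the Lambda integration, here is an added example of a small triage function written as an AWS Lambda handler. It is not code from the original post or from AWS; it assumes an EventBridge rule that forwards "GuardDuty Finding" events to the function, and the sample finding events below are constructed for the demonstration (the finding IDs, account and instance IDs are placeholders). The numeric severity bands it maps to labels are the ones AWS documents for GuardDuty findings (Low below 4.0, Medium 4.0 to 6.9, High 7.0 and above).

```python
"""Triage GuardDuty findings delivered through EventBridge (added example, not from the post)."""
import json
from typing import Any, Dict, List

# Severity bands as documented by AWS for the numeric "severity" field of a
# GuardDuty finding: Low < 4.0, Medium 4.0-6.9, High >= 7.0.
SEVERITY_BANDS = (
    (7.0, "HIGH"),
    (4.0, "MEDIUM"),
    (0.0, "LOW"),
)

# Assumption for this example: findings at or above this score page a human,
# everything else is only logged for later review.
ALERT_THRESHOLD = 7.0


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to the label shown in the console."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "UNKNOWN"  # negative scores never occur; kept for completeness


def triage_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the fields a responder needs from an EventBridge finding event
    and decide whether it crosses the alerting threshold."""
    finding = event["detail"]
    score = float(finding["severity"])
    resource = finding.get("resource", {})
    # A finding is about either an EC2 instance or an IAM access key; fall
    # back to the generic resource type when neither is present.
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    access_key = resource.get("accessKeyDetails", {}).get("accessKeyId")
    return {
        "id": finding["id"],
        "type": finding["type"],
        "severity": score,
        "label": severity_label(score),
        "account": finding.get("accountId"),
        "region": finding.get("region"),
        "resource": instance_id or access_key or resource.get("resourceType", "unknown"),
        "alert": score >= ALERT_THRESHOLD,
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point. Assumes an EventBridge rule with the pattern
    {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}."""
    summary = triage_finding(event)
    # A real deployment would publish HIGH findings to SNS or a ticketing
    # system here; this example only writes to the function's CloudWatch log.
    level = "ALERT" if summary["alert"] else "INFO"
    print(f"{level} {json.dumps(summary)}")
    return summary


def _sample_event(finding_id: str, finding_type: str, severity: float) -> Dict[str, Any]:
    """Build a constructed EventBridge event shaped like a GuardDuty finding."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {
            "id": finding_id,
            "type": finding_type,
            "severity": severity,
            "accountId": "111122223333",  # placeholder account
            "region": "us-east-1",
            "resource": {
                "resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0123456789abcdef0"},  # placeholder
            },
        },
    }


# Constructed sample findings: a low-severity port probe and a high-severity
# command-and-control DNS finding, using real GuardDuty finding type names.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _sample_event("example-finding-1", "Recon:EC2/PortProbeUnprotectedPort", 2.0),
    _sample_event("example-finding-2", "Backdoor:EC2/C&CActivity.B!DNS", 8.0),
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        lambda_handler(sample, None)
```

Running the module locally triages both constructed samples; deployed as a Lambda function behind the EventBridge rule named in the docstring, the same handler receives real findings as they are published.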

Finally, there is no additional infrastructure or software to deploy, making AWS Guard Duty an easy “one-click” deployment.



When you first enable Guard Duty, you have a 30-day free trial. After that, charges are based on the volume of log activity analyzed and the amount of infrastructure monitored. The free trial page provides insight into the anticipated monthly costs.


In Conclusion

AWS Guard Duty is an essential tool in the security suite to identify potentially malicious activity in your account and workloads. Organizations should enable the service to identify these activities and either allow Guard Duty to take automated action against the event, or combine the finding with services like AWS Lambda for additional responses.