A Five Minute Overview of AWS Guard Duty

(If you would prefer to listen to this article, click this link to hear it using Amazon Polly. It will also be available in iTunes: search for LabR Learning Resources.)


Every organization with any form of internet presence wants to be aware of malicious behavior associated with their infrastructure. AWS Guard Duty is a threat detection service available to provide insights into this activity.

Guard Duty monitors your account and workloads for activity such as suspicious API calls and unauthorized deployments. Guard Duty can also identify compromised instances. By using AWS Guard Duty, organizations have continuous monitoring without any additional complexity, as Guard Duty is implemented directly in the AWS infrastructure.

How does Guard Duty Work

Like other AWS services, Guard Duty is activated through the AWS console, and starts monitoring all of the resources in your account.

Once enabled, Guard Duty will start monitoring the account and resources. Guard Duty analyzes VPC Flow logs, CloudTrail logs and DNS logs. Additionally, Guard Duty needs permission to describe EC2 instances and EC2 images.

Once Guard Duty is operational, it will start monitoring the account and reporting any findings in the Findings view of the Guard Duty console.

Looking at Guard Duty Findings

It is also possible in the Settings view to generate sample findings for you to get a sense of what Guard Duty will generate in terms of information.

Clicking on any of the findings allows you to see details on the specific event.

In the findings detail, Guard Duty will explain what action was taken in response to the event, such as blocking the specific activity from occurring. If you only have a few resources configured in your account, it may take some time for Guard Duty to generate an event. Each of the findings has a severity level including low, medium and high. This allows organizations to choose which events they are going to focus on.

Why Should you use Guard Duty

Eventually, all infrastructure will be subject to some form of malicious activity, especially if that infrastructure is publicly exposed and accessible from the Internet. However, Guard Duty is watching all activity within the account, so any suspicious activity which is happening within the account can also be identified.

Guard Duty uses rulesets created by AWS from information collected by the AWS Security teams, third party intelligence partners, other anomaly detection sources, and machine learning technology to identify other potential malicious activity.

Aside from the automated responses Guard Duty can take, the findings can also be integrated into other workflows such as AWS Lambda for automated remediation and prevention.
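
The Lambda integration described above, combined with the low, medium and high severity levels, as an added example (not code from the original article or from AWS): it plans a response to one finding delivered to a Lambda function. Delivery through an EventBridge rule, the numeric severity cut-offs (4.0 and 7.0), the quarantine security group `sg-EXAMPLE` and the sample event are assumptions constructed for illustration.

```python
import json

def severity_label(score):
    # Assumed bands: below 4.0 low, 4.0 to 6.9 medium, 7.0 and above high.
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def plan_response(event, quarantine_sg="sg-EXAMPLE"):  # hypothetical group with no rules
    """Turn one delivered finding event into a response plan; makes no AWS calls."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore"}
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    label = severity_label(float(detail.get("severity", 0)))
    plan = {"finding_id": detail.get("id"), "type": detail.get("type"),
            "severity": label, "action": "log"}
    if label == "medium":
        plan["action"] = "notify"
    elif label == "high" and resource.get("resourceType") == "Instance" and instance_id:
        plan.update(action="isolate", instance_id=instance_id, security_group=quarantine_sg)
    elif label == "high":
        plan["action"] = "page"  # nothing to isolate (e.g. an access key): hand to a human
    return plan

def apply_plan(plan, ec2_client):
    """Isolate by swapping the instance's security groups; ec2_client is boto3.client('ec2')."""
    if plan["action"] == "isolate":
        ec2_client.modify_instance_attribute(
            InstanceId=plan["instance_id"], Groups=[plan["security_group"]])
    return plan["action"]

def handler(event, context):
    """Lambda entry point: logs the plan only; call apply_plan once the plans look right."""
    plan = plan_response(event)
    print(json.dumps(plan))  # written to the function's CloudWatch log stream
    return plan

# Constructed sample event, not a real finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "constructed-finding-id", "severity": 8,
               "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT, None)
```

Keeping the planning step free of AWS calls lets you replay sample findings through it before granting the function permission to change security groups.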

Finally, there is no additional infrastructure or software to deploy, making AWS Guard Duty an easy “one-click” deployment.


When you first enable Guard Duty, you have a 30-day free trial. After that, charges are based on the amount of activity in the log files and the quantity of infrastructure. The free trial page provides some insight into the anticipated monthly costs.

In Conclusion

AWS Guard Duty is an essential tool in the security suite to identify potentially malicious activity in your account and workloads. Organizations should enable the service to identify these activities and either allow Guard Duty to take automated action against the event, or combine the finding with services like AWS Lambda for additional responses.


[AWS Guard Duty Overview](https://aws.amazon.com/guardduty/)

UPDATE April 9, 2019: An AWS Online Tech Talk on how to remediate Security Hub and Guard Duty findings is available on YouTube.

Copyright 2019, Chris Hare

Written by

Chris is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications.
