AWS GuardDuty for threat detection

Amazon GuardDuty is a threat detection service that uses machine learning and other techniques to detect malicious activity and unauthorized behavior in your AWS accounts and workloads.
July 13, 2023
Yehonatan Rumyantsev
Cloud Specialist

TL;DR

Amazon GuardDuty is a threat detection service that uses machine learning and other techniques to detect malicious activity and unauthorized behavior in your AWS accounts and workloads. By integrating with other AWS security services, GuardDuty gives you a complete view of your security posture and lets you respond quickly to security threats. It helps you identify and address a range of threats, such as account compromise, infrastructure threats, data leakage, and unauthorized access to confidential information.

GuardDuty continuously monitors your AWS environment, using machine learning to pinpoint potential risks. When it identifies a threat, it generates an alert that you can view in the AWS Management Console or receive through Amazon CloudWatch Events and Amazon SNS notifications. GuardDuty integrates with other AWS security tools, including AWS CloudTrail, Amazon VPC Flow Logs, and AWS WAF, for a holistic view of your security posture.

Read here to see an example of a GuardDuty detection.
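The alert delivery described above (a finding arriving through CloudWatch Events and going out as an SNS notification) can be triaged in code before anyone is paged. The following is an added example, not part of the original article or AWS's own code: the sample event is constructed, and the function names and the page-on-High routing policy are assumptions.

```python
import json

# Constructed sample: a trimmed GuardDuty finding event as CloudWatch Events
# (EventBridge) delivers it. Account, finding ID and instance ID are placeholders.
SAMPLE_EVENT = json.loads("""
{"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
 "account": "111122223333", "region": "us-east-1",
 "detail": {"id": "example-finding-id", "accountId": "111122223333",
            "region": "us-east-1", "severity": 8,
            "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
            "title": "EC2 instance i-99999999 is querying a Bitcoin-related domain.",
            "resource": {"resourceType": "Instance"},
            "service": {"count": 3}}}
""")


def severity_band(score):
    """Map GuardDuty's numeric severity to a band (7.0 and above is High or worse)."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(event):
    """Return a routing decision for one event, or None if it is not a finding."""
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        return None  # ignore anything the rule should not have matched
    d = event["detail"]
    band = severity_band(float(d["severity"]))
    purpose = d["type"].split(":", 1)[0]  # finding types start with the threat purpose
    subject = f"[GuardDuty {band}] {d['accountId']}/{d['region']} {d['type']}"
    # SNS subjects must be ASCII, single-line and under 100 characters.
    subject = subject.encode("ascii", "replace").decode().replace("\n", " ")[:99]
    return {
        "band": band,
        "page_on_call": band == "HIGH",  # assumed policy: lower bands become tickets
        "threat_purpose": purpose,
        "resource_type": d.get("resource", {}).get("resourceType", "unknown"),
        "occurrences": d.get("service", {}).get("count", 1),
        "dedupe_key": d["id"],  # repeat occurrences update the same finding ID
        "subject": subject,
        "body": d.get("title", ""),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

Keying deduplication on the finding ID keeps a finding that GuardDuty updates with new occurrences from paging the on-call engineer repeatedly.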

How will GuardDuty impact the AWS bill:

The cost of using GuardDuty is determined by the number of AWS accounts and the volume of data processed. Data processing charges are based on the number of AWS CloudTrail log files processed and the amount of data examined by Amazon GuardDuty. A single GuardDuty deployment in an AWS account is referred to as an active detector. If you have multiple AWS accounts, GuardDuty must be deployed in each account, and you incur charges for every active detector.

Costs are usage based and include:

  • Per event for PaidS3DataEventsAnalyzed in a region
  • Per GB for the initial 500 GB/month of data analyzed in a region
  • Per CloudTrail event examined in a region
  • Per S3 Data Event for the first 500,000,000 events/month analyzed in a region

To enable Amazon GuardDuty, follow these steps:

  1. Sign in to the AWS Management Console: Navigate to https://aws.amazon.com/ and sign in using your AWS credentials.
  2. Open the GuardDuty console: Once logged in, access the GuardDuty console by typing "GuardDuty" in the "Find Services" search bar, then click on "Amazon GuardDuty" from the search results.
  3. Enable GuardDuty: In the GuardDuty console, click the "Get Started" button. Then, click the "Enable GuardDuty" button to activate the service.
  4. (Optional) Enable GuardDuty in multiple accounts: If you have multiple AWS accounts and want to enable GuardDuty in each, follow the AWS Organizations and multi-account setup guide: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html

After enabling GuardDuty, it will automatically start analyzing AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs to identify potential threats in your AWS environment.