luizmachado.dev


Amazon GuardDuty Deep Dive: Advanced Threat Detection on AWS

Amazon GuardDuty is a fully managed threat detection service that continuously monitors and analyzes event logs from your AWS account to identify potentially malicious activities or unusual behaviors. It uses ML, statistical analysis, and threat intelligence sources to help protect your resources and data on AWS.

---

1. GuardDuty Overview

  • Continuous Threat Detection

GuardDuty remains active in the background, analyzing events from AWS services. It generates findings when it detects anomalies or behaviors that suggest potential threats, such as privilege escalation attempts, suspicious access from malicious IPs, or unusual network traffic patterns.

  • Managed Model

As an AWS-native service, GuardDuty does not require you to manage analysis infrastructure or maintain correlation rules. It uses data obtained from multiple sources and automatically correlates behaviors, leveraging machine learning capabilities and threat intelligence insights.

  • Account and Workload Focus

GuardDuty covers a broad scope: from actions performed at the account level (API calls, compromised credentials, etc.) to network traffic analysis on workloads hosted on AWS (Amazon EC2, ECR, S3, EKS, among others).

---

2. Key Features

2.1 Multi-Source Monitoring

GuardDuty integrates data from different sources to build a cohesive view of security activity:

  1. AWS CloudTrail: includes API events and changes to AWS resources.
  2. VPC Flow Logs: information about network traffic between instances, subnets, and the internet.
  3. DNS Logs (through Amazon Route 53 or AWS-managed DNS resolvers): DNS request records, allowing identification of suspicious queries (for example, to domains known to host malware).

Additionally, new features released over time further expand the scope of protection, such as:

  • ECR Scanning Integration: identifies vulnerable or malicious images in Amazon Elastic Container Registry.
  • Kubernetes Audit Logs (for EKS): monitors Kubernetes cluster-specific events, such as suspicious pod creation, privilege escalation attempts, etc.
  • S3 Protection: scans access behaviors (list, get, put) on S3 buckets to detect suspicious access or exfiltration.

2.2 Machine Learning and Threat Intelligence

  • Anomalous Behavior Detection: GuardDuty uses ML algorithms to compare current behavior with historical patterns, flagging relevant deviations such as high volume of API calls in a short period or traffic to unusual locations.
  • Threat Feeds: AWS aggregates information from trusted sources (for example, AWS Threat Intel, CrowdStrike, Proofpoint) to identify IP addresses associated with malicious activities, phishing, botnets, among others.

2.3 Extended Threat Detection

  • Enhancing Threat Visibility: Announced at re:Invent 2024, Extended Threat Detection enables identification of activities that evolve in stages (multi-stage). For example, an attacker who initially obtains account credentials, then performs network scans, and finally extracts data from S3.
  • Threat Sequence Findings: GuardDuty correlates events over time, relating different resources (EC2, IAM, S3, EKS) to provide a comprehensive alert. This reduces false positives and minimizes investigation time.

---

3. How GuardDuty Works in Practice

  1. Data Collection: GuardDuty continuously ingests logs from services such as CloudTrail, DNS, and VPC Flow Logs.
  2. Analysis: The service normalizes, correlates, and analyzes this data through statistical models, ML, and threat lists (Threat Intel).
  3. Findings: If something suspicious is identified, GuardDuty generates a finding, assigning a classification (severity) and including details about the cause (who, when, which resource was affected).
  4. Integration: You can view findings in the GuardDuty console, in Amazon EventBridge (to trigger workflows), in AWS Security Hub, or via APIs.

---

4. Integration Architecture and Configuration

4.1 Enabling GuardDuty Across Multiple Accounts

  • AWS Organizations:

- You can enable GuardDuty across all member accounts of an Organization in a centralized manner.

- Define an "administrator" account (delegated administrator) that collects all findings, facilitating management and correlation at a global level.

4.2 Integration with AWS Security Hub

  • Consolidated View:

- Security Hub unifies findings from various services (GuardDuty, Inspector, Macie, and partner solutions) in one place, enabling analysis and incident prioritization.

- Create automation rules via Amazon EventBridge to initiate remediation processes. For example, blocking a suspicious IP in a Security Group or triggering a Lambda that revokes compromised keys.

---

5. Advanced Use Cases

5.1 Kubernetes Protection (EKS)

  • EKS Audit Logs: GuardDuty can analyze audit logs (Kubernetes API) in EKS clusters, detecting actions such as suspicious ClusterRole creation, pods in unusual namespaces, or requests attempting to exploit known vulnerabilities.
  • Network Flow Complement: By combining EKS Audit Logs and VPC Flow Logs, you get a unified view that lets you correlate internal cluster configurations with external traffic.

5.2 S3 Protection and Exfiltration Detection

  • S3 Data Events: When enabling S3 protection, GuardDuty monitors bucket access, detecting suspicious patterns:

- Sudden increase in S3 downloads.

- Unusual access from uncommon geographic regions.

- Automated tasks using compromised credentials.

5.3 Automated Incident Response

  • EventBridge and Lambda: Each GuardDuty finding can generate an event in EventBridge. You can configure a flow (rule) to trigger Lambda functions or Step Functions that implement immediate countermeasures:

- Revoke exposed IAM access keys.

- Adjust Security Groups to block suspicious IP addresses or ports.

- Terminate EC2 instances involved in malicious behavior.
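The EventBridge-to-Lambda flow described in 4.2 and 5.3, written out as an added example (this is not code from the original article or from AWS). It shows the EventBridge event pattern that selects High/Critical findings, a parser for the finding envelope EventBridge delivers, and a planning step that decides the countermeasure before any API call is made. The quarantine security group id, the user name and the sample finding are constructed placeholders; clients are injected so the parsing and planning can be exercised without the SDK.

```python
"""Automated response to a high-severity GuardDuty finding delivered via EventBridge.

Added example, not from the original article. Assumes the standard envelope
EventBridge delivers to a Lambda target ({"detail": <GuardDuty finding>}).
"""

# EventBridge rule pattern: only findings with severity >= 7 (High/Critical) reach the Lambda.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"  # placeholder: a deny-all security group you create


def severity_label(score):
    """Map GuardDuty's numeric severity to its label (Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_finding(event):
    """Extract the fields a responder needs from the EventBridge GuardDuty event."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    score = float(detail["severity"])
    parsed = {
        "id": detail["id"],
        "type": detail["type"],
        "severity": score,
        "label": severity_label(score),
        "resource_type": resource.get("resourceType"),
        "account": detail.get("accountId"),
    }
    if parsed["resource_type"] == "AccessKey":
        key = resource["accessKeyDetails"]
        parsed["access_key_id"] = key["accessKeyId"]
        parsed["user_name"] = key.get("userName")
        parsed["user_type"] = key.get("userType")  # IAMUser, AssumedRole, Root, ...
    elif parsed["resource_type"] == "Instance":
        parsed["instance_id"] = resource["instanceDetails"]["instanceId"]
    elif parsed["resource_type"] == "S3Bucket":
        parsed["buckets"] = [b["name"] for b in resource.get("s3BucketDetails", [])]
    return parsed


def plan_response(finding):
    """Decide the countermeasures as data, so the decision can be reviewed or tested before execution."""
    actions = []
    if finding["severity"] < 7.0:
        return actions  # Medium/Low: alert only, no automated change
    rtype = finding["resource_type"]
    if rtype == "AccessKey":
        if finding.get("user_type") == "IAMUser":
            # Deactivate rather than delete: reversible if the finding turns out to be benign.
            actions.append({"action": "deactivate_access_key",
                            "user": finding["user_name"], "key": finding["access_key_id"]})
        else:
            # Role-session credentials have no per-key switch; hand off to a human.
            actions.append({"action": "escalate", "reason": f"{finding.get('user_type')} credentials"})
    elif rtype == "Instance":
        # Isolate instead of terminate so disk and memory stay available for forensics.
        actions.append({"action": "isolate_instance", "instance": finding["instance_id"]})
    elif rtype == "S3Bucket":
        for bucket in finding.get("buckets", []):
            actions.append({"action": "review_bucket_policy", "bucket": bucket})
    return actions


def execute(actions, iam, ec2, quarantine_sg):
    """Apply planned actions with the supplied boto3 clients (injected for offline testing)."""
    for a in actions:
        if a["action"] == "deactivate_access_key":
            iam.update_access_key(UserName=a["user"], AccessKeyId=a["key"], Status="Inactive")
        elif a["action"] == "isolate_instance":
            # Replace every security group on the instance with the quarantine group.
            ec2.modify_instance_attribute(InstanceId=a["instance"], Groups=[quarantine_sg])
        # "escalate" and "review_bucket_policy" are left to a notification step (not shown).


def lambda_handler(event, context):
    import boto3  # imported here so parsing/planning above run without the SDK installed
    finding = parse_finding(event)
    actions = plan_response(finding)
    execute(actions, boto3.client("iam"), boto3.client("ec2"), QUARANTINE_SG)
    return {"finding": finding["id"], "label": finding["label"], "actions": actions}


# Constructed sample event (not a real finding) in the shape EventBridge delivers.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "00example0000000000000000000000",
        "accountId": "123456789012",
        "severity": 8,
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLEKEYID",
                                 "userName": "svc-build", "userType": "IAMUser"},
        },
    },
}

if __name__ == "__main__":
    print(plan_response(parse_finding(SAMPLE_EVENT)))
```

Keeping the plan separate from the execution is what makes the rule safe to run automatically: the Lambda's IAM role only needs `iam:UpdateAccessKey` and `ec2:ModifyInstanceAttribute`, and a false positive costs a reactivated key or a re-attached security group rather than a deleted user or terminated host.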

5.4 Malware Detection

  • Malware Protection: In some regions, GuardDuty offers malware analysis, inspecting data on EC2 instance disks when infection is suspected. It generates findings with details about the detection and the type of malware.

---

6. Cost Metrics and Optimization

  • Pricing Model

- GuardDuty charges based on the volume of logs (events) analyzed. The GuardDuty bill includes processing of CloudTrail Events, VPC Flow Logs, and DNS Logs.

- You can activate the 30-day trial to evaluate the service. After this period, it is recommended to review metrics to adjust scope (for example, enabling or disabling certain features, such as S3 Protection, if they are not needed for all buckets).

  • Reducing Cost

- If you have massive VPC Flow Logs traffic, you can segment what actually needs to be monitored. Even so, be careful not to disable important logs.

- Evaluate selective activation of GuardDuty for EKS or S3 in accounts/resources where the risk is higher, if cost is a critical factor.

---

7. Implementation Best Practices

  1. Enable GuardDuty in All Accounts

- Threats can spread across multiple accounts, especially if keys or roles have been compromised.

  2. Activate S3 and EKS Protection

- Even if you don't process sensitive data, monitoring access and behaviors in S3 and EKS prevents leaks or internal attacks.

  3. Integrate with AWS Security Hub

- Centralize all findings in one location, creating automatic prioritization and escalation rules for your security team.

  4. Automate the Response

- Use Amazon EventBridge to trigger Lambda upon receiving high-severity findings. Implementing fast responses (near real-time) reduces the exposure window.

  5. Maintain Continuous Visibility

- Create dashboards or periodic reports. Some companies configure scripts to send daily/weekly notifications and reports of critical findings.

  6. Educate the Team

- Ensure that the security and DevOps team understands GuardDuty's detection logic, correctly interpreting findings and knowing how to prioritize real incidents.
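A periodic report of critical findings, as mentioned under "Maintain Continuous Visibility", as an added example (not the article's or AWS's code). It builds the `FindingCriteria` filter that GuardDuty's ListFindings API accepts (severity threshold, update window in epoch milliseconds, unarchived only), pages through ListFindings, hydrates the ids with GetFindings in batches of 50, and summarises by finding type and resource type. The detector id comes from the command line; `SAMPLE_FINDINGS` is constructed data in the shape GetFindings returns, so the filter builder and summariser run without AWS access.

```python
"""Daily/weekly summary of unarchived high-severity GuardDuty findings.

Added example, not from the original article. Only fetch_findings() talks to
AWS; build_criteria() and summarize() are pure and run offline.
"""
from collections import Counter
import time


def build_criteria(min_severity=7, lookback_hours=24, now_ms=None):
    """FindingCriteria for ListFindings: severity >= min, updated within the window, not archived.
    updatedAt is compared as epoch milliseconds; now_ms is injectable for deterministic tests."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    since_ms = now_ms - lookback_hours * 3600 * 1000
    return {
        "Criterion": {
            "severity": {"Gte": min_severity},
            "updatedAt": {"Gte": since_ms},
            "service.archived": {"Eq": ["false"]},
        }
    }


def summarize(findings):
    """Group findings by type (count + worst severity) and by affected resource type."""
    by_type = {}
    by_resource = Counter()
    for f in findings:
        entry = by_type.setdefault(f["Type"], {"count": 0, "max_severity": 0.0})
        entry["count"] += 1
        entry["max_severity"] = max(entry["max_severity"], float(f["Severity"]))
        by_resource[f.get("Resource", {}).get("ResourceType", "Unknown")] += 1
    return {"total": len(findings), "by_type": by_type, "by_resource": dict(by_resource)}


def render(summary, min_severity=7, lookback_hours=24):
    """Plain-text report body, worst finding types first."""
    lines = [f"GuardDuty findings (severity >= {min_severity}, last {lookback_hours}h): {summary['total']}"]
    for ftype, e in sorted(summary["by_type"].items(), key=lambda kv: -kv[1]["max_severity"]):
        lines.append(f"  {e['max_severity']:>4}  x{e['count']}  {ftype}")
    lines.append("  by resource: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["by_resource"].items())))
    return "\n".join(lines)


def fetch_findings(detector_id, criteria, region=None):
    """Page through ListFindings, then hydrate ids with GetFindings (API limit: 50 ids per call)."""
    import boto3  # imported here so the offline functions above work without the SDK
    gd = boto3.client("guardduty", region_name=region)
    ids = []
    paginator = gd.get_paginator("list_findings")
    for page in paginator.paginate(DetectorId=detector_id, FindingCriteria=criteria,
                                   SortCriteria={"AttributeName": "severity", "OrderBy": "DESC"}):
        ids.extend(page["FindingIds"])
    findings = []
    for i in range(0, len(ids), 50):
        findings.extend(gd.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + 50])["Findings"])
    return findings


# Constructed sample in the shape GetFindings returns (not real findings).
SAMPLE_FINDINGS = [
    {"Id": "f1", "Type": "Exfiltration:S3/AnomalousBehavior", "Severity": 8.0,
     "Resource": {"ResourceType": "S3Bucket"}},
    {"Id": "f2", "Type": "Exfiltration:S3/AnomalousBehavior", "Severity": 7.0,
     "Resource": {"ResourceType": "S3Bucket"}},
    {"Id": "f3", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance"}},
]

if __name__ == "__main__":
    import sys
    # Usage: python gd_report.py <detector-id>   (no argument: report on the constructed sample)
    if len(sys.argv) > 1:
        findings = fetch_findings(sys.argv[1], build_criteria())
    else:
        findings = SAMPLE_FINDINGS
    print(render(summarize(findings)))
```

Run it from a scheduled EventBridge rule or cron with a role that has `guardduty:ListFindings` and `guardduty:GetFindings`, and pipe the output to SNS or chat. Filtering on `service.archived` keeps findings you have already triaged out of the next report, which is what makes a daily digest readable rather than cumulative.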

---

Reference Material: