Module Overview
Estimated Time: 2-3 hours | Difficulty: Intermediate | Prerequisites: AWS Security fundamentals
AWS GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
What You’ll Learn:
GuardDuty data sources and finding types
Enabling and configuring GuardDuty
Understanding and responding to findings
Multi-account management
Automated remediation patterns
How GuardDuty Works
GuardDuty Architecture

Data sources and where GuardDuty routes them:
  VPC Flow Logs, CloudTrail Events, DNS Logs  -> analysis engine (Machine Learning + Threat Intelligence + Anomaly Detection)
  S3 Data Events                              -> Protection Features
  EKS Audit Logs                              -> Runtime Monitoring
  Lambda Network                              -> Network Activity Monitoring
  EC2 Runtime                                 -> Malware Protection

Outputs (findings are delivered to):
  Security Hub
  EventBridge
  S3 Export
  Detective Investigation
  Lambda Auto Remediation
Data Sources
Data Source         What it detects
VPC Flow Logs       Network traffic patterns, unusual ports, crypto mining
CloudTrail Events   API calls, unauthorized access, privilege escalation
DNS Logs            Command & control communication, DNS tunneling
S3 Data Events      Suspicious S3 access patterns, data exfiltration
EKS Audit Logs      Kubernetes API calls, container escape attempts
Lambda Network      Unusual Lambda network activity, cryptomining
Enabling GuardDuty
Console or CLI
# Enable GuardDuty
aws guardduty create-detector \
--enable \
--finding-publishing-frequency FIFTEEN_MINUTES \
--features '[
{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
{"Name": "RUNTIME_MONITORING", "Status": "ENABLED"},
{"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}
]'
# List detectors
aws guardduty list-detectors
# Get detector status
aws guardduty get-detector --detector-id abc123
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty with all protection features
Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
      Features:
        - Name: S3_DATA_EVENTS
          Status: ENABLED
        - Name: EKS_AUDIT_LOGS
          Status: ENABLED
        - Name: EBS_MALWARE_PROTECTION
          Status: ENABLED
        - Name: RDS_LOGIN_EVENTS
          Status: ENABLED
        - Name: LAMBDA_NETWORK_LOGS
          Status: ENABLED
        # RUNTIME_MONITORING covers EKS and EC2 runtime; the agent deployment for each
        # is switched on through AdditionalConfiguration
        - Name: RUNTIME_MONITORING
          Status: ENABLED
          AdditionalConfiguration:
            - Name: EKS_ADDON_MANAGEMENT
              Status: ENABLED
            - Name: EC2_AGENT_MANAGEMENT
              Status: ENABLED
Protection Features
1. S3 Protection
Monitors CloudTrail S3 data events for anomalous access:
Unusual API calls from known malicious IPs
S3 data exfiltration patterns
Anonymous access attempts
Access from Tor exit nodes
# Enable S3 protection
aws guardduty update-detector \
--detector-id abc123 \
--features '[{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]'
2. EKS Protection
Monitors Kubernetes workloads:
# EKS Protection detects:
# - Privileged container launched
# - Container with root access
# - Kubernetes Dashboard exposed
# - Anonymous API access
# - Pod using host network
Features:
  - Name: EKS_AUDIT_LOGS
    Status: ENABLED
  - Name: EKS_RUNTIME_MONITORING
    Status: ENABLED
    AdditionalConfiguration:
      - Name: EKS_ADDON_MANAGEMENT
        Status: ENABLED  # Auto-deploy security agent
3. Malware Protection
Scans EBS volumes for malware:
# Trigger on-demand malware scan (StartMalwareScan takes only the resource ARN;
# the scan runs under the detector of the account that owns the resource)
aws guardduty start-malware-scan \
--resource-arn arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0
4. RDS Protection
Detects suspicious database login activity:
Brute force attempts
Login from unusual locations
Anomalous database access patterns
5. Lambda Protection
Monitors Lambda network activity:
Cryptocurrency mining
Communication with malicious IPs
Unusual network patterns
Finding Types
Severity Levels
Severity   Range      Description           Response Time
Critical   8.9-10.0   Imminent threat       Immediate
High       7.0-8.9    Active compromise     Hours
Medium     4.0-6.9    Suspicious activity   Days
Low        1.0-3.9    Informational         Review
Finding Categories
GuardDuty Finding Categories

Reconnaissance:        Recon:IAMUser/MaliciousIPCaller, Recon:EC2/PortProbeUnprotected
Persistence:           Persistence:IAMUser/NetworkPermissions
Initial Access:        UnauthorizedAccess:IAMUser/ConsoleLogin, InitialAccess:IAMUser/AnomalousBehavior
Credential Access:     CredentialAccess:Kubernetes/SuccessfulAnonymousAccess
Privilege Escalation:  PrivilegeEscalation:Kubernetes/PrivilegedContainer
Impact:                CryptoCurrency: (prefix), Impact:EC2/WinRMBruteForce, Impact:S3/MaliciousIPCaller
Exfiltration:          Exfiltration:S3/MaliciousIPCaller
Trojan:                Trojan:EC2/DNSDataExfiltration, Trojan:Lambda/BlackholeTraffic
Backdoor:              Backdoor:EC2/C&CActivity.B
Behavior:              Behavior:EC2/NetworkPortUnusual
Example Findings
{
  "Finding": {
    "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "Severity": 5,
    "Title": "API GenerateDataKey was invoked from a known malicious IP",
    "Description": "An API was invoked from IP address 198.51.100.0 associated with known malicious activity",
    "Resource": {
      "ResourceType": "AccessKey",
      "AccessKeyDetails": {
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "UserName": "admin",
        "UserType": "IAMUser"
      }
    },
    "Service": {
      "Action": {
        "ActionType": "AWS_API_CALL",
        "AwsApiCallAction": {
          "Api": "GenerateDataKey",
          "ServiceName": "kms.amazonaws.com",
          "RemoteIpDetails": {
            "IpAddressV4": "198.51.100.0",
            "Country": {"CountryName": "Example Country"},
            "City": {"CityName": "Example City"},
            "GeoLocation": {"Lat": 0.0, "Lon": 0.0}
          }
        }
      },
      "Evidence": {
        "ThreatIntelligenceDetails": [{
          "ThreatListName": "ProofPoint",
          "ThreatNames": ["Malware"]
        }]
      }
    }
  }
}
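A small triage helper for the finding above, added here as an illustration (not code from the module or from AWS): it reads the finding with the same code whether it arrives in GetFindings form (PascalCase keys, as printed above) or as an EventBridge event detail (camelCase keys), maps the numeric severity to the level and response time from the table, and names the containment step the module's remediation pattern applies. The sample finding is a constructed, trimmed copy of the one above; the 8.9 boundary shared by High and Critical in the table is assigned to High here (an assumption).

```python
import json

# Severity bands from the module's table (assumption: the shared 8.9 boundary
# goes to High, matching GuardDuty's own 9.0 floor for Critical)
SEVERITY_BANDS = [(9.0, "Critical", "Immediate"), (7.0, "High", "Hours"),
                  (4.0, "Medium", "Days"), (1.0, "Low", "Review")]

# Constructed sample: a trimmed copy of the example finding above (GetFindings form)
SAMPLE_FINDING = json.loads("""{
  "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 5,
  "Resource": {"AccessKeyDetails": {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "UserName": "admin"}},
  "Service": {"Action": {"AwsApiCallAction": {"RemoteIpDetails": {"IpAddressV4": "198.51.100.0"}}},
              "Evidence": {"ThreatIntelligenceDetails": [
                {"ThreatListName": "ProofPoint", "ThreatNames": ["Malware"]}]}}
}""")

def get(obj, *path, default=None):
    """Walk nested dicts matching keys case-insensitively, so one reader handles
    GetFindings JSON (PascalCase) and EventBridge detail JSON (camelCase)."""
    for key in path:
        keys = obj.keys() if isinstance(obj, dict) else ()
        hit = next((k for k in keys if k.lower() == key.lower()), None)
        if hit is None:
            return default
        obj = obj[hit]
    return obj

def severity_level(severity):
    """Map a numeric severity to the module's level and response time."""
    for floor, level, response in SEVERITY_BANDS:
        if severity >= floor:
            return level, response
    raise ValueError(f"severity outside GuardDuty's 1.0-10.0 range: {severity}")

def triage(finding):
    """Summarise a finding and name the containment step the module's remediation Lambda would take."""
    ftype, severity = get(finding, "type"), float(get(finding, "severity"))
    level, response = severity_level(severity)
    if "EC2" in ftype and severity >= 7:
        action = "isolate_instance"
    elif "IAMUser" in ftype and "UnauthorizedAccess" in ftype:
        action = "disable_access_key"
    elif "S3" in ftype and "Exfiltration" in ftype:
        action = "block_public_access"
    else:
        action = "manual_review"
    intel = get(finding, "service", "evidence", "threatIntelligenceDetails", default=[])
    return {"type": ftype, "level": level, "response_time": response, "action": action,
            "remote_ip": get(finding, "service", "action", "awsApiCallAction", "remoteIpDetails", "ipAddressV4"),
            "threat_lists": [get(d, "threatListName") for d in intel]}
```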
Multi-Account Management
Organization Setup
Multi-Account Architecture

  Management Account (Delegated Admin)
    |-- Account Dev
    |-- Account Staging
    `-- Account Prod
          |
          v
  Aggregated Findings in Security Account
Enable Organization
# Designate delegated admin
aws guardduty enable-organization-admin-account \
--admin-account-id 111122223333
# From delegated admin, auto-enable GuardDuty for all existing and new org members
# (--auto-enable-organization-members replaces the older boolean --auto-enable flag)
aws guardduty update-organization-configuration \
--detector-id abc123 \
--auto-enable-organization-members ALL \
--features '[
{"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL"},
{"Name": "EKS_AUDIT_LOGS", "AutoEnable": "ALL"}
]'
# List member accounts
aws guardduty list-members --detector-id abc123
Filtering and Suppression
Trusted IP Lists
# Create trusted IP list
aws guardduty create-ip-set \
--detector-id abc123 \
--name corporate-ips \
--format TXT \
--location s3://my-bucket/trusted-ips.txt \
--activate
# trusted-ips.txt format:
# 10.0.0.0/8
# 192.168.1.0/24
# 203.0.113.50
Threat IP Lists
# Add custom threat intelligence
aws guardduty create-threat-intel-set \
--detector-id abc123 \
--name my-threat-list \
--format TXT \
--location s3://my-bucket/threat-ips.txt \
--activate
Suppression Rules
# Create filter to suppress findings
aws guardduty create-filter \
--detector-id abc123 \
--name suppress-dev-findings \
--action ARCHIVE \
--finding-criteria '{
"Criterion": {
"resource.instanceDetails.tags.key": {
"Equals": ["Environment"]
},
"resource.instanceDetails.tags.value": {
"Equals": ["development"]
},
"severity": {
"LessThan": 5
}
}
}'
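A local evaluator for the filter above, added here as an illustration (not GuardDuty's own matching code): it walks the dotted criterion paths over constructed sample findings and lists which ones an ARCHIVE filter would suppress. It assumes each criterion field is matched on its own, so `tags.key` and `tags.value` are not bound into one key/value pair; the `mixed-tags` sample shows why that makes a filter like this wider than it looks.

```python
# Constructed sample findings in EventBridge (camelCase) form, trimmed to the fields
# the filter inspects; tags is an array, exactly as in a real finding
FINDINGS = [
    {"id": "dev-low", "severity": 4, "resource": {"instanceDetails": {"tags": [
        {"key": "Environment", "value": "development"}]}}},
    {"id": "dev-high", "severity": 8, "resource": {"instanceDetails": {"tags": [
        {"key": "Environment", "value": "development"}]}}},
    {"id": "prod-low", "severity": 3, "resource": {"instanceDetails": {"tags": [
        {"key": "Environment", "value": "production"}]}}},
    {"id": "mixed-tags", "severity": 3, "resource": {"instanceDetails": {"tags": [
        {"key": "Environment", "value": "production"}, {"key": "Owner", "value": "development"}]}}},
    {"id": "iam-key", "severity": 2, "resource": {"accessKeyDetails": {"userName": "admin"}}},
]

# The suppression filter from the CLI example above, as its --finding-criteria object
SUPPRESS_DEV = {"Criterion": {
    "resource.instanceDetails.tags.key": {"Equals": ["Environment"]},
    "resource.instanceDetails.tags.value": {"Equals": ["development"]},
    "severity": {"LessThan": 5},
}}

def values_at(obj, path):
    """Collect every value along a dotted path; lists fan out, so 'tags.key' yields each tag's key."""
    if not path:
        return [obj]
    if isinstance(obj, list):
        return [v for item in obj for v in values_at(item, path)]
    head, _, rest = path.partition(".")
    if isinstance(obj, dict) and head in obj:
        return values_at(obj[head], rest)
    return []

def condition_holds(values, cond):
    """One criterion field holds when some value at its path satisfies each operator."""
    for op, operand in cond.items():
        if op == "Equals":
            ok = any(str(v) in operand for v in values)
        elif op == "LessThan":
            ok = any(float(v) < operand for v in values)
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True

def archived_by(filter_def, findings):
    """Return ids of findings the ARCHIVE filter would suppress (criterion fields are ANDed)."""
    return [f["id"] for f in findings
            if all(condition_holds(values_at(f, field), cond)
                   for field, cond in filter_def["Criterion"].items())]
```

The `mixed-tags` instance is tagged Environment=production, yet it is archived because the value "development" appears on a different tag; keeping suppression filters narrow (and, as the module advises, never on severity alone) limits that blind spot.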
EventBridge Rule
# CloudFormation for auto-remediation
Resources:
  GuardDutyEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: guardduty-high-severity
      Description: Trigger remediation for high severity findings
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
        detail:
          severity:
            - numeric: [">=", 7]
      Targets:
        - Arn: !GetAtt RemediationLambda.Arn
          Id: RemediationFunction
# remediation.py
import boto3

ec2 = boto3.client('ec2')
iam = boto3.client('iam')

ISOLATION_SG_NAME = 'guardduty-isolation'


def lambda_handler(event, context):
    # EventBridge delivers the GuardDuty finding JSON (camelCase keys) in event['detail']
    finding = event['detail']
    finding_type = finding['type']
    severity = finding['severity']
    print(f"Processing: {finding_type} (severity: {severity})")

    # Compromised EC2 instance
    if 'EC2' in finding_type and severity >= 7:
        instance_id = finding['resource']['instanceDetails']['instanceId']
        isolate_instance(instance_id)

    # Compromised IAM credentials
    if 'IAMUser' in finding_type and 'UnauthorizedAccess' in finding_type:
        access_key = finding['resource']['accessKeyDetails']['accessKeyId']
        disable_access_key(access_key)

    # Compromised S3 bucket (s3BucketDetails is a list in the finding JSON)
    if 'S3' in finding_type and 'Exfiltration' in finding_type:
        for bucket in finding['resource'].get('s3BucketDetails', []):
            block_public_access(bucket['name'])

    return {'statusCode': 200}


def isolate_instance(instance_id):
    """Move instance to an isolation security group and snapshot its volumes."""
    print(f"Isolating instance: {instance_id}")
    response = ec2.describe_instances(InstanceIds=[instance_id])
    instance = response['Reservations'][0]['Instances'][0]
    vpc_id = instance['VpcId']

    # Create or get the isolation security group in the instance's VPC
    isolation_sg = get_isolation_sg(vpc_id)

    # Replace all current security groups with the isolation SG
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[isolation_sg]
    )

    # Create snapshots for forensics
    for mapping in instance.get('BlockDeviceMappings', []):
        if 'Ebs' in mapping:
            ec2.create_snapshot(
                VolumeId=mapping['Ebs']['VolumeId'],
                Description=f'Forensic snapshot for {instance_id}',
                TagSpecifications=[{
                    'ResourceType': 'snapshot',
                    'Tags': [
                        {'Key': 'Forensic', 'Value': 'true'},
                        {'Key': 'InstanceId', 'Value': instance_id}
                    ]
                }]
            )


def disable_access_key(access_key_id):
    """Disable compromised access key."""
    print(f"Disabling access key: {access_key_id}")
    # UpdateAccessKey needs the owning user name; the Lambda runs under a role,
    # so look the user up from the key's last-used record
    user_name = iam.get_access_key_last_used(
        AccessKeyId=access_key_id
    )['UserName']
    iam.update_access_key(
        UserName=user_name,
        AccessKeyId=access_key_id,
        Status='Inactive'
    )


def block_public_access(bucket_name):
    """Block public access to bucket."""
    s3 = boto3.client('s3')
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True
        }
    )


def get_isolation_sg(vpc_id):
    """Get or create a security group with no ingress and no egress rules."""
    existing = ec2.describe_security_groups(Filters=[
        {'Name': 'vpc-id', 'Values': [vpc_id]},
        {'Name': 'group-name', 'Values': [ISOLATION_SG_NAME]}
    ])['SecurityGroups']
    if existing:
        return existing[0]['GroupId']

    sg_id = ec2.create_security_group(
        GroupName=ISOLATION_SG_NAME,
        Description='GuardDuty quarantine: no ingress, no egress',
        VpcId=vpc_id
    )['GroupId']
    # A new SG has no ingress rules but a default allow-all egress rule; remove it
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{'IpProtocol': '-1',
                        'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]
    )
    return sg_id
Integration with Security Hub
# Enable Security Hub integration
Resources:
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    Properties:
      Tags:
        Environment: Production
# GuardDuty automatically sends findings to Security Hub
# when both are enabled in the same region
# Query findings in Security Hub
aws securityhub get-findings \
--filters '{
"ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}]
}'
Best Practices
Enable All Regions: Attackers target inactive regions, so enable GuardDuty everywhere
Use Organizations: Centralize management with a delegated administrator account
Automate Response: Use EventBridge + Lambda for automated remediation
Tune Carefully: Use suppression rules sparingly so you don't miss real threats
Cost Optimization
GuardDuty Pricing Model

Data Source          Pricing Basis
VPC Flow Logs        Per GB analyzed (tiered pricing)
CloudTrail Events    Per million events
DNS Logs             Per million queries
S3 Data Events       Per million events
EKS Audit Logs       Per million events
EBS Malware Scan     Per GB scanned
Runtime Monitoring   Per vCPU hour

Cost Estimation:
- Small workload (~100 EC2): $50-100/month
- Medium workload (~500 EC2): $200-500/month
- Large enterprise: $1,000-5,000/month

Tips:
- 30-day free trial for new detectors
- Disable unnecessary protection features
- Use usage metrics to forecast costs
🎯 Interview Questions
Q1: How does GuardDuty differ from other AWS security services?
GuardDuty = Threat detection (finds active threats)
Uses ML and threat intelligence
Analyzes VPC Flow Logs, CloudTrail, DNS
Generates findings for active threats
Inspector = Vulnerability scanning
Security Hub = Aggregation and compliance
Macie = Data classification (PII detection)
Detective = Investigation and forensics
Q2: How would you respond to a high-severity GuardDuty finding?
Immediate : Review finding details and affected resources
Containment : Isolate compromised resources (quarantine SG)
Investigation : Use Detective or CloudTrail for forensics
Remediation : Remove malware, rotate credentials
Recovery : Restore from known-good state
Lessons Learned : Update automation, add preventive controls
Q3: How do you handle false positives?
Validate : Confirm it’s truly a false positive
Trusted IPs : Add corporate IPs to trusted IP list
Suppression Rules : Create filters for known patterns
Avoid Over-Suppression : Don’t suppress severity levels
Document : Keep records of suppression decisions
Hands-On Lab
1. Enable GuardDuty: enable GuardDuty with all protection features in your account
2. Generate Sample Findings: use aws guardduty create-sample-findings to generate test findings
3. Create EventBridge Rule: set up a rule to send high-severity findings to SNS
4. Build Remediation Lambda: create a Lambda that isolates compromised EC2 instances
5. Test End-to-End: trigger a sample finding and verify remediation executes
Next Module
AWS Security Hub Centralized security posture management and compliance