
# AWS GuardDuty

> Intelligent threat detection service for protecting your AWS accounts and workloads

<Frame>
  <img src="https://mintcdn.com/devweeekends/sTu6A4whRFPJo0_g/images/aws/guardduty-architecture.svg?fit=max&auto=format&n=sTu6A4whRFPJo0_g&q=85&s=f2dbdda6e81d94381f43556fa5acf4be" alt="AWS GuardDuty Architecture" width="1080" height="1080" data-path="images/aws/guardduty-architecture.svg" />
</Frame>

## Module Overview

<Info>
  **Estimated Time**: 2-3 hours | **Difficulty**: Intermediate | **Prerequisites**: AWS Security fundamentals
</Info>

AWS GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Think of GuardDuty as a security analyst who never sleeps -- it watches your VPC flow logs, CloudTrail events, and DNS queries 24/7, looking for patterns that indicate compromise: crypto-mining on your EC2 instances, data exfiltration from S3, brute-force attempts against your databases, or API calls from known malicious IP addresses. The key advantage over building your own detection: GuardDuty combines machine learning and anomaly detection with threat intelligence feeds curated by AWS and its partners, so it catches threats that most custom rule-based systems would miss.

**What You'll Learn:**

* GuardDuty data sources and finding types
* Enabling and configuring GuardDuty
* Understanding and responding to findings
* Multi-account management
* Automated remediation patterns

***

## How GuardDuty Works

```
┌─────────────────────────────────────────────────────────────────────────┐
│                        GuardDuty Architecture                            │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│   Data Sources                   GuardDuty                Outputs       │
│   ────────────                   ─────────               ────────        │
│                                                                          │
│   ┌──────────────┐          ┌─────────────────┐     ┌────────────────┐  │
│   │ VPC Flow Logs│─────────▶│                 │────▶│ Security Hub   │  │
│   └──────────────┘          │   Machine       │     └────────────────┘  │
│                             │   Learning      │                         │
│   ┌──────────────┐          │       +         │     ┌────────────────┐  │
│   │ CloudTrail   │─────────▶│   Threat        │────▶│ EventBridge    │  │
│   │ Events       │          │   Intelligence  │     └────────────────┘  │
│   └──────────────┘          │       +         │                         │
│                             │   Anomaly       │     ┌────────────────┐  │
│   ┌──────────────┐          │   Detection     │────▶│ S3 Export      │  │
│   │ DNS Logs     │─────────▶│                 │     └────────────────┘  │
│   └──────────────┘          └─────────────────┘                         │
│                                                                          │
│   ┌──────────────┐                                  ┌────────────────┐  │
│   │ S3 Data      │─────────▶   (Protection         │ Detective      │  │
│   │ Events       │              Features)          │ Investigation  │  │
│   └──────────────┘                                  └────────────────┘  │
│                                                                          │
│   ┌──────────────┐          ┌─────────────────┐     ┌────────────────┐  │
│   │ EKS Audit    │─────────▶│ Runtime         │────▶│ Lambda Auto    │  │
│   │ Logs         │          │ Monitoring      │     │ Remediation    │  │
│   └──────────────┘          └─────────────────┘     └────────────────┘  │
│                                                                          │
│   ┌──────────────┐                                                      │
│   │ Lambda       │─────────▶   Network Activity                         │
│   │ Network      │              Monitoring                              │
│   └──────────────┘                                                      │
│                                                                          │
│   ┌──────────────┐                                                      │
│   │ EC2 Runtime  │─────────▶   Malware Protection                       │
│   └──────────────┘                                                      │
│                                                                          │
└─────────────────────────────────────────────────────────────────────────┘
```

***

## Data Sources

<CardGroup cols={2}>
  <Card title="VPC Flow Logs" icon="network-wired">
    Network traffic patterns, unusual ports, crypto mining
  </Card>

  <Card title="CloudTrail Events" icon="file-lines">
    API calls, unauthorized access, privilege escalation
  </Card>

  <Card title="DNS Logs" icon="globe">
    Command & control communication, DNS tunneling
  </Card>

  <Card title="S3 Data Events" icon="bucket">
    Suspicious S3 access patterns, data exfiltration
  </Card>

  <Card title="EKS Audit Logs" icon="dharmachakra">
    Kubernetes API calls, container escape attempts
  </Card>

  <Card title="Lambda Network" icon="function">
    Unusual Lambda network activity, cryptomining
  </Card>
</CardGroup>

***

## Enabling GuardDuty

### Console or CLI

```bash theme={null}
# Enable GuardDuty
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES \
  --features '[
    {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
    {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    {"Name": "RUNTIME_MONITORING", "Status": "ENABLED"},
    {"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}
  ]'

# List detectors
aws guardduty list-detectors

# Get detector status
aws guardduty get-detector --detector-id abc123
```

### CloudFormation

```yaml theme={null}
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty with all protection features

Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
      Features:
        - Name: S3_DATA_EVENTS
          Status: ENABLED
        - Name: EKS_AUDIT_LOGS
          Status: ENABLED
        - Name: EBS_MALWARE_PROTECTION
          Status: ENABLED
        - Name: RDS_LOGIN_EVENTS
          Status: ENABLED
        - Name: LAMBDA_NETWORK_LOGS
          Status: ENABLED
        # RUNTIME_MONITORING covers EKS, ECS Fargate and EC2 workloads; the
        # runtime agents are deployed for you through AdditionalConfiguration
        - Name: RUNTIME_MONITORING
          Status: ENABLED
          AdditionalConfiguration:
            - Name: EKS_ADDON_MANAGEMENT
              Status: ENABLED
            - Name: EC2_AGENT_MANAGEMENT
              Status: ENABLED
```

***

## Protection Features

### 1. S3 Protection

Monitors CloudTrail S3 data events for anomalous access:

* Unusual API calls from known malicious IPs
* S3 data exfiltration patterns
* Anonymous access attempts
* Access from Tor exit nodes

```bash theme={null}
# Enable S3 protection
aws guardduty update-detector \
  --detector-id abc123 \
  --features '[{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]'
```

### 2. EKS Protection

Monitors Kubernetes workloads:

```yaml theme={null}
# EKS Protection detects:
# - Privileged container launched
# - Container with root access
# - Kubernetes Dashboard exposed
# - Anonymous API access
# - Pod using host network

Features:
  - Name: EKS_AUDIT_LOGS
    Status: ENABLED
  - Name: EKS_RUNTIME_MONITORING
    Status: ENABLED
    AdditionalConfiguration:
      - Name: EKS_ADDON_MANAGEMENT
        Status: ENABLED  # Auto-deploy security agent
```

### 3. Malware Protection

Scans the EBS volumes attached to EC2 instances for malware, either automatically when a finding indicates malware or on demand:

```bash theme={null}
# Trigger an on-demand malware scan of the volumes attached to one instance.
# StartMalwareScan takes only the resource ARN; it has no --detector-id option.
aws guardduty start-malware-scan \
  --resource-arn arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0
```

### 4. RDS Protection

Detects suspicious database login activity:

* Brute force attempts
* Login from unusual locations
* Anomalous database access patterns

### 5. Lambda Protection

Monitors Lambda network activity:

* Cryptocurrency mining
* Communication with malicious IPs
* Unusual network patterns

***

## Finding Types

### Severity Levels

| Severity | Range    | Description         | Response Time |
| -------- | -------- | ------------------- | ------------- |
| Critical | 9.0-10.0 | Imminent threat     | Immediate     |
| High     | 7.0-8.9  | Active compromise   | Hours         |
| Medium   | 4.0-6.9  | Suspicious activity | Days          |
| Low      | 1.0-3.9  | Informational       | Review        |

### Finding Categories

```
┌─────────────────────────────────────────────────────────────────────────┐
│                     GuardDuty Finding Categories                         │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│   Reconnaissance              Persistence                                │
│   ──────────────              ───────────                               │
│   Recon:IAMUser/              Persistence:IAMUser/                      │
│     MaliciousIPCaller           NetworkPermissions                      │
│   Recon:EC2/PortProbeUnprotected                                        │
│                                                                          │
│   Initial Access              Credential Access                          │
│   ──────────────              ─────────────────                         │
│   UnauthorizedAccess:         CredentialAccess:                         │
│     IAMUser/ConsoleLogin        Kubernetes/                             │
│   InitialAccess:                SuccessfulAnonymousAccess               │
│     IAMUser/AnomalousBehavior                                           │
│                                                                          │
│   Privilege Escalation        Impact                                     │
│   ────────────────────        ──────                                    │
│   PrivilegeEscalation:        CryptoCurrency:                           │
│     Kubernetes/               Impact:EC2/WinRMBruteForce                │
│     PrivilegedContainer       Impact:S3/MaliciousIPCaller               │
│                                                                          │
│   Exfiltration                Trojan                                     │
│   ────────────                ──────                                    │
│   Exfiltration:               Trojan:EC2/DNSDataExfiltration            │
│     S3/MaliciousIPCaller      Trojan:Lambda/BlackholeTraffic            │
│                                                                          │
│   Backdoor                    Behavior                                   │
│   ────────                    ────────                                  │
│   Backdoor:EC2/               Behavior:EC2/                             │
│     C&CActivity.B             NetworkPortUnusual                        │
│                                                                          │
└─────────────────────────────────────────────────────────────────────────┘
```

### Example Findings

```json theme={null}
{
  "Finding": {
    "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "Severity": 5,
    "Title": "API GenerateDataKey was invoked from a known malicious IP",
    "Description": "An API was invoked from IP address 198.51.100.0 associated with known malicious activity",
    "Resource": {
      "ResourceType": "AccessKey",
      "AccessKeyDetails": {
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "UserName": "admin",
        "UserType": "IAMUser"
      }
    },
    "Service": {
      "Action": {
        "ActionType": "AWS_API_CALL",
        "AwsApiCallAction": {
          "Api": "GenerateDataKey",
          "ServiceName": "kms.amazonaws.com",
          "RemoteIpDetails": {
            "IpAddressV4": "198.51.100.0",
            "Country": {"CountryName": "Example Country"},
            "City": {"CityName": "Example City"},
            "GeoLocation": {"Lat": 0.0, "Lon": 0.0}
          }
        }
      },
      "Evidence": {
        "ThreatIntelligenceDetails": [{
          "ThreatListName": "ProofPoint",
          "ThreatNames": ["Malware"]
        }]
      }
    }
  }
}
```
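The finding type string encodes the category chart above: `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact`, with the last two parts optional. As an added example (not part of the original page), the following Python splits that scheme into its components, maps the numeric severity onto the bands from the table (Critical begins at 9.0 in AWS's documentation) and reduces a GetFindings-style finding to a triage summary; the sample input is the page's own example finding, trimmed.

```python
import re
from typing import Optional

# GuardDuty finding types follow the naming scheme
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# where the DetectionMechanism and Artifact parts are optional.
FINDING_TYPE_RE = re.compile(
    r'^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/'
    r'(?P<family>[^.!]+)(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$'
)

# Severity bands as AWS documents them (Critical starts at 9.0), highest first
SEVERITY_BANDS = [(9.0, 'Critical'), (7.0, 'High'), (4.0, 'Medium'), (1.0, 'Low')]

# Constructed sample input: the example finding from this page, trimmed
SAMPLE_FINDING = {
    "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "Severity": 5,
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "UserName": "admin"},
    },
    "Service": {
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "Api": "GenerateDataKey",
                "ServiceName": "kms.amazonaws.com",
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.0"},
            },
        },
        "Evidence": {
            "ThreatIntelligenceDetails": [{"ThreatListName": "ProofPoint", "ThreatNames": ["Malware"]}]
        },
    },
}


def parse_finding_type(finding_type: str) -> dict:
    """Split a finding type into its named components; raise on unknown shapes."""
    match = FINDING_TYPE_RE.match(finding_type)
    if not match:
        raise ValueError(f'unrecognised finding type: {finding_type!r}')
    return match.groupdict()


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity (1.0 to 10.0) onto its label."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    raise ValueError(f'severity out of range: {score}')


def remote_ip(service: dict) -> Optional[str]:
    """Pull the remote IPv4 address out of API-call or network-connection actions."""
    action = service.get('Action', {})
    for key in ('AwsApiCallAction', 'NetworkConnectionAction'):
        details = action.get(key, {}).get('RemoteIpDetails')
        if details:
            return details.get('IpAddressV4')
    return None


def triage(finding: dict) -> dict:
    """Reduce a GetFindings-style finding to the fields an analyst looks at first."""
    parts = parse_finding_type(finding['Type'])
    service = finding.get('Service', {})
    evidence = service.get('Evidence', {})
    return {
        'purpose': parts['purpose'],
        'resource': parts['resource'],
        'family': parts['family'],
        'severity_label': severity_label(finding['Severity']),
        'resource_type': finding['Resource']['ResourceType'],
        'remote_ip': remote_ip(service),
        'threat_lists': [t['ThreatListName'] for t in evidence.get('ThreatIntelligenceDetails', [])],
    }
```

EventBridge delivers the same finding under `detail` with lowerCamelCase keys (`type`, `severity`, `resource`, `service`), so a Lambda consumer applies the same parsing to those names.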

***

## Multi-Account Management

### Organization Setup

```
┌─────────────────────────────────────────────────────────────────────────┐
│                    Multi-Account Architecture                            │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│                        ┌─────────────────────┐                          │
│                        │  Management Account │                          │
│                        │  (Delegated Admin)  │                          │
│                        └─────────┬───────────┘                          │
│                                  │                                       │
│                    ┌─────────────┼─────────────┐                        │
│                    │             │             │                         │
│              ┌─────▼─────┐ ┌─────▼─────┐ ┌─────▼─────┐                 │
│              │  Account  │ │  Account  │ │  Account  │                 │
│              │    Dev    │ │  Staging  │ │   Prod    │                 │
│              └─────┬─────┘ └─────┬─────┘ └─────┬─────┘                 │
│                    │             │             │                         │
│                    └─────────────┼─────────────┘                        │
│                                  │                                       │
│                                  ▼                                       │
│                     ┌──────────────────────┐                            │
│                     │ Aggregated Findings  │                            │
│                     │ in Security Account  │                            │
│                     └──────────────────────┘                            │
│                                                                          │
└─────────────────────────────────────────────────────────────────────────┘
```

### Enable Organization

```bash theme={null}
# Designate delegated admin
aws guardduty enable-organization-admin-account \
  --admin-account-id 111122223333

# From the delegated admin account, auto-enable GuardDuty and the chosen
# features for all existing and future member accounts (NEW | ALL | NONE)
aws guardduty update-organization-configuration \
  --detector-id abc123 \
  --auto-enable-organization-members ALL \
  --features '[
    {"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL"},
    {"Name": "EKS_AUDIT_LOGS", "AutoEnable": "ALL"}
  ]'

# List member accounts
aws guardduty list-members --detector-id abc123
```

***

## Filtering and Suppression

### Trusted IP Lists

```bash theme={null}
# Create trusted IP list
aws guardduty create-ip-set \
  --detector-id abc123 \
  --name corporate-ips \
  --format TXT \
  --location s3://my-bucket/trusted-ips.txt \
  --activate

# trusted-ips.txt format:
# 10.0.0.0/8
# 192.168.1.0/24
# 203.0.113.50
```
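Every address on a trusted IP list is exempt from detection, so the file deserves a check before `--activate`. The validator below is an added example (not part of the original page): the 2000-entry limit is AWS's documented maximum for a trusted IP list, while the /24 threshold for public ranges is this example's own policy assumption; the sample list reuses the three entries above plus constructed mistakes.

```python
import ipaddress

# Documented GuardDuty limit: one trusted IP list per account and region,
# holding at most 2000 IP addresses or CIDR ranges
MAX_TRUSTED_ENTRIES = 2000
# Policy choice (an assumption for this example): a public range wider than
# /24 exempts too much of the internet from detection
MIN_PUBLIC_PREFIX = 24

# Constructed sample: the three entries from the page plus deliberate mistakes
SAMPLE_LIST = """\
# corporate egress and VPN ranges
10.0.0.0/8
192.168.1.0/24
203.0.113.50
203.0.113.50/32          # duplicate of the line above
192.168.1.128/25         # already covered by 192.168.1.0/24
203.0.0.0/16             # far too broad for a public range
10.0.1.5/24              # host bits set: did they mean 10.0.1.0/24?
not-an-ip
"""


def check_trusted_ip_list(text: str) -> dict:
    """Validate a TXT trusted IP list and return what to upload plus what to fix.

    GuardDuty raises no findings for addresses on the list, so duplicates,
    already-covered ranges and over-broad public ranges are reported rather
    than silently accepted. The TXT format is one entry per line; comments
    are tolerated here and stripped from the 'upload' result.
    """
    accepted, problems = [], {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line)          # strict: host bits must be zero
        except ValueError:
            try:
                loose = ipaddress.ip_network(line, strict=False)
                problems[line] = f'host bits set, did you mean {loose}?'
            except ValueError:
                problems[line] = 'not an IP address or CIDR'
            continue
        if net.is_global and net.prefixlen < MIN_PUBLIC_PREFIX:
            problems[line] = f'public range wider than /{MIN_PUBLIC_PREFIX}'
            continue
        same_family = [a for a in accepted if a.version == net.version]
        if net in same_family:
            problems[line] = 'duplicate entry'
            continue
        covered = next((a for a in same_family if net.subnet_of(a)), None)
        if covered:
            problems[line] = f'already covered by {covered}'
            continue
        accepted.append(net)
    if len(accepted) > MAX_TRUSTED_ENTRIES:
        problems['<list>'] = f'{len(accepted)} entries exceed the limit of {MAX_TRUSTED_ENTRIES}'
    return {'upload': [str(a) for a in accepted], 'problems': problems}
```

Write the `upload` entries, one per line, to the object named in `--location`; anything under `problems` needs a human decision first.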

### Threat IP Lists

```bash theme={null}
# Add custom threat intelligence
aws guardduty create-threat-intel-set \
  --detector-id abc123 \
  --name my-threat-list \
  --format TXT \
  --location s3://my-bucket/threat-ips.txt \
  --activate
```

### Suppression Rules

```bash theme={null}
# Create filter to suppress findings
aws guardduty create-filter \
  --detector-id abc123 \
  --name suppress-dev-findings \
  --action ARCHIVE \
  --finding-criteria '{
    "Criterion": {
      "resource.instanceDetails.tags.key": {
        "Equals": ["Environment"]
      },
      "resource.instanceDetails.tags.value": {
        "Equals": ["development"]
      },
      "severity": {
        "LessThan": 5
      }
    }
  }'
```

***

## Automated Remediation

### EventBridge Rule

```yaml theme={null}
# CloudFormation for auto-remediation
Resources:
  GuardDutyEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: guardduty-high-severity
      Description: Trigger remediation for high severity findings
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
        detail:
          severity:
            - numeric: [">=", 7]
      Targets:
        - Arn: !GetAtt RemediationLambda.Arn   # the function defined below
          Id: RemediationFunction

  # Without this resource-based policy EventBridge is not allowed to invoke
  # the function and the rule never delivers a single event
  RemediationInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref RemediationLambda
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt GuardDutyEventRule.Arn
```

### Remediation Lambda

```python theme={null}
# remediation.py
import boto3

ec2 = boto3.client('ec2')
iam = boto3.client('iam')
s3 = boto3.client('s3')

# Name of the quarantine security group, created per VPC on first use
ISOLATION_SG_NAME = 'guardduty-isolation'


def lambda_handler(event, context):
    # EventBridge delivers the finding under "detail", with lowerCamelCase keys
    finding = event['detail']
    finding_type = finding['type']
    severity = finding['severity']

    print(f"Processing: {finding_type} (severity: {severity})")

    # Compromised EC2 instance
    if 'EC2' in finding_type and severity >= 7:
        instance_id = finding['resource']['instanceDetails']['instanceId']
        isolate_instance(instance_id)

    # Compromised IAM credentials
    if 'IAMUser' in finding_type and 'UnauthorizedAccess' in finding_type:
        key_details = finding['resource']['accessKeyDetails']
        disable_access_key(key_details['accessKeyId'], key_details.get('userName'))

    # Compromised S3 bucket(s): s3BucketDetails is a list, one entry per bucket
    if 'S3' in finding_type and 'Exfiltration' in finding_type:
        for bucket in finding['resource'].get('s3BucketDetails', []):
            block_public_access(bucket['name'])

    return {'statusCode': 200}


def isolate_instance(instance_id):
    """Move instance to isolation security group.

    This is the most critical remediation action: replace ALL security groups
    with an isolation SG that has NO ingress or egress rules. The instance
    stays running (for forensic analysis) but cannot communicate with anything.

    Common mistake: terminating the instance immediately. This destroys
    evidence. Always isolate first, snapshot the volumes for forensics,
    THEN terminate after your investigation is complete.
    """
    print(f"Isolating instance: {instance_id}")

    # Look the instance up first: the isolation SG must live in the same VPC
    response = ec2.describe_instances(InstanceIds=[instance_id])
    instance = response['Reservations'][0]['Instances'][0]
    vpc_id = instance['VpcId']

    # Create or get the isolation security group for that VPC
    isolation_sg = get_isolation_sg(vpc_id)

    # Replace every attached security group with the isolation SG
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[isolation_sg]
    )

    # Snapshot every attached EBS volume for forensics
    for mapping in instance.get('BlockDeviceMappings', []):
        if 'Ebs' in mapping:
            volume_id = mapping['Ebs']['VolumeId']
            ec2.create_snapshot(
                VolumeId=volume_id,
                Description=f'Forensic snapshot for {instance_id}',
                TagSpecifications=[{
                    'ResourceType': 'snapshot',
                    'Tags': [
                        {'Key': 'Forensic', 'Value': 'true'},
                        {'Key': 'InstanceId', 'Value': instance_id}
                    ]
                }]
            )


def disable_access_key(access_key_id, user_name=None):
    """Disable compromised access key.

    UpdateAccessKey must name the owning user when the caller (here, the
    Lambda execution role) is not that user. The finding normally carries the
    user name; GetAccessKeyLastUsed returns it when the finding does not.
    """
    print(f"Disabling access key: {access_key_id}")

    if not user_name:
        user_name = iam.get_access_key_last_used(AccessKeyId=access_key_id)['UserName']

    iam.update_access_key(
        UserName=user_name,
        AccessKeyId=access_key_id,
        Status='Inactive'
    )


def block_public_access(bucket_name):
    """Block public access to bucket"""
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True
        }
    )


def get_isolation_sg(vpc_id):
    """Get or create the isolation security group for a VPC.

    A newly created security group has no ingress rules but does get a
    default allow-all egress rule; that rule has to be revoked, otherwise the
    "isolated" instance can still reach the internet.
    """
    existing = ec2.describe_security_groups(
        Filters=[
            {'Name': 'group-name', 'Values': [ISOLATION_SG_NAME]},
            {'Name': 'vpc-id', 'Values': [vpc_id]}
        ]
    )['SecurityGroups']
    if existing:
        return existing[0]['GroupId']

    sg_id = ec2.create_security_group(
        GroupName=ISOLATION_SG_NAME,
        Description='GuardDuty quarantine - no ingress, no egress',
        VpcId=vpc_id
    )['GroupId']

    # Revoke whatever egress rules the new group was created with
    egress = ec2.describe_security_groups(GroupIds=[sg_id])['SecurityGroups'][0]['IpPermissionsEgress']
    if egress:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress)
    return sg_id
```

***

## Integration with Security Hub

```yaml theme={null}
# Enable Security Hub integration
Resources:
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    Properties:
      Tags:
        Environment: Production

  # GuardDuty automatically sends findings to Security Hub
  # when both are enabled in the same region
```

```bash theme={null}
# Query findings in Security Hub
aws securityhub get-findings \
  --filters '{
    "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
    "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}]
  }'
```

***

## Best Practices

<CardGroup cols={2}>
  <Card title="Enable All Regions" icon="globe">
    Attackers target inactive regions—enable GuardDuty everywhere
  </Card>

  <Card title="Use Organizations" icon="sitemap">
    Centralize management with a delegated administrator account
  </Card>

  <Card title="Automate Response" icon="robot">
    Use EventBridge + Lambda for automated remediation
  </Card>

  <Card title="Tune Carefully" icon="sliders">
    Use suppression rules sparingly -- every suppressed finding type is a blind spot. Document the business justification for each suppression rule and review them quarterly
  </Card>
</CardGroup>

***

## Cost Optimization

```
┌─────────────────────────────────────────────────────────────────────────┐
│                      GuardDuty Pricing Model                             │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│   Data Source                 Pricing Basis                              │
│   ───────────                 ─────────────                             │
│   VPC Flow Logs              Per GB analyzed (tiered pricing)           │
│   CloudTrail Events          Per million events                          │
│   DNS Logs                   Per million queries                         │
│   S3 Data Events             Per million events                          │
│   EKS Audit Logs             Per million events                          │
│   EBS Malware Scan           Per GB scanned                             │
│   Runtime Monitoring         Per vCPU hour                               │
│                                                                          │
│   Cost Estimation:                                                       │
│   ─ Small workload (~100 EC2): $50-100/month                           │
│   ─ Medium workload (~500 EC2): $200-500/month                         │
│   ─ Large enterprise: $1,000-5,000/month                               │
│                                                                          │
│   Tips:                                                                  │
│   ─ 30-day free trial for new detectors (use this to estimate costs)   │
│   ─ The biggest cost driver is VPC Flow Log volume -- reduce noise      │
│     by using VPC endpoints (traffic to AWS services stays off flow logs)│
│   ─ Use the GuardDuty usage page to see cost breakdown by data source  │
│   ─ S3 and EKS protection have separate pricing tiers                   │
│                                                                          │
└─────────────────────────────────────────────────────────────────────────┘
```

***

## 🎯 Interview Questions

<AccordionGroup>
  <Accordion title="Q1: How does GuardDuty differ from other AWS security services?">
    **GuardDuty** = Threat detection (finds active threats)

    * Uses ML and threat intelligence
    * Analyzes VPC Flow Logs, CloudTrail, DNS
    * Generates findings for active threats

    **Inspector** = Vulnerability scanning
    **Security Hub** = Aggregation and compliance
    **Macie** = Data classification (PII detection)
    **Detective** = Investigation and forensics
  </Accordion>

  <Accordion title="Q2: How would you respond to a high-severity GuardDuty finding?">
    1. **Immediate**: Review finding details and affected resources
    2. **Containment**: Isolate compromised resources (quarantine SG)
    3. **Investigation**: Use Detective or CloudTrail for forensics
    4. **Remediation**: Remove malware, rotate credentials
    5. **Recovery**: Restore from known-good state
    6. **Lessons Learned**: Update automation, add preventive controls
  </Accordion>

  <Accordion title="Q3: How do you handle false positives?">
    1. **Validate**: Confirm it's truly a false positive
    2. **Trusted IPs**: Add corporate IPs to trusted IP list
    3. **Suppression Rules**: Create filters for known patterns
    4. **Avoid Over-Suppression**: Don't suppress whole severity levels or finding types
    5. **Document**: Keep records of suppression decisions
  </Accordion>
</AccordionGroup>

***

## Hands-On Lab

<Steps>
  <Step title="Enable GuardDuty">
    Enable GuardDuty with all protection features in your account
  </Step>

  <Step title="Generate Sample Findings">
    Use `aws guardduty create-sample-findings` to generate test findings
  </Step>

  <Step title="Create EventBridge Rule">
    Set up a rule to send high-severity findings to SNS
  </Step>

  <Step title="Build Remediation Lambda">
    Create a Lambda that isolates compromised EC2 instances
  </Step>

  <Step title="Test End-to-End">
    Trigger sample finding and verify remediation executes
  </Step>
</Steps>

***

## Next Module

<Card title="AWS Security Hub" icon="building-shield" href="/aws/security-hub">
  Centralized security posture management and compliance
</Card>
