Amazon GuardDuty

• Amazon GuardDuty is a threat detection service that continuously monitors the AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
• is a continuous security monitoring service that analyzes and processes the following foundational data sources:
  • CloudTrail management event logs,
  • CloudTrail S3 data event logs,
  • DNS logs,
  • EKS audit logs,
  • VPC flow logs,
  • Amazon EBS volume data, and
  • Runtime activity from container workloads (Amazon EKS, Amazon ECS including Fargate, and Amazon EC2 instances).
• uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within the AWS environment.
• combines machine learning, anomaly detection, network monitoring, and malicious file discovery, utilizing both AWS-developed and industry-leading third-party sources to help protect workloads and data on AWS.
• uses artificial intelligence (AI), machine learning (ML), and anomaly detection using both AWS and industry-leading threat intelligence to help protect AWS accounts, workloads, and data.
• is a Regional service and is recommended to be enabled in all supported AWS Regions. This helps generate findings of unauthorized or unusual activity even in Regions not actively used.
• does not look at historical data, it monitors only the activity that starts after it is enabled.
• operates completely independent of the AWS resources and therefore has no impact on the performance or availability of the accounts or workloads.
• GuardDuty supports
  • Suppression rules, allow the creation of very specific combinations of attributes to suppress findings. Supports wildcards (* and ?) and filtering on any finding field.
  • Trusted Entity Lists (previously Trusted IP Lists) for highly secure communication with the AWS environment. Now supports both IP addresses and domain names. Findings are not generated based on trusted entity lists.
  • Threat Entity Lists (previously Threat Lists) for known malicious IP addresses and domain names. Findings are generated based on threat entity lists.
• Security findings are retained and made available through the GuardDuty console and APIs for 90 days, after which they are discarded.
• Findings are assigned a severity (Critical, High, Medium, Low), and actions can be automated by integrating with Security Hub, EventBridge, Lambda, and Step Functions.
• Amazon Detective is also tightly integrated with GuardDuty which helps perform deeper forensic and root cause investigations.
• GuardDuty supports AWS PrivateLink (VPC endpoints) for private connectivity without traversing the public internet.
• offers a 30-day free trial. After the free trial ends, cost is based on the volume of data analyzed.

GuardDuty Protection Plans

• GuardDuty offers multiple protection plans that can be independently enabled or disabled:
  1. Foundational GuardDuty – Core threat detection that cannot be disabled. Monitors CloudTrail management events, VPC Flow Logs, and DNS logs.
  2. S3 Protection – Monitors Amazon S3 data events for potential threats to data, such as data exfiltration and destruction.
  3. Runtime Monitoring – Monitors operating system-level events for EKS, ECS, and EC2 workloads using a GuardDuty security agent.
  4. EKS Audit Logs – Monitors Amazon EKS audit logs for potential threats to Kubernetes clusters.
  5. RDS Protection – Monitors RDS login activity for potential threats to databases. Supports Aurora MySQL, Aurora PostgreSQL (including Limitless Database), and RDS for PostgreSQL.
  6. Lambda Protection – Monitors Lambda function network activity for potential threats.
• Each protection plan can be auto-enabled for new AWS Organizations accounts.
• GuardDuty offers the flexibility to customize how new accounts inherit protection plans.

GuardDuty Extended Threat Detection

• Introduced at AWS re:Invent 2024, Extended Threat Detection automatically detects multi-stage attacks that span data sources, multiple types of AWS resources, and time within an AWS account.
• Uses sophisticated AI/ML algorithms trained at AWS scale to automatically correlate security signals and detect critical threats.
• Enabled automatically for all GuardDuty accounts at no additional cost.
• Correlates multiple events (called “Signals”) including API activities and GuardDuty findings to identify attack sequences.
• Can detect weak signals that individually don’t present as clear threats but when combined reveal suspicious activity patterns.
• Operates within a 24-hour rolling time window to detect in-progress or recent attacks.
• All attack sequence findings are assigned Critical severity.
• Attack sequence finding types include:
  • AttackSequence:S3/CompromisedData – Detects credential misuse leading to S3 data compromise.
  • AttackSequence:IAM/CompromisedCredentials – Detects multi-stage attacks using compromised IAM credentials.
  • AttackSequence:EKS/CompromisedCluster – Detects compromised EKS clusters (June 2025).
  • AttackSequence:EC2/CompromisedInstanceGroup – Detects compromised EC2 instance groups (December 2025).
  • AttackSequence:ECS/CompromisedCluster – Detects compromised ECS clusters (December 2025).
• Enabling additional protection plans (S3 Protection, EKS Protection, Runtime Monitoring) widens the range of event sources and enables more comprehensive attack sequence detection.

GuardDuty Runtime Monitoring

• Runtime Monitoring uses a lightweight GuardDuty security agent that adds visibility into runtime behavior including file access, process execution, command line arguments, and network connections.
• Supports three resource types:
  • Amazon EKS – Uses an EKS add-on (aws-guardduty-agent) deployed on EKS clusters.
  • Amazon ECS (Fargate) – Monitors ECS workloads running on Fargate.
  • Amazon EC2 – Monitors EC2 instances using SSM-based agent deployment (GA March 2024).
• Supports automated agent configuration that permits GuardDuty to install and manage the security agent automatically.
• Supports inclusion/exclusion tags to control which resources get the security agent.
• Detects threats such as crypto-mining, malicious file execution, suspicious shell creation, privilege escalation, reverse shells, and defense evasion techniques.
• Supports Amazon EKS Auto Mode.

GuardDuty with Multiple Accounts

• GuardDuty has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
• The delegated administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.
• Supports up to 50,000 member accounts through AWS Organizations (including up to 5,000 by invitation).
• All security findings are aggregated to the administrator account for review and remediation.
• EventBridge events are also aggregated to the administrator account.
• Organization configuration allows auto-enabling GuardDuty and protection plans for ALL accounts, new accounts only, or no auto-enable.

GuardDuty Automated Remediation

• GuardDuty security findings can be remediated automatically using EventBridge and AWS Lambda.
• For example, a Lambda function can be created to modify the AWS security group rules based on security findings. For a GuardDuty finding indicating one of your EC2 instances is being probed by a known malicious IP, the address can be added through an EventBridge rule, initiating a Lambda function to automatically modify the security group rules and restrict access on that port.
• Findings are exported to Amazon S3 for long-term storage and analysis.
• Integrates with AWS Security Incident Response for automated triage and investigation.

GuardDuty Malware Protection

• GuardDuty Malware Protection includes three capabilities:

Malware Protection for EC2

• Scans EBS volumes attached to EC2 instances and container workloads for malware.
• Creates a replica EBS volume from a snapshot and scans it for trojans, worms, crypto miners, rootkits, bots, and more.
• Supports two scan types:
  • GuardDuty-initiated – Automatically triggered when certain GuardDuty findings are generated.
  • On-demand – Manually initiated by providing the EC2 instance ARN.
• Supports scanning EBS volumes up to 2048 GB.
• Supports scanning EBS volumes encrypted with AWS managed keys.
• Supports Amazon EKS Auto Mode managed instances.

Malware Protection for S3

• Launched June 2024, provides built-in malware scanning for objects uploaded to designated S3 buckets.
• Automatically scans newly uploaded objects using multiple AWS-developed and industry-leading third-party malware scanning engines.
• Supports on-demand scanning of existing S3 objects via the SendObjectMalwareScan API (November 2025).
• Supports scanning objects up to 100 GB (increased from 5 GB in July 2025).
• Publishes scan results to EventBridge for downstream workflows (e.g., quarantine to a separate bucket).
• Can add tags to scanned objects indicating scan status.
• GuardDuty automatically updates malware signatures every 15 minutes.

Malware Protection for AWS Backup

• Launched November 2025, detects the potential presence of malware in backup resources.
• Scans AWS Backup-protected resources including Amazon EBS snapshots, EC2 AMIs, and Amazon S3 Recovery Points.
• Supports full and incremental scans.
• Helps identify the last known clean backup for recovery.
• Can automate malware scanning across the entire organization.

GuardDuty AI Workload Protection

• Launched August 2024, GuardDuty foundational threat detection and Lambda Protection help detect threats to AI workloads built on AWS.
• Detects when Amazon Bedrock model invocation logging is disabled (DefenseEvasion:IAMUser/BedrockLoggingDisabled finding type, November 2025).
• Monitors for unauthorized access to AI/ML resources and data exfiltration attempts.

GuardDuty Custom Threat Detection

• GuardDuty introduced custom Entity Lists (August 2025) that support both IP addresses and domain names for custom threat detection.
• Replaces the legacy IP-only threat lists with more comprehensive entity-based lists.
• Supports:
  • Trusted Entity Lists – IP addresses and domain names to suppress findings.
  • Threat Entity Lists – Known malicious IP addresses and domain names to generate findings.
• Only the GuardDuty administrator account can manage entity lists; settings apply automatically to member accounts.
• GuardDuty recommends using entity lists over the legacy IP address lists.

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. Which AWS service makes detecting and reporting unexpected and potentially malicious activity in your AWS environment easy?
   1. AWS Shield
   2. AWS Inspector
   3. AWS GuardDuty
   4. AWS WAF
2. A company needs to detect multi-stage attacks that span multiple AWS services and resources over time. Which GuardDuty capability should they rely on?
   1. GuardDuty Malware Protection
   2. GuardDuty Runtime Monitoring
   3. GuardDuty Extended Threat Detection
   4. GuardDuty RDS Protection
3. Which GuardDuty protection plan monitors operating system-level events on container and EC2 workloads? (Select TWO)
   1. Runtime Monitoring
   2. S3 Protection
   3. Lambda Protection
   4. EKS Audit Logs
   5. Malware Protection for EC2
4. A company wants to scan S3 objects for malware when they are uploaded to a bucket. Which GuardDuty feature should they enable?
   1. GuardDuty Malware Protection for EC2
   2. GuardDuty Malware Protection for S3
   3. GuardDuty S3 Protection
   4. GuardDuty Extended Threat Detection
5. What severity level do GuardDuty Extended Threat Detection attack sequence findings receive?
   1. High
   2. Critical
   3. Medium
   4. Varies based on the attack type
6. A security team wants to add their own threat intelligence containing both malicious domains and IP addresses to GuardDuty. What should they use?
   1. Trusted IP Lists
   2. Threat Entity Lists
   3. Suppression Rules
   4. Custom Finding Types

References

• Amazon GuardDuty
• Amazon GuardDuty User Guide
• GuardDuty Extended Threat Detection
• GuardDuty Runtime Monitoring
• GuardDuty Malware Protection for S3
• GuardDuty Malware Protection for AWS Backup