As businesses move more operations to the cloud, security challenges continue to grow. The dynamic nature of cloud environments makes it harder to detect threats, monitor activity, and respond to potential risks, especially if you are relying on traditional tools.
To address these challenges, cloud providers offer dedicated security solutions engineered specifically for their platforms. For AWS users, this solution is Amazon GuardDuty. This guide covers everything you need to know about it.
An overview of Amazon GuardDuty
Amazon GuardDuty is a cloud-based threat detection service that continuously monitors AWS accounts, workloads, and data for malicious activity. Once activated, it automatically starts scanning all AWS accounts linked to your organization.
Here’s an overview of how it works in the AWS ecosystem:
GuardDuty monitors all your important AWS resources, including Amazon S3, Amazon EKS, EC2 instances, databases, IAM accounts, users, containers, and serverless applications. It checks for unauthorized access, unusual behavior, and security threats across all these areas.
It detects unusual patterns in network traffic, login attempts, and API usage. For example, if an IAM user suddenly logs in from an unfamiliar country, GuardDuty flags it as suspicious.
It scans workloads for signs of malware, such as crypto-mining scripts or trojans. For example, if it finds malware on an EC2 instance, it alerts you so you can isolate the compromised system. You can also configure it to automate the remediation, such as stopping the affected instance or blocking its network access.
GuardDuty uses threat intelligence feeds to recognize known malicious IPs, domains, and attack patterns. For example, if an EC2 instance tries to communicate with a server linked to botnet activity, GuardDuty issues an alert.
GuardDuty provides detailed findings about detected threats, including severity levels and recommended actions. This helps reduce alert fatigue and improve response efficiency.
Key features of GuardDuty
Next, let’s explore some noteworthy features of Amazon GuardDuty:
GuardDuty is able to quickly detect compromised accounts that perform suspicious events such as logins from unusual locations, attempts to disable CloudTrail logging, or unauthorized database snapshots.
GuardDuty collects and analyzes logs from CloudTrail, VPC Flow Logs, and DNS logs without requiring any additional infrastructure. It consolidates security findings across multiple AWS accounts to make threat detection more efficient and holistic.
The primary threat detection categories for GuardDuty are:
Reconnaissance: Unusual API activity, suspicious login attempts, and internal network scanning.
Instance compromise: Crypto-mining, malware infections, and outbound traffic to known malicious IPs.
Account compromise: API calls from suspicious locations, unauthorized infrastructure changes, and credential theft.
Bucket compromise: Unauthorized access to S3 buckets, unusual API activity, and data exfiltration attempts.
Malware detection: Identifies trojans, worms, rootkits, and crypto miners in EC2 instances, containers, and S3 buckets.
Container security: Monitors EKS and ECS workloads for suspicious activity, such as unauthorized API calls or unusual runtime behavior.
GuardDuty assigns severity levels (Low, Medium, High, Critical) to detected threats. For example, a Low severity alert may indicate a blocked attack attempt, while a Critical alert could signal an active breach.
GuardDuty integrates with AWS services like EventBridge and Lambda to automate responses. Organizations can set up workflows to isolate compromised resources, revoke access, or trigger alerts based on GuardDuty findings.
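To make the severity bands and the EventBridge-to-Lambda flow concrete, here is an added example (not code from the article or from AWS): a Lambda handler that receives a GuardDuty finding event, labels its numeric severity with the GuardDuty bands, and decides on a response. The decision logic is separated from the remediation call so it can be exercised offline; the quarantine security group ID, the finding ID and the instance ID are constructed placeholders.

```python
"""Added example: Lambda handler for GuardDuty findings delivered by EventBridge.
Decides on a response from the finding's severity and resource type."""
import json

# GuardDuty severity bands (score -> label), highest first.
SEVERITY_BANDS = (
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (1.0, "Low"),
)


def severity_label(score):
    """Map a GuardDuty numeric severity to its console label."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "Unknown"  # GuardDuty does not emit scores below 1.0; kept as a guard


def plan_response(event):
    """Return a dict describing what to do for one EventBridge event.
    Only GuardDuty finding events are acted on; anything else is ignored."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding event"}
    finding = event["detail"]
    label = severity_label(float(finding.get("severity", 0)))
    resource = finding.get("resource", {})
    plan = {
        "finding_id": finding.get("id"),
        "type": finding.get("type"),
        "severity": label,
        "action": "notify",  # default: route to the security team, no automatic change
    }
    if resource.get("resourceType") == "Instance" and label in ("High", "Critical"):
        plan["action"] = "isolate_instance"
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
    elif resource.get("resourceType") == "AccessKey" and label in ("High", "Critical"):
        # Planned only; the key-disable step would be a separate IAM call.
        plan["action"] = "disable_access_key"
        plan["access_key_id"] = resource["accessKeyDetails"]["accessKeyId"]
    return plan


def isolate_instance(instance_id, quarantine_sg_id):
    """Hypothetical remediation: replace the instance's security groups with a
    quarantine group that has no rules. Needs boto3 and AWS credentials, so it
    is only reached from lambda_handler, never from offline tests."""
    import boto3
    ec2 = boto3.client("ec2")
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])


def lambda_handler(event, context):
    plan = plan_response(event)
    if plan["action"] == "isolate_instance":
        isolate_instance(plan["instance_id"], "sg-QUARANTINE-PLACEHOLDER")  # assumed SG ID
    print(json.dumps(plan))  # lands in the function's CloudWatch log group
    return plan


# Constructed sample event, shaped like an EventBridge "GuardDuty Finding" event.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(plan_response(SAMPLE_EVENT), indent=2))
```

Keeping the decision in plan_response means the mapping from finding type and severity to action can be unit-tested and reviewed without touching AWS, and the only privileged call is the one explicit remediation step.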
GuardDuty automatically adjusts its resource usage based on AWS activity. Organizations only pay for the detection capacity they use.
You can enable GuardDuty via a few clicks in the AWS Management Console or a single API call. There’s no need for any complicated configurations.
Using AI and machine learning, GuardDuty identifies multi-stage attacks and correlates security events for better incident response. It provides high-confidence insights into potentially compromised resources, along with MITRE ATT&CK® mappings and prescriptive remediation recommendations based on AWS best practices.
Amazon GuardDuty use cases
Here are some ways in which organizations can bolster their cloud security with GuardDuty:
Speed up investigations and automate responses
GuardDuty helps security teams triage incidents quickly by correlating threat signals and providing remediation recommendations. It integrates with Amazon Detective for root cause analysis and routes findings to AWS Security Hub, EventBridge, or third-party tools for automated response.
Detect and mitigate ransomware and malware
Organizations use GuardDuty to protect their cloud environments from the rising threats of malware and ransomware. GuardDuty scans Amazon EBS volumes linked to EC2 instances and container workloads to detect ransomware, trojans, and other malware. It also continuously monitors file uploads to Amazon S3 for any signs of malicious activity.
Simplify threat detection for AWS containers
GuardDuty helps organizations simplify threat detection in containerized environments. Through its centralized threat detection, it helps security teams monitor and manage risks across container workloads in Amazon EKS and ECS, whether they run on instances or in serverless environments.
Support compliance requirements like PCI DSS
Continuous monitoring, threat detection, and automated response capabilities from GuardDuty help organizations meet compliance standards like PCI DSS. Without GuardDuty, organizations would need to deploy multiple security tools to achieve the same level of protection.
Strengthen network security with real-time threat detection
Organizations use GuardDuty to monitor VPC Flow Logs and DNS logs, which allows them to detect and respond to network-based threats in real time. Security teams can identify port scanning attempts, data exfiltration, and connections to known malicious domains before they lead to a full-scale breach.
Secure serverless applications from unauthorized activity
Businesses that use AWS Lambda to build serverless apps rely on GuardDuty to detect unusual execution patterns and unauthorized API calls that could signal an attack. For example, if a function suddenly starts accessing sensitive data or making outbound connections to unknown endpoints, GuardDuty alerts security teams.
Benefits of using Amazon GuardDuty
Next, let’s explore some advantages of deploying GuardDuty as your cloud security solution:
GuardDuty eliminates the need for multiple third-party security tools. This reduces licensing, maintenance, and operational costs.
Since GuardDuty requires no additional infrastructure, businesses don’t have to worry about managing sensors, maintaining security appliances, or manually analyzing logs.
Early detection of threats such as account compromises, ransomware, and data breaches helps prevent costly incidents that could lead to downtime, reputational damage, or legal consequences.
GuardDuty automatically scales as AWS environments grow to ensure that new workloads, accounts, and data sources are always monitored without requiring manual intervention.
With GuardDuty analyzing logs, detecting unauthorized access, and flagging suspicious activity, businesses can operate in AWS with greater assurance that their cloud resources remain protected.
Amazon GuardDuty issue troubleshooting guide
Even though GuardDuty is designed to be a highly reliable and self-managing service, it can sometimes run into issues. This section covers some of the most common problems and how to fix them.
Setup and configuration issues
Problems in this category usually occur when enabling GuardDuty, integrating it with AWS services, or configuring multi-account setups.
GuardDuty is not generating findings
If GuardDuty is enabled but not showing any security findings, it could be due to configuration issues or lack of relevant data.
Symptoms:
No security findings appear in the GuardDuty console.
AWS accounts linked to GuardDuty show as active but report no threats.
Troubleshooting:
Make sure your AWS environment is generating activity. If there are no API calls, network traffic, or resource usage, GuardDuty won’t have any data to analyze.
Even if there is activity but no suspicious behavior, GuardDuty may not generate any findings. GuardDuty is designed to detect potentially malicious or unauthorized activity, not activity in general.
Verify that GuardDuty is enabled for the correct AWS region. Findings are region-specific, so make sure you are checking in the region where GuardDuty is monitoring resources.
Ensure GuardDuty has the necessary permissions to access AWS resources. Check IAM policies to confirm that GuardDuty has read access to CloudTrail, VPC Flow Logs, and DNS logs.
If you recently enabled GuardDuty, wait at least 15 minutes. Findings are not always immediate, and it takes time for GuardDuty to analyze data.
Unable to enable GuardDuty for all accounts in an organization
You are unable to set up GuardDuty across multiple AWS accounts due to permission or organization-related issues.
Symptoms:
Some AWS accounts do not appear under the GuardDuty master account.
Attempts to enable GuardDuty on linked accounts result in permission errors.
Troubleshooting:
Ensure that GuardDuty is set up using AWS Organizations. The master account should have permissions to manage GuardDuty for all linked accounts.
Confirm that the affected AWS accounts are properly linked to the organization. If an account was removed or re-added, it might need manual reconfiguration.
Check if Service Control Policies (SCPs) are blocking GuardDuty. If there are restrictive policies in place, they may prevent automatic enrollment.
Use the AWS CLI to check GuardDuty settings across accounts. Run aws guardduty list-detectors and aws guardduty list-members to ensure that all accounts are correctly configured.
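The following added example (not from the article or AWS) turns the two CLI checks above into an offline audit: it reads the JSON printed by aws guardduty list-members in the administrator account and the JSON from aws organizations list-accounts, and reports every active organization account that is either missing from GuardDuty or not in the Enabled relationship status. The account IDs, detector IDs and e-mail addresses in the samples are constructed.

```python
"""Added example: reconcile GuardDuty members against AWS Organizations accounts
using saved CLI output. Run the two commands, save their output, then pass the
text to audit_members()."""
import json

# Constructed sample of `aws guardduty list-members --detector-id <id>` output.
SAMPLE_LIST_MEMBERS = """
{
  "Members": [
    {"AccountId": "111111111111", "DetectorId": "EXAMPLEDETECTOR1", "MasterId": "999999999999",
     "Email": "sec@example.com", "RelationshipStatus": "Enabled", "UpdatedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "222222222222", "MasterId": "999999999999",
     "Email": "dev@example.com", "RelationshipStatus": "Invited", "UpdatedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "333333333333", "DetectorId": "EXAMPLEDETECTOR3", "MasterId": "999999999999",
     "Email": "ops@example.com", "RelationshipStatus": "Disabled", "UpdatedAt": "2024-01-01T00:00:00.000Z"}
  ]
}
"""

# Constructed sample of `aws organizations list-accounts` output (trimmed).
SAMPLE_LIST_ACCOUNTS = """
{
  "Accounts": [
    {"Id": "111111111111", "Name": "security", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "dev", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "ops", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "sandbox", "Status": "ACTIVE"},
    {"Id": "555555555555", "Name": "retired", "Status": "SUSPENDED"}
  ]
}
"""

# Only this status means the administrator account receives the member's findings.
HEALTHY_STATUSES = {"Enabled"}


def active_org_accounts(list_accounts_json):
    """Account IDs of ACTIVE organization accounts (suspended ones are skipped)."""
    data = json.loads(list_accounts_json)
    return {a["Id"] for a in data.get("Accounts", []) if a.get("Status") == "ACTIVE"}


def audit_members(list_members_json, expected_account_ids):
    """Return a sorted list of {AccountId, Problem} for accounts that are not
    fully enrolled in GuardDuty."""
    members = {m["AccountId"]: m for m in json.loads(list_members_json).get("Members", [])}
    problems = []
    for account_id in sorted(expected_account_ids):
        member = members.get(account_id)
        if member is None:
            problems.append({"AccountId": account_id, "Problem": "not a GuardDuty member"})
        elif member.get("RelationshipStatus") not in HEALTHY_STATUSES:
            problems.append({"AccountId": account_id,
                             "Problem": "RelationshipStatus=" + str(member.get("RelationshipStatus"))})
    return problems


if __name__ == "__main__":
    expected = active_org_accounts(SAMPLE_LIST_ACCOUNTS)
    for p in audit_members(SAMPLE_LIST_MEMBERS, expected):
        print(p["AccountId"], p["Problem"])
```

An account stuck in Invited usually has not accepted the invitation (or auto-enable is off for new organization accounts), Disabled means GuardDuty was turned off in the member, and an account that is absent entirely is the case where an SCP or a removed-and-re-added account needs a manual fix.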
Findings and alerts issues
These issues occur when GuardDuty generates incorrect alerts, fails to detect threats, or provides inconsistent severity levels.
GuardDuty is generating too many false positives
If GuardDuty keeps flagging normal activities as threats, it can lead to alert fatigue.
Symptoms:
Repeated alerts for common API calls, network traffic, or internal activity.
Alerts that do not indicate real threats, such as internal users accessing known services.
Troubleshooting:
Review the trusted IP list. If your organization's IPs are not on this list, GuardDuty may flag normal traffic as suspicious.
Check for legitimate activities that are triggering alerts. If certain API calls, scripts, or workflows are regularly flagged, consider creating allow rules in AWS Security Hub.
Analyze the threat intelligence sources used by GuardDuty. If external threat feeds are generating too many alerts, consider disabling the less relevant ones.
Use anomaly detection tuning. GuardDuty’s machine learning models may need time to adjust, so allow normal patterns to be established before making changes.
Investigate the IAM roles and credentials used for flagged activities. If automated scripts or services use old credentials, GuardDuty may treat them as suspicious.
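As an added example (not the article's or AWS's code), the block below shows the two tuning controls mentioned above and again under the best practices: a suppression rule, which in GuardDuty is a filter whose action is ARCHIVE, scoped to a benign finding type on instances tagged as approved scanners; and a validator for a trusted IP list before it is uploaded to S3 and registered with create-ip-set. The detector ID, filter name, tag, S3 location and CIDRs are constructed.

```python
"""Added example: build GuardDuty suppression-rule and trusted-IP-list request
bodies offline. Apply them with boto3 (guardduty.create_filter / create_ip_set)
or the equivalent AWS CLI commands once reviewed."""
import ipaddress


def suppression_filter(detector_id, name, finding_types, tag_key=None, tag_value=None, rank=1):
    """Kwargs for GuardDuty CreateFilter. Criterion keys are GuardDuty finding
    attribute paths; Action=ARCHIVE is what the console calls a suppression rule."""
    criterion = {"type": {"Eq": list(finding_types)}}
    if tag_key:
        criterion["resource.instanceDetails.tags.key"] = {"Eq": [tag_key]}
    if tag_value:
        criterion["resource.instanceDetails.tags.value"] = {"Eq": [tag_value]}
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Description": "Archive expected findings from approved internal scanners",
        "Action": "ARCHIVE",  # NOOP would evaluate the filter but keep findings visible
        "Rank": rank,
        "FindingCriteria": {"Criterion": criterion},
    }


def validate_trusted_ip_list(text):
    """Check a plain-text (TXT format) trusted IP list: one IP or CIDR per line.
    Returns (normalized_entries, errors); anything in errors should be fixed
    before the list is uploaded, since a bad line fails the whole upload."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 203.0.113.5/24
            entries.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            errors.append((lineno, line))
    return entries, errors


def trusted_ip_set(detector_id, name, s3_uri):
    """Kwargs for GuardDuty CreateIPSet pointing at the uploaded TXT list."""
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Format": "TXT",
        "Location": s3_uri,
        "Activate": True,
    }


# Constructed inputs.
EXAMPLE_FILTER = suppression_filter(
    "EXAMPLEDETECTORID",
    "approved-vuln-scanner",
    ["Recon:EC2/PortProbeUnprotectedPort"],
    tag_key="Role",
    tag_value="vuln-scanner",
)
EXAMPLE_IP_LIST = "203.0.113.0/24\n198.51.100.7\n\n10.0.0.0/999\nnot-an-ip\n"

if __name__ == "__main__":
    print(EXAMPLE_FILTER)
    good, bad = validate_trusted_ip_list(EXAMPLE_IP_LIST)
    print("valid:", good)
    print("rejected:", bad)
    print(trusted_ip_set("EXAMPLEDETECTORID", "corp-egress", "s3://example-bucket/trusted-ips.txt"))
```

Scoping the suppression rule to both the finding type and a resource tag keeps it from hiding the same finding type on instances that are not supposed to be scanning anything, which is the usual way an over-broad suppression rule turns into a blind spot.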
GuardDuty is not detecting actual security threats
If real threats go unnoticed, there may be gaps in monitoring or incorrect configurations.
Symptoms:
No alerts for known test attacks, such as simulated brute-force login attempts.
GuardDuty does not detect suspicious API calls or network connections.
Troubleshooting:
Verify that GuardDuty has permissions to access CloudTrail, VPC Flow Logs, and DNS logs. If these logs are disabled or restricted, GuardDuty cannot analyze them.
Check the scope of GuardDuty monitoring. Ensure that it is enabled for all relevant AWS resources, including S3 buckets, EC2 instances, and Kubernetes workloads.
Use AWS Security Hub or Amazon Detective to cross-check for security events. If other AWS security services detect issues that GuardDuty misses, there may be gaps in its coverage.
Run a penetration test or use AWS Red Team scenarios to simulate threats. If GuardDuty fails to detect them, check whether logging and monitoring services are working correctly.
Review GuardDuty’s findings history. If findings were recently resolved or archived, GuardDuty may not trigger new alerts for similar activity.
Integration and automation issues
GuardDuty findings are often used to trigger automated responses, but integration problems can prevent alerts from reaching the right systems.
GuardDuty alerts are not triggering AWS Lambda functions
If automated security responses are not executing, the integration between GuardDuty and AWS Lambda may be misconfigured.
Symptoms:
GuardDuty alerts appear in the console but do not trigger Lambda functions.
No logs in CloudWatch indicating that the Lambda function was invoked.
Troubleshooting:
Go to the EventBridge console and ensure that the rule is correctly set to trigger Lambda for GuardDuty findings.
Review Lambda execution permissions. The Lambda function must have the correct IAM role with permissions to be triggered by EventBridge.
Test the EventBridge rule manually. Use the aws events put-events command to simulate a GuardDuty event and check if Lambda executes.
Ensure that Lambda has the necessary error handling. If the function fails due to execution limits or timeout settings, it may not process GuardDuty alerts.
Verify the function’s CloudWatch logs for errors. If the function is running but not performing the expected action, review its logs to diagnose potential failures.
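When a Lambda target never fires, the EventBridge rule's event pattern is the first thing to check. The added example below (not from the article or AWS) gives a pattern that routes only GuardDuty findings of severity 7 or higher, together with a small local matcher implementing the subset of EventBridge's pattern language used here (exact values, prefix and numeric matchers). Running a captured finding event through it shows a common mistake: listing integer severities such as [7, 8, 9] does not match GuardDuty's decimal scores like 7.5, whereas a numeric range does. The finding IDs and types in the sample events are constructed.

```python
"""Added example: EventBridge event pattern for high-severity GuardDuty findings
and a local matcher to test events against it before deploying the rule."""
import json

# Pattern for `aws events put-rule --event-pattern` (or the console rule editor).
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
    },
}


def event_pattern_json(pattern=HIGH_SEVERITY_PATTERN):
    """The pattern as the JSON string the CLI expects."""
    return json.dumps(pattern)


def _match_value(value, matchers):
    """True if the event value satisfies any matcher in the pattern's list."""
    for m in matchers:
        if isinstance(m, dict):
            if "prefix" in m and isinstance(value, str) and value.startswith(m["prefix"]):
                return True
            if "numeric" in m and isinstance(value, (int, float)) and not isinstance(value, bool):
                ops = m["numeric"]  # e.g. [">=", 7] or [">", 3.9, "<", 7]
                ok = True
                for op, bound in zip(ops[0::2], ops[1::2]):
                    ok = ok and {
                        ">": value > bound, ">=": value >= bound,
                        "<": value < bound, "<=": value <= bound,
                        "=": value == bound,
                    }[op]
                if ok:
                    return True
        elif value == m:  # plain values must match exactly
            return True
    return False


def matches(pattern, event):
    """Recursive check: every key in the pattern must be present in the event
    and satisfy its matcher; extra event keys are ignored, as in EventBridge."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not _match_value(actual, expected):
            return False
    return True


# Constructed sample events.
HIGH_FINDING = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "EXAMPLE-ID-1", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 7.5},
}
MEDIUM_FINDING = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "EXAMPLE-ID-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 4},
}

if __name__ == "__main__":
    print(event_pattern_json())
    print("high matches:", matches(HIGH_SEVERITY_PATTERN, HIGH_FINDING))
    print("medium matches:", matches(HIGH_SEVERITY_PATTERN, MEDIUM_FINDING))
```

For an end-to-end check after the pattern is right, aws guardduty create-sample-findings generates sample findings that travel the real GuardDuty-to-EventBridge path, so a missing Lambda invocation then points at the target's resource-based permission or the function itself rather than the pattern.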
GuardDuty findings are not appearing in AWS Security Hub
Security Hub is commonly used to aggregate GuardDuty alerts, but sometimes findings fail to sync.
Symptoms:
GuardDuty alerts are visible in the GuardDuty console but do not show in Security Hub.
Security Hub displays outdated or partial GuardDuty findings.
Troubleshooting:
Ensure that Security Hub is enabled for all relevant AWS regions. If GuardDuty and Security Hub are running in different regions, findings may not sync.
Check for event ingestion limits. If Security Hub is receiving alerts from multiple services, it may hit API rate limits that delay GuardDuty findings.
Use AWS CloudTrail to track event delivery. If GuardDuty alerts are generated but not forwarded, CloudTrail logs may reveal processing delays or permission issues.
Refresh Security Hub manually. Findings may take time to update, so use the AWS CLI command aws securityhub get-findings to verify whether new data is available.
Getting started with Amazon GuardDuty
Amazon GuardDuty is easy to set up and requires minimal configuration. Let’s see how you can get started.
Prerequisites
Before you enable GuardDuty, make sure you:
Have an AWS account with the necessary permissions to enable GuardDuty. Administrator or Security Administrator roles typically have the required access.
Are using AWS services that GuardDuty monitors, such as EC2, S3, IAM, and VPC Flow Logs.
Have AWS CloudTrail enabled (recommended) to enhance threat detection.
Choose the “Amazon GuardDuty - All features” option and then hit “Get started”.
You should see the “Welcome to GuardDuty” page. Click “Enable GuardDuty”.
GuardDuty should now be enabled. By default, it starts analyzing logs immediately. You can configure suppression rules, trusted IP lists, and threat intelligence settings based on your requirements.
As needed, integrate GuardDuty with AWS Security Hub, EventBridge, or Lambda functions to automate responses based on detected threats.
Amazon GuardDuty best practices
Finally, here’s a list of best practices to help you get the most out of GuardDuty:
Enable GuardDuty in all AWS regions where you have resources deployed or anticipate deploying them. Threat actors are known to target less commonly monitored regions.
Don't ignore any alerts, regardless of severity. Assign security teams to investigate and respond to findings in a timely manner.
Automate incident response by routing GuardDuty findings to AWS Security Hub, Amazon EventBridge, or third-party security tools.
If GuardDuty generates too many alerts from known safe activities, configure suppression rules to focus on real threats.
Maintain an up-to-date list of trusted IPs to reduce false positives and improve detection accuracy.
Use AWS CloudTrail logs to validate suspicious activities detected by GuardDuty and get a clearer picture of security events.
Conduct security drills to ensure that your team knows how to respond to GuardDuty alerts in a timely and effective manner.
Integrate GuardDuty with a compliant monitoring tool, such as Site24x7, to centralize threat detection and response. This allows you to aggregate GuardDuty findings with security and monitoring data from the rest of your organization.
Conclusion
Amazon GuardDuty is a dedicated service for proactive threat detection and mitigation in AWS environments. If you are an AWS user, enable GuardDuty to significantly improve your security posture and gain real-time insights into potential threats and vulnerabilities.
For even better organization-wide security monitoring and incident response, don’t forget to integrate GuardDuty with Site24x7.