GuardDuty

  • It is a managed threat detection service

  • Continuously monitors multiple AWS accounts for malicious activity or unusual behavior

  • Detection types

    • Reconnaissance attacks - brute force, port scans, port probes, etc

    • Instance compromises - malicious communications, spambot activities, outbound SSH brute force attacks, EC2 credential exfiltration, etc

    • Account compromises - malicious API calls, disabled CloudTrail, password compromises

  • Simple dashboard view

  • CloudWatch event triggers, with further partner integrations: Splunk, CrowdStrike, SumoLogic, etc.

  • Behavioral anomalies

  • Monitors CloudTrail, VPC flow logs and more

  • Continually updated

    • Public Security intelligence feeds

    • Malicious IP addresses

    • Partner intelligence feeds

    • Machine learning models

    • Abnormal behavior

PreviousKMSNextCompliance

Last updated