What is Amazon GuardDuty?;

Security becomes the prime factor when users store their data in the cloud. Everyone wants that their data must be safe and secure. So they look upon the platform which is cost-efficient also and the services provided by them can secure their data. Amazon proves to be providing these types of services. Amazon GuardDuty is one of them.

Amazon GuardDuty is a service that detects the threats by continuously analyzing and monitoring the unusual and unexpected behavior to protect your AWS account, workloads, and your data which is stored in amazon s3. It monitors all this by analyzing billions of requests across multiple AWS data sources such as AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs. It then uses these data logs further for knowing malicious sources such as IP addresses and URLs because these are more prone to threat and than manipulating them in detecting the multiple security techniques in order to solve the problem. GuardDuty is an intelligent and also the cost-efficient service provided by the AWS in order to detect the threats because it becomes very time-consuming for an individual user to analyze all the data logs and then monitor their data and after that protect their data from the threats. Within a few clicks, you can enable the GuardDuty from the Amazon Management Console without taking care of the deployment of the underlying hardware or the software and with the minimal cost. This service uses the inbuilt services Machine Learning, anomaly detection techniques, and various integrated threat intelligence techniques to identify and prioritize potential threats.


There are several changes that have been made after the release of the GuardDuty in order to improve the quality of the service and the ease in use. Some of them are AWS increases the number of IP addresses in order to better communicate and scale up quality. Added some of the latest threat intelligence techniques for more security. Added some new usage details for monitoring purposes and accordingly cost estimation. There is something which also removes from the GuardDuty that is backdoor which actually tells that your EC2 instance in the AWS environment is trying to communicate with some IP addresses which are associated with some sorts of malware. It is now made available to some more regions which were earlier limited to a few regions, A feature of Recon is added which actually used to inform that an EMR-related sensitive port on an EC2 Instance is not blocked and is being actively probed. So these are the features that AWS continuously works upon to give a better quality of service to its users and whereas security becomes the prime factor.


  1. It can continuously monitor multiple accounts at the same time without added cost and complexity.
  2. Its efficiency is commendable.
  3. It automatically can respond and remediate the threat.
  4. The accuracy level is high.
  5. It can comprehensively identify the threats. It continuously monitors the incoming data, network activity for the better result by using other AWS services.
  6. It strengthens security through automation. As it is capable of automatically responding the threat detection. It can remediate actions by leveraging Amazon cloudwatch events and other services.
  7. It can be centrally managed. It can manage all users ‘ new accounts and the existing account centrally.

How GuardDuty Works?

As already mentioned that GuardDuty continuously analyzes the cloud events by using the other multiple AWS services such as AWS CloudTrail Events logs, Amazon Virtual Private Cloud (VPC) Flow Logs, and domain name system (DNS) logs for analyzing the malicious activities.

There are three types of detects that GuardDuty can detect-

  1. Compromised accounts: It is a threat in which a person is not allowed to access the account but by unauthorized means, it is using. In the cloud, these threats include API calls from an odd location and try to attempt to make changes in the infrastructure or disabling CloudTrail so that it can make a barrier in analyzing data log.
  2. Attacker reconnaissance: It includes the threat in which attacks begin with a scan of the network from the infected endpoint to locate the asset and services on which the attacker wants to target it basically know as the port scanning.
  3. Compromised resources: It basically includes the threat in which resources are hijacked such as EC2 instances by an external IP address and there are unusual spikes in the network traffic.

GuardDuty admin has to provide their IP addresses in order to detect the threat because GuardDuty does not have the feature of the customized support detection rules. In order to work more efficiently, users can respond to the thumbs up or thumbs down provided by the GuardDuty in order to improve. In the management console it is in JSON format, which enables the user to take actions by identifying the threat detected by GuardDuty.

Companies using GuardDuty

The leading companies which are using this service for their security purposes are FICO, webroot, Mapbox, Autodesk.

Here is the list of more companies that are using GuardDuty:

  1. Shelf.
  2. Primer.
  3. Alexandria.
  5. Chico Rei.
  6. BeachBody.
  7. Healthians.
  8. Wisteria.


  1. Central Management: It allows multiple accounts monitoring using GuardDuty. You can aggregate all your accounts into a single GuardDuty administrator account for ease and management purposes. It is beneficial when it is of large enterprise and having their security team separately, so they can directly focus on this as a whole for the full business.
  2. Fully automated: You just need to provide your IP addresses nothing else within few clicks you can enable this and don’t have to look upon the underlying hardware or the configuration, setup, or the management. It is all automated.
  3. Cost-Efficient: Its prize is based on analysis of the CloudTrail events and the amazon VPC workflow and DNS log i.e according to your data and the workload it will be charged. There is no flat price. According to your usage, it will be charged.
  4. Comprehensive threat Identification: GuardDuty comes with the up to date integrated threat intelligence techniques and tools to monitor your data. It helps in monitoring the unexpected, unusual access to your data, crypto-currency, and other malicious activities.


There are not as such drawbacks of GuardDuty that make users not use it but yes it needs several other services of AWS like CloudTrail events, DNS logs, VPC flow logs in order to analyze the data and then accordingly it works by the outputs of these services. 

Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.

My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.

Article Tags :

Be the First to upvote.

Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.