Amazon GuardDuty is a continuous security monitoring service that can help identify unexpected, and possibly unauthorised or malicious, activity in AWS environments.
The service can identify issues like:
- Privilege escalation
- Exposed credentials
- Communication with malicious hosts
- Compute instances mining cryptocurrency
- Member accounts are AWS accounts considered members of the GuardDuty service. Up to 5,000 member accounts can be added to a single GuardDuty administrator account.
- Detectors are regional objects that represent the GuardDuty service.
- Data sources provide data to the GuardDuty service for analysis.
- Findings are potential security issues identified during analysis.
- Suppression rules allow specific combinations of attributes to be excluded from findings.
- Trusted IP lists
- Threat lists are known-bad lists of IP addresses and domains gathered through threat intelligence.
The following data sources are ingested:
- Event Logs
- Management Events
- S3 Data Events
- VPC Flow Logs
- DNS logs from the AWS resolver service