Amazon GuardDuty is a continuous security monitoring service that can help identify unexpected, and possibly unauthorised or malicious, activity in AWS environments.

The service can identify issues like:

  • Privilege escalation
  • Exposed credentials
  • Communication with malicious hosts
  • Compute instances mining cryptocurrency


  • Member accounts are AWS accounts considered members of the GuardDuty service. Up to 5,000 member accounts can be added to a single GuardDuty administrator account.
  • Detectors are regional objects that represent the GuardDuty service.
  • Data sources provide data to the GuardDuty service for analysis.
  • Findings are potential security issues identified during analysis.
  • Suppression rules allow findings that match specific combinations of attributes to be excluded.
  • Trusted IP lists
  • Threat lists are known-bad lists of IP addresses and domains gathered through threat intelligence.
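
The sketch below is an added example, not AWS code. It models locally how a suppression rule's attribute combination selects findings, and shows why a rule scoped only by finding type hides more than one scoped to a known scanner instance. The criteria use the `Criterion`/`Equals` shape of GuardDuty filter criteria; the instance IDs, finding IDs and helper names are constructed, and only `Equals` conditions are modelled.

```python
# Added example: local model of suppression-rule matching (Equals conditions only).
# All finding data below is constructed for illustration.

FINDINGS = [
    {"id": "f-1", "type": "Recon:EC2/Portscan",
     "resource": {"instanceDetails": {"instanceId": "i-0aaaaaaaaaaaaaaaa"}}},
    {"id": "f-2", "type": "Recon:EC2/Portscan",
     "resource": {"instanceDetails": {"instanceId": "i-0bbbbbbbbbbbbbbbb"}}},
    {"id": "f-3", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "resource": {"instanceDetails": {"instanceId": "i-0aaaaaaaaaaaaaaaa"}}},
]

# Narrow rule: port-scan findings from one known scanner instance only.
NARROW = {"Criterion": {
    "type": {"Equals": ["Recon:EC2/Portscan"]},
    "resource.instanceDetails.instanceId": {"Equals": ["i-0aaaaaaaaaaaaaaaa"]},
}}

# Broad rule: every port-scan finding, whichever instance produced it.
BROAD = {"Criterion": {"type": {"Equals": ["Recon:EC2/Portscan"]}}}


def get_attr(finding, dotted):
    """Resolve a dotted path such as 'resource.instanceDetails.instanceId'."""
    node = finding
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # attribute absent from this finding
        node = node[key]
    return node


def is_suppressed(finding, criteria):
    """True only if the finding satisfies every condition (conditions are ANDed)."""
    return all(
        get_attr(finding, attr) in cond.get("Equals", [])
        for attr, cond in criteria["Criterion"].items()
    )


def visible_ids(findings, criteria):
    """IDs of findings that remain visible after the rule is applied."""
    return [f["id"] for f in findings if not is_suppressed(f, criteria)]


if __name__ == "__main__":
    print("narrow rule leaves:", visible_ids(FINDINGS, NARROW))
    print("broad rule leaves: ", visible_ids(FINDINGS, BROAD))
```

Under the broad rule the port scan from the second instance, which is not the known scanner, disappears from view along with the expected one.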

Data sources

The following data sources are ingested:

  • CloudTrail:
    • Event Logs
    • Management Events
    • S3 Data Events
  • VPC Flow Logs
  • DNS logs from the AWS resolver service