Amazon GuardDuty

Last updated on November 30, 2025

Amazon GuardDuty Cheat Sheet

  • An intelligent threat detection service. It analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns).

How It Works

Protection Plans

  • EKS Protection: Monitors Kubernetes audit logs and uses Runtime Monitoring (via a security agent) to detect threats inside pods and nodes.
  • Lambda Protection: Monitors network activity logs from serverless functions to detect malicious code or unauthorized crypto-mining.
  • RDS Protection: Analyzes login attempts to Amazon Aurora databases to detect credential compromise or brute-force attacks.
  • S3 Protection: Monitors S3 data events to detect anomalous access patterns or exfiltration.
  • Malware Protection:
    • For EC2: Automatically scans Amazon EBS volumes when suspicious activity is detected.
    • For S3: Can be configured to scan new objects uploaded to specific buckets for malware.
    • Zero-Performance Impact: Scans are performed on snapshots or in a separate environment, ensuring no impact on workload performance.

Data Sources & Event Analysis

GuardDuty analyzes events from multiple foundational and optional data sources:

  • AWS CloudTrail Management Events: Analyzes API calls and user activity.
  • Amazon VPC Flow Logs: Captures information about IP traffic going to and from network interfaces.
  • DNS Logs: Analyzes name query patterns (if using AWS DNS resolvers).
  • AWS CloudTrail Data Events (S3): Monitors object-level activity in S3 buckets.
  • Kubernetes Audit Logs: Monitors control plane activity for Amazon EKS clusters.
  • RDS Login Activity: Analyzes login attempts to Amazon Aurora databases.
  • Runtime Monitoring: Uses a lightweight security agent to monitor operating system-level events (file access, process execution, network connections) in real time.

Threat Detection Categories

GuardDuty identifies threats across these primary vectors:

  • Reconnaissance: Activity suggesting an attacker is scoping out your environment (e.g., unusual API activity, port scanning, failed login patterns).
  • Instance Compromise: Indicators that an EC2 instance is compromised (e.g., cryptocurrency mining, C&C communication, denial of service attacks).
  • Account Compromise: Indicators that IAM credentials are compromised (e.g., API calls from unusual geolocations, disabling CloudTrail, launching unusual instances).
  • Bucket Compromise: Suspicious S3 activity indicating data exfiltration or unauthorized access.
  • Persistence: Unusual changes to permissions or configurations to maintain access.
  • Malware: Presence of malware on EBS volumes or in S3 buckets.
  • Runtime Security: Threats detected inside the operating system or container (e.g., rootkits, fileless malware, suspicious process spawning).

GuardDuty Findings

GuardDuty generates findings when it detects unexpected and potentially malicious activity. These are viewable via Console, CLI, or API.

A Finding’s summary includes:

  • Finding type: A concise yet readable description of the potential security issue.

  • Severity: Assigned severity level (High, Medium, or Low).

  • Region: The AWS region where the finding was generated.

  • Count: Number of times this finding was generated.

  • Account ID / Resource ID: Identifiers for the affected account and resource.

  • Threat list name: Name of the threat list (if applicable).

  • Last seen: Time the activity took place.

Detailed Finding Sections:

  • Resource Affected: Includes Resource role (Target), Resource type (AccessKey, Instance, S3Bucket, etc.), Instance ID, Port, Access Key ID, Principal ID, User type/name.

  • Action: Describes the activity type (NETWORK_CONNECTION, AWS_API_CALL, PORT_PROBE, DNS_REQUEST), API name, Connection direction (INBOUND, OUTBOUND), and Protocol.

  • Actor: Location (IP geolocation), Organization (ISP/ASN), IP address, Port, and Domain.

Threat Purpose Definitions (The “Why”):

  • Backdoor: Compromised resource contacting a C&C server.

  • Behavior: Activity patterns differing from the established baseline.

  • Cryptocurrency: Mining software detected.

  • PenTest: Intentional testing tools (vulnerability scanners) detected.

  • Persistence: Unusual changes to permissions/network configs to maintain access.

  • Policy: Behavior violating security best practices.

  • PrivilegeEscalation: Principal attempting to gain higher privileges than it currently holds.

  • Recon: Scoping out vulnerabilities (port probing, listing users).

  • ResourceConsumption: Unusual launch of resources (e.g., launching many EC2 instances).

  • Stealth: Attempting to hide actions/tracks (e.g., disabling logs).

  • Trojan: Silent malicious software carrying out attacks.

  • UnauthorizedAccess: Suspicious activity by an unauthorized individual.

Managing Findings

  • Filters: You can create filters to view specific findings.

  • Suppression Rules: Automatically archive new findings that match specific criteria (to reduce noise).

  • Trusted IP Lists: Whitelist secure IP addresses (no VPC Flow Log or CloudTrail findings generated for them). Limit: 1 list per account per Region.

  • Threat Lists: Custom lists of known malicious IPs (findings generated on contact). Limit: 6 lists per account per Region.

  • Exporting: Active findings are automatically exported to Amazon EventBridge (CloudWatch Events) and optionally to an S3 bucket within 5 minutes.
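As an added example (not code from the cheat sheet or from AWS), the Python below models how a consumer of findings exported to EventBridge might read the fields described above: it parses the finding type into ThreatPurpose/ResourceType/ThreatFamily, maps the numeric severity to the High/Medium/Low label, and applies a trusted-network check and a suppression rule before deciding whether to alert. The event shape, the trusted CIDR, the instance IDs and the rule are constructed assumptions, not a real account's configuration.

```python
import ipaddress


def make_event(finding_type, severity, instance_id, remote_ipv4):
    """Constructed EventBridge event in the shape GuardDuty exports (source
    "aws.guardduty", detail-type "GuardDuty Finding"). Only the fields this
    example reads are filled in; IDs and addresses are made up."""
    action = {"actionType": "NETWORK_CONNECTION",
              "networkConnectionAction": {
                  "connectionDirection": "OUTBOUND",
                  "remoteIpDetails": {"ipAddressV4": remote_ipv4}}}
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "resource": {"resourceType": "Instance",
                                    "instanceDetails": {"instanceId": instance_id}},
                       "service": {"action": action}}}


def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatFamily' into its parts."""
    purpose, rest = finding_type.split(":", 1)
    resource, family = rest.split("/", 1)
    return {"purpose": purpose, "resource": resource, "family": family}


def severity_label(score):
    """Map GuardDuty's numeric severity (0.1-8.9) to the console's label."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"


# Constructed policy: a trusted CIDR standing in for a Trusted IP list, and a
# suppression rule that archives Recon findings from pre-approved scanner instances.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SUPPRESSION_RULES = [{"type": "Recon:EC2/Portscan", "instanceIds": {"i-0approvedscan"}}]


def triage(event):
    """Return 'not-a-finding', 'ignored', 'archived', or the severity label to alert on."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return "not-a-finding"
    d = event["detail"]
    ip = (d["service"]["action"].get("networkConnectionAction", {})
          .get("remoteIpDetails", {}).get("ipAddressV4"))
    # Trusted IP list: GuardDuty would not have generated a finding for this remote IP.
    if ip and any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS):
        return "ignored"
    inst = d["resource"].get("instanceDetails", {}).get("instanceId")
    # Suppression rule: the finding exists but is auto-archived, so no alert is sent.
    for rule in SUPPRESSION_RULES:
        if rule["type"] == d["type"] and inst in rule["instanceIds"]:
            return "archived"
    return severity_label(d["severity"])
```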

Amazon GuardDuty Pricing

  • Foundational: Charged based on the volume of CloudTrail events, VPC Flow Logs, and DNS Logs analyzed.

  • EKS Protection: Charged per vCPU per hour for Runtime Monitoring and per million audit logs.

  • Lambda Protection: Charged per GB of network activity logs scanned.

  • Malware Protection: Charged per GB of data scanned (EBS volumes or S3 objects).

  • RDS Protection: Charged per million login events analyzed.

  • Free Trial: New accounts (and new features enabled on existing accounts) typically receive a 30-day free trial.

Validate Your Knowledge

Question 1

A company is using Amazon GuardDuty to continuously monitor its AWS resources for malicious activity, unauthorized port scanning, and other security vulnerabilities. Whenever there are pre-approved port scanning activities from specific Amazon EC2 instances owned by the IT Security team, the Operations team still receives GuardDuty events via Amazon EventBridge. There is a new requirement to suppress alerts on these authorized security tests to prevent false positives. The Security team must ensure that the alerts are still sent for any unauthorized activity in AWS.

Which of the following is the MOST suitable solution for this scenario?

  1. Exclude and filter out the IP addresses of the pre-approved EC2 instances owned by the Security team in AWS CloudTrail.
  2. Attach Elastic IP addresses to the EC2 instances and then add these addresses to the Trusted IP list in GuardDuty.
  3. Install the Amazon Inspector agent on the EC2 instances that execute the pre-approved port scanning activities. Configure Inspector to exclude the pre-approved port scanning activities from these instances.
  4. Use the GuardDutyExcluded tag to prevent GuardDuty from generating alerts for pre-approved port scanning activities.

Correct Answer: 2

Amazon GuardDuty monitors the security of your AWS environment by analyzing and processing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. You can customize this monitoring scope by configuring GuardDuty to also use your own trusted IP lists and threat lists. The IP lists described below apply to all VPC Flow Log and CloudTrail findings but do not apply to DNS findings.

Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate VPC Flow Log or CloudTrail findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per Region.

Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per Region.

GuardDuty can send notifications based on Amazon EventBridge when any changes in the findings take place. These changes include newly generated findings or subsequent occurrences of existing findings.

Every GuardDuty finding is assigned a finding ID. GuardDuty creates an event for every finding with a unique finding ID. All subsequent occurrences of an existing finding are always assigned a finding ID that is identical to the ID of the original finding.

In order to receive notifications about GuardDuty findings based on EventBridge, you must create an EventBridge rule and a target for GuardDuty. This rule enables EventBridge (formerly CloudWatch Events) to send events for all findings that GuardDuty generates to the target that is specified in the rule.

Hence, the correct answer is: Attach Elastic IP addresses to the EC2 instances and then add these addresses to the Trusted IP list in GuardDuty.

The option that says: Exclude and filter out the IP addresses of the pre-approved EC2 instances owned by the Security team in AWS CloudTrail is incorrect because you cannot exclude or filter out API logs based on the IP address of an EC2 instance in AWS CloudTrail. A better solution here is to use a trusted IP list in Amazon GuardDuty instead.

The option that says: Install the Amazon Inspector agent on the EC2 instances that execute the pre-approved port scanning activities. Configure Inspector to exclude the pre-approved port scanning activities from these instances is incorrect because Inspector is simply an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Instead, you have to add the IP addresses of the EC2 instances that execute the pre-approved port scanning activities to the trusted IP list in Amazon GuardDuty.

The option that says: Use the GuardDutyExcluded tag to prevent GuardDuty from generating alerts for pre-approved port scanning activities is incorrect because the GuardDutyExcluded tag is primarily used for malware protection exclusions and does not apply to network-based detections like port scanning.
    Written by: Jon Bonso

    Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
