AWS GuardDuty

Amazon AWS GuardDuty Services

Intelligent threat detection service.

Continuously monitors for malicious activity and delivers detailed security findings for visibility and remediation.

Monitors AWS accounts, workloads, and data in Amazon S3.

Detects account compromise, instance compromise, malicious reconnaissance, and bucket compromise.

Amazon GuardDuty gives you access to built-in detection techniques developed and optimized for the cloud.

AWS Security continuously maintains and improves these detection algorithms.

The primary detection categories include:

  • Reconnaissance: Activity suggesting reconnaissance by an attacker such as:
    • Unusual API activity.
    • Intra-VPC port scanning.
    • Unusual, failed login request patterns.
    • Unblocked port probing from a known bad IP.
  • Instance compromise: Activity indicating an instance compromise, such as:
    • Cryptocurrency mining.
    • Backdoor command and control (C&C) activity.
    • Malware using domain generation algorithms (DGA).
    • Outbound denial of service activity.
    • Unusually high network traffic volume.
    • Unusual network protocols.
    • Outbound instance communication with a known malicious IP.
    • Temporary Amazon EC2 credentials used by an external IP address.
    • Data exfiltration using DNS.
  • Account compromise: Common patterns indicative of account compromise include:
    • API calls from an unusual geolocation or anonymizing proxy.
    • Attempts to disable AWS CloudTrail logging.
    • Changes that weaken the account password policy.
    • Unusual instance or infrastructure launches.
    • Infrastructure deployments in an unusual region.
    • API calls from known malicious IP addresses.
  • Bucket compromise: Activity indicating a bucket compromise, such as:
    • Suspicious data access patterns indicating credential misuse.
    • Unusual Amazon S3 API activity from a remote host.
    • Unauthorized S3 access from known malicious IP addresses.
    • API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location.
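GuardDuty reports each of the detections listed above as a finding whose `Type` string follows the pattern `ThreatPurpose:ResourceTypeAffected/ThreatFingerprint` and carries a numeric `Severity`. The following triage helper is an added example, not AWS code; it maps finding types back onto the four categories above and flags what needs escalation. The finding type strings are real GuardDuty types, the finding records and the `triage` / `parse_type` helpers are constructed for this example.

```python
"""Triage GuardDuty findings into this page's four categories (added example, not AWS code).

Assumes the finding shape returned by the GuardDuty GetFindings API: a 'Type'
string of the form ThreatPurpose:ResourceTypeAffected/ThreatFingerprint and a
float 'Severity'. The finding records below are constructed sample data.
"""
import json

# The resource part of the finding type maps onto the page's categories.
RESOURCE_CATEGORY = {
    "EC2": "instance compromise",
    "IAMUser": "account compromise",
    "S3": "bucket compromise",
}
# Threat purposes GuardDuty uses for scanning and enumeration activity.
RECON_PURPOSES = {"Recon", "Discovery"}

def parse_type(finding_type):
    """Split 'Purpose:Resource/Name' into its three parts."""
    purpose, rest = finding_type.split(":", 1)
    resource, name = rest.split("/", 1)
    return purpose, resource, name

def severity_label(severity):
    """GuardDuty severity bands: Low < 4.0, Medium < 7.0, High < 9.0, else Critical."""
    if severity < 4.0:
        return "Low"
    if severity < 7.0:
        return "Medium"
    return "High" if severity < 9.0 else "Critical"

def triage(finding):
    purpose, resource, _name = parse_type(finding["Type"])
    category = "reconnaissance" if purpose in RECON_PURPOSES \
        else RESOURCE_CATEGORY.get(resource, "unknown")
    label = severity_label(finding["Severity"])
    # Escalate High/Critical findings and every Stealth finding: disabling
    # CloudTrail or weakening the password policy is rated Low by GuardDuty,
    # yet it is an attacker trying to blind the very detection you rely on.
    escalate = label in ("High", "Critical") or purpose == "Stealth"
    return {"id": finding["Id"], "category": category,
            "severity": label, "escalate": escalate}

SAMPLE_FINDINGS = json.loads("""[
 {"Id": "f-1", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0},
 {"Id": "f-2", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0},
 {"Id": "f-3", "Type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "Severity": 2.0},
 {"Id": "f-4", "Type": "Exfiltration:S3/ObjectRead.Unusual", "Severity": 5.0}
]""")

if __name__ == "__main__":
    for row in map(triage, SAMPLE_FINDINGS):
        print(row)
```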
