Cyber Intelligence
Threat Detection and Incident Response · 14% of exam

L14. Amazon GuardDuty: Threat Detection Fundamentals

Video generating

Check back soon for the video lesson on Amazon GuardDuty: Threat Detection Fundamentals

Agentless, always-on threat detection across CloudTrail, VPC Flow Logs, DNS, EKS, RDS, and Lambda, plus the optional protection plans that extend GuardDuty's coverage.

Agentless by Design

Amazon GuardDuty is a managed threat detection service that continuously analyzes existing log sources rather than requiring you to deploy or manage any agents. It ingests CloudTrail management and S3 data events, VPC Flow Logs, DNS query logs, EKS audit logs, RDS login activity, and Lambda network activity. Because it works off logs and API activity AWS already generates, enabling GuardDuty is a control-plane setting, not a fleet-wide software rollout, which is exactly why it shows up so often in exam scenarios about detection at scale with minimal operational overhead.

How Findings Get Generated

GuardDuty combines three techniques to produce findings: machine learning models trained on known attack patterns, anomaly detection against a baseline of normal account behavior, and integrated threat intelligence feeds (including AWS-curated lists and feeds from partners) that flag known-malicious IPs and domains. Every finding carries a severity rating of low, medium, or high, which lets a SOC triage a flood of findings by impact instead of reading each one individually. A high-severity finding might indicate an EC2 instance communicating with a command-and-control server; a low-severity finding might just be a port scan against an instance that never responded.

Centralized, Org-Wide Management

GuardDuty is enabled on a per-account basis, but it does not have to be managed account by account. A delegated administrator account, designated at the AWS Organizations level, can centrally configure GuardDuty for every member account, including automatically enabling it for accounts that join the organization later. Member accounts inherit that configuration without an administrator having to log into each one separately, which is the pattern the exam expects for any multi-account GuardDuty question.

Acting on Findings Automatically

GuardDuty findings are published as events to Amazon EventBridge, and an EventBridge rule can match on finding type or severity to trigger an automated response: a Lambda function that revokes credentials or isolates a resource, a Step Functions workflow for a multi-step playbook, or an SNS notification that pages the on-call team. This finding-to-EventBridge-to-response pattern is the backbone of automated remediation across GuardDuty and Security Hub alike.

Optional Protection Plans

GuardDuty's core analysis is free of extra configuration, but five optional protection plans extend coverage into specific services:

Protection PlanWhat It Monitors
S3 ProtectionS3 data events for suspicious access patterns
EKS ProtectionEKS audit logs plus runtime monitoring of cluster workloads
RDS ProtectionRDS login activity for anomalous authentication attempts
Lambda ProtectionLambda network activity for suspicious connections
Malware ProtectionOn-demand scans of EBS volumes attached to a flagged EC2 instance or container workload
Malware Protection deserves special attention: it does not scan everything continuously. It triggers a scan of the EBS volumes attached to an EC2 instance or container workload specifically after GuardDuty has already flagged that resource as potentially compromised through another finding, giving responders malware evidence without them having to snapshot and scan manually. Exam tip: If a scenario says "no agents" and "across many accounts" in the same sentence, GuardDuty with a delegated administrator is almost always the intended answer.

Exam Focus Points
  • GuardDuty is agentless: it analyzes CloudTrail events, VPC Flow Logs, DNS query logs, EKS audit logs, RDS login activity, and Lambda network activity without any agent deployment
  • Findings carry a severity rating (low, medium, high) generated from machine learning, anomaly detection, and integrated threat intelligence feeds
  • GuardDuty can be centrally enabled and managed across an entire AWS Organization via a delegated administrator account
  • GuardDuty findings can be routed through EventBridge to automatically trigger Lambda, Step Functions, or SNS-based responses
  • GuardDuty Malware Protection scans EBS volumes attached to an EC2 instance or container workload that another GuardDuty finding has already flagged as potentially compromised
Knowledge Check

1. A company wants threat detection across 30 AWS accounts without deploying any agents to EC2 instances. Which service fits this requirement?

2. How should a company with a multi-account AWS Organization enable GuardDuty consistently across all current and future member accounts?

3. GuardDuty generates a high-severity finding that an EC2 instance is likely compromised and communicating with a known command-and-control IP. Which GuardDuty protection plan would additionally scan that instance's attached EBS volumes for malware?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.

Start Security Specialty prep free10-day free trial available