L14. Amazon GuardDuty: Threat Detection Fundamentals
Video generating
Check back soon for the video lesson on Amazon GuardDuty: Threat Detection Fundamentals
Agentless, always-on threat detection across CloudTrail, VPC Flow Logs, DNS, EKS, RDS, and Lambda, plus the optional protection plans that extend GuardDuty's coverage.
Agentless by Design
Amazon GuardDuty is a managed threat detection service that continuously analyzes existing log sources rather than requiring you to deploy or manage any agents. It ingests CloudTrail management and S3 data events, VPC Flow Logs, DNS query logs, EKS audit logs, RDS login activity, and Lambda network activity. Because it works off logs and API activity AWS already generates, enabling GuardDuty is a control-plane setting, not a fleet-wide software rollout, which is exactly why it shows up so often in exam scenarios about detection at scale with minimal operational overhead.
How Findings Get Generated
GuardDuty combines three techniques to produce findings: machine learning models trained on known attack patterns, anomaly detection against a baseline of normal account behavior, and integrated threat intelligence feeds (including AWS-curated lists and feeds from partners) that flag known-malicious IPs and domains. Every finding carries a severity rating of low, medium, or high, which lets a SOC triage a flood of findings by impact instead of reading each one individually. A high-severity finding might indicate an EC2 instance communicating with a command-and-control server; a low-severity finding might just be a port scan against an instance that never responded.
Centralized, Org-Wide Management
GuardDuty is enabled on a per-account basis, but it does not have to be managed account by account. A delegated administrator account, designated at the AWS Organizations level, can centrally configure GuardDuty for every member account, including automatically enabling it for accounts that join the organization later. Member accounts inherit that configuration without an administrator having to log into each one separately, which is the pattern the exam expects for any multi-account GuardDuty question.
Acting on Findings Automatically
GuardDuty findings are published as events to Amazon EventBridge, and an EventBridge rule can match on finding type or severity to trigger an automated response: a Lambda function that revokes credentials or isolates a resource, a Step Functions workflow for a multi-step playbook, or an SNS notification that pages the on-call team. This finding-to-EventBridge-to-response pattern is the backbone of automated remediation across GuardDuty and Security Hub alike.
Optional Protection Plans
GuardDuty's core analysis is free of extra configuration, but five optional protection plans extend coverage into specific services:
| Protection Plan | What It Monitors |
|---|---|
| S3 Protection | S3 data events for suspicious access patterns |
| EKS Protection | EKS audit logs plus runtime monitoring of cluster workloads |
| RDS Protection | RDS login activity for anomalous authentication attempts |
| Lambda Protection | Lambda network activity for suspicious connections |
| Malware Protection | On-demand scans of EBS volumes attached to a flagged EC2 instance or container workload |
- ✓GuardDuty is agentless: it analyzes CloudTrail events, VPC Flow Logs, DNS query logs, EKS audit logs, RDS login activity, and Lambda network activity without any agent deployment
- ✓Findings carry a severity rating (low, medium, high) generated from machine learning, anomaly detection, and integrated threat intelligence feeds
- ✓GuardDuty can be centrally enabled and managed across an entire AWS Organization via a delegated administrator account
- ✓GuardDuty findings can be routed through EventBridge to automatically trigger Lambda, Step Functions, or SNS-based responses
- ✓GuardDuty Malware Protection scans EBS volumes attached to an EC2 instance or container workload that another GuardDuty finding has already flagged as potentially compromised
1. A company wants threat detection across 30 AWS accounts without deploying any agents to EC2 instances. Which service fits this requirement?
2. How should a company with a multi-account AWS Organization enable GuardDuty consistently across all current and future member accounts?
3. GuardDuty generates a high-severity finding that an EC2 instance is likely compromised and communicating with a known command-and-control IP. Which GuardDuty protection plan would additionally scan that instance's attached EBS volumes for malware?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.