Amazon GuardDuty: An Intelligent Threat Detection Service
October Cyber Security Awareness Month
In continuation of my previous post on understanding the security services available on #AWS, in this article let us discuss the ML-powered threat detection service #GuardDuty.
Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes AWS data sources and logs, using intelligence feeds and machine learning (ML) models to identify suspicious and potentially malicious activity in your AWS environment.
Let us consider a few potential threat scenarios where GuardDuty can be used.
This short video (https://youtu.be/ng14ToMXnTA) gives an introduction to GuardDuty.
Basic Architecture
Summary of GuardDuty protection plans
Identifies potential security risks such as data exfiltration and destruction attempts in your Amazon S3 buckets.
EKS Audit Log Monitoring analyzes Kubernetes audit logs from your Amazon EKS clusters for potentially suspicious and malicious activities.
Monitors and analyzes operating system-level events on your Amazon EKS, Amazon EC2, and Amazon ECS (including AWS Fargate), to detect potential runtime threats.
Detects the potential presence of malware by scanning the Amazon EBS volumes associated with your Amazon EC2 instances. There is an option to use this feature on-demand.
Detects the potential presence of malware in newly uploaded objects within your Amazon S3 buckets.
Analyzes and profiles your RDS login activity for potential access threats to the supported Amazon Aurora and Amazon RDS databases.
Monitors Lambda network activity logs, starting with VPC flow logs, to detect threats to your AWS Lambda functions. Examples of these potential threats include crypto mining and communicating with malicious servers.
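To check which of the protection plans summarized above are actually switched on for a detector, the sketch below (an added example, not code from the original article or from AWS) maps each plan to the feature name returned by the GuardDuty `GetDetector` API and lists the gaps. The plan labels are AWS's names for the plans described above, and `SAMPLE_DETECTOR` is a constructed response so the script runs offline.

```python
# Added example: audit GuardDuty protection-plan coverage from a GetDetector response.
# In a real account the input would come from:
#   boto3.client("guardduty").get_detector(DetectorId="<detector-id>")

# Protection plan -> detector feature name(s) that enable it.
PLAN_FEATURES = {
    "S3 Protection": ["S3_DATA_EVENTS"],
    "EKS Audit Log Monitoring": ["EKS_AUDIT_LOGS"],
    # RUNTIME_MONITORING is the current name; EKS_RUNTIME_MONITORING is the
    # older EKS-only feature. Either one counts as coverage here.
    "Runtime Monitoring": ["RUNTIME_MONITORING", "EKS_RUNTIME_MONITORING"],
    "Malware Protection for EC2": ["EBS_MALWARE_PROTECTION"],
    "RDS Protection": ["RDS_LOGIN_EVENTS"],
    "Lambda Protection": ["LAMBDA_NETWORK_LOGS"],
}
# Malware Protection for S3 is configured per bucket rather than as a
# detector feature, so it is not part of this check.

# Constructed sample input (not taken from a real account).
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "CLOUD_TRAIL", "Status": "ENABLED"},
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"},
        {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"},
        {"Name": "RDS_LOGIN_EVENTS", "Status": "DISABLED"},
        {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"},
        {"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"},
    ],
}

def plan_coverage(detector):
    """Return {plan name: True/False}; a suspended detector covers nothing."""
    if detector.get("Status") != "ENABLED":
        return {plan: False for plan in PLAN_FEATURES}
    enabled = {f["Name"] for f in detector.get("Features", [])
               if f.get("Status") == "ENABLED"}
    return {plan: any(name in enabled for name in names)
            for plan, names in PLAN_FEATURES.items()}

def missing_plans(detector):
    """Sorted list of protection plans that are not enabled."""
    return sorted(p for p, on in plan_coverage(detector).items() if not on)

if __name__ == "__main__":
    for plan, on in plan_coverage(SAMPLE_DETECTOR).items():
        print(f"{'ENABLED ' if on else 'DISABLED'}  {plan}")
```

GuardDuty detectors are regional, so a real audit would repeat this check for every region in use.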
For more details on Amazon GuardDuty, please visit:
#CyberSecurityAwarenessMonth #Aws #GuardDuty #AIinCyberSecurity