Amazon GuardDuty is a threat detection service that enables you to monitor and protect your accounts and workloads. GuardDuty analyzes events across AWS data sources such as AWS CloudTrail event logs (management events and S3 data events), Amazon VPC Flow Logs, and DNS logs.
It also uses integrated threat intelligence, such as lists of known malicious IP addresses, together with anomaly detection and machine learning to identify threats more accurately. Analysis starts automatically when you enable GuardDuty; no additional configuration is required beyond optionally adding trusted or threat IP lists.
Trusted IP lists consist of IP addresses that are trusted for secure communication with your AWS environment. GuardDuty does not generate findings for IP addresses that are included in a trusted IP list.
Threat IP lists consist of known malicious IP addresses. GuardDuty generates findings for IP addresses that are included in threat lists.
S3 protection enables Amazon GuardDuty to monitor object-level API operations to identify potential security risks for data within your S3 buckets.
To manage multiple accounts in Amazon GuardDuty, you must choose a single AWS account to be the master account for GuardDuty. You can then associate other AWS accounts with the master account as member accounts. There are two ways to associate accounts with a GuardDuty master account: either through an AWS Organizations organization that both accounts are members of, or by sending an invitation through GuardDuty.
Features:
- You can monitor all your AWS accounts without additional security software.
- Automatically analyzes network and account activity at scale, providing continuous monitoring of your AWS accounts, and uses machine learning to detect malicious or unauthorized behaviour.
- You can review findings in the console, integrate them into event management or workflow systems, or trigger AWS Lambda for automated remediation or prevention.
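As an added example (not part of the original notes or an AWS-provided sample), the triage logic such a Lambda might run: it parses a GuardDuty finding as EventBridge delivers it, maps the numeric severity to the documented bands, extracts the remote IP, and routes the finding. It also applies the trusted-list point above: a finding whose remote IP is in your trusted list should not occur, so it is flagged for a list review. The CIDRs, account id, IPs and routing names are constructed assumptions; the finding field names follow the GuardDuty finding JSON format.

```python
import ipaddress

# Constructed trusted-list entries, in the one-CIDR-per-line form GuardDuty accepts as plaintext.
TRUSTED_CIDRS = ["203.0.113.0/24"]

# Severity bands as GuardDuty documents them: High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9.
SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"))

def severity_label(score):
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "LOW"

def remote_ip(detail):
    """Remote IPv4 from the finding's action block, or None for action types without one."""
    action = detail.get("service", {}).get("action", {})
    for sub in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(sub, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            return ip
    return None

def is_trusted(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def triage_finding(event, trusted_cidrs=TRUSTED_CIDRS):
    """Decide how to route one EventBridge event that carries a GuardDuty finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"route": "ignore", "reason": "not a GuardDuty finding"}
    d = event["detail"]
    label = severity_label(float(d["severity"]))
    ip = remote_ip(d)
    result = {"type": d["type"], "account": d["accountId"], "severity": label,
              "resource": d["resource"]["resourceType"], "remote_ip": ip}
    # GuardDuty suppresses findings for trusted IPs, so one arriving here means the
    # uploaded list is probably stale or not activated: send it for review, not remediation.
    if ip and is_trusted(ip, trusted_cidrs):
        result["route"] = "review-trusted-list"
    else:
        result["route"] = {"HIGH": "page-oncall", "MEDIUM": "ticket"}.get(label, "log-only")
    return result

def lambda_handler(event, context):
    return triage_finding(event)

# Constructed sample: an SSH brute-force finding against an EC2 instance, as EventBridge delivers it.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8, "accountId": "111122223333",
    "resource": {"resourceType": "Instance"}, "service": {"action": {"networkConnectionAction": {
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}
```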