Tuesday, October 28, 2025

Amazon GuardDuty | Deep Dive.

Intro:

Here’s twtech’s deep dive into Amazon GuardDuty.

  •        This deep dive includes the architecture, data sources, detection logic, integrations, and operational best practices.

Breakdown:

  •        Overview of GuardDuty
  •        Core Architecture
  •        Data Sources and Telemetry
  •        Detection Categories
  •        Integration and Automation
  •        Multi-Account Architecture (with AWS Organizations)
  •        GuardDuty Malware Protection (Newer Component)
  •        EKS Protection (Container Threat Detection)
  •        Findings Lifecycle
  •        Best Practices for Operations
  •        Sample Visual Architecture Flow

1. Overview of GuardDuty.

  •        Amazon GuardDuty is an intelligent threat detection service that continuously monitors AWS accounts, workloads, and data stores for malicious or unauthorized activity.
  •        Amazon GuardDuty is agentless, serverless, and fully managed.
  •        Amazon GuardDuty leverages machine learning (ML), anomaly detection, and threat intelligence feeds to surface actionable findings.

NB:

  •        GuardDuty doesn’t affect resource performance.
  •        Amazon GuardDuty requires no inline traffic inspection or network reconfiguration.
  •        Amazon GuardDuty consumes data sources passively from AWS services.

 2. Core Architecture

 Data Flow

  1. Data Ingestion Layer
    • Pulls telemetry from multiple AWS sources (see below).
    • Enriched with contextual metadata (account IDs, region, VPC, instance details).
  2. Threat Detection Engine
    • Applies detector models based on:
      • AWS-managed ML models
      • Deterministic rules (pattern-based)
      • AWS and third-party threat intelligence feeds (e.g., known bad IPs/Domains)
    • Uses behavioral baselining per account.
  3. Findings Aggregation and Correlation
    • Generates findings with severity (Low, Medium, High)
    • Correlates related activities to reduce noise.
  4. Publishing Layer
    • Delivers findings to:
      • GuardDuty console / API
      • EventBridge (CloudWatch Events)
      • Security Hub
      • S3 / SIEM systems

3. Data Sources and Telemetry

| Category | Source | Purpose |
|---|---|---|
| Network Visibility | VPC Flow Logs | Detects reconnaissance, data exfiltration, command-and-control activity. |
| Access and Identity | CloudTrail Management & S3 Data Events | Detects IAM abuse, anomalous API calls, unusual geographic access. |
| DNS Layer | Route 53 DNS Query Logs | Detects communication with known malicious domains. |
| Container Workloads | EKS Audit Logs | Detects container-level threats (e.g., privilege escalation, pod execution). |
| Malware Detection (GuardDuty Malware Protection) | EBS volume snapshots (temporary, internal scan) | Detects malware artifacts and binaries on compromised EC2 instances. |
| RDS Protection | RDS Login Activity | Detects anomalous or brute-force login attempts. |
| Lambda Protection | Lambda CloudTrail & VPC Flow | Detects abuse of serverless functions. |

4. Detection Categories

| Detection Type | Examples | Description |
|---|---|---|
| Reconnaissance | Port scanning, DNS probes. | Identifies network scanning or enumeration attempts. |
| Unauthorized Access | Compromised IAM user/role. | Detects anomalous API usage, key leakage, or credential theft. |
| Instance Compromise | Bitcoin mining, C2 traffic. | Detects infected EC2s communicating with external C2 infrastructure. |
| Bucket Exfiltration | Unusual S3 data download. | Identifies data theft or misconfiguration leading to data leaks. |
| Privilege Escalation | New high-privilege roles. | Detects attempts to gain higher permissions. |
| Anomalous Behavior | Geographical/API deviation. | Uses ML baselines to detect deviation from normal patterns. |
| Malware Findings | EICAR test file, ransomware signature. | From EBS scan results tied to EC2 volumes. |

5. Integration and Automation

| Integration | Purpose |
|---|---|
| AWS Security Hub | Centralized view of all findings, compliance mapping (CIS, PCI DSS). |
| Amazon Detective | Deep forensic investigation using linked evidence from CloudTrail, VPC Flow, and GuardDuty. |
| AWS Lambda + EventBridge | Automated remediation workflows (e.g., isolate EC2, revoke credentials). |
| AWS Organizations | Multi-account management via delegated administrator and auto-enrollment. |
| AWS Config | Cross-check compliance and detect drifts causing findings. |
| SIEM (Splunk, QRadar, Datadog) | Stream findings to enterprise SOC. |

 6. Multi-Account Architecture (with AWS Organizations)

  • Delegated Administrator Account (Security Account) runs GuardDuty centrally.
  • Member Accounts automatically enabled through Organization integration.
  • Findings are aggregated to the delegated administrator for global visibility.
  • Cross-region aggregation possible to a primary region for unified analysis.

 7. GuardDuty Malware Protection (Newer Component)

  • Creates ephemeral snapshots of EC2 instance EBS volumes for scanning.
  • Detects malware families, cryptominers, ransomware.
  • Results integrated into GuardDuty findings under EC2_MalwareFinding.
  • Does not modify original volumes or store user data post-scan.
  • Can optionally be enabled per account or per organization.

 8. EKS Protection (Container Threat Detection)

GuardDuty integrates with Amazon EKS to:

  • Monitor API server audit logs.
  • Detect suspicious Kubernetes API calls (e.g., exec, create pod).
  • Identify containers running on compromised EC2 nodes.
  • Detect anomalous inter-pod communication or lateral movement.

 9. Findings Lifecycle

  1. Generated: Detected by GuardDuty engine.
  2. Enriched: With contextual data (tags, resources, geolocation).
  3. Delivered: To Security Hub / EventBridge.
  4. Acted Upon: Automated isolation, IAM key revocation, ticket creation.
  5. Archived: Optionally sent to S3 or SIEM for retention.

10. Best Practices for Operations

| Area | Best Practice |
|---|---|
| Enable Across Org | Use AWS Organizations to automatically enable GuardDuty in all accounts and regions. |
| Baseline & Tune | Review findings regularly to understand normal vs anomalous behavior. |
| Automation | Build EventBridge + Lambda remediation for critical findings (e.g., isolate EC2). |
| Integration | Forward findings to Security Hub and SIEM for correlation. |
| Compliance Alignment | Map findings to frameworks (CIS, NIST 800-53, ISO 27001). |
| Malware & EKS | Enable both for complete workload coverage. |
| Cost Optimization | Exclude non-critical VPCs or accounts if needed, monitor cost per data source. |
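As an added example (not code from the original post), a Lambda handler for the EventBridge + Lambda remediation pattern from section 5 and the Automation best practice above: it reads a GuardDuty finding event, decides the response from severity and resource type, and isolates an EC2 instance by swapping its security groups for a quarantine group. The quarantine group id, the severity cutoff, the sample finding and the fake EC2 client are constructed assumptions; a real deployment passes a boto3 client.

```python
import os

SEVERITY_THRESHOLD = 7.0  # GuardDuty High-severity findings start at 7.0 (assumed cutoff for auto-action)
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-quarantine-placeholder")  # assumed: a group with no rules

def plan_response(event):
    """Map an EventBridge GuardDuty finding event to a response plan (pure logic, no AWS calls)."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    severity = float(detail.get("severity", 0))
    plan = {"finding": detail.get("type"), "severity": severity, "action": "log"}
    if severity < SEVERITY_THRESHOLD:
        return plan                                   # Low/Medium: record it for analyst triage
    rtype = resource.get("resourceType")
    if rtype == "Instance":                           # e.g. C2 traffic or coin mining on an EC2 instance
        plan["action"] = "isolate_ec2"
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
    elif rtype == "AccessKey":                        # compromised IAM credential
        plan["action"] = "revoke_access_key"
        plan["user"] = resource["accessKeyDetails"].get("userName")
    return plan

def isolate_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Swap every ENI's security groups for the quarantine group; return the originals for later restoration."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original = {}
    for eni in inst["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        original[eni_id] = [g["GroupId"] for g in eni["Groups"]]
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[quarantine_sg])
    return original

def lambda_handler(event, context=None):
    plan = plan_response(event)
    if plan["action"] == "isolate_ec2":
        import boto3                                  # imported late so the pure logic above runs offline
        plan["original_groups"] = isolate_instance(boto3.client("ec2"), plan["instance_id"])
    return plan

# Constructed sample finding (field names follow the GuardDuty EventBridge event shape).
SAMPLE_EVENT = {"detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0, "resource": {
    "resourceType": "Instance", "instanceDetails": {"instanceId": "i-0constructed0example"}}}}

class FakeEc2:  # offline stand-in for the boto3 EC2 client; records the group changes requested
    def __init__(self):
        self.changes = {}
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"NetworkInterfaces": [{"NetworkInterfaceId": "eni-0constructed", "Groups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}]}]}]}]}
    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.changes[NetworkInterfaceId] = Groups
```

Restoring the recorded original groups after the investigation is the reverse of the same call, so keep the returned mapping with the incident ticket.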

 11. Sample Visual Architecture Flow

