Tuesday, October 28, 2025

Amazon GuardDuty (Enable, Monitor, Detect Threats, & Remediation Actions) | Overview.



Scope:

  • Intro,
  • Key Features and Capabilities,
  • Getting Started,    
  • The concept of GuardDuty (Deep Dive),
  • Core Architecture Data Flow,
  • Table for Data Sources, Telemetry & Purposes,
  • Table for Detection Categories (types), Samples & Description,
  • Integration Architecture,
  • Table of Integration & Automation Purposes, 
  • Multi-Account Architecture (with AWS Organizations),
  • GuardDuty Malware Protection (Newer Component),
  • Integrating GuardDuty with Amazon EKS for Container Threat Detection,
  • Findings Lifecycle,
  • Table of Best Practices for Operations & Key Areas,
  • Sample Visual Architecture Flow.

Intro:

    • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads.
    • Amazon GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential security risks.

Key Features and Capabilities

    • Continuous Monitoring: It analyzes data from foundational AWS data sources (listed in the Data Sources table below).
    • Broad Protection: GuardDuty provides protection plans for a range of AWS services (also listed in the Data Sources table below).
    • Intelligent Detections: It can identify high-severity threats such as:
      • cryptocurrency mining,
      • credential exfiltration,
      • communication with known malicious IP addresses or domains.
    • Malware Protection: It can initiate malware scans on:
      • Amazon EBS volumes,
      • Amazon S3 objects, to detect the presence of malicious files.
    • Zero Performance Impact: The service operates independently of twtech workloads, so it does not impact the performance or availability of twtech applications.

Getting Started

    • Enable the Service: twtech enables GuardDuty with a single click in the AWS Management Console.
      • GuardDuty begins analyzing the twtech environment immediately, without requiring agent installation for its core monitoring.
    • Review Findings: Detected threats are generated as findings in the dashboard, categorized by severity (Low, Medium, High) to help prioritize remediation.
    • Automate Response: Findings can be routed to AWS Security Hub or Amazon EventBridge to trigger automated remediation actions, such as isolating a compromised instance.
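The three Getting Started steps, done through the API instead of the console, as an added example that is not code from the original post. The method names are the real boto3 GuardDuty calls (list_detectors, create_detector, list_findings, get_findings); the FakeGuardDuty client, the detector ID "d0example" and the SAMPLE_FINDINGS are constructed so the flow runs offline without AWS credentials. The severity thresholds (Low below 4.0, Medium 4.0 to 6.9, High 7.0 and above) follow the labels the console uses.

```python
"""Enable GuardDuty and triage its findings by severity.

Added example, not code from the original post. The method names are the
real boto3 GuardDuty calls (list_detectors, create_detector, list_findings,
get_findings); the FakeGuardDuty client and SAMPLE_FINDINGS are constructed
so the flow runs offline without AWS credentials.
"""
from collections import Counter


def severity_label(score: float) -> str:
    """Map a GuardDuty severity score to the console's Low/Medium/High label.
    Scores of 9.0 and above are treated as High here."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def ensure_detector(gd) -> str:
    """Return the region's detector ID, creating an enabled detector if none exists
    (the API equivalent of the one-click enable in the console)."""
    existing = gd.list_detectors().get("DetectorIds", [])
    if existing:
        return existing[0]
    resp = gd.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
    return resp["DetectorId"]


def fetch_findings(gd, detector_id: str, min_severity: int = 4) -> list:
    """Collect unarchived findings at or above min_severity, following pagination."""
    criteria = {"Criterion": {
        "severity": {"GreaterThanOrEqual": int(min_severity)},
        "service.archived": {"Equals": ["false"]},
    }}
    ids, token = [], None
    while True:
        kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria, "MaxResults": 50}
        if token:
            kwargs["NextToken"] = token
        page = gd.list_findings(**kwargs)
        ids.extend(page.get("FindingIds", []))
        token = page.get("NextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(ids), 50):  # get_findings accepts at most 50 IDs per call
        findings.extend(gd.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + 50])["Findings"])
    return findings


def triage(findings: list) -> dict:
    """Count findings per label and order them so the highest severity is reviewed first."""
    counts = Counter(severity_label(f["Severity"]) for f in findings)
    ordered = sorted(findings, key=lambda f: f["Severity"], reverse=True)
    return {"counts": dict(counts), "review_order": [(f["Type"], f["Severity"]) for f in ordered]}


class FakeGuardDuty:
    """Constructed stand-in for boto3.client('guardduty'); responses use the real shapes."""

    def __init__(self, detectors=(), findings=None):
        self.detectors = list(detectors)
        self.findings = dict(findings or {})

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def create_detector(self, Enable, FindingPublishingFrequency):
        self.detectors.append("d0example")  # constructed detector ID
        return {"DetectorId": "d0example"}

    def list_findings(self, DetectorId, FindingCriteria, MaxResults, NextToken=None):
        floor = FindingCriteria["Criterion"]["severity"]["GreaterThanOrEqual"]
        return {"FindingIds": sorted(i for i, f in self.findings.items() if f["Severity"] >= floor)}

    def get_findings(self, DetectorId, FindingIds):
        return {"Findings": [self.findings[i] for i in FindingIds]}


# Constructed sample findings that use real GuardDuty finding type names.
SAMPLE_FINDINGS = {
    "f1": {"Id": "f1", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0},
    "f2": {"Id": "f2", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0},
    "f3": {"Id": "f3", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", "Severity": 8.0},
    "f4": {"Id": "f4", "Type": "Recon:IAMUser/MaliciousIPCaller", "Severity": 5.0},
}


def demo() -> dict:
    gd = FakeGuardDuty(findings=SAMPLE_FINDINGS)
    detector_id = ensure_detector(gd)  # creates the detector because none was enabled yet
    return triage(fetch_findings(gd, detector_id, min_severity=4))


if __name__ == "__main__":
    print(demo())  # replace FakeGuardDuty with boto3.client("guardduty") to run against an account
```

Against a live account the same functions take `boto3.client("guardduty")` in place of the fake; the `service.archived` criterion keeps already-handled findings out of the review queue, and the Medium floor of 4 is the usual starting point before tuning.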

1. The concept of GuardDuty (Deep Dive)

    • Amazon GuardDuty is an intelligent threat detection service that continuously monitors AWS accounts, workloads, and data stores for malicious or unauthorized activity.
    • Amazon GuardDuty is agentless, serverless, and fully managed.
    • Amazon GuardDuty leverages machine learning (ML), anomaly detection, and threat intelligence feeds to surface actionable findings.

NB:

    • GuardDuty doesn't affect resource performance.
    • Amazon GuardDuty requires no inline traffic inspection or network reconfiguration.
    • Amazon GuardDuty consumes data sources passively from AWS services.

2. Core Architecture Data Flow

  1. Data Ingestion Layer
    • Pulls telemetry from multiple AWS sources (see below).
    • Enriched with contextual metadata (account IDs, region, VPC, instance details).
  2. Threat Detection Engine
    • Applies detector models based on:
      • AWS-managed ML models
      • Deterministic rules (pattern-based)
      • AWS and third-party threat intelligence feeds (e.g., known bad IPs/Domains)
    • Uses behavioral baselining per account.
  3. Findings Aggregation and Correlation
    • Generates findings with severity (Low, Medium, High)
    • Correlates related activities to reduce noise.
  4. Publishing Layer
    • Delivers findings to:
      • GuardDuty console / API
      • EventBridge (CloudWatch Events)
      • Security Hub
      • S3 / SIEM systems


3. Table for Data Sources, Telemetry & Purposes

| Category | Source | Purpose |
|---|---|---|
| Network Visibility | VPC Flow Logs | Detects reconnaissance, data exfiltration, command-and-control activity. |
| Access and Identity | CloudTrail Management & S3 Data Events | Detects IAM abuse, anomalous API calls, unusual geographic access. |
| DNS Layer | Route 53 DNS Query Logs | Detects communication with known malicious domains. |
| Container Workloads | EKS Audit Logs | Detects container-level threats (e.g., privilege escalation, pod execution). |
| Malware Detection (GuardDuty Malware Protection) | EBS volume snapshots (temporary, internal scan) | Detects malware artifacts and binaries on compromised EC2 instances. |
| RDS Protection | RDS Login Activity | Detects anomalous or brute-force login attempts. |
| Lambda Protection | Lambda CloudTrail & VPC Flow | Detects abuse of serverless functions. |

NB:

    • Telemetry is the automatic collection and transmission of data from remote sources to a central system for analysis. It is commonly used in software (Windows 11, for example) for diagnostics, performance measurement and usage tracking.
    • Telemetry often includes system information, application usage and settings. What is collected can be managed or restricted in privacy settings, which gives improved, though often minimal, data privacy.

4. Table for Detection Categories (types), Samples & Description

| Detection Type | Examples | Description |
|---|---|---|
| Reconnaissance | Port scanning, DNS probes. | Identifies network scanning or enumeration attempts. |
| Unauthorized Access | Compromised IAM user/role. | Detects anomalous API usage, key leakage, or credential theft. |
| Instance Compromise | Bitcoin mining, C2 traffic. | Detects infected EC2s communicating with external C2 infrastructure. |
| Bucket Exfiltration | Unusual S3 data download. | Identifies data theft or misconfiguration leading to data leaks. |
| Privilege Escalation | New high-privilege roles. | Detects attempts to gain higher permissions. |
| Anomalous Behavior | Geographical/API deviation. | Uses ML baselines to detect deviation from normal patterns. |
| Malware Findings | EICAR test file, ransomware signature. | From EBS scan results tied to EC2 volumes. |

5. Table of Integration & Automation Purposes

| Integration | Purpose |
|---|---|
| AWS Security Hub | Centralized view of all findings, compliance mapping (CIS, PCI DSS). |
| Amazon Detective | Deep forensic investigation using linked evidence from CloudTrail, VPC Flow, and GuardDuty. |
| AWS Lambda + EventBridge | Automated remediation workflows (e.g., isolate EC2, revoke credentials). |
| AWS Organizations | Multi-account management via delegated administrator and auto-enrollment. |
| AWS Config | Cross-check compliance and detect drifts causing findings. |
| SIEM (Splunk, QRadar, Datadog) | Stream findings to enterprise SOC. |


Integration Architecture


6. Multi-Account Architecture (with AWS Organizations)

    • Delegated Administrator Account (Security Account) runs GuardDuty centrally.
    • Member Accounts automatically enabled through Organization integration.
    • Findings are aggregated to the delegated administrator for global visibility.
    • Cross-region aggregation possible to a primary region for unified analysis.
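The delegated-administrator setup described above, as an added example that is not code from the original post. The method names are the real boto3 GuardDuty calls (enable_organization_admin_account, update_organization_configuration, create_members, get_members, describe_organization_configuration); the account IDs, e-mail addresses, detector ID "d0example" and the FakeOrgGuardDuty client are constructed so the sequence runs offline. The check at the end is the part worth keeping in a scheduled job: it lists any member account that did not reach the Enabled relationship status.

```python
"""Delegated-administrator setup and coverage check for GuardDuty across an AWS Organization.

Added example, not code from the original post. Real boto3 method names;
account IDs, e-mails, detector ID and the fake client are constructed.
"""


def delegate_admin(gd_management, admin_account_id: str) -> None:
    """Run from the Organizations management account: hand GuardDuty administration
    to the security account."""
    gd_management.enable_organization_admin_account(AdminAccountId=admin_account_id)


def enroll_members(gd_admin, detector_id: str, accounts: dict) -> list:
    """Run from the delegated admin: auto-enable future accounts and add the existing ones.
    Returns the account IDs that are not in RelationshipStatus 'Enabled' afterwards."""
    gd_admin.update_organization_configuration(DetectorId=detector_id, AutoEnable=True)
    details = [{"AccountId": acct, "Email": email} for acct, email in accounts.items()]
    resp = gd_admin.create_members(DetectorId=detector_id, AccountDetails=details)
    unprocessed = {u["AccountId"] for u in resp.get("UnprocessedAccounts", [])}
    members = gd_admin.get_members(DetectorId=detector_id, AccountIds=list(accounts))["Members"]
    seen = {m["AccountId"] for m in members}
    not_enabled = {m["AccountId"] for m in members if m["RelationshipStatus"] != "Enabled"}
    missing = set(accounts) - seen  # requested but never became a member
    return sorted(not_enabled | unprocessed | missing)


def org_coverage_ok(gd_admin, detector_id: str) -> bool:
    """True when new accounts are auto-enabled and the member limit has not been hit."""
    cfg = gd_admin.describe_organization_configuration(DetectorId=detector_id)
    return bool(cfg.get("AutoEnable")) and not cfg.get("MemberAccountLimitReached", False)


class FakeOrgGuardDuty:
    """Constructed stand-in for boto3.client('guardduty') in one account."""

    def __init__(self, failing_accounts=()):
        self.admin = None
        self.auto_enable = False
        self.members = {}
        self.failing = set(failing_accounts)  # accounts that create_members will reject

    def enable_organization_admin_account(self, AdminAccountId):
        self.admin = AdminAccountId
        return {}

    def update_organization_configuration(self, DetectorId, AutoEnable):
        self.auto_enable = AutoEnable
        return {}

    def create_members(self, DetectorId, AccountDetails):
        unprocessed = []
        for d in AccountDetails:
            if d["AccountId"] in self.failing:
                unprocessed.append({"AccountId": d["AccountId"], "Result": "constructed failure"})
            else:
                self.members[d["AccountId"]] = "Enabled"
        return {"UnprocessedAccounts": unprocessed}

    def get_members(self, DetectorId, AccountIds):
        return {"Members": [{"AccountId": a, "RelationshipStatus": self.members[a]}
                            for a in AccountIds if a in self.members]}

    def describe_organization_configuration(self, DetectorId):
        return {"AutoEnable": self.auto_enable, "MemberAccountLimitReached": False}


# Constructed member accounts (IDs and addresses are placeholders).
SAMPLE_ACCOUNTS = {
    "111111111111": "dev@example.com",
    "222222222222": "prod@example.com",
    "333333333333": "sandbox@example.com",
}


def demo() -> dict:
    management = FakeOrgGuardDuty()
    delegate_admin(management, "999999999999")
    admin = FakeOrgGuardDuty(failing_accounts={"333333333333"})
    leftovers = enroll_members(admin, "d0example", SAMPLE_ACCOUNTS)
    return {"admin": management.admin, "not_enabled": leftovers,
            "coverage_ok": org_coverage_ok(admin, "d0example")}


if __name__ == "__main__":
    print(demo())
```

The two functions deliberately take different clients: enable_organization_admin_account is only valid from the management account, while the member and configuration calls must come from the delegated administrator, and each call must be repeated per region because GuardDuty detectors are regional.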

7. GuardDuty Malware Protection (Newer Component)

    • Creates ephemeral snapshots of EC2 instance EBS volumes for scanning.
    • Detects malware families, cryptominers, ransomware.
    • Results are integrated into GuardDuty findings under EC2_MalwareFinding.
    • Does not modify original volumes or store user data after the scan.
    • Can optionally be enabled per account or per organization.

8. Integrating GuardDuty with Amazon EKS for Container Threat Detection

    • Monitor API server audit logs.
    • Detect suspicious Kubernetes API calls (e.g., exec, create pod).
    • Identify containers running on compromised EC2 nodes.
    • Detect anomalous inter-pod communication or lateral movement.

9. Findings Lifecycle

    1. Generated: Detected by GuardDuty engine.
    2. Enriched: With contextual data (tags, resources, geolocation).
    3. Delivered: To Security Hub / EventBridge.
    4. Acted Upon: Automated isolation, IAM key revocation, ticket creation.
    5. Archived: Optionally sent to S3 or SIEM for retention.
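The "Delivered" and "Acted Upon" steps, the Automate Response step in Getting Started, and the "AWS Lambda + EventBridge" row of the integration table all describe the same pipeline: an EventBridge rule matches GuardDuty findings and a Lambda function applies a playbook. The following is an added example of that function, not code from the original post. The event shape is the one EventBridge delivers for GuardDuty (source aws.guardduty, detail-type "GuardDuty Finding", finding JSON under detail); the EC2 and IAM calls use real boto3 method names. The quarantine security group ID, the RecordingClient stand-ins, the sample event values and the assumption that accessKeyDetails.userName carries the role name for AssumedRole principals are all constructed for the example.

```python
"""EventBridge -> Lambda remediation for GuardDuty findings.

Added example, not code from the original post. Real EventBridge event shape
and boto3 method names; QUARANTINE_SG, RecordingClient and sample_event are
constructed so the handler runs offline.
"""
import json

# EventBridge rule event pattern that routes only High findings to the function.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

QUARANTINE_SG = "sg-0quarantine"  # assumed: a security group with no inbound or outbound rules
REVOKE_POLICY_NAME = "GuardDutyRevokeOlderSessions"


def revoke_sessions_policy(issued_before_iso: str) -> str:
    """Inline IAM policy that denies everything to role sessions issued before the
    finding time; this revokes active credentials without deleting the role."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before_iso}},
        }],
    })


def plan_action(finding: dict) -> dict:
    """Choose the playbook from the finding alone, so the decision is unit-testable."""
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType")
    if severity < 7.0:
        return {"action": "log_only", "reason": "below High severity"}
    if rtype == "Instance":
        return {"action": "isolate_instance",
                "instance_id": resource["instanceDetails"]["instanceId"]}
    if rtype == "AccessKey":
        key = resource["accessKeyDetails"]
        if key.get("userType") == "IAMUser":
            return {"action": "deactivate_key", "user": key["userName"],
                    "access_key_id": key["accessKeyId"]}
        if key.get("userType") == "AssumedRole":
            return {"action": "revoke_role_sessions", "role": key["userName"]}
    return {"action": "escalate", "reason": f"no playbook for resource type {rtype}"}


def remediate(event: dict, ec2, iam) -> dict:
    """Apply the chosen playbook with the given EC2 and IAM clients; returns an audit record."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignored", "reason": "not a GuardDuty event"}
    finding = event["detail"]
    plan = plan_action(finding)
    if plan["action"] == "isolate_instance":
        # Swapping the security groups cuts the instance off while preserving it for forensics.
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG])
    elif plan["action"] == "deactivate_key":
        iam.update_access_key(UserName=plan["user"], AccessKeyId=plan["access_key_id"],
                              Status="Inactive")
    elif plan["action"] == "revoke_role_sessions":
        iam.put_role_policy(RoleName=plan["role"], PolicyName=REVOKE_POLICY_NAME,
                            PolicyDocument=revoke_sessions_policy(finding["updatedAt"]))
    plan.update({"finding_id": finding.get("id"), "type": finding.get("type")})
    return plan


def lambda_handler(event, context):
    """AWS Lambda entry point; real clients are created only when running in Lambda."""
    import boto3
    return remediate(event, boto3.client("ec2"), boto3.client("iam"))


class RecordingClient:
    """Constructed stand-in for a boto3 client: records every call, returns an empty response."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def sample_event(finding_type: str, severity: float, resource: dict) -> dict:
    """Constructed EventBridge event in the GuardDuty Finding shape (IDs are placeholders)."""
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": "111122223333", "region": "us-east-1",
            "detail": {"id": "example-finding-id", "type": finding_type, "severity": severity,
                       "updatedAt": "2025-10-28T12:00:00.000Z", "resource": resource}}


if __name__ == "__main__":
    ec2, iam = RecordingClient(), RecordingClient()
    ev = sample_event("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0,
                      {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0exampleinstance"}})
    print(remediate(ev, ec2, iam), ec2.calls)
```

Keeping plan_action free of AWS calls means the playbook table can be tested against archived findings before it is allowed to act, and every return value is an audit record for the ticket or SIEM entry that the lifecycle's "Archived" step expects.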

10. Table of Best Practices for Operations & Key Areas

| Key Area | Best Practice |
|---|---|
| Enable Across Org | Use AWS Organizations to automatically enable GuardDuty in all accounts and regions. |
| Baseline & Tune | Review findings regularly to understand normal vs anomalous behavior. |
| Automation | Build EventBridge + Lambda remediation for critical findings (e.g., isolate EC2). |
| Integration | Forward findings to Security Hub and SIEM for correlation. |
| Compliance Alignment | Map findings to frameworks (CIS, NIST 800-53, ISO 27001). |
| Malware & EKS | Enable both for complete workload coverage. |
| Cost Optimization | Exclude non-critical VPCs or accounts if needed; monitor cost per data source. |

11. Sample Visual Architecture Flow



