Amazon GuardDuty is a continuous cloud security monitoring service that analyzes several data sources without requiring the user to collect or store them. These include AWS CloudTrail management event logs, AWS CloudTrail data events for S3 (Simple Storage Service), EKS (Elastic Kubernetes Service) audit logs, VPC (Virtual Private Cloud) flow logs, and DNS (Domain Name System) logs.
Amazon GuardDuty combines threat intelligence data, such as lists of malicious domains and IP addresses, with ML (machine learning) to surface suspicious and potentially harmful activity in a user's AWS environment. Examples include interactions with malicious IP addresses or domains, use of exposed credentials, and changes to or escalation of privileges.
GuardDuty can identify AWS EC2 (Elastic Compute Cloud) instances that are serving malware or mining bitcoin. It can also examine AWS account access history for evidence of compromise, such as suspicious API calls that weaken the password policy, or anomalous infrastructure deployments in regions the account has never used.
The most valuable features of AWS GuardDuty, according to the reviews, include:
1. Discovers suspicious users and checks their login locations and API calls.
2. Collects and correlates all data on the back end.
3. Consumes multiple log sources, such as AWS CloudTrail and VPC Flow Logs, to analyze traffic for security anomalies.
4. Threat detection feature provides timely notifications and helps monitor for malicious activity.
5. Monitors multiple AWS accounts without additional cost.
6. Fulfills networking and auditing requirements by providing additional logs.
7. Provides threat response and remediation capabilities.
8. Serves as a single system for data collection and alerts.
The reviews for AWS GuardDuty suggest several areas for improvement.
1. Integration with new services: Users express the need for GuardDuty to be integrated with additional services like QuickSight, Managed Airflow, AppFlow, and MWAA. This integration would save time and make it more convenient for users.
2. Automatic patching and mapping: The process of patching and mapping alerts sent to email is currently manual. Users would like GuardDuty to automate this process, making their job easier. They also suggest that alerts sent to the mailbox should be in a human-readable format instead of JSON.
3. Enhanced threat intelligence: Users feel that GuardDuty could be better enriched with threat intelligence data. They recommend leveraging the internal AWS threat intelligence team to stay up-to-date with new attacks, security vulnerabilities, and exploitations.
4. Cost management: Some users find the cost of GuardDuty to be a pain point, especially when monitoring a large number of accounts.
5. Dashboard analytics and recommendations: Users desire an overall dashboard analytics function in GuardDuty that provides insights into the current environment. They also suggest the inclusion of best practices, recommendations, and sample code configurations for implementing new features. Additionally, they would like to see more security analytics, reporting, and monitoring, along with cost projections associated with new features.
6. Mobile version and visualization: Remote workers would benefit from a mobile version of GuardDuty for monitoring and fixing issues. Users also request a pane to visualize all seven layers of security in the next release.
AWS GuardDuty improves an organization's overall security posture, leading to increased trust from customers and potential growth in services and solutions. The ROI is not easily quantifiable, but it positively impacts users' security environments and meets customer demands for better security.
The license of AWS GuardDuty is based on a pay-as-you-go model. The cost is determined by the number of events sent and is competitive. The licensing is part of the AWS license, and there are no additional costs. One good thing about the pricing model is that it allows companies to be in one tier for a set period, avoiding overestimation and under-utilization of usage.
The primary use case of AWS GuardDuty is to detect anomalies in the environment, rectify issues, and improve security. It is used to monitor AWS accounts, identify malicious activity, and assist in incident response processes. GuardDuty can be utilized for compliance purposes, providing additional protection and helping with login capabilities. It collects logs and data on user login information and permissions.
The customer service and support for AWS GuardDuty have been efficient and effective. AWS offers various channels available for assistance such as chat support, phone support, and web support. Although there may be a slight delay in connecting with a support representative via phone, overall the response time has been fairly quick. The support team is responsive, acknowledges requests, and acts promptly. Users have rarely needed to escalate issues to higher-level support. Some users have not required technical support at all, while others have received significant support from the Amazon support team.
The setup process for AWS GuardDuty is described as straightforward and can be completed in a few minutes. Deployment across multiple AWS accounts is also smooth and efficient, particularly when using AWS Organization. Users simply need to sign in to the AWS Management Console and choose the desired account to be added to GuardDuty. The complexity of the initial setup largely depends on the architecture, specific requirements, and integration with other solutions.
Reviewers say that AWS GuardDuty is scalable and can accommodate a large number of users. Scalability is essential for companies that run across multiple accounts in AWS, with some companies having close to a thousand accounts. The reviewers have also noted that over time, the product has improved and become more scalable to meet the growing demands of their organizations.
The stability of AWS GuardDuty is highly praised by users. They mention that it is a stable product compared to other solutions like Azure or GCP. Users have not experienced significant downtime or outages while using Amazon GuardDuty. Its stability is regarded as wonderful, and there are no issues with networking or VPC connections.
GuardDuty continually evaluates the state of a user's AWS environment and delivers its security findings to the GuardDuty console and to Amazon CloudWatch Events, where users can review them or route them on to other tooling.
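Because findings arrive as CloudWatch Events / EventBridge events, a common first consumer is a small triage function that labels each finding by severity, decides where it should go, and collapses repeated deliveries of the same finding. The following is an added example written for this page, not code from AWS or the page's author. It relies on the documented event envelope (source "aws.guardduty", detail-type "GuardDuty Finding", finding JSON under "detail") and GuardDuty's documented severity bands; the events, account ids and finding ids below are constructed samples, and the routing policy (page / ticket / log) is an assumption for the example.

```python
"""Triage GuardDuty findings delivered through CloudWatch Events / EventBridge.

Added example, not code from the page or from AWS. The envelope fields used
(source "aws.guardduty", detail-type "GuardDuty Finding", finding under
"detail") follow the documented event format; the events below are
constructed samples with placeholder account ids and finding ids.
"""
import json

# GuardDuty's documented severity bands: Low 1.0-3.9, Medium 4.0-6.9,
# High 7.0-8.9, Critical 9.0-10.0. Anything below 1.0 is treated as INFO here.
SEVERITY_BANDS = ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW"))

# Routing policy for this example (an assumption, not a GuardDuty setting).
ACTION_BY_LABEL = {"CRITICAL": "page", "HIGH": "page", "MEDIUM": "ticket",
                   "LOW": "log", "INFO": "log"}

# Constructed sample events. Finding 0002 appears twice because GuardDuty
# re-emits an existing finding with a higher service.count when the same
# activity recurs; the last event is not a GuardDuty finding and is ignored.
SAMPLE_EVENTS_JSON = """[
  {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
   "detail": {"id": "constructed-finding-0001",
              "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
              "severity": 8, "accountId": "111122223333", "region": "us-east-1",
              "resource": {"resourceType": "AccessKey"}, "service": {"count": 1}}},
  {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
   "detail": {"id": "constructed-finding-0002",
              "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
              "severity": 5, "accountId": "111122223333", "region": "us-east-1",
              "resource": {"resourceType": "Instance"}, "service": {"count": 1}}},
  {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
   "detail": {"id": "constructed-finding-0003",
              "type": "Recon:EC2/PortProbeUnprotectedPort",
              "severity": 2, "accountId": "111122223333", "region": "eu-west-1",
              "resource": {"resourceType": "Instance"}, "service": {"count": 1}}},
  {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
   "detail": {"id": "constructed-finding-0002",
              "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
              "severity": 5, "accountId": "111122223333", "region": "us-east-1",
              "resource": {"resourceType": "Instance"}, "service": {"count": 3}}},
  {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
   "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}}
]"""


def load_sample_events():
    """Parse the constructed sample events."""
    return json.loads(SAMPLE_EVENTS_JSON)


def severity_label(score):
    """Map a numeric GuardDuty severity to its band name."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "INFO"


def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatFamilyName...' into its parts."""
    purpose, _, rest = finding_type.partition(":")
    resource_type, _, family = rest.partition("/")
    return purpose, resource_type, family


def triage(events):
    """Return one summary per finding id, newest occurrence wins, sorted by severity."""
    latest = {}
    for event in events:
        if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
            continue  # not a finding: ignore
        detail = event["detail"]
        count = detail.get("service", {}).get("count", 1)
        previous = latest.get(detail["id"])
        if previous is not None and count < previous["count"]:
            continue  # an older delivery of a finding we already hold
        score = float(detail["severity"])
        label = severity_label(score)
        purpose, resource_type, _ = parse_finding_type(detail["type"])
        latest[detail["id"]] = {
            "id": detail["id"], "type": detail["type"], "purpose": purpose,
            "resource_type": resource_type, "severity": score, "label": label,
            "action": ACTION_BY_LABEL[label], "account": detail["accountId"],
            "region": detail["region"], "count": count,
        }
    return sorted(latest.values(), key=lambda f: (-f["severity"], f["id"]))


if __name__ == "__main__":
    for finding in triage(load_sample_events()):
        print(f'{finding["label"]:8} {finding["action"]:6} x{finding["count"]} '
              f'{finding["account"]} {finding["region"]} {finding["type"]}')
```

The duplicate check keeps the delivery with the highest service.count so that a recurring finding is handled once rather than once per re-emission; in a real pipeline the same function would sit behind an EventBridge rule that matches source "aws.guardduty".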
GuardDuty offers optional protection plans for specific AWS services, including:
Amazon Elastic Kubernetes Service (Amazon EKS) Protection
Kubernetes protection is an optional add-on in Amazon GuardDuty. It detects malicious behavior and possible compromise of an organization's Kubernetes clusters running in Amazon Elastic Kubernetes Service (Amazon EKS).
When Kubernetes protection is enabled, GuardDuty uses additional, optional data sources to detect threats against the Kubernetes API.
Kubernetes audit logs are a Kubernetes feature that records API activity from applications, the control plane, users, and endpoints. GuardDuty consumes these logs directly from Amazon EKS to generate Kubernetes findings for the organization's Amazon EKS clusters; users do not need to enable or store the logs themselves.
As long as Kubernetes protection remains enabled, GuardDuty continuously analyzes Kubernetes data sources from the Amazon EKS clusters for suspicious or anomalous behavior.
Amazon Simple Storage Service (S3) Protection
S3 Protection enables Amazon GuardDuty to monitor object-level API operations and detect potential security threats to data in an organization's S3 buckets. GuardDuty continually assesses risk to the organization's S3 assets by analyzing AWS CloudTrail management events and AWS CloudTrail S3 data events. It watches management events for bucket-level actions that may indicate suspicious activity, such as PutBucketReplication, DeleteBucket, and ListBucket, and data events for object-level API operations, such as PutObject, GetObject, ListObjects, and DeleteObject.
Reviews from Real Users
“The most valuable features are the single system for data collection and the alert mechanisms. Prior to using GuardDuty, we had multiple systems to collect data and put it in a centralized location so we could look into it. Now we don't need to do that anymore as GuardDuty does it for us.” - Arunkumar A., Information Security Manager at Tata Consultancy Services