AWS GuardDuty Reviews

Name: AWS GuardDuty
Brand: Amazon Web Services (AWS)
Rating: 4 (20 reviews)

4.1 out of 5

20 reviews
90% willing to recommend

273 followers

What is AWS GuardDuty?

Amazon Guard Duty is a continuous cloud security monitoring service that consistently monitors and administers several data sources. These include AWS CloudTrail data events for EKS (Elastic Kubernetes Service) audit logs, VPC (Virtual Private Cloud) flow logs, DNS (Domain Name System) logs, S3 (Simple Cloud Storage), and AWS CloudTrail event logs.

Amazon GuardDuty intuitively uses threat intelligence data - such as lists of malicious domains and IP addresses - and ML (machine learning) to quickly discover suspicious and problematic activity in a user's AWS ecosystem. Activities may include concerns such as interactions with malicious IP addresses or domains, exposed credentials usage, or changes and/or escalation of privileges.

GuardDuty is able to easily determine problematic AWS EC2 (Elastic Compute Cloud) instances delivering malware or mining bitcoin. It is also able to trace AWS account access history for evidence of destabilization. such as suspicious API calls resulting in changing password policies to minimize password strength or anomalous infrastructure deployments in new or different never-used regions.

Get the AWS GuardDuty Buyer's Guide and find out what your peers are saying about AWS GuardDuty, Wiz, Microsoft Defender for Cloud and more!

AWS GuardDuty is the #5 ranked solution in Cloud Workload Protection Platforms. PeerSpot users give AWS GuardDuty an average rating of 8.2 out of 10. AWS GuardDuty is most commonly compared to Wiz: AWS GuardDuty vs Wiz. AWS GuardDuty is popular among the large enterprise segment, accounting for 67% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 17% of all views.

Helped 814,763 peers since 2012

Featured reviews

Betika Brandon

Cloud Engineer at Epsilon

AWS GuardDuty helps by providing continuous threat detection and signaling potential threats. Its most valuable feature is continuous monitoring. The tool's integration with other AWS services has improved security. It provides continuous monitoring and intelligent threat detection, quickly signaling any issues. I would rate this improvement a seven out of ten. The solution's machine learning capabilities help identify threats by continuously collecting data such as IP addresses, user agents, API calls, and network traffic patterns. This data is used to train machine learning models, which can then identify normal activity patterns and detect variations that indicate security threats. AWS GuardDuty is crucial in identifying security threats in the AWS environment.

Read full review

Agron Demiraj

Cloud System Specialist at a financial services firm with 51-200 employees

It helps us detect brute-force attacks based on machine learning. It alerts the security team for possible attacks as well The product detects 100% brute force attacks using all legitimate testing methods. It gives the exact source IP of the attacks. The product's most valuable feature is…

Read full review

Pratik-Savla

Security and Compliance Architect at a manufacturing company with 1,001-5,000 employees

Because it's a threat detection service, they need to keep up with the various threat factors because new threat factors and attack factors come up all the time. Sometimes they may detect a certain behavior. But if that behavior morphs into something else, GuardDuty may not pick up on that specifically if something new comes up which hasn't been found or uncovered before. If Amazon doesn't update the service to reflect that or address that or factor that in, it may not detect the threat. The end user then is obviously at the mercy of whatever it flags. GuardDuty must ensure they cover everything, including the latest threats.

Read full review

AWS GuardDuty mindshare

As of November 2024, the mindshare of AWS GuardDuty in the Cloud Workload Protection Platforms (CWPP) category stands at 9.9%, down from 10.1% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Cloud Workload Protection Platforms (CWPP)

Key learnings from peers

Valuable Features

The most valuable features of AWS GuardDuty, according to the reviews, include:

1. Discovers suspicious users and checks their login locations and API calls.

2. Collects and correlates all data on the back end.

3. Consumes multiple log sources, such as AWS CloudTrail and VPC Flow Logs, to analyze traffic for security anomalies.

4. Threat detection feature provides timely notifications and helps monitor for malicious activity.

5. Monitors AWS accounts across multiple accounts without additional costs.

6. Fulfills networking and auditing requirements by providing additional logs.

7. Provides threat response and remediation capabilities.

8. Serves as a single system for data collection and alerts.

"AWS GuardDuty helps by providing continuous threat detection and signaling potential threats. Its most valuable feature is continuous monitoring. The tool's integration with other AWS services has improved security. It provides continuous monitoring and intelligent threat detection, quickly signaling any issues. I would rate this improvement a seven out of ten."
"The product has automated protection powered by AI/ML, which is now far more powerful than before. It uses AI/ML in its detection algorithm, providing fast and quick results."
"With anomaly detection, active threat monitoring, and set correlation, GuardDuty alerts me to any unusual user behavior or traffic patterns right away, which is great for staying on top of potential security risks."

Room for Improvement

The reviews for AWS GuardDuty suggest several areas for improvement.

1. Integration with new services: Users express the need for GuardDuty to be integrated with additional services like QuickSight, Managed Airflow, AppFlow, and MWAA. This integration would save time and make it more convenient for users.

2. Automatic patching and mapping: The process of patching and mapping alerts sent to email is currently manual. Users would like GuardDuty to automate this process, making their job easier. They also suggest that alerts sent to the mailbox should be in a human-readable format instead of JSON.

3. Enhanced threat intelligence: Users feel that GuardDuty could be better enriched with threat intelligence data. They recommend leveraging the internal AWS threat intelligence team to stay up-to-date with new attacks, security vulnerabilities, and exploitations.

4. Cost management: Some users find the cost of GuardDuty to be a pain point, especially when monitoring a large number of accounts.

5. Dashboard analytics and recommendations: Users desire an overall dashboard analytics function in GuardDuty that provides insights into the current environment. They also suggest the inclusion of best practices, recommendations, and sample code configurations for implementing new features. Additionally, they would like to see more security analytics, reporting, and monitoring, along with cost projections associated with new features.

6. Mobile version and visualization: Remote workers would benefit from a mobile version of GuardDuty for monitoring and fixing issues. Users also request a pane to visualize all seven layers of security in the next release.

"The product needs to improve its cost-efficiency since it is expensive."
"There is currently no consolidated dashboard for AWS GuardDuty. It would be helpful if they could provide a dashboard based on severity levels (high, medium, low) and offer insights account-wise, especially for users utilizing automation structures."
"One improvement I would suggest for AWS GuardDuty is the ability to assign findings to specific users or groups, facilitating better communication and follow-up actions."

ROI

AWS GuardDuty improves an organization's overall security posture, leading to increased trust from customers and potential growth in services and solutions. The ROI is not easily quantifiable, but it positively impacts users' security environments and meets customer demands for better security.

Pricing

The license of AWS GuardDuty is based on a pay-as-you-go model. The cost is determined by the number of events sent and is competitive. The licensing is part of the AWS license, and there are no additional costs. One good thing about the pricing model is that it allows companies to be in one tier for a set period, avoiding overestimation and under-utilization of usage.

"The tool's licensing model is pay-as-you-go."
"80 percent of the customers are using AWS GuardDuty, and we recommend it due to its low cost, especially for small customers, ranging from five to ten dollars a month. In our policies, we enforce the usage of this service, making it a recommended practice for security."
"It can get very expensive. If you turn on every feature, it can turn into hundreds of thousands of dollars."

Popular Use Cases

The primary use case of AWS GuardDuty is to detect anomalies in the environment, rectify issues, and improve security. It is used to monitor AWS accounts, identify malicious activity, and assist in incident response processes. GuardDuty can be utilized for compliance purposes, providing additional protection and helping with login capabilities. It collects logs and data on user login information and permissions.

Service and Support

The customer service and support for AWS GuardDuty have been efficient and effective. AWS offers various channels available for assistance such as chat support, phone support, and web support. Although there may be a slight delay in connecting with a support representative via phone, overall the response time has been fairly quick. The support team is responsive, acknowledges requests, and acts promptly. Users have rarely needed to escalate issues to higher-level support. Some users have not required technical support at all, while others have received significant support from the Amazon support team.

Deployment

The setup process for AWS GuardDuty is described as straightforward and can be completed in a few minutes. Deployment across multiple AWS accounts is also smooth and efficient, particularly when using AWS Organization. Users simply need to sign in to the AWS Management Console and choose the desired account to be added to GuardDuty. The complexity of the initial setup largely depends on the architecture, specific requirements, and integration with other solutions.

Scalability

Reviewers say that AWS GuardDuty is scalable and can accommodate a large number of users. Scalability is essential for companies that run across multiple accounts in AWS, with some companies having close to a thousand accounts. The reviewers have also noted that over time, the product has improved and become more scalable to meet the growing demands of their organizations.

Stability

The stability of the solution of AWS GuardDuty is highly praised by users. They mention that it is a stable product compared to other solutions like Azure or GCP. Users have not experienced significant downtime or outages while using Amazon GuardDuty. Its stability is regarded as wonderful, and there are no issues with networking or BPC connections.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our AWS GuardDuty Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

17%

Computer Software Company

16%

Manufacturing Company

Government

Healthcare Company

Retailer

Energy/Utilities Company

Insurance Company

Comms Service Provider

University

Educational Organization

Media Company

Transportation Company

Non Profit

Construction Company

Outsourcing Company

Legal Firm

Real Estate/Law Firm

Recreational Facilities/Services Company

Wholesaler/Distributor

Performing Arts

Pharma/Biotech Company

Logistics Company

Consumer Goods Company

Hospitality Company

Sports Company

Marketing Services Firm

Compare AWS GuardDuty with alternative products

Learn more about AWS GuardDuty

GuardDuty will continually alert users regarding their AWS environment status and will send the security discoveries to the GuardDuty dashboard or Amazon CloudWatch events for users to view.

Users can access GuardDuty via:

AWS SDKs: Amazon provides users with several software development kits (SDKs) that are made up of libraries and sample code of numerous popular programming languages and platforms, such as Android, iOS, Java, .Net, Python, and Ruby. The SDKs make it easier to develop programmatic access to GuardDuty.
GuardDuty HTTPS API: This allows users to issue HTTPS requests directly to the service.
GuardDuty Console: This is a browser-based intuitive dashboard interface where users can access and use GuardDuty.

Amazon Elastic Kubernetes Service (Amazon EKS)

Kubernetes protection is an optional add-on in Amazon GuardDuty. This tool is able to discover malicious behavior and possible destabilization of an organization's Kubernetes clusters inside of Amazon Elastic Kubernetes Service (Amazon EKS).

When Amazon EKS is activated, GuardDuty will actively use various data sources to discover potential risks against Kubernetes API. When Kubernetes protection is enabled, GuardDuty uses optional data sources to detect threats against Kubernetes API.

Kubernetes audit logs are a Kubernetes feature that captures historical API activity from applications, the control plane, users, and endpoints. GuardDuty collates these logs from Amazon EKS to create Kubernetes discoveries for the organization's Amazon EKS assets; there is no need to store or turn on the logs.

As long as Kubernetes protection remains activated, GuardDuty will continuously dissect Kubernetes data sources from the Amazon EKS clusters to ensure no suspicious or anomalous behavior is taking place.

Amazon Simple Cloud Storage (S3) Protection

Amazon S3 allows Amazon GuardDuty to actively audit object-level API processes to discover possible security threats to data inside an organization's S3 buckets. GuardDuty continually audits risk to the organization’s S3 assets by carefully dissecting AWS CloudTrail management events and AWS CloudTrail S3 data events. These tools are continually auditing various CloudTrail management events for potential suspicious activities that affect S3 buckets, such as PutBucketReplication, DeleteBucket, ListBucket, and data events for S3 object-level API processes, such as PutObject, GetObject, ListObject, and DeleteObject.

Reviews from Real Users

“The most valuable features are the single system for data collection and the alert mechanisms. Prior to using GuardDuty, we had multiple systems to collect data and put it in a centralized location so we could look into it. Now we don't need to do that anymore as GuardDuty does it for us.” - Arunkumar A., Information Security Manager at Tata Consultancy Services