Senior security engineer at a media company with 1,001-5,000 employees
Scalable solution, quick deployment with a great delegation service feature
Pros and Cons
- "Deployment is great, and we didn't face any big challenges."
- "Amazon GuardDuty could be better enriched in threat intelligence data."
What is our primary use case?
GuardDuty is predominantly used to find anomalies, particularly security anomalies when trying to probe a hosted public cloud service. For example, we work with Zuora, and have many public services running at AWS, and our concern is external parties. So, if a hacker or an attacker tries to probe our systems, Amazon GuardDuty tries to find anomalies or any vulnerabilities within our systems.
What is most valuable?
GuardDuty takes multiple sources of logs. In AWS, we have several logging services like AWS CloudTrail and VPC Flow Logs. VPC Flow Logs involve incoming and outgoing traffic from the internet, so if someone tries to get into a system or access one of our publicly hosted AWS, we are able to get that traffic via VPC Flow Logs. AWS CloudTrail is within the public cloud infrastructure, and AWS-specific API calls are involved. So, if someone tries to do some API activity specific to AWS within the infrastructure, this will be a source. These are multiple sources of logs that Amazon GuardDuty consumes as input to analyze the traffic for any security anomalies. So, based on these sources, the solution helps us report findings if security anomalies occur in our systems from the internet or within the cloud infra, cloud account, or AWS account.
AWS is account-specific, and last year, I believe AWS included something related to Kubernetes monitoring or Kubernetes Logs. So if we use EKS within the Kubernetes service and an anomaly occurs, some anomalous traffic is seen in the Kubernetes cluster, and it will be able to identify it. That is a good feature they recently added in testable APIs.
What needs improvement?
Amazon GuardDuty could be better enriched in threat intelligence data. An internal AWS threat intelligence team works 24 hours to enrich customers. That service could be leveraged if there is any new attack, new security vulnerability, or exploitation. Day-to-day hackers find new vulnerabilities, so Amazon GuardDuty should be up to date and help customers find issues.
Kubernetes Logs was missing but is now included. The solution covers most incoming sources in an S3 bucket, storage level, public internet traffic, the cloud infrastructure, the AWS account, and multiple accounts in Kubernetes. So there aren't any missing pieces with Amazon GuardDuty, especially from a monitoring perspective.
Another valuable feature is the delegation service. Even if there are hundreds of accounts, some part of the account is for security, some for DevOps, and some for developers. Certain accounts are assigned within AWS. For example, for Amazon GuardDuty, a master account of the administrator assigns Amazon GuardDuty's administration and full access to our secure account. Once the delegation is done, we work with the tool, the findings, and what it reports to then validate the findings. So, in this case, AWS has efficient features.
For how long have I used the solution?
We have been using this solution for three years.
Buyer's Guide
AWS GuardDuty
December 2024
Learn what your peers think about AWS GuardDuty. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is a stable solution, especially if you compare it to Azure or GCP, so we don't have any complaints about the stability. Other solutions have similar features, but we don't know how enriched those features are.
We have around five people on the security team, and it is very small. However, for large companies like Google or Microsoft that invest a large number of resources, they may have about 50 to 75 people on their team.
Another useful feature is the ability for Amazon GuardDuty to manage hundreds of accounts. There is usually a master account, and the remaining 99 accounts are member accounts. So if you push an order via the master account everything takes place in those 99 member accounts. Most companies don't want to give people access to the master account even to their operations, DevOps, infrastructure or development teams.
With Amazon GuardDuty, most of the tools have a delegation feature. So, from the master account, the administrator can delegate administrator access to a security account. So on our security team, we have our account in AWS, which is part of the master account. Under the master account, the administrator will give us access as a delegated administrator. Once the administrator delegates the security account, our five-person team takes care of all the tasks around the solution.
We have full access to configuration, monitoring and automation. The administrator can delegate the DevOps tool or service and the AWS office to the DevOps team account. So the DevOps team can take care of building automation, managing, and administering that particular service around the DevOps service. So, in this case, Amazon GuardDuty is delegated to our security account, and we manage it completely.
What do I think about the scalability of the solution?
Scalability is good. Companies will usually run across multiple accounts in AWS, and their resources run about a hundred accounts. However, one of the past companies I absolved ran close to a thousand accounts, and in that situation, the Amazon GuardDuty scalability factor was important.
Also, suppose a company is not leveraging AWS Organization which is very rare, AWS still provides risk APIs or their SD case, where a developer can write a script or automation to deploy seamlessly within a short time. Our security team predominantly uses Amazon GuardDuty. The cybersecurity team monitors the anomalies that occur using Amazon GuardDuty.
How are customer service and support?
The technical support is great. I've contacted AWS support multiple times, and they've resolved the query. They have three technical support features, namely chat support, phone support, and web support, where we can raise a query, and they reply to us. Most of the time, we leverage the phone call feature, and once we input our concerns for the queries, they'll reach out to us over the phone and share a Chime link (screen-sharing service). They try to understand our problems and the areas of concern and provide a solution.
The only concern is that it takes some time to assign someone when we reach out for technical support via phone service. It takes at least 45 minutes to get connected, and time is spent on hold waiting for someone to join from AWS.
How was the initial setup?
Deployment does not take long if it is an account-specific or AWS organization level. My company has around a hundred AWS accounts, so deploying across a hundred AWS accounts was pretty easy. AWS also provides AWS Organization, where one account acts as a master, and the rest of the 19 accounts are member accounts under this master. So once you give an order to the master, you can invoke Amazon GuardDuty across all the accounts. So deployment is great, and we didn't face any big challenges.
What other advice do I have?
I rate this solution an eight out of ten. Amazon GuardDuty is a very good service, and we are not planning to change it any time soon.
Regarding advice, it would be good to have data events for Amazon GuardDuty and Kubernetes for monitoring. Data events mean you have an S3 bucket for storing objects or files, and if someone tries to access or monitor those files, API calls will occur, and those transactions will be monitored. So until you enable the data event feature within Amazon GuardDuty, if someone makes a call at the object or file level, it is something we might miss. Also, there are certain features that are not enabled by default on Amazon GuardDuty.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
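The review above describes delegating GuardDuty administration from the AWS Organizations master (management) account to a security account and then rolling it out to all member accounts. The Python script below is an added example and is not code from the reviewer or from AWS: it encodes that sequence as boto3 GuardDuty API calls (enable_organization_admin_account, update_organization_configuration, create_members) in a plan that can be inspected before it is executed. The account numbers, profile names, e-mail addresses and the detector id are placeholders; the function and class names are this example's own.

```python
"""
Delegate GuardDuty administration to a security account and auto-enable
organization members. Added example; boto3 is imported only in main() so the
planning and execution logic can be exercised with a fake client offline.
"""
import re
from dataclasses import dataclass

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account ids are exactly 12 digits


@dataclass
class ApiCall:
    account_role: str  # "management" or "delegated_admin": which account runs it
    operation: str     # boto3 GuardDuty client method name
    params: dict


def plan_delegation(security_account_id, member_accounts, detector_id):
    """Return the ordered GuardDuty API calls for the delegation roll-out.

    member_accounts is a list of (account_id, email) pairs. The detector id is
    the delegated administrator's own detector in the target region.
    """
    for acct, _ in [(security_account_id, None)] + list(member_accounts):
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"invalid AWS account id: {acct!r}")
    plan = [
        # Step 1, run from the management account: designate the security account.
        ApiCall("management", "enable_organization_admin_account",
                {"AdminAccountId": security_account_id}),
        # Step 2, run from the delegated admin: enable GuardDuty for every
        # current and future organization member in this region.
        ApiCall("delegated_admin", "update_organization_configuration",
                {"DetectorId": detector_id,
                 "AutoEnableOrganizationMembers": "ALL"}),
    ]
    if member_accounts:
        # Step 3, run from the delegated admin: add existing accounts as members
        # so their findings flow to the security account immediately.
        plan.append(ApiCall("delegated_admin", "create_members", {
            "DetectorId": detector_id,
            "AccountDetails": [{"AccountId": a, "Email": e}
                               for a, e in member_accounts]}))
    return plan


def apply_plan(plan, clients):
    """Execute each call with the client for its role; clients maps role -> client."""
    results = []
    for call in plan:
        method = getattr(clients[call.account_role], call.operation)
        results.append(method(**call.params))
    return results


def main():
    # Assumed: two named AWS CLI profiles, one for the management account and one
    # for the security (delegated admin) account. Placeholder ids and e-mails.
    import boto3  # lazy import so the module loads without boto3 installed
    region = "us-east-1"
    mgmt = boto3.Session(profile_name="org-management").client("guardduty", region_name=region)
    sec = boto3.Session(profile_name="security").client("guardduty", region_name=region)
    # The delegated admin's detector is created when it is designated; look it up.
    detector_id = sec.list_detectors()["DetectorIds"][0]
    plan = plan_delegation("222233334444",
                           [("333344445555", "devops@example.com")], detector_id)
    for call in plan:
        print(f"{call.account_role:15} {call.operation}({call.params})")
    apply_plan(plan, {"management": mgmt, "delegated_admin": sec})


if __name__ == "__main__":
    main()
```

Printing the plan before calling apply_plan() gives a change record for review, and because each step names the account it must run from, the script cannot accidentally issue the member-creation calls with management-account credentials.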
Security Consultant at EY GDS
Collects and coordinates data, but the modification of use cases has limitations
Pros and Cons
- "The correlation back end is the solution's most valuable feature."
- "While sending the alerts to the email, they are not being patched. We have to do the patching and mapping manually. If GuardDuty could include a feature to do this automatically, it will make our job easier. That is something I believe can be improved."
What is our primary use case?
We are only using it for a client's requirements; we are simply building it and selling it to the client.
Amazon GuardDuty is used on private infrastructure for our clients. The application is not publicly accessible; it is hosted internally.
GuardDuty has been used to set the CloudWatch alarms. Assume that both scans are detected, or something similar, we have just enabled CloudWatch alarms for those use cases so that any such use case is detected. The alert will be triggered, and we have configured and integrated Amazon GuardDuty with all of the other seven accounts to have the central HPU.
What is most valuable?
The correlation back end is the solution's most valuable feature. Like in the backend, it is collecting all the data, which I think is pretty interesting, and coordinating everything, which is another good thing.
What needs improvement?
While sending the alerts to the email, they are not being patched. We have to do the patching and mapping manually. If GuardDuty could include a feature to do this automatically, it will make our job easier. That is something I believe can be improved.
For example, suppose you want to know when an alert is sent to your mailbox. The information is in JSON format. It would be helpful if that could be sent to the mailbox in a human-readable format.
I believe it can be improved in a variety of ways. If we can build our own use cases instead of using Microsoft Sentinel alone, that would be ideal.
For how long have I used the solution?
I have been using Amazon GuardDuty for two to three years.
I have used it for the last 12 months.
What do I think about the stability of the solution?
Amazon GuardDuty is a stable product.
What do I think about the scalability of the solution?
Amazon GuardDuty is scalable.
How are customer service and support?
We have not had any issues that required us to contact the GuardDuty AWS vendor. It's straightforward and effective.
How was the initial setup?
The initial setup is straightforward. We simply click on the app, and that's it.
The deployment can be done in a few minutes. We don't have to spend a lot of time there. It will take some time to integrate everything one by one, which is why we did it manually; otherwise everything else was straightforward.
What's my experience with pricing, setup cost, and licensing?
Pricing is determined by the number of events sent. It's fine, and it's not a problem from our perspective.
What other advice do I have?
My recommendation is to go for the master setup that will be beneficial to you.
There are some limitations where we cannot modify use cases to meet our needs; we must do additional work, such as setting up CloudWatch alarms and SNS, and things are not patched. There are some restrictions. I'll just suggest that you have some skilled resources with patching knowledge.
It's good, I would rate Amazon GuardDuty a seven out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
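The review above wires GuardDuty findings to CloudWatch alarms and SNS, and asks for the JSON that lands in the mailbox to be rendered in a human-readable form. The Python script below is an added example and is not code from the reviewer or from AWS: it takes the JSON of an EventBridge "GuardDuty Finding" event, maps the numeric severity to GuardDuty's named bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), pulls out the affected resource and remote addresses, and produces a plain-text summary plus a routing decision. The sample event, every account number, id and IP address in it, and the routing policy in route() are constructed for this example.

```python
"""
Render a GuardDuty finding (as carried in an EventBridge event) as readable
text and pick a notification route by severity. Added example, standard
library only; the sample event is constructed, not a real finding.
"""
import json
from dataclasses import dataclass

# Constructed sample of the EventBridge event that carries a GuardDuty finding.
# Every account number, id and IP address below is a placeholder.
SAMPLE_EVENT = json.dumps({
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "region": "us-east-1", "resources": [],
    "time": "2024-12-01T10:15:00Z",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "EXAMPLE-FINDING-ID", "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "title": "Unprotected port on EC2 instance i-0123456789abcdef0 is being probed.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {
            "serviceName": "guardduty", "detectorId": "EXAMPLE-DETECTOR-ID",
            "action": {"actionType": "PORT_PROBE", "portProbeAction": {
                "blocked": False,
                "portProbeDetails": [{
                    "localPortDetails": {"port": 22, "portName": "SSH"},
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}]}},
            "count": 3, "eventFirstSeen": "2024-12-01T09:40:00Z",
            "eventLastSeen": "2024-12-01T10:10:00Z"},
    },
})

# GuardDuty's documented severity bands, highest floor first.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low"))


def severity_label(score):
    """Map the numeric severity (1.0-10.0) to its named band."""
    for floor, name in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "Unknown"


@dataclass
class FindingSummary:
    account_id: str
    region: str
    finding_type: str
    severity: float
    severity_label: str
    resource: str
    remote_ips: list
    count: int
    last_seen: str
    title: str


def describe_resource(resource):
    """One-line description of the affected resource for the common types."""
    kind = resource.get("resourceType", "Unknown")
    if kind == "Instance":
        return f"Instance {resource['instanceDetails']['instanceId']}"
    if kind == "AccessKey":
        d = resource.get("accessKeyDetails", {})
        return f"AccessKey {d.get('accessKeyId', '?')} (user {d.get('userName', '?')})"
    if kind == "S3Bucket":
        names = [b.get("name", "?") for b in resource.get("s3BucketDetails", [])]
        return "S3Bucket " + ", ".join(names)
    if kind == "EKSCluster":
        return f"EKSCluster {resource.get('eksClusterDetails', {}).get('name', '?')}"
    return kind


def remote_ips(action):
    """Collect remote IPv4 addresses from whichever action block is present."""
    ips = []
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    return ips


def parse_finding(event_json):
    """Parse an EventBridge 'GuardDuty Finding' event into a FindingSummary."""
    event = json.loads(event_json)
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty Finding event")
    f = event["detail"]
    svc = f.get("service", {})
    sev = float(f.get("severity", 0))
    return FindingSummary(
        account_id=f["accountId"], region=f["region"], finding_type=f["type"],
        severity=sev, severity_label=severity_label(sev),
        resource=describe_resource(f.get("resource", {})),
        remote_ips=remote_ips(svc.get("action", {})),
        count=int(svc.get("count", 1)), last_seen=svc.get("eventLastSeen", "?"),
        title=f.get("title", f["type"]))


def format_email(s):
    """Plain-text body suitable for an SNS e-mail subscription."""
    return "\n".join([
        f"[{s.severity_label}] {s.title}",
        f"Type:      {s.finding_type}",
        f"Account:   {s.account_id} ({s.region})",
        f"Resource:  {s.resource}",
        f"Remote IP: {', '.join(s.remote_ips) or 'n/a'}",
        f"Seen:      {s.count} time(s), last at {s.last_seen}",
    ])


def route(s):
    """Constructed routing policy: page on High/Critical, ticket Medium, log Low."""
    if s.severity_label in ("Critical", "High"):
        return "page-oncall"
    if s.severity_label == "Medium":
        return "ticket"
    return "log-only"


if __name__ == "__main__":
    summary = parse_finding(SAMPLE_EVENT)
    print(format_email(summary))
    print("route ->", route(summary))
```

Run as a Lambda target of an EventBridge rule on source aws.guardduty, the same function can publish format_email() to an SNS topic chosen by route(); unknown resource types and missing action blocks fall back to generic text rather than raising, so a malformed finding still produces a notification.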
Head of Engineering - Data and Machine Learning at TTN
Helps with threat detection and reporting
Pros and Cons
- "We use the tool for threat detection. AWS includes AI features as well. AWS GuardDuty gives us reports."
- "AWS GuardDuty needs to be more customer-oriented."
What is our primary use case?
We use the tool for threat detection. AWS includes AI features as well. AWS GuardDuty gives us reports.
What needs improvement?
AWS GuardDuty needs to be more customer-oriented.
For how long have I used the solution?
I have been working with the tool for three years.
What do I think about the stability of the solution?
The tool is stable.
What do I think about the scalability of the solution?
AWS GuardDuty is scalable. We used the tool bi-weekly.
How are customer service and support?
I have not contacted customer support yet.
How was the initial setup?
The tool's setup is easy. You don't need any additional learning or resources to do it. You just need to enable AWS GuardDuty. The tool's deployment got completed in two to three minutes.
What's my experience with pricing, setup cost, and licensing?
The tool has no subscription charges.
What other advice do I have?
AWS GuardDuty is automated and gives alerts whenever there is an intrusion. AWS has an SMS service, and you can get notifications through it if you subscribe. We have not encountered any performance issues. I would rate the tool a nine out of ten.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Lead Consultant at Saama
Helps administrators find anomalies but is limited to certain services
Pros and Cons
- "Since our environment is cloud based and accessible from the internet, we like the ability to check where the user has logged in from and what kind of API calls that user is doing."
- "The solution has to be integrated with new services that AWS adds like QuickSight, Managed Airflow, AppFlow and MWAA."
What is our primary use case?
Amazon GuardDuty is an AWS Managed Service. The product finds information related to potential security risks and detects our environment-related findings. It is a service that helps administrators find anomalies in their environment, rectify those issues and make the environment more secure and safe.
For example, consider some S3 buckets; we have X server access login disabled and certain configurations which are recommended that we are not following that are certain IAM user regulates such as monitoring from the background. Amazon GuardDuty will give us anomaly data for that particular IAM user, advising that certain activity was suspicious.
What is most valuable?
In our environment, the most valuable feature is discovering the anomalous sign users because we have configured single sign-on in our environment, but there are some IAM users. Since our environment is cloud-based and accessible from the internet, we like the ability to check where the user has logged in from and what kind of API calls that user is doing. Finding anything suspicious with AWS recommendations is helpful.
What needs improvement?
Amazon GuardDuty is limited to certain services. The solution has to be integrated with new services that AWS adds like QuickSight, Managed Airflow, AppFlow and MWAA. By being integrated with these services, it would be handy for users and save time.
For how long have I used the solution?
I have been using Amazon GuardDuty for six months.
What do I think about the scalability of the solution?
Amazon GuardDuty is service-based, not user-based. I can have a number of users in my system because the user management is turning the different services in AWS IAM (Identity and Access Management).
We have four users of the solution. It is used by system administrators, cloud administrators, and architects.
Which solution did I use previously and why did I switch?
Amazon GuardDuty is an extra security measure. We have other security measures also implemented in our environment, such as our on-premise environment and network related securities.
How was the initial setup?
The initial setup of Amazon GuardDuty is fairly easy without much complexity.
What's my experience with pricing, setup cost, and licensing?
Licensing of GuardDuty is part of the AWS license. The pricing model is pay as you go and is based on the number of events per month. When you first look at the price it seems reasonable but if you look at it holistically the cost can be improved.
What other advice do I have?
At a very basic level, Amazon GuardDuty is a good tool. If you are looking for advanced security that would provide higher checks to secure your environment, this may not be enough.
Certain checks only related to the AWS environment are good, but if you are integrated with other services like Salesforce or MuleSoft it is not a good solution.
I would rate GuardDuty a six out of 10 overall.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Controller at an outsourcing company with 11-50 employees
An easy-to-use and easy-to-configure solution that helps monitor threats or vulnerabilities
Pros and Cons
- "The solution will detect abnormalities in the AWS workload and alert us so that we can monitor and take action."
- "I work in a bank, and it would be good if AWS GuardDuty could be integrated with other monitoring and detection tools we use."
What is our primary use case?
My company uses AWS GuardDuty to develop the software and provide services to clients. I use the solution to monitor the service on the AWS workload or AWS instance and monitor threats or vulnerabilities.
What is most valuable?
AWS GuardDuty is easy to use and configure. I use AWS GuardDuty to check whether we are under attack or not. The solution will detect abnormalities in the AWS workload and alert us so that we can monitor and take action.
What needs improvement?
I work in a bank, and it would be good if AWS GuardDuty could be integrated with other monitoring and detection tools we use. The operation team can use a single desktop to monitor.
For how long have I used the solution?
I have been using AWS GuardDuty for less than one month.
What do I think about the scalability of the solution?
In my department, around seven to eight users are using AWS GuardDuty.
Which solution did I use previously and why did I switch?
I previously used Google Cloud for three to four years. AWS GuardDuty has more features and can be customized more than Google Cloud.
What's my experience with pricing, setup cost, and licensing?
I have heard that the solution's price is quite high. Sometimes, they need to fine-tune the service on AWS. For example, Amazon Simple Storage Service (S3) is used for static content because it is cheaper.
What other advice do I have?
Overall, I rate AWS GuardDuty an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at a tech services company with 201-500 employees
Used to monitor the activity of over 1,000 employees
Pros and Cons
- "We have over 1,000 employees, and we monitor their activity through AWS GuardDuty."
- "The solution's user interface could be improved because it will help users to understand multiple options."
What is most valuable?
We have over 1,000 employees, and we monitor their activity through AWS GuardDuty.
What needs improvement?
The solution's user interface could be improved because it will help users to understand multiple options. Currently, we have multiple options on AWS GuardDuty, which may confuse new users.
For how long have I used the solution?
I have been using AWS GuardDuty for two years.
What do I think about the stability of the solution?
We faced some issues with AWS GuardDuty because sometimes we don't get proper loss from the solution.
I rate the solution an eight out of ten for stability.
What do I think about the scalability of the solution?
I rate the solution ten out of ten for scalability.
How was the initial setup?
The solution’s initial setup is not very difficult.
What other advice do I have?
We have a whole bunch of information on various things in AWS GuardDuty.
Overall, I rate the solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.