What is Amazon GuardDuty? Definition, Pricing & Comparison
With the cloud, the collection and aggregation of accounts and network logs is simplified, but the security team's continuous analysis and inspection of event log data for potential threats can be difficult and time-consuming. AWS (Amazon Web Services) offers a service in the form of Amazon GuardDuty, which helps with automation and analysis of a vast amount of CloudTrail events and VPC, S3, and DNS Query logs. GuardDuty has evolved significantly with advanced AI and machine learning capabilities that now detect complex, multistage attacks across your entire AWS infrastructure
What is Amazon GuardDuty?
Amazon GuardDuty uses intelligent and continuous threat detection of your AWS accounts, data stored in Amazon S3, and workloads to reduce risk.
It's essentially a security service that keeps an eye on everything happening in your account at an infrastructure level, alerting you to any undesirable behavior.
Enable GuardDuty and start monitoring:
- Abnormal API activity: monitor for unusual API calls coming from an unknown malicious IP or domain.
- Attempts to disable AWS CloudTrail logging: the attacker is trying to cover their tracks by disabling logging so you can't see where the attackers come from or exactly what they've done.
- Potential unauthorized deployment and compromised instances: an attacker launching an EC2 instance into your VPC that could actually be a backdoor into your VPC.
- S3 bucket compromise: activity indicating an S3 bucket compromise, such as suspicious patterns indicating credential misuse, unusual S3 API activity, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets.
- Amazon Elastic Kubernetes Service (Amazon EKS) clusters: continuously identify malicious behavior targeting container workloads. Amazon GuardDuty for EKS analyzes Kubernetes audit logs and runtime behavior from existing and new Amazon EKS clusters in your accounts.
- EC2 instances and ECS tasks: detect multistage attack sequences across your compute infrastructure using advanced AI/ML correlation.
Use cases
- Protect your compute workloads: detect when your EC2 instance is used to mine cryptocurrency or communicate with IP addresses and domains associated with known malicious actors.
- Protect your AWS credentials: detect when your AWS credentials are used in a suspicious way, such as from IP addresses associated with known malicious actors, or in a way that deviates from their expected behavior.
- Protect your data stored in Amazon S3 buckets: detect when data stored in your Amazon S3 buckets are accessed in a highly suspicious manner, such as when an unusual volume of objects is retrieved from an unusual location, or when the S3 bucket is accessed from IP addresses associated with known malicious actors.
- Detect complex attack sequences: identify sophisticated multistage attacks that span multiple resources and data sources using AI/ML correlation.
GuardDuty machine learning
GuardDuty uses machine learning to detect anomalies in the behavior of your account. So when you first set up GuardDuty it takes between seven and 14 days to set a baseline as it needs to establish what is normal behavior in your account. Once the baseline has been created GuardDuty can then actively begin monitoring your account. When active, you will only see findings if GuardDuty detects behavior that it considers a threat.
Amazon GuardDuty implementation
Implementation in the AWS Management Console
1. Set up and log into AWS account.
2. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/
3. Click on the "Get Started" button.
4. You are able to use GuardDuty and its threat detection with a 30-day free trial.
Amazon GuardDuty integrates with AWS Security Hub for unified security monitoring. Learn more in our blog post: What is AWS Security Hub? Definition, Benefits & Pricing
Modern GuardDuty Capabilities
GuardDuty now provides advanced features that enhance threat detection and response:
- CloudWatch Integration: Real-time metrics and usage tracking directly in CloudWatch dashboards
- Automated Remediation: Integrate with AWS Lambda to automatically respond to findings
- Third-party Integration: Export findings to SIEM solutions (Splunk, ServiceNow) and security orchestration platforms
- Custom Threat Lists: Define organization-specific malicious IPs and domains for enhanced detection
- Runtime Monitoring: Deep visibility into process and network activity on EC2 and ECS workloads (optional paid feature)
Amazon GuardDuty findings
The GuardDuty findings represent potential security issues detected in your AWS environment. You can view and manage your GuardDuty results on the "Findings" page of the GuardDuty console or using the GuardDuty CLI or API operations.
Severity levels for GuardDuty findings
Each GuardDuty finding has an assigned severity level (Low, Medium, High, and Critical) and value (0.1 to 10.0) that reflects the potential risk.
- A "Low" (0.1–3.9) level indicates suspicious or malicious activity that was blocked before it compromised your resource.
- A "Medium" (4–6.9) level indicates suspicious activity. For example, a large amount of traffic is being returned to a remote host that is hiding behind a network.
- A "High" (7–8.9) level indicates that the resource in question (e.g. an EC2 instance or a set of IAM user credentials) is compromised and used for unauthorized purposes.
- A "Critical" (9.0-10.0) level indicates sophisticated multistage attack sequences with high confidence, representing active compromise across multiple resources. These findings require immediate investigation.
Where to locate findings
Use the following procedure to view and analyze your GuardDuty findings.
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/
2. Choose Findings and then select a specific finding to view its details.
The details for each finding will depend on the Finding type, resources involved, and nature of the activity.
Testing Amazon GuardDuty
If you want to test Amazon GuardDuty, try the following and generate findings.
1. AWS GuardDuty tester tool for Linux
You can find the CloudFormation template for GuardDuty tester on AWS lab GitHub page with everything prepared: https://github.com/awslabs/amazon-guardduty-tester
Just follow the basic steps for creating an AWS environment with EC2 instances, VPC and everything will be set up for you. Then you will connect to one of the EC2 instances and start the script.
There are six tests provided that will be started by the guardduty_tester.sh script:
1. Internal port scanning
2. SSH Brute Force with Compromised Keys
3. RDP Brute Force with Password List
4. CryptoCurrency Mining Activity
5. DNS Exfiltration
6. Fake domain to prove that GuardDuty is working
After running this script a couple of times, you will see findings appear in the GuardDuty Findings console:
2. Generate sample Findings in GuardDuty Console
You can find the sample findings function in the GuardDuty console to help visualize the different Findings types that GuardDuty generates.
Sample findings can also be used to test notifications or automation that you have configured for findings.
After using this function, you will see these results in the GuardDuty findings.
Comparison of Amazon GuardDuty
Is Amazon GuardDuty an IDS or IPS?
No, it is not an Intrusion Prevention System (IPS) since it only alerts about an activity. You could build your actions on top of GuardDuty alerts with AWS Lambda, but it is not part of the service itself.
And it is not an Intrusion Detection System (IDS) either. IDS are usually aware of what is happening on the virtual instances and the better ones are even application-aware. GuardDuty acts on Cloudtrail logs, VPC flow logs, DNS query logs, and runtime telemetry. It has no idea what is running on your instances and has no understanding of what is normal behavior for you or your business. Extended Threat Detection uses AI/ML to correlate these signals into comprehensive attack sequences.
What is the difference between Amazon Inspector and Amazon GuardDuty?
Amazon Inspector provides you with security assessments of your applications settings and configurations on your EC2 instances while Amazon GuardDuty helps with analyzing your entire AWS environment for potential threats.
Inspector only covers EC2 at the moment. GuardDuty, on the other hand, will continuously monitor your "AWS accounts, workloads, and data stored in Amazon S3" and alert you.
Amazon GuardDuty vs Amazon Macie
GuardDuty is different from Amazon Macie. Macie only looks into S3 buckets and intelligently classifies data to help you ensure the proper access controls are applied to those data.
GuardDuty provides comprehensive threat detection across your entire AWS environment, while Macie focuses on data classification and protection within S3.
Amazon GuardDuty pricing
You get the first 30 days for free so you can try out every function. After this period is up, you'll be charged based on the quantity of CloudTrail Events and also on the volume of DNS Logs and Flow Logs as well. You only have to pay for the detection capacity you use, when you use it.
Find more about GuardDuty pricing on the AWS official page.
You can find your current estimated total daily costs on the "Usage" page in the GuardDuty Console.
Pricing example per month in the EU Central (Frankfurt) region:
GuardDuty Integration with AWS Security Operations
GuardDuty findings now integrate seamlessly with modern security operations through:
- AWS Security Hub: Unified security findings from GuardDuty, Inspector, Macie, and other AWS services with near real-time risk analytics
- Amazon EventBridge: Route findings to Lambda, SNS, or third-party SIEM solutions for automated response
- AWS Lambda: Trigger custom remediation workflows (e.g., automatically isolate compromised instances, revoke credentials)
- Third-party SIEM: Export findings to Splunk or other security platforms for centralized monitoring
Conclusion
Amazon GuardDuty has evolved from a foundational threat detection service to an intelligent, ML-powered security platform. With Extended Threat Detection, GuardDuty now identifies sophisticated, multistage attacks that would be nearly impossible to detect through manual analysis.
Stormit team helps organizations protect their cloud infrastructure against modern threats by leveraging the full capabilities of AWS security services, including GuardDuty's advanced threat detection.
An AWS Solutions Architect with over 5 years of experience in designing, assessing, and optimizing AWS cloud architectures. At Stormit, he supports customers across the full cloud lifecycle — from pre-sales consulting and solution design to AWS funding programs such as AWS Activate, Proof of Concept (PoC), and the Migration Acceleration Program (MAP).
