AWS Debuts Amazon GuardDuty for Cloud Threat Detection

Amazon Web Services announces a new managed threat detection service that can help detect potential security risks.

Amazon GuardDuty

Amazon Web Services kicked off its annual re:Invent conference on Nov. 28, 2017, by announcing GuardDuty, a managed threat detection service.

GuardDuty is switched on per account from the AWS Management Console (or through the GuardDuty API and CLI), with no agents to install and no log pipeline to build. Once enabled, it continuously analyzes the AWS API activity recorded for the account together with network and DNS telemetry from the account's VPCs, looking for anomalous behavior such as unusual API calls from an IAM principal, an EC2 instance talking to a known command-and-control address, or port scanning and brute-force attempts against exposed instances, and raises a severity-rated finding for each.

"We designed Amazon GuardDuty to be so simple and cost effective that turning it on would be an easy choice for every AWS customer, regardless of their security expertise or the existing security services they use," Stephen Schmidt, chief information security officer at Amazon Web Services, wrote in a statement. "Amazon GuardDuty intelligently identifies hard-to-detect threats that might slip through the cracks of other security products and easily scales to meet the needs of any organization, whether they have two AWS accounts or two thousand."

GuardDuty draws on data AWS already collects. AWS CloudTrail supplies the record of API calls made in the account (which principal called which API, from where, and whether it succeeded). Amazon VPC Flow Logs supply connection metadata (source and destination addresses, ports, protocol and byte counts) for traffic entering and leaving the network interfaces in a Virtual Private Cloud (VPC), and DNS query logs show which domains instances resolve. Because GuardDuty reads these sources directly from the AWS side, the customer does not have to enable CloudTrail or flow logs themselves for the service to see the data.

"GuardDuty operates completely on AWS infrastructure and does not affect the performance or reliability of your workloads," Jeff Barr, chief evangelist for AWS, wrote in a blog post. "This clean, zero-footprint model should appeal to your security team and allow them to green-light the use of GuardDuty across all of your AWS accounts."

Findings generated by GuardDuty are delivered as events to Amazon CloudWatch Events, the AWS service that routes resource state changes to targets such as SNS topics, Lambda functions and third-party endpoints, so existing alerting and ticketing paths can pick them up. A GuardDuty API also lets partner security products pull findings directly; launch partners include Alert Logic, Palo Alto Networks, Rapid7, RedLock, Splunk, Sumo Logic and Trend Micro. Beyond comparing account activity to a baseline of known-good behavior, GuardDuty consumes threat intelligence feeds of known-malicious IP addresses and domains from AWS Security and from vendors including Proofpoint and CrowdStrike, so that a connection to a listed address produces a finding even when the traffic volume itself looks unremarkable.

Another key integration point is with the AWS Lambda serverless service. Because findings arrive through CloudWatch Events, a rule matching GuardDuty findings can invoke a Lambda function, and that function can take the first containment step automatically, before a human has looked at the alert.

"With GuardDuty, when an instance is suspected of having data stolen, the service will alert you to be able to automatically create an access control entry restricting outbound access for that instance," the AWS GuardDuty service page states.
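The CloudWatch Events delivery described above and the Lambda-driven containment the service page describes fit together as follows. This is an added example written for this article, not AWS's sample code or anything from the GuardDuty service page. It assumes a finding arrives as a CloudWatch Events event with source `aws.guardduty` and detail-type `GuardDuty Finding`, that the flagged resource is an EC2 instance in a VPC, and that security groups are the egress control to use; the event, instance and security-group identifiers are constructed for the demonstration. Rather than a network ACL entry (which would apply to every instance in the subnet), the function isolates the single instance by swapping its security groups for one that permits no traffic at all.

```python
"""Quarantine an EC2 instance flagged by a GuardDuty exfiltration finding.

Added example, not AWS's or the article's code. The event shape below
is a constructed sample of a CloudWatch Events GuardDuty delivery.
"""
from typing import Any, Dict, List, Optional

# Finding types are "Category:ResourceType/ThreatName" strings; these prefixes
# are the ones this playbook treats as "data may be leaving the instance".
EXFIL_PREFIXES = ("Trojan:EC2/DNSDataExfiltration", "Exfiltration:EC2/", "Backdoor:EC2/")
MIN_SEVERITY = 7.0  # GuardDuty severity runs 0.1 to 8.9; 7.0 and above is "High"
ALL_TRAFFIC = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

SAMPLE_EVENT = {  # constructed sample event; ids are placeholders
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "region": "us-east-1",
    "detail": {
        "id": "e0b1c0ffee00000000000000000000001",
        "type": "Trojan:EC2/DNSDataExfiltration",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0abc123def456789",
                "networkInterfaces": [{"vpcId": "vpc-0a1b2c3d", "subnetId": "subnet-0f0f0f0f"}],
            },
        },
    },
}


def plan_remediation(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Decide whether the delivered event warrants quarantine; return the target or None."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None  # findings against IAM principals need a different playbook
    finding_type = detail.get("type", "")
    if not finding_type.startswith(EXFIL_PREFIXES) or float(detail.get("severity", 0)) < MIN_SEVERITY:
        return None
    inst = resource["instanceDetails"]
    return {
        "instance_id": inst["instanceId"],
        "vpc_id": inst["networkInterfaces"][0]["vpcId"],
        "finding_id": detail["id"],
        "finding_type": finding_type,
    }


def quarantine_instance(ec2, plan: Dict[str, str]) -> Dict[str, Any]:
    """Replace the instance's security groups with one that allows no traffic."""
    # Keep the original group ids so an analyst can restore them after forensics.
    reservations = ec2.describe_instances(InstanceIds=[plan["instance_id"]])["Reservations"]
    original = [g["GroupId"] for g in reservations[0]["Instances"][0]["SecurityGroups"]]
    sg_id = ec2.create_security_group(
        GroupName=f"quarantine-{plan['instance_id']}",
        Description=f"GuardDuty {plan['finding_type']} {plan['finding_id']}",
        VpcId=plan["vpc_id"],
    )["GroupId"]
    # A new security group allows all outbound traffic by default; revoke that
    # rule, otherwise the "quarantine" would still let the data leave.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=ALL_TRAFFIC)
    ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[sg_id])
    return {"instance_id": plan["instance_id"], "quarantine_sg": sg_id, "original_sgs": original}


def lambda_handler(event, context=None, ec2=None):
    """Entry point for the Lambda function targeted by the CloudWatch Events rule."""
    plan = plan_remediation(event)
    if plan is None:
        return {"status": "ignored"}
    if ec2 is None:  # in a real deployment boto3 is present in the Lambda runtime
        import boto3
        ec2 = boto3.client("ec2", region_name=event.get("region"))
    return {"status": "quarantined", **quarantine_instance(ec2, plan)}


class FakeEc2:
    """Offline stand-in for boto3's EC2 client that records the calls made."""
    def __init__(self):
        self.calls: List[tuple] = []

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{"SecurityGroups": [{"GroupId": "sg-original1"}]}]}]}

    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-quarantine"}

    def revoke_security_group_egress(self, **kw):
        self.calls.append(("revoke_security_group_egress", kw))
        return {"Return": True}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}


if __name__ == "__main__":
    fake = FakeEc2()
    print(lambda_handler(SAMPLE_EVENT, ec2=fake))
    for name, _ in fake.calls:
        print(" ", name)
```

Two practitioner caveats. The function's IAM role should be allowed only ec2:DescribeInstances, ec2:CreateSecurityGroup, ec2:RevokeSecurityGroupEgress and ec2:ModifyInstanceAttribute, and the CloudWatch Events rule should match on the finding types and severities above so that low-severity or non-instance findings never invoke it. Swapping every security group also cuts inbound administrative access, which is what you want for containment but means the forensic path (console snapshot, Systems Manager, or a separate jump host) has to be planned before the first real finding rather than improvised afterward.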

The new GuardDuty service builds on several security announcements AWS made earlier in 2017. On Aug. 14, Amazon introduced Amazon Macie, a machine learning service that discovers and classifies personally identifiable information and other sensitive data stored in Amazon S3. On Nov. 8, Amazon announced enhanced capabilities to help protect S3 storage buckets and virtual private cloud (VPC) endpoint connections.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.