Most engineers think…
Most engineers think enabling GuardDuty means installing agents, turning on VPC Flow Logs, building log pipelines, and then writing detection rules — so they put it off as a big project.
Wrong — GuardDuty is a one-click managed service. It reads CloudTrail management & data events, VPC Flow Logs and Route 53 DNS query logs directly from inside AWS, with no agents and no log plumbing you have to build (those optional logs don't even need to be enabled on your side for GuardDuty to see them). It runs ML + threat-intel feeds for you and just hands back findings. The real work isn't turning it on — it's reading the findings, cutting the noise, and wiring the response. That's this lesson.
① GuardDuty — the agentless watchman
Picture Sneha, an L1 cloud engineer at Flipkart, getting a 2 a.m. page: the monthly AWS bill is climbing fast and a fleet of GPU instances she never launched is running in a region nobody uses. By the time she logs in, an attacker has been mining cryptocurrency on her account for six hours. The question every team asks after this: why didn't anything catch it in real time? That is precisely the gap Amazon GuardDuty fills.
GuardDuty is a managed threat-detection service. You enable it once per account/region from AWS Console → GuardDuty → Get Started → Enable GuardDuty, and from that moment it continuously reads three foundational data sources for you: CloudTrail (the API audit trail — who called what), VPC Flow Logs (network connection metadata — who talked to whom), and Route 53 DNS query logs (what domains your instances looked up). The trick that surprises people: GuardDuty reads these independently — you don't have to enable VPC Flow Logs or DNS logging on your side, and there are no agents to install on EC2.
On top of those raw logs GuardDuty layers ML/anomaly models (it learns the normal behaviour of your principals and instances) and threat-intelligence feeds (known-bad IPs, mining pools, malware domains). That combination is what lets it catch the things prefix-based monitoring misses: a credential used from a brand-new country (impossible-travel), an instance suddenly talking to a mining pool, an IAM user calling APIs it has never called, or an outside host using credentials stolen from an instance.
Beyond the three free foundational sources, you can switch on extra protection plans for deeper coverage: EKS Protection (Kubernetes audit logs), S3 Protection (CloudTrail S3 data events), Malware Protection (scans EBS volumes), RDS Protection (login-activity monitoring), Lambda Protection and Runtime Monitoring (an eBPF agent for in-host visibility). In December 2025 AWS also turned on Extended Threat Detection for EC2/ECS, which stitches several weak signals into a single AttackSequence Critical finding.
What GuardDuty catches that plain logs miss
Tap each card — these are the four attack patterns interviewers and the SCS-C02 exam love to test.
Instance suddenly talks to a known mining pool or queries a Bitcoin domain. So: your bill becomes the attacker's profit.
An outside host uses keys stolen from an instance role. So: the blast radius is everything that role can touch.
Same IAM user calls APIs from Mumbai and Brazil minutes apart. So: the credentials are almost certainly shared/stolen.
Port scans, Tor callers, anonymising IPs probing you. So: it's the early footstep before the real break-in.
GuardDuty is the security guard at your housing society's gate who keeps a register. He doesn't follow every resident around (no agents inside the flats). He just watches three things at the gate — who entered and what they did (CloudTrail), who visited whom (VPC Flow Logs), and which addresses people asked directions to (DNS). He also keeps a blacklist of known troublemakers (threat intel) and notices when a 'resident' suddenly behaves nothing like usual (ML). One guard, three watch-points, no cameras inside every flat — that's the model.
Rahul at TCS says: "Before we enable GuardDuty I'll first turn on VPC Flow Logs and DNS query logging and ship them to S3." What's the issue with his plan?
Pause & Predict
Predict: GuardDuty needs no agents for its three foundational sources. So which kind of threat can it NOT see from CloudTrail, VPC Flow and DNS alone — and which add-on plan covers it? Type your guess.
② Reading findings — type, severity & cutting the noise
A GuardDuty finding looks scary until you learn to read its name. The name follows a fixed grammar: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact. Read it left to right and it tells you the whole story. Take CryptoCurrency:EC2/BitcoinTool.B!DNS — the ThreatPurpose is CryptoCurrency (someone is mining), the resource affected is an EC2 instance, the threat family is BitcoinTool variant B, and the !DNS artifact says GuardDuty saw it via a DNS query to a crypto domain.
The ThreatPurpose is essentially the attacker's intent and maps loosely to MITRE ATT&CK tactics: Recon (scoping you out), UnauthorizedAccess (brute force, stolen creds), CryptoCurrency (mining), Exfiltration (stealing data), Backdoor (C2 callbacks), Trojan, Impact and Discovery. Two you must know cold for the exam: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS (an outside host is using credentials stolen from an instance role — High severity) and the anomaly-based Exfiltration:IAMUser/AnomalousBehavior (an IAM principal is doing data-movement API calls the ML has never seen it do — also High).
Every finding carries a severity on a 0.1–8.9 scale, bucketed into bands: Low (1.0–3.9), Medium (4.0–6.9) and High (7.0–8.9). The newest band, Critical, is reserved for the AI-correlated AttackSequence findings from Extended Threat Detection. A rough mental model: UnauthorizedAccess:EC2/SSHBruteForce is usually Low (internet noise everyone gets), Recon:EC2/Portscan is Medium, and CryptoCurrency:EC2/BitcoinTool.B or credential exfiltration are High — drop everything.
Now the part nobody warns juniors about: noise. A real account throws hundreds of SSHBruteForce and Portscan findings a week — most are just the internet knocking. GuardDuty gives you two precise tools to cut it. A suppression rule auto-archives findings matching a filter (e.g. a specific finding type + a known-benign instance ID), and a trusted IP list tells GuardDuty not to alert on your own scanner or VPN egress. The mirror of that is a threat IP list for IPs you always want flagged.
Symptom: an engineer builds a suppression rule for Recon:EC2/Portscan, the GuardDuty console goes quiet, but Security Hub still shows the finding active. Cause: a suppression rule only auto-archives the finding inside GuardDuty — it does not delete it, and depending on timing/config the archived state may not propagate the way you expect. The right fix is to scope suppression tightly (finding type plus a resource attribute like instance ID or a trusted IP), and never blanket-suppress a whole ThreatPurpose like CryptoCurrency — you'll archive the one finding that actually matters.
Priya at ICICI sees CryptoCurrency:EC2/BitcoinTool.B!DNS on a production instance. A teammate says "just add a suppression rule for CryptoCurrency to stop the alerts." Best response?
Pause & Predict
Predict: you add the corporate VPN egress IP (203.0.113.50) to GuardDuty's trusted IP list to stop port-scan alerts from your own pen-testers. What real attack does this risk hiding? Type your guess.
③ Security Hub — the aggregator and posture score
GuardDuty isn't the only thing raising alarms in a real account. Amazon Inspector finds vulnerable packages, Amazon Macie finds exposed PII in S3, and AWS Config flags misconfigurations. Four services, four consoles, four formats. AWS Security Hub is the single pane that collects all of them into one prioritised list so your team works one queue instead of four.
The glue that makes that possible is a common schema: the AWS Security Finding Format (ASFF). Security Hub normalises every incoming finding to ASFF — GuardDuty's crypto alert, Inspector's CVE, Macie's PII finding all end up in the same JSON shape with the same fields (severity, resource, types, workflow status). That's what lets one EventBridge rule or one ticketing integration handle findings from any source without custom parsing per tool.
Security Hub's second job is compliance posture. It runs security standards as continuous automated checks against your resources. The big ones: AWS Foundational Security Best Practices (FSBP) — AWS's own opinionated baseline; the CIS AWS Foundations Benchmark (v1.2.0 and v1.4.0); PCI DSS (v3.2.1 and v4.0.1) for cardholder environments; and NIST SP 800-53. Each control (e.g. "S3 Block Public Access is on", "root has MFA") passes or fails per resource, and Security Hub rolls the pass-rate into a security score — a percentage you can show leadership and track week to week.
aws securityhub enable-security-hub \
--enable-default-standards \
--region ap-south-1
aws securityhub get-findings \
--filters '{"SeverityLabel":[{"Value":"HIGH","Comparison":"EQUALS"}],"WorkflowStatus":[{"Value":"NEW","Comparison":"EQUALS"}]}' \
--query 'Findings[].{Title:Title,Sev:Severity.Label,Res:Resources[0].Id}' \
--region ap-south-1{
"HubArn": "arn:aws:securityhub:ap-south-1:123456789012:hub/default"
}
[
{ "Title": "EC2 instance i-0a1b2c3d communicating with crypto mining pool",
"Sev": "HIGH", "Res": "arn:aws:ec2:ap-south-1:123456789012:instance/i-0a1b2c3d" }
]Enabling both services isn't enough — confirm the integration is on under Security Hub → Integrations → Amazon GuardDuty → Accept findings. Then in the Security Hub Findings tab, filter Product name = GuardDuty and Severity = High. If your crypto finding shows up there with an ASFF body (it'll have a ProductFields and Resources block), the detect→aggregate hop works and you can safely build automation off Security Hub instead of GuardDuty directly.
An auditor at Wipro asks Karthik: "Show me one number for how compliant our prod account is against AWS's own baseline." Which Security Hub feature answers that directly?
Pause & Predict
Predict: Security Hub normalises GuardDuty, Inspector and Macie findings to one format (ASFF). Why does that single design choice make automated response dramatically easier? Type your guess.
④ From finding to response — auto-isolate a mining instance
Detecting and aggregating is only half the job; the value is in responding fast. The standard AWS pattern is event-driven: a finding (from GuardDuty, or from Security Hub) is an event on the EventBridge bus. You write an EventBridge rule that matches, say, CryptoCurrency:EC2 at High severity, and routes it to two targets at once: an SNS topic (page the on-call) and a Lambda function (or an SSM Automation runbook) that performs the fix.
The classic remediation for a compromised instance is quarantine: the Lambda reads the instance ID out of the finding's ASFF body and swaps the instance's security group for a locked-down quarantine SG with no rules. The instance stops talking to the mining pool and the attacker's C2 in seconds, but it isn't terminated — so your forensics team can still snapshot the EBS volume and investigate. That's the worked flow this whole lesson builds to: GuardDuty flags a mining instance → Security Hub aggregates it → EventBridge fires → Lambda isolates it.
In a company with 50 AWS accounts you don't enable and watch GuardDuty 50 times. You designate one account as the delegated administrator for GuardDuty (and Security Hub), enable for the whole AWS Organization with auto-enable for new accounts, and every member account's findings flow up to that one security account. AWS's guidance: use the same delegated-admin account across GuardDuty, Security Hub, Inspector and Macie so one team sees everything from one place. That's how a real SOC runs cloud detection at scale.
▶ Watch a mining instance get auto-isolated
An attacker steals an EC2 role's credentials and starts mining. Follow the signal from detection to automatic quarantine, step by step. Press Play for the healthy path, then Break it to see the failure.
import boto3
ec2 = boto3.client("ec2")
QUARANTINE_SG = "sg-0quarantine99" # no inbound, no outbound
def handler(event, context):
# GuardDuty finding arrives via EventBridge
detail = event["detail"]
instance_id = detail["resource"]["instanceDetails"]["instanceId"]
finding_type = detail["type"]
ec2.modify_instance_attribute(
InstanceId=instance_id,
Groups=[QUARANTINE_SG], # replace ALL SGs with quarantine
)
print(f"Isolated {instance_id} due to {finding_type}")
return {"isolated": instance_id, "finding": finding_type}START RequestId: 7b2c... Version: $LATEST Isolated i-0a1b2c3d due to CryptoCurrency:EC2/BitcoinTool.B!DNS END RequestId: 7b2c... REPORT Duration: 412.55 ms Billed Duration: 413 ms Memory Size: 128 MB
Arjun at Zomato faces this
Arjun, an L2 cloud-security analyst, gets a Critical AttackSequence finding at 3 a.m.: an EC2 role's keys were used from an unknown IP, GPU instances were launched, and they're now talking to a mining pool. The bill is climbing.
An app server's IMDS was reachable and an SSRF flaw let the attacker pull the instance role's temporary credentials, then use them from outside AWS (InstanceCredentialExfiltration.OutsideAWS) to spin up miners — GuardDuty's Extended Threat Detection correlated the steps into one Critical attack sequence.
He opens the finding in Security Hub, reads the ASFF resource block to get the source role and the new instance IDs, and confirms the EventBridge auto-isolation rule fired on the CryptoCurrency finding but NOT on the credential exfiltration (no matching rule).
AWS Console → Security Hub → Findings → filter Product=GuardDuty, Severity=CRITICAL → Investigate in DetectiveQuarantine the new instances (swap to quarantine-sg), revoke the leaked role's sessions with an IAM policy that denies based on a token-issue cutoff time, rotate/disable the role, and enforce IMDSv2 so the SSRF can't read credentials again.
Re-check Security Hub: the CryptoCurrency findings stop recurring, the isolated instances show only quarantine-sg, and a follow-up GuardDuty sample test confirms the EventBridge rule now also matches the credential-exfiltration finding type.
Think of the pipeline as your building's safety chain. GuardDuty is the smoke detector that notices something burning (the threat). Security Hub is the central fire panel in the lobby that shows every detector's status on one board and a 'how safe is the building' rating. EventBridge → Lambda is the sprinkler that opens automatically over the room that's on fire — without waiting for a human — while the alarm (SNS) wakes the guard. Detect, show on one board, act automatically: that's the whole lesson in one mental picture.
For your AWS Certified Security – Specialty (SCS-C02) path, this lesson sits dead-centre of the Threat Detection and Incident Response domain (14% of the exam) and overlaps Security Logging and Monitoring (18%). The exam loves multi-service scenarios: a finding type is given, and you pick the right service (GuardDuty detects, Security Hub aggregates, Detective investigates) and the right automated response (EventBridge → Lambda/SSM). Nail detect→aggregate→respond and you've covered a big slice of two domains.
Cold, in 60 seconds: name GuardDuty's three foundational data sources and say why no agents are needed; decode CryptoCurrency:EC2/BitcoinTool.B!DNS into its four parts; state what Security Hub adds that GuardDuty doesn't (aggregate + ASFF + standards + score); and draw the detect → aggregate → respond pipeline ending in a quarantine SG. If you can do that without notes, you're ready for the next lesson and for the SCS-C02 Threat Detection domain.
An interviewer asks Neha: "GuardDuty flags a High-severity crypto-mining finding on a prod EC2 instance at 2 a.m. and no one's online. Design the fastest safe response." Best answer?
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from AWS docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: In one line, what does Security Hub add on top of GuardDuty that GuardDuty alone can't give you? Then compare to the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- Amazon GuardDuty
- Managed threat-detection service. Reads CloudTrail, VPC Flow Logs and DNS logs with ML + threat intel to raise findings — no agents.
- Foundational data sources
- The three logs GuardDuty analyses automatically with no setup: CloudTrail, VPC Flow Logs, Route 53 DNS query logs.
- Finding
- A GuardDuty notification of suspicious activity, with a type, a severity (0.1–8.9) and a JSON evidence body.
- Finding-name grammar
- ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact — read left to right to understand the threat.
- Severity bands
- Low (1.0–3.9), Medium (4.0–6.9), High (7.0–8.9); Critical is reserved for AI-correlated AttackSequence findings.
- Suppression rule
- A filter that auto-archives matching findings to cut noise — they're hidden, not deleted. Scope tightly.
- Trusted IP list
- IPs GuardDuty won't alert on (e.g. your scanner/VPN). The opposite is a threat IP list that always flags.
- Protection plans
- Optional GuardDuty add-ons for deeper coverage: EKS, S3, Malware, RDS, Lambda and Runtime Monitoring (billed separately).
- AWS Security Hub
- Cloud security posture aggregator. Collects findings from GuardDuty/Inspector/Macie/Config, normalises to ASFF, runs standards, scores posture.
- ASFF
- AWS Security Finding Format — the common JSON schema every finding is normalised to, so one rule handles findings from any source.
- Security standards
- Automated control checks: AWS FSBP, CIS AWS Foundations (v1.2/v1.4), PCI DSS (3.2.1/4.0.1), NIST 800-53. Each control passes/fails per resource.
- EventBridge → Lambda/SSM
- The response pipeline: a finding event matches an EventBridge rule that triggers a Lambda or SSM runbook to remediate (e.g. quarantine an instance).
- Quarantine security group
- A no-rules SG you swap onto a compromised instance to cut its network without terminating it — preserving the EBS volume for forensics.
- Delegated administrator
- A member account you delegate to run GuardDuty/Security Hub org-wide, so findings from every account aggregate to one security team.
📚 Sources
- Amazon GuardDuty User Guide — "GuardDuty finding types" and "Finding format / finding details" (the ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact naming convention, severity 0.1–8.9 bands, full active finding table incl. CryptoCurrency:EC2/BitcoinTool.B!DNS and UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS). docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html
- Amazon GuardDuty User Guide — "What is Amazon GuardDuty", foundational data sources (CloudTrail, VPC Flow Logs, DNS logs, no agents), protection plans (EKS/S3/Malware/RDS/Lambda/Runtime), and suppression rules + trusted/threat IP lists. docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html · docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html
- AWS re:Post + AWS Security Blog — "Detecting and preventing crypto mining in your AWS environment" and the re:Post articles on resolving CryptoCurrency:EC2 and InstanceCredentialExfiltration findings (real production triage of the high-value finding types). aws.amazon.com/blogs/security/detecting-and-preventing-crypto-mining-in-your-aws-environment/ · repost.aws/knowledge-center/resolve-guardduty-crypto-alerts
- AWS Security Hub User Guide + FAQ — aggregation of GuardDuty/Inspector/Macie/Config, normalisation to ASFF, supported standards (FSBP, CIS AWS Foundations v1.2.0/v1.4.0, PCI DSS v3.2.1/v4.0.1, NIST), security score, and delegated administrator across security services. docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html · aws.amazon.com/security-hub/faqs/
- AWS Samples + AWS Prescriptive Guidance — "Amazon GuardDuty automated response" (EventBridge rule → Lambda/SSM Automation → quarantine security group; SNS notification), the canonical detect→aggregate→respond pattern. github.com/aws-samples/amazon-guardduty-automated-response-sample
- AWS News/Security Blog — "Amazon GuardDuty adds Extended Threat Detection for Amazon EC2 and Amazon ECS" (Dec 2025) + "GuardDuty Extended Threat Detection uncovers cryptomining campaign" — AI/ML attack-sequence correlation, new Critical AttackSequence:EC2/CompromisedInstanceGroup finding. aws.amazon.com/blogs/aws/amazon-guardduty-adds-extended-threat-detection-for-amazon-ec2-and-amazon-ecs/
- AWS Certified Security – Specialty (SCS-C02) Exam Guide — Domain 1 Threat Detection and Incident Response (14%) and Domain 2 Security Logging and Monitoring (18%): GuardDuty finding types, Security Hub aggregation, EventBridge/Lambda automated response, Detective investigation. d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide_C02.pdf
What's next?
GuardDuty tells you an instance is compromised — but the cleanest defence is stopping the bad traffic at the network edge before it ever reaches your workloads. Next we build that wall: VPC security architecture and AWS Network Firewall.