AWS GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, workloads, and data. It analyzes VPC Flow Logs, CloudTrail events, and DNS logs to identify threats.
Findings
⚠️ GuardDuty Attack Sequence Finding Types
Extended Threat Detection for multi-stage attacks
GuardDuty Extended Threat Detection automatically identifies multi-stage attacks spanning resources, data sources, and time within 24-hour rolling windows. Uses proprietary correlation algorithms to detect sophisticated attack patterns including credential misuse, data compromise in S3, and container/Kubernetes compromises.
🖥️ GuardDuty EC2 Finding Types
Threat detection for Amazon EC2 instances
GuardDuty generates EC2 findings when it detects suspicious activity on EC2 instances including command-and-control communications, cryptocurrency mining, brute force attacks, port scans, Tor network usage, and various malicious behaviors. These findings are based on VPC Flow Logs and DNS logs analysis.
☸️ GuardDuty EKS Protection Finding Types
Threat detection for Amazon EKS clusters
EKS Protection monitors Kubernetes audit logs from Amazon EKS clusters to detect malicious activity including malicious file execution, privilege escalation, credential access, container escape, cluster deletion, defense evasion, and unauthorized access attempts. Uses ML anomaly detection and threat intelligence to identify suspicious Kubernetes API activity patterns.
🔐 GuardDuty IAM Finding Types
Threat detection for IAM credentials and access keys
GuardDuty IAM findings detect suspicious activity related to IAM entities, access keys, and AWS credentials. These findings use machine learning anomaly detection and threat intelligence to identify credential theft, privilege escalation, defense evasion, root credential misuse, and API calls from malicious sources.
⚡ GuardDuty Lambda Protection Finding Types
Threat detection for AWS Lambda functions
Lambda Protection monitors network activity from AWS Lambda functions to detect malicious behavior including command and control communications, cryptocurrency mining, trojan activity, malicious IP access, and Tor network usage. Uses threat intelligence and network pattern analysis to identify suspicious Lambda function behavior.
💾 GuardDuty Malware Protection for Backup Finding Types
Malware detection in backups, snapshots, and recovery points
Malware Protection for Backup provides a single finding for all threats detected during a scan of EBS snapshots, EC2 AMIs, AWS Backup EC2 Recovery Points, and AWS Backup S3 Recovery Points. Includes the total number of detections and details for the top 32 threats based on severity. Findings are not updated when the same resource is scanned again; a new finding is generated for each scan that detects malware.
🛡️ GuardDuty Malware Protection for EC2 Finding Types
Malware detection on EC2 instances and containers
Malware Protection for EC2 provides a single finding for all threats detected during an EBS volume scan of EC2 instances and container workloads. Includes the total number of detections and details for the top 32 threats based on severity. Findings include scan information and correlation with the GuardDuty finding that initiated the scan.
🪣 GuardDuty Malware Protection for S3 Finding Type
Malware detection on S3 objects
Malware Protection for S3 generates findings when malware scans detect malicious files in uploaded S3 objects. Requires both GuardDuty and Malware Protection for S3 to be enabled. Scans are triggered when objects are uploaded to protected buckets. Includes the total number of detections and details for the top 32 threats based on severity.
🗄️ GuardDuty RDS Protection Finding Types
Threat detection for Amazon RDS and Aurora databases
RDS Protection detects anomalous login behavior on Amazon Aurora, Amazon RDS, and Aurora Limitless databases through RDS login activity monitoring. Uses ML anomaly detection and threat intelligence to identify suspicious database access patterns including anomalous logins, brute force attacks, malicious IP access, and Tor network usage.
⚡ GuardDuty Runtime Monitoring Finding Types
Threat detection based on OS-level runtime behavior
Runtime Monitoring analyzes operating system-level behavior from EC2 hosts and containers in EKS, ECS, and Fargate to detect malicious activity including malicious file execution, privilege escalation, container escape, process injection, cryptocurrency mining, command and control communication, Tor network usage, reverse shells, fileless execution, and defense evasion techniques. Uses runtime logs containing process, file, and network activity context.
🪣 GuardDuty S3 Protection Finding Types
Threat detection for S3 buckets and data
S3 Protection monitors object-level S3 APIs and bucket configurations to detect discovery, exfiltration, policy modifications, and unauthorized access. Uses ML anomaly detection and threat intelligence to identify suspicious S3 activity patterns.