After enabling the GuardDuty service, data is collected from the aforementioned three sources and begins to be analyzed. The service can analyze tens of billions of events from multiple data sources, which are vetted for threat intelligence; it looks for abnormal activity on your account in this manner.
If GuardDuty notices anomalous or malicious activity, it will give a ranking to the item as high, medium, or low. This ranking helps you, as the security professional, decide which events you should follow up on and in which order. The findings that GuardDuty produces are delivered to Security Hub, your designated S3 bucket, and CloudWatch Events/Eventbridge simultaneously. This setup of delivering findings assumes that you have the Security Hub service up and running.
Connecting GuardDuty to Security Hub allows you to view and manage all the events from the GuardDuty service and the other security services with which Amazon Security Hub can connect. Adding a connection to Amazon EventBridge can allow near-real-time notifications using the SNS service, especially when a high-ranking event has been discovered.
Figure 6.1: The process flow of Amazon GuardDuty
With a deeper understanding of how the GuardDuty service works, you can now move on to the different types of detections that the GuardDuty service can carry out. This is what you will explore in the next section.
From the moment you enable it, Amazon GuardDuty harnesses threat intelligence from various sources. These sources include the following:
Using a combination of this intelligence from the preceding sources allows the GuardDuty service to identify the following types of threats:
Now that you know what types of detections GuardDuty can help you find, examine the differences between the two GuardDuty and Amazon Macie services to prevent confusion, especially as they relate to questions on the AWS Certified Security Specialty exam.
Amazon Macie is a fully managed security service that helps organizations enhance data protection and compliance in their AWS environment. Leveraging machine learning, Macie automatically identifies and classifies sensitive data stored in Amazon S3, enabling users to gain insights into their data security posture, detect potential threats, and implement access controls and data protection measures. With customizable policies, compliance reporting, and integration with AWS CloudTrail, Macie empowers organizations to proactively safeguard sensitive information, respond to security incidents, and adhere to data privacy regulations.
Note
You will learn a lot more about Amazon Macie in Chapter 17, Protecting Data in Flight and at Rest.
Although there are a few similarities between the GuardDuty and Macie services, they each perform different security functions. Both services use machine learning, but apart from that, their functions differ. Amazon Macie concentrates on finding Personally Identifiable Information (PII) in your account so that you do not leave PII exposed or unprotected across different services in AWS.
GuardDuty is an intelligent threat detection platform that continuously aggregates and deciphers data from log files in your account, seeing whether there are any risks that need to be addressed imminently.
See Table 6.1 for a graphical illustration of Amazon GuardDuty and Macie’s differences.
Amazon GuardDuty | Amazon Macie | |
Uses machine learning | ü | ü |
Reads your S3 bucket | ü | |
Identifies data containing PII | ü | |
Aggregates CloudTrail log events | ü | |
Aggregates VPC flow logs | ü | |
Aggregates DNS logs | ü | |
Identifies known and unknown threats | ü | |
Regional service | ü | ü |
Table 6.1: A comparison of GuardDuty versus Macie
Having understood the role of GuardDuty in your AWS account, you can now work through the process of enabling it step by step in the next section so that you can see it in action.