Continuous Threat Detection: Amazon GuardDuty

Engin Can Höke
Aug 14, 2024


In today’s cloud-driven world, security is a day 0 priority. Not being prepared for security events can lead to significant consequences such as:

  • Loss of customer trust and market value
  • Legal and regulatory costs
  • Reputational damages and financial losses

Amazon GuardDuty is a managed threat detection service that plays a critical role in identifying potential security threats across our AWS accounts. Leveraging GuardDuty can significantly improve our organization’s security posture by providing continuous monitoring and automated threat detection.

It helps us stop security events from turning into security incidents.

  • Example security event: an attack attempting to discover unauthorized access to a workload (for example, a brute-force attempt).
  • Example security incident: actual use of a compromised password that was obtained through such an attack.

But how?

Let’s first summarize what Amazon GuardDuty is in a few words.

It’s a

  • managed threat detection service
  • that continuously monitors and analyzes AWS account(s)
  • for malicious activity, unauthorized behavior, and potential security threats
  • by leveraging machine learning, anomaly detection, and integrated threat intelligence
  • to provide real-time security insights.

GuardDuty integrates with services like

  • CloudTrail
  • VPC Flow Logs
  • DNS logs
  • EKS Protection (through Audit Logs)
  • S3 / RDS / Lambda Protection.

Automation is key to maintaining a secure AWS environment, and GuardDuty’s integration with AWS Lambda and EventBridge allows us to automate responses to security threats. By setting up triggers in EventBridge based on GuardDuty findings, we can automatically initiate predefined remediation actions, such as isolating compromised instances or revoking suspicious IAM credentials.
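As an added example (not code from the article), here is the shape of the EventBridge-to-Lambda automation described above: an EventBridge rule pattern that only forwards high-severity GuardDuty findings, and a Lambda handler that maps the finding to a predefined remediation plan. The field names follow the GuardDuty finding JSON that EventBridge delivers; the sample event, instance ID and the `executor` hook are constructed for illustration.

```python
"""Route GuardDuty findings delivered by EventBridge to a remediation plan."""
import json

# EventBridge rule pattern: only findings of severity 7.0 or higher invoke the Lambda.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed sample event; the instance ID is a placeholder, not a real resource.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

def plan_remediation(event, threshold=7.0):
    """Map a finding to a predefined action; low-severity noise gets no action."""
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    if event.get("source") != "aws.guardduty" or severity < threshold:
        return {"action": "none", "reason": "not a GuardDuty finding above threshold"}
    resource = detail.get("resource", {})
    rtype = resource.get("resourceType")
    if rtype == "Instance":  # e.g. SSH brute force: quarantine the instance
        return {"action": "isolate_instance", "finding": detail.get("type"),
                "instance_id": resource["instanceDetails"]["instanceId"]}
    if rtype == "AccessKey":  # anomalous IAM use: revoke the key's sessions
        keys = resource["accessKeyDetails"]
        return {"action": "revoke_credentials", "finding": detail.get("type"),
                "user_name": keys.get("userName"), "access_key_id": keys.get("accessKeyId")}
    return {"action": "notify_only", "finding": detail.get("type"), "resource_type": rtype}

def lambda_handler(event, context=None, executor=print):
    """Lambda entry point. A real executor would call EC2/IAM; the default only logs."""
    plan = plan_remediation(event)
    executor(json.dumps(plan))
    return plan

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT)
```

In a deployment, `executor` is where the boto3 calls live (swap the instance into a quarantine security group, or attach a deny policy to the IAM user); keeping the decision logic separate makes it unit-testable without AWS credentials.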

Using Amazon GuardDuty in an AWS Organization for a multi-account environment allows for centralized security monitoring. GuardDuty can be enabled at the organizational level with a delegated admin account.

This architecture allows for:

  • Efficient management of security across a distributed environment, reducing the need for separate configurations in each account.
  • Consistent policies and protection across accounts.
  • Visibility into all GuardDuty findings from one dashboard, enabling more rapid responses to high-severity threats.

Cost & Pricing

We should also go over the cost considerations. GuardDuty cost scales with the volume of data it analyzes, so it’s important to understand the cost implications before enabling all protection plans in all regions and accounts.

That said, it is a worthwhile trade-off.

AWS has already published detailed documentation on how pricing works for Amazon GuardDuty: Estimating GuardDuty cost

  1. Data Sources: GuardDuty primarily analyzes data from CloudTrail, VPC Flow Logs, and DNS query logs. The more services and regions we monitor, the higher the volume of logs ingested, which directly impacts cost. If we already have logging set up, there won’t be additional costs for log generation, but we will incur costs for the analysis performed by GuardDuty.
  2. Cost Management Strategies:
    - Enable GuardDuty selectively: We can enable GuardDuty in specific regions and accounts that are most critical or exposed to potential threats, minimizing costs where security risks are lower.
    - Optimize VPC Flow Logs: VPC Flow Logs can generate large volumes of data, so using sampling techniques or filtering out less critical logs (e.g., internal traffic) can help reduce costs.

I suggest using the AWS Pricing Calculator for more detailed estimation.

We can go over an example setup in the Frankfurt (eu-central-1) region:

+--------------------------------------------------+----------------------------+------------------------+
| Category | Value | Cost |
+--------------------------------------------------+----------------------------+------------------------+
| AWS CloudTrail Management Event Analysis | 50,000 per month | 0.23 USD |
| EC2 VPC Flow Log Analysis | 100 GB per month | |
| EC2 DNS Query Log Analysis | 50 GB per month | |
| Total EC2 VPC Flow Log and DNS Log Analysis | 150 GB per month | 172.50 USD |
| GuardDuty Foundational Threat Detection | | |
| - Total Foundational Threat Detection Cost | | 172.73 USD |
+--------------------------------------------------+----------------------------+------------------------+
| GuardDuty S3 Protection | | |
| - S3 Data Event Analysis | 10,000 per month | 0.01 USD |
| - Total S3 Protection Cost | | 0.01 USD |
+--------------------------------------------------+----------------------------+------------------------+
| GuardDuty EKS Protection | | |
| - EKS Audit Logs Analysis | 500,000 per month | 1.13 USD |
| - Total EKS Protection Cost | | 1.13 USD |
+--------------------------------------------------+----------------------------+------------------------+
| GuardDuty Malware Protection for EC2 | | |
| - EBS Volume Data Scan Analysis | 200 GB per month | 8.00 USD |
| - Total EBS Data Scan Cost | | 8.00 USD |
+--------------------------------------------------+----------------------------+------------------------+
| GuardDuty Malware Protection for S3 | | |
| - S3 Objects Scanned | 150 GB per month | 129.00 USD |
| - Total S3 Malware Scan Analysis Cost | | 129.00 USD |
+--------------------------------------------------+----------------------------+------------------------+
| GuardDuty RDS Protection | | |
| - RDS Provisioned instance vCPU | 20 vCPUs per month | 24.60 USD |
| - Total RDS Protection Cost | | 24.60 USD |
+--------------------------------------------------+----------------------------+------------------------+
| GuardDuty Lambda Protection | | |
| - Lambda VPC Flow Log Analysis | 20 GB per month | 23.00 USD |
| - Total Lambda Protection Cost | | 23.00 USD |
+--------------------------------------------------+----------------------------+------------------------+
| Runtime Protection | | |
| - EKS Runtime Monitoring Analysis | 240 vCPUs per month | 460.80 USD |
| - Total Runtime Protection Cost | | 460.80 USD |
+--------------------------------------------------+----------------------------+------------------------+
| GuardDuty Total Cost (monthly) | | 819.27 USD |
+--------------------------------------------------+----------------------------+------------------------+

Same setup at
- Ohio (us-east-2) costs: 647.01 USD
- Ireland (eu-west-1) costs: 676.40 USD
- Mumbai (ap-south-1) costs: 767.04 USD

More details are available at PricingCalculator (valid until August 15, 2025).

Here is an example Usage detail view from the Amazon GuardDuty console. It shows the cost factor of each component used for the analysis.

Amazon GuardDuty Service Dashboard

The service dashboard provides an overview of our workload’s security status. Understanding what to look out for and identifying both the most frequent and the rarest findings is crucial for pinpointing primary threats. Once we know which issue is the priority for us, we can follow that lead into in-depth analysis.

Here is the breakdown of what’s happening in each panel of the GuardDuty dashboard:

  • Overview: Highlights month-to-month (MoM) changes, showing a significant increase in findings and affected resources.
  • Findings by Severity: Visualizes the distribution and timing of findings based on their severity.
  • Most Common Finding Types: Displays the types of security issues most frequently encountered.
  • Least Occurring Findings: Lists rare but high-severity findings, pointing to potential emerging threats.
  • Resources with Most Findings: Identifies the resources with the highest number of findings, indicating areas needing attention.

Take action today by starting with an assessment of your current security posture and consider how Amazon GuardDuty can be integrated to deliver the most advantage with the appropriate amount of data ingestion.

Being proactive is the key to preventing incidents before they happen.
