AWS GuardDuty Configuration

8 min read Beginner

GuardDuty is AWS's managed threat detection service. It analyzes CloudTrail, VPC Flow Logs, and DNS logs to identify malicious activity. This guide covers configuration options, operational considerations, and integration patterns.

Quick Start

Enable GuardDuty with default settings:

```bash
aws guardduty create-detector --enable
```

GuardDuty begins analyzing data immediately. No additional configuration is required for basic threat detection. See the AWS GuardDuty documentation for complete feature details.

Data Sources

GuardDuty analyzes multiple data sources to detect threats:

| Data Source | Activity Covered |
|---|---|
| CloudTrail Events | API calls and management activity |
| VPC Flow Logs | Network traffic patterns |
| DNS Logs | DNS query activity |
| S3 Data Events | Object-level access patterns |
| EKS Audit Logs | Kubernetes cluster activity |

GuardDuty consumes these sources from an independent stream inside AWS, so you do not need to enable VPC Flow Logs or a CloudTrail trail for GuardDuty's own analysis, and no log shipping configuration or agent installation is required.

Configuration Options

Minimal Configuration

For environments without Kubernetes or specific malware scanning requirements:

```hcl
resource "aws_guardduty_detector" "main" {
  enable = true

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}
```

Full Configuration

Enable all protection plans for comprehensive coverage:

```hcl
resource "aws_guardduty_detector" "main" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}
```

Feature Considerations

| Feature | Use Case | Cost Impact |
|---|---|---|
| S3 Protection | Environments with sensitive S3 data | Moderate |
| EKS Audit Logs | Kubernetes workloads | Low to Moderate |
| Malware Protection | EC2 workloads with compliance requirements | Higher |
| RDS Protection | Database-heavy environments | Moderate |

Recommendation: Start with the minimal configuration. The 30-day free trial allows evaluation of which additional protection plans provide value for the environment.

Operational Notes

  • Baseline Period: GuardDuty requires approximately 7 days to establish baseline behavior. Expect false positives among the initial findings.
  • Trusted IP Lists: Add known corporate IPs, VPN endpoints, and security scanning tools so that expected activity from those addresses does not generate noise.
  • Suppression Rules: Configure suppression rules for expected findings, such as those produced by penetration testing tools or known security scanners.
  • Multi-Region: Enable GuardDuty in every region. Threats can originate from any region, including those without active workloads.
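The trusted IP list and suppression rule above expressed in Terraform, as an added example that is not code from the original guide. It assumes the detector from the Configuration Options section (aws_guardduty_detector.main); the bucket name and IP addresses are placeholders.

```hcl
# Added example, not part of the original guide. Assumes aws_guardduty_detector.main
# exists; bucket name and addresses are placeholders (RFC 5737 documentation ranges).

resource "aws_s3_bucket" "guardduty_lists" {
  bucket = "example-guardduty-lists" # placeholder, must be globally unique
}

# One address or CIDR per line; GuardDuty fetches the list from S3.
resource "aws_s3_object" "trusted_ips" {
  bucket  = aws_s3_bucket.guardduty_lists.id
  key     = "trusted-ips.txt"
  content = <<-EOT
    203.0.113.0/24
    198.51.100.7
  EOT
}

# Trusted IP list: GuardDuty does not generate findings for traffic from these addresses.
resource "aws_guardduty_ipset" "trusted" {
  detector_id = aws_guardduty_detector.main.id
  name        = "corporate-and-vpn"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${aws_s3_bucket.guardduty_lists.id}/${aws_s3_object.trusted_ips.key}"
  activate    = true
}

# Suppression rule: auto-archive port-probe findings caused by the authorised
# vulnerability scanner, narrowed to one finding type so other activity from
# that address still surfaces.
resource "aws_guardduty_filter" "authorised_scanner" {
  detector_id = aws_guardduty_detector.main.id
  name        = "authorised-scanner-port-probes"
  action      = "ARCHIVE"
  rank        = 1

  finding_criteria {
    criterion {
      field  = "type"
      equals = ["Recon:EC2/PortProbeUnprotectedPort"]
    }
    criterion {
      field  = "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4"
      equals = ["192.0.2.25"]
    }
  }
}
```

Archived findings remain queryable in the console and API, so a suppression rule hides expected noise without discarding the record.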

Severity Levels

GuardDuty assigns severity scores from 0.0 to 10.0:

| Severity | Score Range | Response |
|---|---|---|
| Low | 0.1 - 3.9 | Suspicious activity that may warrant investigation. Review weekly. |
| Medium | 4.0 - 6.9 | Potentially malicious activity. Review within 24-48 hours. |
| High | 7.0 - 10.0 | Active threat requiring immediate investigation. |

Finding Categories

| Category | Description | Example |
|---|---|---|
| Backdoor | Compromised resource | Backdoor:EC2/Spambot |
| Behavior | Unusual API activity | Behavior:EC2/NetworkPortUnusual |
| CryptoCurrency | Mining activity | CryptoCurrency:EC2/BitcoinTool.B |
| Recon | Reconnaissance | Recon:EC2/PortProbeUnprotectedPort |
| UnauthorizedAccess | Unauthorized API calls | UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B |

Multi-Account Setup

For AWS Organizations, designate a security account as the delegated administrator:

```bash
# From management account
aws guardduty enable-organization-admin-account \
  --admin-account-id 123456789012
```

The delegated administrator can then manage GuardDuty across all member accounts from a central location.

Recommended Architecture

  • Security Account: GuardDuty administrator, aggregates findings
  • Log Archive Account: S3 bucket for findings export and long-term retention
  • Member Accounts: Auto-enrolled via Organizations integration

Rationale: Isolating security tooling from workload accounts limits blast radius if a workload account is compromised.

EventBridge Integration

Route high-severity findings to notification systems via EventBridge:

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{ "numeric": [">=", 7] }]
  }
}
```

This pattern captures findings with severity 7.0 or higher. Common targets include SNS for email notifications, Lambda for Slack integration, or Step Functions for automated response workflows.
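The same pattern wired to an SNS email topic in Terraform, as an added example that is not code from the original guide; var.alert_email is an assumed variable holding the recipient address.

```hcl
# Added example, not part of the original guide. var.alert_email is a
# hypothetical variable holding the notification recipient.

resource "aws_sns_topic" "guardduty_high" {
  name = "guardduty-high-severity"
}

# EventBridge publishes as the events.amazonaws.com service principal; allow it.
resource "aws_sns_topic_policy" "guardduty_high" {
  arn = aws_sns_topic.guardduty_high.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.guardduty_high.arn
    }]
  })
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.guardduty_high.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# Same event pattern as the JSON above: only severity 7.0 or higher matches.
resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name = "guardduty-high-severity"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail        = { severity = [{ numeric = [">=", 7] }] }
  })
}

# Reduce the raw finding to a one-line message before it is emailed.
resource "aws_cloudwatch_event_target" "sns" {
  rule = aws_cloudwatch_event_rule.guardduty_high.name
  arn  = aws_sns_topic.guardduty_high.arn
  input_transformer {
    input_paths = {
      type     = "$.detail.type"
      severity = "$.detail.severity"
      region   = "$.region"
    }
    input_template = "\"GuardDuty <type> (severity <severity>) in <region>\""
  }
}
```

The email subscription must be confirmed by the recipient before SNS delivers messages to it.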

Auto-remediation: Unlike AWS Config (which detects misconfigurations), GuardDuty detects behavioral anomalies. Automated remediation requires careful consideration to avoid service disruption from false positives.

Cost Considerations

GuardDuty pricing is based on volume of data analyzed:

| Environment | Typical Monthly Cost | Primary Cost Drivers |
|---|---|---|
| Small (1-5 accounts) | $10-50 | CloudTrail events |
| Medium (5-20 accounts) | $100-500 | VPC Flow Logs, DNS queries |
| Large (20+ accounts) | $500-2000+ | High-volume APIs, S3 data events |

Free Trial: AWS offers a 30-day free trial for all GuardDuty features. The Usage tab in the GuardDuty console displays projected costs before the trial ends.

Integration Points

GuardDuty connects with other AWS security services to form a comprehensive threat detection and response pipeline:

| Service | Role |
|---|---|
| Security Hub | Aggregates GuardDuty findings with other security services for centralized visibility |
| EventBridge | Routes findings to notification systems and triggers automated response workflows |
| CloudTrail | Provides API activity data that GuardDuty analyzes for suspicious patterns |
| AWS Config | Complements GuardDuty by detecting configuration drift and compliance violations |

Architecture Pattern: GuardDuty detects threats, Security Hub aggregates findings, EventBridge routes alerts, and SNS delivers notifications. This pipeline enables both real-time alerting and automated response.

Next Steps

  1. Configure trusted IP lists for known corporate and VPN addresses
  2. Integrate with Security Hub for centralized findings management
  3. Set up EventBridge rules for high-severity notifications
  4. Review findings weekly and tune suppression rules as needed