Benefits to the Enterprise

During AWS re:Invent 2017, AWS launched its 11th security service in the ongoing drive to help its customers protect and secure their applications, environments, and accounts. This service was Amazon GuardDuty, a regionally based, intelligent threat-detection service. It allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs. It then assesses the data from these logs against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs. This course will introduce you to Amazon GuardDuty and explain how it works and how to configure it, so that you can enable the service within your own AWS accounts to provide automatic and continuous security analysis for safeguarding your entire AWS environment.

Learning Objectives

By the end of this course you will be able to:

  • Describe the Amazon GuardDuty service
  • Manage and configure GuardDuty for single and multiple accounts
  • Implement the correct permissions to both enable and manage GuardDuty
  • Manage and resolve findings generated
  • Explain how GuardDuty can play an important role within your organization

This course has been designed for individuals in the following roles:

  • Security consultant/specialist
  • Security analyst
  • Security auditor
  • Cloud architect
  • Cloud operational support analyst

This course would also be valuable to anyone looking to learn more about AWS security and threat detection within AWS.


As a prerequisite to this course, you should have a basic understanding of the fundamentals of AWS along with an awareness of different security measures and mechanisms that are offered by different AWS services, such as within IAM, specifically IAM policies.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Hello, and welcome to this lecture, where I shall be focusing on a number of benefits that this service provides to the enterprise.

By now, you may already have a number of ideas about how this service could benefit your own organization, as this is a very powerful and useful security service to have at your disposal. Any service that is able to offer assistance in the protection of your data within the public cloud is very valuable. All too often, we hear about organizations that are being probed and hacked within the cloud environment, with millions of records being stolen, containing sensitive, personally identifiable information. This is one of the reasons that cloud adoption is stalled, due to security risks and an awareness of how to secure the environment correctly.

The main benefit of the service is that it is simply an intelligent threat detection service, which performs continual and automatic analysis and threat detection within your AWS account by analyzing your CloudTrail logs, DNS query logs, and VPC Flow Logs. Essentially, you now have an active service monitoring and detecting anomalies throughout your environment, powered by machine learning and utilizing multiple threat detection feeds, looking for any communications with untrusted and malicious sources.

Whether you are running 10 instances or 10,000 instances, the service does not impose any performance issues against your resources, and will provide the same high level of detection used within huge global enterprise deployments as it does to small-scale, single availability zone deployments. Security is crucial, and having these security resources available from day one is not something a small organization would have had in a traditional datacenter deployment of a solution.

The technology, skill set, and resource to implement a threat detection system in a traditional environment will be very costly and unlikely to make it into the forefront of priority in most cases. Regardless of the size of your AWS account and the resources within it, you will be able to use the power or full force of this intelligent threat detection service for a minimal cost.

As I explained in an earlier lecture, it's possible to aggregate the findings of all your AWS accounts into a single master account. This simplifies the management for your security team by allowing them to monitor any findings through a single console. Any efficiencies such as this that can be taken advantage of save time and reduce the risk of something being missed. As with any monitoring solution, being able to assess your entire infrastructure through a single pane of glass pays dividends in its productivity as a service, and makes management that much easier.

With many security detection and vulnerability solutions out there today, either an agent or other software is often required to be installed onto the server that you want to monitor and detect potential security threats for. With Amazon GuardDuty, this is not required. All threat detection is performed without the need to monitor the instances with additional software or agents.

One of the many great things about Amazon GuardDuty is that it comes with no upfront costs at all. You only pay for the processing of your log files, which I'll come onto in a later lecture of this course. Traditionally, to install and configure a scalable, intelligent threat detection solution, would require a considerable amount of capital expenditure. With Amazon GuardDuty, you simply click enable, and it starts working straightaway without any upfront costs.

Having a powerful, intelligent threat detection system such as Amazon GuardDuty is one thing, but being able to automate responses to findings to help remediate potential security loopholes is another. You can use Amazon CloudWatch event rules and targets in conjunction with AWS Lambda to help you automate a response to a particular finding. With the ability to trigger automated responses based on GuardDuty findings, you are able to quickly and easily lock down a particular resource or restrict permissions that could stop an attack. For example, if you had a resource that was the target of a brute force SSH attack, you could set an automatic response to block SSH. For more information on AWS Lambda and Amazon CloudWatch, please see our content library for labs and courses on these services.
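The automated response described above, sketched as a Lambda handler (an added example, not part of the course material). It turns an SSH brute force finding into a network ACL deny rule for the remote address, and only when the instance is the target. The `QUARANTINE_NACL_ID` environment variable, the rule number, the trusted ranges and the sample event are assumptions.

```python
import ipaddress
import os

FINDING_TYPE = "UnauthorizedAccess:EC2/SSHBruteForce"
# Pattern for the CloudWatch Events rule that targets this Lambda function.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail": {"type": [FINDING_TYPE]}}
# Assumption: ranges that must never be auto-blocked (bastions, VPN, VPC peers).
TRUSTED = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_ssh_block(event, nacl_id, rule_number=90):
    """Return create_network_acl_entry kwargs, or None when no block applies."""
    detail = event.get("detail", {})
    service = detail.get("service", {})
    conn = service.get("action", {}).get("networkConnectionAction", {})
    if detail.get("type") != FINDING_TYPE:
        return None
    # ACTOR means our own instance is the source; denying the remote address
    # would not contain it, so that case is left for a human to triage.
    if service.get("resourceRole") != "TARGET" or conn.get("connectionDirection") != "INBOUND":
        return None
    try:
        ip = ipaddress.IPv4Address(conn.get("remoteIpDetails", {}).get("ipAddressV4"))
    except ValueError:
        return None
    if any(ip in net for net in TRUSTED):
        return None
    # NACL rules are evaluated lowest number first, so rule_number must sit
    # below the rule that allows SSH.
    return {"NetworkAclId": nacl_id, "RuleNumber": rule_number, "Protocol": "6",
            "RuleAction": "deny", "Egress": False, "CidrBlock": f"{ip}/32",
            "PortRange": {"From": 22, "To": 22}}

def handler(event, context):
    """Lambda entry point; QUARANTINE_NACL_ID is a hypothetical env variable."""
    plan = plan_ssh_block(event, os.environ["QUARANTINE_NACL_ID"])
    if plan is not None:
        import boto3  # available in the Lambda runtime; not needed for a dry run
        boto3.client("ec2").create_network_acl_entry(**plan)
    return plan

def sample_event(role="TARGET", remote_ip="198.51.100.7"):
    """Constructed GuardDuty finding event, trimmed to the fields used above."""
    action = {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "connectionDirection": "INBOUND" if role == "TARGET" else "OUTBOUND",
        "remoteIpDetails": {"ipAddressV4": remote_ip}}}
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": FINDING_TYPE,
                       "service": {"resourceRole": role, "action": action}}}
```

Calling `plan_ssh_block(sample_event(), "acl-EXAMPLE")` locally shows the rule that would be created without touching AWS.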

There are many features and reasons as to why this service will be beneficial to your business, many of which could save you a lot of money, should malicious activity occur within your environment. That now brings me to the end of this lecture. Coming up next, I want to talk about how much this service costs to run.

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.