Course Summary


Amazon GuardDuty
Start course
1h 3m

During AWS re:Invent 2017, AWS launched its 11th security service in the on-going drive to help its customers protect and secure their applications, environments, and accounts. This service was Amazon GuardDuty, a regionally based, intelligent, threat-detection service. This service allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs. It then uses the data from logs and assesses them against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs. This course will introduce you to this Amazon GuardDuty and explain how it works and how to configure it, allowing you to be able to enable this service within your own AWS accounts to provide automatic and continuous security analysis for safeguarding your entire AWS environment.

Learning Objectives

By the end of this course you will be able to:

  • Describe the Amazon GuardDuty service
  • Manage and configure GuardDuty for single and multiple accounts
  • Implement the correct permissions to both enable and manage GuardDuty
  • Manage and resolve findings generated
  • Explain how GuardDuty can play an important role within your organization

This course has been designed for individuals in the following roles:

  • Security consultant/specialist
  • Security analyst
  • Security auditor
  • Cloud architect
  • Cloud operational support analyst

This course would also be valuable to anyone looking to learn more about AWS security and threat detection within AWS.


As a prerequisite to this course, you should have a basic understanding of the fundamentals of AWS along with an awareness of different security measures and mechanisms that are offered by different AWS services, such as within IAM, specifically IAM policies.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Hello and welcome to this final lecture of the course. We want to summarize the key points from each of the lectures.

I started the course by explaining what the Amazon GuardDuty is and what it does, and I explained that Amazon GuardDuty is a regional based intelligent threat detection service. It allows users to monitor their AWS Account for unual and unexpected behavior by analyzing AWS CloudTrail event logs, VPC flow logs, and DNS logs. The logs that were assessed against multiple security and threat detection feeds, looking for anomalies and known malicious sources. The service itself is powered by machine learning, and Amazon GuardDuty provides automatic and continuous security analysis for safeguarding your entire AWS environment. Findings are presented with a priority level that enables you to investigate the issue further, and the service does not require any agents or software on your resources. It's also possible to link your AWS accounts together to perform a threat detection layer across all of your accounts. And this service has zero impact of the performance of your existing resources.

Following this, I then discussed the different component and the elements of the service itself. Within this lecture, we learned that there are three data sources that Amazon GuardDuty uses to perform its analysis: AWS CloudTrail event logs, VPC flow logs, and DNS query logs. Machine learning is interwoven with Amazon GuardDuty, allowing it to learn and adapt to what it classes as unusual behavior within your account at the time to then highlight it as a potential threat. List management allows you to upload your own list with trusted IPs and threat list, and any IP information that is add to the trusted IP list is whitelisted. Threat lists contain a known list of malicious IP addresses on networks that you want to ensure guide you to generate findings for if any traffic it detected with this information. GuardDuty findings are listing within the GuardDuty dashboard and allow you to take the appropriate actions against them to resolve any security vulnerabilities that may exist. The content of the finding itself can be broken down into five parts: the finding summary, the resource affected, the action, actor, and additional information. Each finding is associated with a severity level and score. The score value will affect the severity. I also gave a demonstration that introduced you to the service portion and how to enable the service, configure trusted IP and threat lists, and an overview of the different options within the Amazon GuardDuty dashboard.

Next, I spoke about how to link multiple AWS accounts for Amazon GuardDuty, allowing for centralized management. In a multi-account scenario, one account can act as a master account and then all others can act as members. Findings from member accounts send a copy of the results to the dashboard of the master account. And this allows you to view all accounts in a central location. Trusted IP lists and threat lists within the master account are not used within the member accounts, and the master account has additional control and administrative functions such as having the ability of being able to suspend Amazon GuardDuty within its own account and other member accounts. To set up your AWS accounts in a master-member configuration it's a simple three-stage process. Add an AWS account from within the master account, send an invitation to the member account, and then accept the invitation from within the member account. Ie then performed a simple demonstration showing you how to carry out these steps.

Next, I focused on how to manage permissions with Amazon GuardDuty and here I covered the following points. To enable the Amazon GuardDuty service, the user will need some specific IAM permissions that allows them to create a service-linked role that allows GuardDuty to retrieve information about some of your resources. AWS has created an AWS management policy to allow you to enable GuardDuty within a region called Amazon GuardDuty full access. This policy allows full access to Amazon GuardDuty plus the ability to create a service-linked role. For full permissions to Amazon GuardDuty, you can create a custom policy which allows a full access to Amazon GuardDuty, the ability to enable the service, and permissions to update and manage trusted IP and threat lists. AWS offers another management policy entitled Amazon GuardDuty read-only access, and this provides read-only permissions to GuardDuty's findings.

Following this section covering permissions, I then provided a demonstration where I looked at GuardDuty findings in greater detail.

Next, I looked at how Amazon GuardDuty can be used to bring benefit to the enterprise which included that it's an intelligent threat detection service, it provides high-level security, regardless of deployment size, it has centralized management, there are no agents required, there are no upfront costs, and you can perform automation of remediation.

Next, I focused on the costing of the service which offers a very simple charging method. Pricing for this service is broken down into two parts: CloudTrail event analysis and VPC flow log and DNS log analysis. CloudTrail event analysis is charged at one million events per month, and VPC flow logs and DNS logs are charged at per gig of log analyzed per month. And the cost varies depending on which region you have GuardDuty in. When you first enable Amazon GuardDuty, you are able to use the service free for the first 30 days. As an example of cost, the following table shows you the cost for the London, EU region. And the charges for this service are very simple to understand and estimate.

Finally, I looked at a number of different partners that seamlessly interact the services with Amazon GuardDuty. Some of these included Alert Logic Cloud Insight Essentials for AWS, CrowdStrike, and Trend Micro. For more information on these partners and others, the full listing can be found here. That now brings me to the end of this lecture and to the end of the course.

You should now have a greater understanding of Amazon GuardDuty, what it is, what it can do, and how it can offer additional intelligence to secure your AWS accounts and resources within them. If you have any feedback on this course, positive or negative, please do contact us at Your feedback is greatly appreciated. Thank you for your time, and good luck with your continued learning of POW computing. Thank you.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.