Understanding Amazon GuardDuty Findings
Start course
1h 3m

During AWS re:Invent 2017, AWS launched its 11th security service in the on-going drive to help its customers protect and secure their applications, environments, and accounts. This service was Amazon GuardDuty, a regionally based, intelligent, threat-detection service. This service allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs. It then uses the data from logs and assesses them against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs. This course will introduce you to this Amazon GuardDuty and explain how it works and how to configure it, allowing you to be able to enable this service within your own AWS accounts to provide automatic and continuous security analysis for safeguarding your entire AWS environment.

Learning Objectives

By the end of this course you will be able to:

  • Describe the Amazon GuardDuty service
  • Manage and configure GuardDuty for single and multiple accounts
  • Implement the correct permissions to both enable and manage GuardDuty
  • Manage and resolve findings generated
  • Explain how GuardDuty can play an important role within your organization

This course has been designed for individuals in the following roles:

  • Security consultant/specialist
  • Security analyst
  • Security auditor
  • Cloud architect
  • Cloud operational support analyst

This course would also be valuable to anyone looking to learn more about AWS security and threat detection within AWS.


As a prerequisite to this course, you should have a basic understanding of the fundamentals of AWS along with an awareness of different security measures and mechanisms that are offered by different AWS services, such as within IAM, specifically IAM policies.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Hello, and welcome to this lecture. I'm going to take a deeper look at the findings generated by Amazon GuardDuty, and how to look into the details further to help you remediate the issues you find.

In an earlier lecture, I briefly provided an overview of the findings section, however, in this lecture I want to look at these findings in a bit more detail and also the findings area of the dashboard to show you some additional features that it has. To do this, I feel it would best to demonstrate this form within the management console, so let's take a look.

Okay, so I'm at the dashboard of Amazon GuardDuty. And, as you can see, I have a number of sample findings, which is what we went through earlier in a previous demonstration. So, let's take more of a look around this section of the findings dashboard.

On the far left-hand side of this table you can we have a number of check boxes, and we can select individual findings. Now, what we can do with these selected findings, is we can go to actions at the top here, and either archive those findings or export them. So let's just run through each of those. If we click on archive, it says our findings have now been archived. So, if we go over to the left-hand side and select archive, we can see those findings that we archived there. Now you might do this for ease of management, or for general housekeeping, just keepin' a record of the findings that you've had. And if you want to select all findings in a table, you simply click on the top check box, there. Pretty standard stuff.  I'm going to move those findings back into current.

Okay, and the other option we had under actions was export. And this will export the JSON data for all of those findings. And you simply click on download and it will export the JSON file. If you need to refresh your findings list, there's the refresh button at the top, here, simply click on that and it'll refresh your findings.

Over on the right-hand side, at the top, we have indicators that let you know how many findings are of a particular severity. So, at the moment, I have zero findings that are low severity, 32 findings that are medium and 1 finding that is high. That is a very quick way to have a look at your dashboard to see your most critical findings, and you can simply click on each of these to filter on these findings. So, that's the high, and there's all your medium, and obviously, we don't have any low. You can add additional filters to your findings. So, for example, if we looked at this top finding, here, that would bring up all the details for this finding. Now, if there's any hyperlinks on this screen, as you can see here with the plus or minus or the actual resource id, here or the instance, if you click on the plus, then that will add that as a filter. As you can see, here, in this row we have a filter row with severity of medium. Now I can select, exclude that, or currently, it's included.

So, if we go back into that same finding and I want to filter on this account id only, I can click on the plus, and again add it into the filter. And, one more, if I filter on resource type of instance. And now that's filtered all the findings that have a severity of medium, with this account id, and this resource type. Now you can see that it now only showing 19 of the total 33 findings. If you like, you can save this as a set filter. So, I'm just going to call this, instance. If I remove all my filters now, I can then revert back to that filter at anytime by clicking on the dropdown box, clicking on the name and it will bring up the filter. So, you can set up many different filters if you have different accounts, especially if you're filtering for member to master accounts or you can filter on resource types, or severities. Anything that has a hyperlink within the details of that finding, you can add a filter against. For example, again here, an action type of DNS_REQUEST, so if I go ahead and add that, we now have only eight findings of the 33 that match this filter.

If you wanted to exclude any of these filters, then just simply hover over it and click on exclude. So now a filter on all findings with a medium severity, under that account id that do not include a resource type of instance. You can either include or exclude filters as you see fit. Let's just clear those filters, just by clicking on this x, here.

So, let's now take a closer look at a couple of these sample findings. Let's take a look at this one here, let's do a Bitcoin. When you click on a finding, it will open up this additional window which gives you lots more information about the finding. At the very top, here, we have the finding type, which just gives us a breakdown of what the finding's relating to. And then, from here, we can see that this EC2 instance is querying a domain name that is associated with Bitcoin-related activity.

Now, unless you're using this EC2 instance to mine for Bitcoin, then it's pretty fair to say that this instance has been compromised in some way or another. So, you could either take a look at that instance and see if it has any software on it that it shouldn't do, any kind of malware or anything like that. Failing that, it's probably best to terminate that instance and then set up a new EC2 instance. And then, when you've done that, just make sure you're applying best practices to harden that instance against any kind of security threats using the AWS security best practices.

So, looking more at this window, here, we can the Severity of the finding, and it's currently set as Medium, the Account ID that this finding is associated with, and that's helpful if you have multiple accounts feeding through to a master account. We can see when this finding was last seen, two days ago. The Region it was in, and also the Resource ID that is affected by this, and how many times this finding's come up. And if we scroll down to the Resource affected, this gives us a bit more information on the resource itself. So we can see the role of this resource was a TARGET, Resource type is set as an Instance and it gives us the Instance ID. And we can click on that instance id and it will take us into the EC2 management console direct to that instance. As this is just a sample, made-up instance id, it won't lead me anywhere if I click on it. It will take me to the EC2 console, but it'll explain that it can't find the instance.

If we go down to Action, this gives us the Action type of the threat which was a DNS_REQUEST, and as we know, the instance was drawn to a query, a domain name that's related to Bitcoin mining. And then down to Actor, this gives us the actual domain, and then in this particular finding there wasn't really much in the Additional information section. So, in this instance, I would probably terminate the instance and then launch it again. And then just ensure that we harden that instance with security best practices.

Just while I'm here, these icons at the top just simply tell you where this additional window will appear on your screen. So we can have it at the bottom, to the side, or just full screen. I tend to have it to the side, just makes it a little bit easier to read. And then when you're done with the information, just click on close.

Let's take a look at another example.Let's take a look at this one, here. This time the finding type relates to a Behavior threat, to do with an EC2 instance and Network Port Unusual. This is stating that the EC2 instance is communicating with a remote host on an unusual server port 22. So what this is telling us is, generally during the history of this instance, communicating on port 22 to this remote host hasn't happened before so it's an unusual behavior. It's flagged it as a potential threat. So, we can take a look again, it's given it a severity, you can see the account id, the region etc. This time we have a threat list name, so it's found it due to one of the configured threat lists. If you go down to the Resource affected, again we can see that the resource is the TARGET, and again it give the instance id as well. Under the Action section, we can see that it's an OUTBOUND network connection that's being made.

We can see some more information, here, about the remote host, it give the IP address, the Port that it's actually using and some information relating to the city and the country. This time under Additional information it does give us a bit more, it gives us threat list name, the unusual port, which is 22, and the protocol, UDP. So, it does depend on the finding type as to what level of information you get under these additional section such as Actor, Action and Additional information. So, again, it looks like your instance is being compromised. You want to check out the security groups and ACLs, and also the EC2 instance itself. Again, a good way if you have an EC2 instance that's been compromised, is just terminate it and launch a new instance, and harden that instance according to best practices.

So, it's very self-intuitive. The findings themselves do provide some good information as to what has been affected, what kind of threat it is, and some information to help you remediate the problem as well. It's a good idea to get familiar with these sample findings as the more familiar you become with these, the easier it will be to help you remediate real issues when you generate your own findings with your production environment.

That brings me to the end of this demonstration and the end of this lecture. Coming up next, I'm going to be talking about how you can use Amazon GuardDuty as a benefit to your enterprise environment.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.