hands-on lab

Detecting EC2 Threats with Amazon GuardDuty

Up to 50m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


Amazon GuardDuty continuously monitors and identifies threats by analyzing several types of activity in your AWS account and any invited member accounts that you link to. GuardDuty can notify you of a wide variety of threats including unauthorized access, trojans, communication with Tor anonymizing, or cryptocurrency networks.

In this Lab, you will learn how to use Amazon GuardDuty to automatically uncover malicious EC2 activity, and configure threat lists to improve the security of an AWS Lab environment.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Enable, disable, and suspend Amazon GuardDuty for AWS accounts
  • Activate threat lists and trusted IP lists, and understand when to use each
  • Understand the types of security findings GuardDuty can detect
  • Prioritize and interpret GuardDuty findings in a live environment


You should be familiar with:

  • Core AWS services, particularly EC2, VPC, and S3

The following courses can be used to fulfill the prerequisite:


July 4th, 2023 - Updated the Examining Live Threats in GuardDuty lab step to reflect current expected GuardDuty findings

December 27th, 2022 - Updated the instructions and screenshots to reflect the latest UI

June 9th, 2022 - Added validation checks throughout lab

February 14th, 2022 - Clarified that there may be three instances in the EC2 Console but on the Malicious Instance and App Server are important for the lab

June 30th, 2021 - Changed to use GuardDuty in Ohio region

May 4th, 2020 - Updated screenshots to reflect the new AWS UI

January 10th, 2019 - Added a validation Lab Step to check the work you perform in the Lab

Environment before

Environment after

About the author

Logan Rakai, opens in a new tab
Lead Content Developer - Labs
Learning paths

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Enabling Amazon GuardDuty
Activating a GuardDuty Threat List
Examining Sample GuardDuty Findings
Examining Live Threats in GuardDuty
Disabling Amazon GuardDuty