Amazon GuardDuty

Amazon GuardDuty is a continuous security monitoring service designed to protect your AWS accounts, workloads, and data stored in Amazon S3. It identifies potential threats based on data collected from various sources, using AI, machine learning, anomaly detection, and integrated threat intelligence feeds (e.g., known malicious IP addresses).

It is not designed for in-depth traffic filtering or traffic control. It can help detect suspicious traffic, but GuardDuty doesn’t allow you to define custom rules to allow/deny specific types of traffic.

1. Data Sources

GuardDuty analyzes continuous streams of metadata generated from your account and network activities, including:

  1. VPC Flow Logs: Monitors traffic metadata within your VPC to detect suspicious network activities.
  2. DNS Logs: Tracks DNS requests via Amazon Route 53, helping to identify unusual or malicious domain resolution requests.
  3. CloudTrail Logs: Analyzes API activity to detect unauthorized or unusual access patterns.
  4. CloudTrail S3 Data Events: Monitors object-level activities in S3 buckets for signs of malicious or unauthorized access.
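Each GuardDuty finding records which kind of activity triggered it in `Service.Action.ActionType`, so findings can be traced back to the data source listed above. The following triage script is an added example, not code from the page or from AWS: it parses a `get-findings` style JSON response, maps each finding onto its data source (API calls against an `S3Bucket` resource are attributed to S3 data events), buckets the numeric severity into GuardDuty's documented Low/Medium/High ranges, and lists the High findings to escalate first. The finding records are constructed for the example; the `Id` values and the `Service.Count` numbers are made up, only the field names follow the finding schema.

```python
import json
from collections import Counter

# Service.Action.ActionType values mapped onto the data source that produced them.
ACTION_TYPE_TO_SOURCE = {
    "NETWORK_CONNECTION": "VPC Flow Logs",
    "PORT_PROBE": "VPC Flow Logs",
    "DNS_REQUEST": "DNS Logs",
    "AWS_API_CALL": "CloudTrail Logs",
}

# Constructed sample response in the shape returned by `aws guardduty get-findings`.
# IDs, severities and counts are invented for this example.
SAMPLE_RESPONSE = json.dumps({"Findings": [
    {"Id": "sample-finding-1", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "Resource": {"ResourceType": "Instance"},
     "Service": {"Action": {"ActionType": "PORT_PROBE"}, "Count": 12}},
    {"Id": "sample-finding-2", "Type": "Backdoor:EC2/C&CActivity.B!DNS",
     "Severity": 8.0, "Resource": {"ResourceType": "Instance"},
     "Service": {"Action": {"ActionType": "DNS_REQUEST"}, "Count": 3}},
    {"Id": "sample-finding-3", "Type": "Recon:IAMUser/MaliciousIPCaller",
     "Severity": 5.0, "Resource": {"ResourceType": "AccessKey"},
     "Service": {"Action": {"ActionType": "AWS_API_CALL"}, "Count": 1}},
    {"Id": "sample-finding-4", "Type": "Discovery:S3/MaliciousIPCaller",
     "Severity": 7.5, "Resource": {"ResourceType": "S3Bucket"},
     "Service": {"Action": {"ActionType": "AWS_API_CALL"}, "Count": 40}},
]})


def load_findings(text):
    """Parse a get-findings JSON response and return the list of finding dicts."""
    return json.loads(text)["Findings"]


def severity_label(severity):
    """Bucket GuardDuty's numeric severity into its documented labels."""
    if severity >= 7.0:
        return "High"      # 7.0 - 8.9
    if severity >= 4.0:
        return "Medium"    # 4.0 - 6.9
    return "Low"           # 1.0 - 3.9


def data_source(finding):
    """Name the data source a finding was derived from, based on its action type."""
    action_type = finding.get("Service", {}).get("Action", {}).get("ActionType")
    source = ACTION_TYPE_TO_SOURCE.get(action_type, "Unknown")
    # Object-level activity on buckets is surfaced through CloudTrail S3 data events.
    if source == "CloudTrail Logs" and finding.get("Resource", {}).get("ResourceType") == "S3Bucket":
        return "CloudTrail S3 Data Events"
    return source


def triage(findings):
    """Summarise findings per data source and severity; list High findings first."""
    by_source = Counter(data_source(f) for f in findings)
    by_severity = Counter(severity_label(f["Severity"]) for f in findings)
    escalate = sorted((f for f in findings if severity_label(f["Severity"]) == "High"),
                      key=lambda f: f["Severity"], reverse=True)
    return {
        "by_source": dict(by_source),
        "by_severity": dict(by_severity),
        "escalate": [f["Id"] for f in escalate],
    }


if __name__ == "__main__":
    print(json.dumps(triage(load_findings(SAMPLE_RESPONSE)), indent=2))
```

The same mapping works on the `detail` object of a GuardDuty finding event delivered through EventBridge, which carries the identical field names.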

2. Disable the service in the general settings

  1. Disable: Disabling the service deletes all remaining data, including your findings and configurations, before relinquishing the service permissions and resetting the service.
  2. Stop/Suspend: This immediately stops the service from analyzing data, but does not delete your existing findings or configurations.