If you are new to AWS GuardDuty, FAQ is the best place to start from. I am currently working on a GuardDuty relevant project, and here are some bullets that I quickly summarised. Hope it is useful to you.
- GuardDuty is AWS managed continuous thread detection service. It detects the threads by analysing the VPC Flow Logs, CloudTrail Event Logs, and DNS logs in near real-time fashion.
- GuardDuty is priced along two dimensions: CloudTrail events quantity, VPC flow and DNS logs size.
- GuardDuty supports master-member setup, which allows you to aggregate multiple accounts’ GuardDuty events into one account in the same region.
- GuardDuty is regional service, and does not support cross-region master-member setup, which means you can not aggregate region A and region B findings into one region C.
- GuardDuty only does detection, you have to manage your own preventative actions. A typical solution is using Lambda.
- With the help of CloudWatch events and Lambda, you are able to aggregate multiple accounts and multiple regions findings into one single pane of glass. In my case, it is Sumologic. It also comes with a nice dashboard (beta).
- API uses different terms than the console, so don’t get confused when reading the API documentations.
Console termAPI termEnable GuardDutyCreate detectorRun GuardDutyEnable detectorSuspend GuardDutyDisable detectorDisable GuardDutyDelete detector
- Difference between Suspend and Disable GuardDuty: Suspend and Disable GuarDuty will both stop detection. Suspend GuardDuty will keep the existing data (findings), while Disable GuardDuty will remove all data.
- If you have multiple AWS accounts, it is wise to write a tool to manage GuardDuty. I actually have written a tool called AWS GuardDuty Manager which works great for us internally (we have 30+ accounts). I am currently working on open sourcing it, please be patient.