detecting-cloud-threats-with-guardduty

Detecting Cloud Threats with GuardDuty

When to Use

  • When establishing continuous threat detection for new or existing AWS accounts
  • When investigating GuardDuty findings related to compromised instances, credential abuse, or data exfiltration
  • When building automated incident response playbooks triggered by GuardDuty findings
  • When extending threat coverage to container workloads running on EKS, ECS, or Fargate
  • When enabling malware scanning for EBS volumes attached to suspicious EC2 instances

Do not use for Azure or GCP threat detection (see securing-azure-with-microsoft-defender or auditing-gcp-security-posture), for static code analysis, or for compliance posture monitoring (see implementing-aws-security-hub).

Prerequisites

  • AWS account with GuardDuty administrative permissions (guardduty:*)
  • AWS CloudTrail, VPC Flow Logs, and DNS query logs enabled (GuardDuty consumes these automatically)
  • AWS Organizations configured if deploying GuardDuty across a multi-account estate
  • EventBridge and Lambda configured for automated response workflows

Installs: 9
GitHub Stars: 6.2K
First Seen: Apr 20, 2026