AWS GuardDuty: Threat Detection and Response
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
GuardDuty is AWS’s managed threat detection service. It analyzes CloudTrail logs, VPC Flow Logs, DNS logs, EKS audit logs, and S3 data events to identify malicious activity. It is one of the few AWS security services you can enable with a single click and immediately get value from.
How It Works
GuardDuty uses a combination of threat intelligence feeds, anomaly detection, and machine learning models to generate findings. It does not require you to write detection rules — AWS maintains the detection logic. Your job is to enable it everywhere, tune the noise, and build response workflows.
Enable GuardDuty in every AWS region, even regions you do not use. Attackers use inactive regions specifically because they know monitoring is sparse there. Use AWS Organizations with a delegated administrator account to manage GuardDuty across all accounts from a single pane.
Finding Types
GuardDuty findings fall into categories: Reconnaissance, Instance Compromise, Account Compromise, S3 Compromise, and Kubernetes findings.
High-priority findings to build response playbooks for:
- UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration — An instance role’s credentials are being used from outside AWS. This almost always means compromise.
- CryptoCurrency:EC2/BitcoinTool.B!DNS — An instance is querying cryptocurrency mining pool domains. Cryptominers are the most common payload after initial access.
- Trojan:EC2/DNSDataExfiltration — DNS is being used to exfiltrate data. Check the DNS queries in VPC flow logs.
- Policy:S3/BucketPublicAccessGranted — Someone made a bucket public. Determine if it was intentional immediately.
Suppression Rules
Not every finding requires action. GuardDuty will generate findings for legitimate activity like vulnerability scanners, penetration tests, or expected cross-account access. Use suppression rules to filter these out rather than ignoring them manually.
Be specific with suppression rules. Suppress by finding type, resource, and account — not just finding type alone. A broad suppression rule will hide real attacks behind legitimate-looking activity.
Multi-Account Strategy
In an AWS Organization, designate a security account as the GuardDuty delegated administrator. This account receives all findings from all member accounts. Enable auto-enable so new accounts are automatically enrolled.
Send findings to a central S3 bucket for long-term storage and to EventBridge for real-time processing. Use EventBridge rules to route critical findings to PagerDuty or your SIEM and medium findings to a Slack channel.
Automated Response
Connect GuardDuty findings to Step Functions through EventBridge for automated remediation. Common automations:
- Isolate an EC2 instance by replacing its security group with one that blocks all traffic
- Disable an IAM access key associated with credential exfiltration
- Snapshot an EBS volume for forensic analysis before terminating a compromised instance
Test your automations regularly. An automated response that has not been tested will fail when you need it most.
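As an added example (not code from the article, HADESS, or AWS), the following Python shows the decision logic behind the routing and remediation described above: a Lambda-style handler that classifies a GuardDuty finding by its numeric severity, picks the remediation for the finding type, and performs it through injected clients. `QUARANTINE_SG`, `SAMPLE_EVENT` and the `RecordingClient` stand-in are constructed placeholders; the field names (`detail.type`, `detail.severity`, `resource.instanceDetails.instanceId`, `resource.accessKeyDetails`) follow the GuardDuty finding JSON, and the fake client lets the logic be exercised offline, which is also how you would test the automation before relying on it.

```python
# Added example (not the article's or AWS's code): GuardDuty finding triage from EventBridge.
QUARANTINE_SG = "sg-0placeholder0"  # hypothetical SG with no inbound or outbound rules

def severity_label(score):
    # GuardDuty numeric severity bands: 7.0-8.9 high, 4.0-6.9 medium, below 4.0 low
    return "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"

def route(score):
    # Routing from the article: high to pager/SIEM, medium to Slack, low to log only
    return {"HIGH": "pagerduty", "MEDIUM": "slack", "LOW": "log"}[severity_label(score)]

def plan_action(detail):
    """Map a finding type to a remediation and extract the resource id it needs."""
    ftype, resource = detail["type"], detail.get("resource", {})
    if ftype == "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration":
        key = resource.get("accessKeyDetails", {})
        if key.get("userType") == "IAMUser":
            return {"action": "disable_access_key", "user_name": key.get("userName"),
                    "access_key_id": key.get("accessKeyId")}
        # Instance-role credentials are STS sessions, not IAM keys: revoke sessions instead
        return {"action": "revoke_role_sessions", "user_name": key.get("userName")}
    if ftype.startswith(("CryptoCurrency:EC2/", "Trojan:EC2/")):
        return {"action": "isolate_instance",
                "instance_id": resource.get("instanceDetails", {}).get("instanceId")}
    return {"action": "notify_only"}  # e.g. S3 public access: a human confirms intent first

def handle_finding(event, ec2, iam):
    """Lambda-style handler: event is the EventBridge envelope, ec2/iam are boto3-like clients."""
    detail, plan = event["detail"], plan_action(event["detail"])
    if plan["action"] == "isolate_instance" and plan.get("instance_id"):
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG])
    elif plan["action"] == "disable_access_key" and plan.get("access_key_id"):
        iam.update_access_key(UserName=plan["user_name"], AccessKeyId=plan["access_key_id"],
                              Status="Inactive")
    return {"finding_id": detail["id"], "severity": severity_label(detail["severity"]),
            "route": route(detail["severity"]), **plan}

class RecordingClient:
    """Stand-in for a boto3 client: records calls instead of touching AWS (offline testing)."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))

SAMPLE_EVENT = {  # constructed, shaped like an EventBridge "GuardDuty Finding" event
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"id": "finding-placeholder-0001", "severity": 8,
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
```

In a real deployment the two clients are `boto3.client("ec2")` and `boto3.client("iam")`, and the same `RecordingClient` can back a unit test that runs on every change to the playbook.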
Next Steps
- Take a skills assessment to evaluate your threat detection capabilities
- Explore detection and response skills in the skills library
- Review cloud security certifications on the certificate roadmap
Related Guides in This Series
- Active Directory Security: Attack Paths and Hardening — HADESS | 2026
- AWS ALB Security: TLS, Authentication, and Access Controls — HADESS | 2026
- AWS CloudTrail: Log Analysis and Security Monitoring — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
