AWS GuardDuty

Amazon Web Services

Managed threat-detection service for AWS accounts, workloads, and S3 data.

Tags: Identity, Cloud & Access; Commercial; Platform / Suite; Learning; SaaS


Description

AWS GuardDuty is the AWS-native threat detection service. It continuously analyses CloudTrail management events, VPC Flow Logs, DNS query logs, EKS audit logs, S3 data events and, with the malware-protection add-on, the EBS volumes attached to EC2 instances, emitting findings that carry a severity score, MITRE ATT&CK mappings, and remediation hints.

Finding categories every CySA+ candidate should recognise:

  • Recon (port scans, activity from anonymising IP addresses).
  • UnauthorizedAccess (IAM credential exfiltration, EC2 instance credential exfiltration).
  • CryptoCurrency (Bitcoin mining traffic).
  • Backdoor / Trojan / Behavior (Tor exit nodes, known C2 IPs).

Use cases

  • Continuous baseline detection across AWS accounts
  • Feeding findings into Security Hub / SIEM
  • Auto-remediation via EventBridge + Lambda