Amazon GuardDuty is a threat detection service that helps you protect your accounts, containers, workloads, and the data within your AWS environment. By using machine learning (ML) models and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources to identify and prioritize potential security risks and malicious activities in your environment. For example, GuardDuty detects potential threats such as unusual or suspicious access to secrets, and credential exfiltration when it detects that credentials created exclusively for an Amazon EC2 instance through an instance launch role are being used from another AWS account. For more information, see the Amazon GuardDuty User Guide.
Another example use case for detection is anomalous behavior. For example, if AWS Secrets Manager typically receives create-secret, get-secret-value, describe-secret, and list-secrets calls from an entity using the Java SDK, and then a different entity begins calling batch-get-secret-value and get-secret-value using the AWS CLI from outside of the VPN, GuardDuty can report a finding that the second entity is anomalously invoking APIs. For more information, see GuardDuty IAM finding type CredentialAccess:IAMUser/AnomalousBehavior.
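The following is an added illustration, not code from this guide or from AWS: a simplified baseline-versus-observed check over constructed CloudTrail-style Secrets Manager records that surfaces the same signals the scenario above describes (a principal with no history of calling Secrets Manager, an API or user agent outside a principal's baseline, and a source address outside the expected network range). GuardDuty's own anomaly model is ML-based and proprietary; the principal ARNs, user agents, IP addresses, and the trusted-network range here are all assumed sample values.

```python
import ipaddress
from collections import defaultdict

# Network ranges the baseline entity is expected to call from (assumed VPN range).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def _rec(arn, api, agent, ip):
    # Minimal CloudTrail-style record (constructed sample data, not a real log).
    return {"userIdentity": {"arn": arn}, "eventName": api,
            "userAgent": agent, "sourceIPAddress": ip}

APP = "arn:aws:iam::111122223333:role/app-role"      # placeholder principal
OTHER = "arn:aws:iam::111122223333:user/contractor"  # placeholder principal

# Constructed sample records. CloudTrail names Secrets Manager APIs in PascalCase
# (create-secret -> CreateSecret, batch-get-secret-value -> BatchGetSecretValue).
BASELINE_EVENTS = [_rec(APP, api, "aws-sdk-java/2.20.0", "10.0.1.15")
                   for api in ("CreateSecret", "GetSecretValue", "DescribeSecret", "ListSecrets")]
OBSERVED_EVENTS = [_rec(APP, "GetSecretValue", "aws-sdk-java/2.20.0", "10.0.1.15"),
                   _rec(OTHER, "BatchGetSecretValue", "aws-cli/2.15.0", "203.0.113.7"),
                   _rec(OTHER, "GetSecretValue", "aws-cli/2.15.0", "203.0.113.7")]

def build_baseline(events):
    """Per principal: the set of APIs and user-agent families seen in the learning window."""
    base = defaultdict(lambda: {"apis": set(), "agents": set()})
    for e in events:
        b = base[e["userIdentity"]["arn"]]
        b["apis"].add(e["eventName"])
        b["agents"].add(e["userAgent"].split("/")[0])
    return base

def find_anomalies(events, baseline):
    """Return (principal, api, [reasons]) for each record that departs from the baseline."""
    findings = []
    for e in events:
        arn, api, agent = e["userIdentity"]["arn"], e["eventName"], e["userAgent"].split("/")[0]
        ip = ipaddress.ip_address(e["sourceIPAddress"])
        reasons = []
        if arn not in baseline:
            reasons.append("principal never seen calling Secrets Manager")
        else:
            if api not in baseline[arn]["apis"]:
                reasons.append(f"API {api} not in this principal's baseline")
            if agent not in baseline[arn]["agents"]:
                reasons.append(f"user agent {agent} not in this principal's baseline")
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append(f"source {ip} outside trusted networks")
        if reasons:
            findings.append((arn, api, reasons))
    return findings
```

Running `find_anomalies(OBSERVED_EVENTS, build_baseline(BASELINE_EVENTS))` flags only the two calls from the second principal, each for both an unknown principal and an out-of-range source; the Java SDK call from the known role is left alone.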