Threat Detection: GuardDuty, Macie & Amazon Detective
Difficulty: hard
Overview
AWS threat detection services continuously monitor for malicious activity.
Amazon GuardDuty:
- Managed threat detection analyzing: CloudTrail management events, VPC Flow Logs, DNS logs, S3 data events (optional), EKS audit logs, RDS login activity, Lambda network activity
- NO agents required; fully managed
- Finding format: `ThreatPurpose:ResourceType/FindingType`
Key Finding Types:
| Finding | Meaning |
|---|---|
| UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B | Console login from malicious IP |
| Recon:IAMUser/MaliciousIPCaller | API recon from known malicious IP |
| CryptoCurrency:EC2/BitcoinTool.B | EC2 communicating with crypto mining server |
| Trojan:EC2/DGADomainRequest.C | DNS queries for domains produced by a domain generation algorithm (possible C2) |
| UnauthorizedAccess:EC2/SSHBruteForce | SSH brute-force to EC2 |
| Exfiltration:S3/ObjectRead.Unusual | Unusual S3 data access pattern |
| Policy:IAMUser/RootCredentialUsage | Root account credentials used |
| Discovery:S3/MaliciousIPCaller | S3 API calls from known malicious IP |
| InstanceCredentialExfiltration | Instance credentials used outside EC2 |
Multi-Account GuardDuty (Organizations):
- Designate a GuardDuty administrator account (via Organizations or manual invitation)
- Member accounts are enrolled; findings flow to the administrator account
- Administrator can view/manage all member findings from one console
GuardDuty Suppression Rules:
- Filter out known-benign findings (e.g., penetration test activity)
- Suppressed findings are archived (not alerted); still retained for audit
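As an added example (not code from the page or from AWS), the snippet below parses finding-type strings of the form shown above into their parts (in GuardDuty's naming the `.B` suffix is the detection-mechanism variant and `!DNS` the artifact) and then evaluates a suppression rule, modelled locally on the shape of a GuardDuty filter (`Eq` criteria, action `ARCHIVE`), against constructed sample findings. The filter field names are real GuardDuty filter attributes; the finding ids and IP addresses are constructed for the example.

```python
import re
# GuardDuty naming scheme: ThreatPurpose:ResourceType/ThreatFamily.Mechanism!Artifact
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9]+)(?:\.(?P<mechanism>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)

def parse_finding_type(finding_type: str) -> dict:
    """Split a finding type into its parts; absent optional parts come back as None."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return m.groupdict()
# Suppression rule modelled on a GuardDuty filter (action ARCHIVE, criteria that must
# ALL match). Field names are GuardDuty filter attributes; 203.0.113.10 is a
# constructed tester address from the TEST-NET range, not a real IP.
PENTEST_SUPPRESSION = {
    "action": "ARCHIVE",
    "criteria": {
        "type": {"Eq": ["UnauthorizedAccess:EC2/SSHBruteForce",
                        "Recon:IAMUser/MaliciousIPCaller"]},
        "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4":
            {"Eq": ["203.0.113.10"]},
    },
}

def _lookup(finding: dict, dotted: str):
    node = finding  # walk the dotted path; None if any hop is missing
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node
def is_suppressed(finding: dict, rule: dict) -> bool:
    return all(_lookup(finding, f) in c["Eq"] for f, c in rule["criteria"].items())
def triage(findings: list, rule: dict) -> dict:
    """Return finding ids to alert on versus ids the rule would archive."""
    out = {"alert": [], "archived": []}
    for f in findings:
        out["archived" if is_suppressed(f, rule) else "alert"].append(f["id"])
    return out
def _remote(ip: str) -> dict:  # builds the nested service block of a finding
    return {"action": {"networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": ip}}}}
SAMPLE_FINDINGS = [  # constructed sample findings, not real GuardDuty output
    {"id": "f-1", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "service": _remote("203.0.113.10")},
    {"id": "f-2", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "service": _remote("198.51.100.7")},
    {"id": "f-3", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "service": _remote("203.0.113.10")},
]
```

Note that `f-3` still alerts even though it comes from the tester's address: the rule only archives the finding types the test was expected to trigger, which is how a suppression rule should be scoped so that real mining activity during a test window is not silenced.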
Amazon Macie:
- Discovers and protects sensitive data (PII, PHI, financial) in S3 using ML
- Detects: credit card numbers, SSNs, passport numbers, AWS credentials
- Also identifies: unencrypted buckets, publicly accessible buckets, shared buckets
- Findings sent to Security Hub and EventBridge
Amazon Detective:
- Investigates security findings — does NOT detect (that's GuardDuty)
- Ingests: GuardDuty findings, CloudTrail management events, VPC Flow Logs, EKS audit logs
- Builds a behavior graph of relationships over time (up to a year of data)
- Use: trace the full timeline of an incident, identify affected resources, understand blast radius
Practice Linked Questions
Q1. What are the PRIMARY data sources that Amazon GuardDuty analyzes for threat detection? (Select the most comprehensive answer.)
Q2. GuardDuty generates the finding "CryptoCurrency:EC2/BitcoinTool.B!DNS". What does this finding indicate?
Q3. A company uses AWS Organizations with 30 member accounts. They want centralized GuardDuty management where a security team in a dedicated account can view ALL member findings. What is the CORRECT architecture?
Q4. Amazon Macie is configured to scan S3 buckets. Which type of information can Macie AUTOMATICALLY detect?
Q5. A security analyst receives a GuardDuty high-severity finding. They need to investigate the FULL scope of the incident: which resources were accessed, the sequence of events, network connections, and relationships between entities. Which service provides this investigation capability?
Q6. A security team wants to suppress GuardDuty findings generated during an authorized penetration test. What is the AWS-recommended approach?
Q7. Amazon Detective automatically ingests security data from which sources to build behavioral graphs for investigation? (More than one answer may be correct — Select THREE.)
Q8. Which GuardDuty finding types indicate a POTENTIALLY COMPROMISED IAM credential being misused? (More than one answer may be correct — Select TWO.)