
GuardDuty for threat detection in AWS - Commands & Configuration

Introduction
GuardDuty is a managed threat-detection service that continuously analyzes AWS CloudTrail management events, VPC Flow Logs and DNS query logs for your accounts and workloads. It flags activity such as credential misuse, reconnaissance, command-and-control traffic and known malware, and raises a finding for each so you can investigate and respond quickly.
When you want to automatically detect suspicious activity in your AWS account without manual checks
When you need alerts about possible security threats like unauthorized access or unusual network traffic
When you want to improve your cloud security by continuously monitoring for risks
When you want to protect your data and resources from attacks without setting up complex tools
When you want a simple way to see security findings in one place for quick action
Commands
This command creates a GuardDuty detector in the current Region and turns it on so monitoring starts immediately. GuardDuty is Regional: run it in every Region you use, or findings in the other Regions will never be generated.
Terminal
aws guardduty create-detector --enable
Expected Output
{"DetectorId":"12345678abcd1234efgh5678ijkl9012"}
--enable - Activates the detector immediately; without it the detector exists but stays disabled and produces no findings
This command lists all GuardDuty detectors in your account to confirm GuardDuty is active.
Terminal
aws guardduty list-detectors
Expected Output
{"DetectorIds":["12345678abcd1234efgh5678ijkl9012"]}
This command first collects the IDs of current findings with list-findings, then passes them to get-findings to retrieve full detail for each one. Note two limits: get-findings accepts at most 50 finding IDs per call, so split larger lists into batches, and if there are no findings the inner command prints nothing and the outer command fails on an empty --finding-ids.
Terminal
aws guardduty get-findings --detector-id 12345678abcd1234efgh5678ijkl9012 --finding-ids $(aws guardduty list-findings --detector-id 12345678abcd1234efgh5678ijkl9012 --query 'FindingIds' --output text)
Expected Output
{"Findings":[{"Id":"abcd1234-5678-efgh-9012-ijkl3456mnop","Type":"Recon:EC2/PortProbeUnprotectedPort","Severity":5.0,"Resource":{"InstanceDetails":{"InstanceId":"i-0123456789abcdef0"}},"Description":"Port probe detected on EC2 instance."}]}
--detector-id - Specifies which GuardDuty detector to query
--finding-ids - Specifies which findings to get details for (space-separated, at most 50 per call)
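The commands above stop at raw JSON; the next step is deciding which findings to act on first. The script below is an added example, not code from the original page or from AWS. It takes the `{"Findings": [...]}` document that `aws guardduty get-findings` prints, applies the severity bands GuardDuty documents (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), pulls out the affected resource, and sorts by severity. It also builds the `--finding-criteria` JSON that lets `list-findings` filter by severity server-side, and splits a list of IDs into the 50-ID batches that `get-findings` accepts, skipping the call entirely when the list is empty. The sample findings, IDs and instance names are constructed placeholders.

```python
"""Triage GuardDuty findings from `aws guardduty get-findings` output.

Added example, not part of the original page or of any AWS tooling.
Run it with no arguments to triage the embedded sample, or pipe real
get-findings JSON in on stdin.
"""
import json
import sys

# Constructed sample in the shape get-findings prints. The first entry
# mirrors the page's sample output; the others add other resource types.
# All IDs, key IDs and instance IDs are made-up placeholders.
SAMPLE_GET_FINDINGS = json.dumps({
    "Findings": [
        {"Id": "f-portprobe", "Type": "Recon:EC2/PortProbeUnprotectedPort",
         "Severity": 2.0,
         "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
         "Description": "Port probe detected on EC2 instance."},
        {"Id": "f-exfil",
         "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
         "Severity": 8.0,
         "Resource": {"ResourceType": "AccessKey",
                      "AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLE000000000",
                                           "UserName": "web-instance-role"}}},
        {"Id": "f-c2", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
         "Resource": {"ResourceType": "Instance",
                      "InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}}},
        {"Id": "f-s3", "Type": "Policy:S3/BucketPublicAccessGranted", "Severity": 5.0,
         "Resource": {"ResourceType": "S3Bucket",
                      "S3BucketDetails": [{"Name": "example-logs-bucket"}]}},
    ]
})

# Lower bound of each band GuardDuty documents, checked highest first.
BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 1.0))


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented band name."""
    for label, floor in BANDS:
        if score >= floor:
            return label
    return "Unknown"  # GuardDuty findings carry 1.0-10.0; anything else is malformed


def resource_id(resource):
    """Pick the identifier a responder needs, based on which details block is present."""
    if "InstanceDetails" in resource:
        return resource["InstanceDetails"].get("InstanceId", "?")
    if "AccessKeyDetails" in resource:
        d = resource["AccessKeyDetails"]
        return d.get("UserName") or d.get("AccessKeyId", "?")
    if resource.get("S3BucketDetails"):
        return resource["S3BucketDetails"][0].get("Name", "?")
    return resource.get("ResourceType", "?")


def triage(get_findings_json, min_severity=4.0):
    """Return findings at or above min_severity, most severe first."""
    doc = json.loads(get_findings_json)
    rows = []
    for f in doc.get("Findings", []):
        sev = float(f.get("Severity", 0))
        if sev < min_severity:
            continue
        rows.append({"id": f["Id"], "type": f["Type"], "severity": sev,
                     "label": severity_label(sev),
                     "resource": resource_id(f.get("Resource", {}))})
    rows.sort(key=lambda r: (-r["severity"], r["type"]))
    return rows


def finding_criteria(min_severity):
    """JSON for `list-findings --finding-criteria` so the service filters by severity."""
    return json.dumps({"Criterion": {"severity": {"Gte": int(min_severity)}}})


def batches(finding_ids, size=50):
    """Split IDs into the <=50-ID lists get-findings accepts; empty input means no call."""
    if not finding_ids:
        return []  # never run get-findings with an empty --finding-ids; the CLI rejects it
    return [finding_ids[i:i + size] for i in range(0, len(finding_ids), size)]


def get_findings_commands(detector_id, finding_ids):
    """One get-findings invocation per batch, ready to paste into a shell."""
    return ["aws guardduty get-findings --detector-id %s --finding-ids %s"
            % (detector_id, " ".join(b)) for b in batches(finding_ids)]


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_FINDINGS
    for r in triage(raw):
        print("%-8s %4.1f %-70s %s" % (r["label"], r["severity"], r["type"], r["resource"]))
```

Feed it real output with `aws guardduty get-findings ... | python3 triage.py`; the default threshold of 4.0 drops Low findings such as the port probe in the sample so that the High credential-exfiltration and C2 findings surface first.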
Key Concept

If you remember nothing else from this pattern, remember: GuardDuty automatically watches your AWS environment for threats and alerts you so you can act fast.

Common Mistakes
Not enabling GuardDuty after creating the detector
GuardDuty won't start monitoring or generate findings while the detector is disabled
Always use the --enable flag when creating the detector, or enable it afterwards with aws guardduty update-detector --detector-id <id> --enable
Using wrong detector ID when checking findings
Commands will fail or return no data if the detector ID is incorrect
List detectors first to get the correct detector ID before querying findings
Ignoring findings and not investigating alerts
Threats remain undetected and can cause damage if findings are not reviewed and acted upon
Regularly check GuardDuty findings and respond to alerts promptly
Summary
Create and enable a GuardDuty detector to start threat detection in your AWS account, repeating in every Region you use since detectors are Regional.
List detectors to verify GuardDuty is active and get the detector ID.
Retrieve and review findings to see details about detected security threats.