
Amazon GuardDuty Adds Extended Threat Detection for Amazon EC2 and Amazon ECS


Cloud security is no longer just about perimeter protection or log monitoring – it’s about understanding workload behavior in real time. As attackers become more sophisticated, traditional signal-based detection alone is no longer sufficient. Recognizing this shift, Amazon GuardDuty has introduced Extended Threat Detection for Amazon EC2 and Amazon ECS, significantly enhancing its ability to detect advanced threats closer to where applications actually run.

This enhancement marks a major step forward in AWS’s native threat detection capabilities, offering deeper visibility into compute and container workloads without requiring additional agents or complex integrations.


What Is Amazon GuardDuty?

Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for malicious activity and unauthorized behavior. It analyses multiple data sources, including:

  • AWS CloudTrail events
  • VPC Flow Logs
  • DNS query logs
  • Kubernetes audit logs
  • Runtime behavior signals

Using machine learning, anomaly detection, and threat intelligence, GuardDuty generates security findings that help teams quickly identify and respond to potential threats.

From Log-Based to Workload-Aware Detection

Traditionally, GuardDuty focused on control-plane and network-level signals, such as suspicious API calls, unusual traffic patterns, or known malicious IP addresses. While effective, these signals often lack runtime context – what is actually happening inside EC2 instances or container workloads.

With Extended Threat Detection for EC2 and ECS, GuardDuty moves closer to workload-level intelligence, correlating signals across multiple layers to detect sophisticated attack patterns that might otherwise go unnoticed.

What Is Extended Threat Detection?

Extended Threat Detection enhances GuardDuty’s capabilities by correlating multiple low-level signals into high-confidence findings. Instead of flagging isolated events, GuardDuty now understands attack sequences: how an intrusion unfolds over time.

For example, a single API call or network anomaly might not be alarming on its own. But when combined with runtime behavior such as suspicious process execution or unexpected container activity, GuardDuty can identify complex, multi-stage attacks.

Extended Threat Detection for Amazon EC2

For Amazon EC2, the new capabilities provide deeper insight into host-level behavior. GuardDuty can now detect patterns that indicate compromise or malicious activity within EC2-based workloads.

Key Benefits for EC2

  • Improved detection of compromised instances

Identify EC2 instances that may be running unauthorized processes or exhibiting abnormal behavior.

  • Detection of lateral movement attempts

Spot attackers attempting to pivot from one EC2 instance to others within the environment.

  • Context-aware threat correlation

Combine API activity, network traffic, and runtime signals to reduce false positives.

Example EC2 Threat Scenarios

  • An EC2 instance makes unusual outbound connections after a suspicious login attempt.
  • A workload suddenly starts communicating with known command-and-control endpoints.
  • A previously dormant instance begins scanning internal network resources.

GuardDuty correlates these signals to raise actionable findings, enabling faster investigation and response.
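To make the correlation idea concrete, here is an added toy example (not GuardDuty’s own logic, which is not described on this page) that turns the three constructed EC2 signals above into a single finding only when they form an ordered chain inside a time window; isolated signals are dropped. Instance ids, timestamps and signal names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signals, not real GuardDuty output: (instance_id, timestamp, signal).
SIGNALS = [
    ("i-0aaa", "2024-05-01T10:00:00", "suspicious_login"),
    ("i-0aaa", "2024-05-01T10:04:00", "unusual_outbound"),
    ("i-0bbb", "2024-05-01T10:05:00", "unusual_outbound"),   # isolated, stays noise
    ("i-0ccc", "2024-05-01T09:00:00", "suspicious_login"),
    ("i-0ccc", "2024-05-01T11:30:00", "internal_scan"),      # too far apart in time
    ("i-0aaa", "2024-05-01T10:09:00", "internal_scan"),
]

# Attack stage per signal; a chain must advance through stages in time order.
STAGE = {"suspicious_login": 1, "unusual_outbound": 2, "internal_scan": 3}
WINDOW = timedelta(minutes=30)

def correlate(signals, window=WINDOW, min_stages=2):
    """Return one finding per instance whose signals form an ordered,
    multi-stage chain within `window`; single signals produce nothing."""
    by_instance = defaultdict(list)
    for inst, ts, sig in signals:
        by_instance[inst].append((datetime.fromisoformat(ts), sig))
    findings = []
    for inst, events in by_instance.items():
        events.sort()
        chain = []
        for ts, sig in events:
            # forget chain members that have aged out of the window
            chain = [(t, s) for t, s in chain if ts - t <= window]
            # only a later stage extends the chain; repeats are ignored
            if not chain or STAGE[sig] > STAGE[chain[-1][1]]:
                chain.append((ts, sig))
        stages = [s for _, s in chain]
        if len(stages) >= min_stages:
            findings.append({
                "instance": inst,
                "sequence": stages,
                "confidence": "high" if len(stages) == len(STAGE) else "medium",
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SIGNALS):
        print(finding)
```

Only i-0aaa yields a finding: its three signals occur in stage order within 30 minutes, while i-0bbb has a single signal and i-0ccc’s two signals are separated by more than the window.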

Extended Threat Detection for Amazon ECS

Containerized environments introduce new security challenges due to their dynamic and ephemeral nature. With extended threat detection for Amazon ECS, GuardDuty now understands container-specific behavior and attack patterns.

Key Benefits for ECS

  • Container-aware threat detection

GuardDuty can analyse ECS tasks and container metadata to identify abnormal behavior.

  • Better visibility into runtime attacks

Detect suspicious activity that occurs after a container is successfully deployed.

  • Reduced blind spots in microservices architectures

Correlate events across containers, tasks, and underlying infrastructure.

Example ECS Threat Scenarios

  • A container begins executing commands inconsistent with its intended purpose.
  • An ECS task accesses sensitive resources that it has never accessed before.
  • Suspicious outbound traffic originates from a specific container image.

This level of visibility is critical for modern microservices and DevOps-driven environments.

Security Closer to the Workload

The introduction of extended threat detection addresses several long-standing challenges in cloud security:

  1. Reduced Alert Fatigue

By correlating signals into higher-confidence findings, GuardDuty reduces noisy alerts and helps security teams focus on real threats.

  2. Faster Incident Response

With richer context and clearer attack narratives, teams can investigate and respond more quickly, minimizing potential damage.

  3. No Additional Operational Overhead

The feature is fully managed: no agents to install, no infrastructure to manage, and no complex tuning required.

  4. Stronger Defense Against Advanced Threats

Multi-stage attacks that previously slipped through isolated detections can now be identified earlier in the attack lifecycle.

How This Fits into the AWS Security Ecosystem

Extended Threat Detection integrates seamlessly with existing AWS security services:

  • AWS Security Hub for centralized visibility and compliance tracking
  • Amazon EventBridge for automated remediation workflows
  • AWS Lambda for custom response actions
  • SIEM tools for broader security analytics

This allows organizations to build automated, scalable security operations using native AWS services.
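The EventBridge-to-Lambda path described above, as an added example that is not part of the original post or an AWS sample: an EventBridge event pattern that forwards only high-severity GuardDuty findings about EC2 instances or ECS clusters, and a Lambda handler that maps each finding to a response plan. The `source`, `detail-type`, `severity`, `resourceType` and `instanceDetails.instanceId` fields follow the GuardDuty finding format; the `ecsClusterDetails` field names, the action names and the sample finding are assumptions constructed for this example.

```python
import json

# EventBridge rule pattern (constructed here): only GuardDuty findings about
# EC2 instances or ECS clusters with severity 7 or higher reach the Lambda.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
        "resource": {"resourceType": ["Instance", "ECSCluster"]},
    },
}

def plan_response(event):
    """Map a GuardDuty finding (EventBridge envelope) to a response plan.
    Action names are hypothetical labels a responder would act on, not AWS APIs."""
    detail = event["detail"]
    resource = detail["resource"]
    plan = {"finding_id": detail["id"], "type": detail["type"],
            "severity": detail["severity"], "actions": []}
    if resource.get("resourceType") == "Instance":
        plan["target"] = resource["instanceDetails"]["instanceId"]
        # preserve evidence first, then contain, then notify
        plan["actions"] = ["snapshot_volumes", "apply_isolation_sg", "notify_soc"]
    elif resource.get("resourceType") == "ECSCluster":
        ecs = resource["ecsClusterDetails"]            # assumed field layout
        task_arn = ecs.get("taskDetails", {}).get("arn", "unknown-task")
        plan["target"] = f"{ecs['name']}/{task_arn}"
        plan["actions"] = ["stop_task", "quarantine_image", "notify_soc"]
    else:
        plan["actions"] = ["notify_soc"]
    if detail["severity"] >= 8:
        plan["actions"].insert(0, "page_oncall")
    return plan

def lambda_handler(event, context):
    plan = plan_response(event)
    print(json.dumps(plan))  # a real deployment would forward this to Security Hub or ticketing
    return plan

# Constructed sample finding shaped like the EventBridge envelope (not real data).
SAMPLE_EC2_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "example-finding-id", "severity": 8,
               "type": "Backdoor:EC2/C&CActivity.B",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```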

Who Should Use This Feature?

This enhancement is particularly valuable for:

  • Organizations running business-critical workloads on EC2 or ECS
  • Teams adopting containerized and microservices architectures
  • Security teams looking to reduce reliance on third-party agents
  • Enterprises seeking defense-in-depth using AWS-native tooling

Whether you’re operating a small cloud environment or a large multi-account architecture, extended threat detection improves your security posture with minimal effort.

Defending Cloud Identities

With the addition of Extended Threat Detection for Amazon EC2 and Amazon ECS, Amazon GuardDuty takes a significant step toward runtime-aware cloud security. By correlating multiple signals across infrastructure, network, and workload layers, GuardDuty delivers deeper insights, fewer false positives, and faster threat detection.

As cloud environments continue to grow in scale and complexity, security solutions must evolve beyond isolated alerts. This enhancement reinforces GuardDuty’s position as a powerful, intelligent, and easy-to-use threat detection service, helping organizations stay ahead of increasingly sophisticated attacks.



WRITTEN BY Nitin Kamble

Nitin Kamble is a Subject Matter Expert and Champion AAI at CloudThat, specializing in Cloud Computing, AI/ML, and Data Engineering. With over 21 years of experience in the Tech Industry, he has trained more than 10,000 professionals and students to upskill in cutting-edge technologies like AWS, Azure and Databricks. Known for simplifying complex concepts, delivering hands-on labs, and sharing real-world industry use cases, Nitin brings deep technical expertise and practical insight to every learning experience. His passion for bike riding and road trips fuels his dynamic and adventurous approach to learning and development, making every session both engaging and impactful.
