AWS, Cloud Computing

4 Mins Read

EKS Container Protection with Amazon GuardDuty

Introduction to AWS GuardDuty

Amazon GuardDuty is a Threat Detection service offered by AWS that allows us to continuously monitor and protect our AWS accounts, workloads, and data stored in Amazon Simple Storage Service (Amazon S3). With GuardDuty, continuous metadata streams from AWS CloudTrail Events, Amazon Virtual Private Cloud (VPC) Flow Logs, and domain name system (DNS) Logs are analyzed. GuardDuty also incorporates integrated threat intelligence such as known malicious IP addresses, anomaly detection, and machine learning (ML) for enhanced threat detection and identification.

AWS GuardDuty makes it easy for us to continuously monitor our AWS accounts, workloads, and valuable data. Without worrying about performance or availability issues with GuardDuty as it operates independently of your resources. It is a fully managed threat intelligence, anomaly detection, and machine learning service. Amazon GuardDuty also delivers detailed, actionable alerts integrated with event management and workflow systems, and, unlike other threat intelligence feeds, no additional software to deploy or subscription fees are required to analyze events. There are no upfront costs.

Working of GuardDuty

The Amazon GuardDuty service was developed specifically for the cloud and optimized for it. In collaboration with industry-leading third-party security partners, we have developed a database of possible vulnerabilities and the patterns that each one presents. In addition to identifying possible threats in your IT infrastructure, this tool also classifies their severity levels.

Therefore, you can create a wide range of custom rules and your list of known malicious IP addresses. With Amazon GuardDuty, you can create your own custom automated functions based on CloudWatch Events, CLI tools, and HTTPS APIs.



GuardDuty offers three severity levels to help you determine what action to take for each alert. Let’s take a closer look at this in a moment

  • Severity Low: The severity of the threat is low because it has already been removed or blocked before compromising any resources.
  • Severity Medium: This level of severity indicates suspicious activity, such as an increase in traffic directed specifically toward bitcoin-related domains.
  • Severity High: indicates that the resource has been fully exploited.

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

AWS Guard Duty UseCases

  • Protects your EC2 Instances

AWS GuardDuty detects when your Ec2 Servers are compromised and being accessed unintentionally in a malicious way.

  • Malware Scanning

Scan Amazon Elastic Block Store (EBS) for files that might have malware creating suspicious behavior on the instance and container workloads running on Amazon Elastic Compute Cloud (EC2). Scan for malware in EBS volumes creating skeptical behavior on instances or container workloads running in EC2 and EKS.

  • Access Compromised

if your AWS credentials are used suspiciously, such as from IP addresses associated with known malicious actors, or in a way differing from their expected behavior, you will be notified.

  • Data Breach

recognize suspicious accesses to your Amazon S3 buckets, such as when a large number of objects are retrieved from an unusual location or when an IP address associated with a known malicious actor accesses the S3 bucket.

Protecting Amazon EKS Clusters

For increased protection AWS GuardDuty has extended its support for containers against potential threats to container workloads. It continuously monitors cluster activity in Amazon Elastic Kubernetes Service (Amazon EKS). To keep track of control plane activity, Amazon GuardDuty for EKS Protection examines Kubernetes audit logs from both new and existing Amazon EKS clusters in your accounts. Due to GuardDuty’s integration with Amazon EKS, you are not required to enable or store the Kubernetes audit logs for it to have direct access to them. GuardDuty creates a security finding after a threat is identified that contains container information such as the pod ID, container image ID, and associated tags. analyzes audit logs and optimizes costs by processing only events that are used for security analysis. EKS audit logs are charged per 1 million audit logs per month, are prorated, and are discounted with volume.

GuardDuty for EKS Protection offers 27 new GuardDuty finding types at launch, which can aid in the detection of threats related to user and application behavior captured in Kubernetes audit logs. Amazon EKS clusters that are accessed by known malicious actors or from Tor nodes, API operations carried out by anonymous users that might point to a misconfiguration, and misconfigurations that can lead to unauthorized access to Amazon EKS clusters are just a few of the recently added Kubernetes threat detections. GuardDuty can also spot trends that are compatible with privilege-escalation strategies using machine learning (ML) models, such as the suspicious launch of a container with root access to the underlying Amazon Elastic Compute Cloud (Amazon EC2) host. For a comprehensive list of all new detections, see Amazon GuardDuty Findings Types.


Amazon GuardDuty is an amazing threat detection service powered by ML that enables us to monitor and analyze our AWS account, workloads, Containers EC2 instances, S3 buckets, EBS volumes, and many other services. The best part is it can be seamlessly integrated with other AWS Services and provides threat detection and action call based on the level of severity.

I hope you find the blog helpful and want to explore it more. I recommend having your hands dirty and experimenting with the offered templates to modify your environment if you are just starting with AWS GuardDuty. Click on The Getting Hands-on with Amazon GuardDuty workshop

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Amazon GuardDuty and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.


1. What is the cost associated with AWS GuardDuty?

ANS: – There is no upfront cost associated with GuardDuty, and in the supported regions we get a free 30-day full-access trial of the service to test if it’s a good fit or not. Once the trial period is over the price is calculated based on the volume of data analyzed and scanned for malware detection. Amazon GuardDuty calculates an estimated cost based on what you would have paid in the absence of the free trial.

2. Can we manage multiple Accounts with Amazon GaurdDuty?

ANS: – Yes, since Amazon GaurdDuty supports AWS organizations, we may link numerous accounts to it and monitor them. However, in these situations, we must choose one account to serve as the administrator account.

3. Can we customize GuardDuty based on trusted IPs?

ANS: – By enabling GuardDuty to halt alerts for trusted IPs from your own trusted IP lists and alert on known malicious IPs from your threat lists, you can personalize this monitoring scope. Only traffic headed for publicly routable IP addresses is affected by trusted IP lists and threat lists. All VPC Flow Log and CloudTrail discoveries are affected by a list, but DNS finds are excluded.

WRITTEN BY Shivani Gandhi

Shivani Gandhi is a Research Associate (Kubernetes) at CloudThat technologies. She holds a master's degree in Computer Application. She is passionate about cloud computing and has a strong urge to learn new cloud-native technologies. She has experience in GCP & AWS and enjoys leveraging clients with efficient cloud-based solutions. She is adaptive, a good team player, and enjoys reading.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!