Amazon GuardDuty Explained: Ultimate 2025 Deep Dive into Architecture, Detections & Playbooks

Amazon GuardDuty is AWS’s managed threat detection service that continuously monitors activity across your AWS accounts and workloads for malicious or unauthorized behavior. In this post, I’ll walk you through GuardDuty’s architecture, detection types, the latest 2025 updates (like custom threat entity lists), how to operationalize detections with automation, cost considerations, and a practical SOC playbook.

This isn’t just theory. It’s a practical guide you can use today, whether you’re new to GuardDuty or looking to level up your AWS security practice.

How GuardDuty Works — Architecture & Telemetry

GuardDuty consumes, analyzes, and cross-correlates data from multiple AWS telemetry sources:

• CloudTrail — management and data events for unusual API activity.
• VPC Flow Logs — detect reconnaissance and lateral movement.
• DNS / Route 53 logs — flag suspicious domain queries.
• S3 Malware Protection — scans for malicious files in S3.
• EKS & container telemetry — detect suspicious behavior inside clusters.

Detection sources:

• Threat intelligence feeds (AWS + third-party).
• ML-based anomaly detection.
• Rule-based detections for known bad IPs/domains.
• New (2025): custom entity lists for domain/IP threat intel you provide

Example Detection Types

• UnauthorizedAccess:IAMUser/ConsoleLogin — suspicious login attempts.
• Recon:EC2/PortProbeUnprotectedPort — scanning of EC2 instances.
• Persistence:IAMUser/CredentialExfiltration — stolen IAM credentials.
• S3:ObjectMalware — malware in uploaded S3 files.
• Crypto:EC2/BitcoinMined — crypto-mining detected on EC2.

Each finding includes severity, impacted resources, and recommended remediation.

What’s New in 2025

1. Custom Threat Entity Lists

Now you can upload lists of domains and IPs. GuardDuty will trigger findings if your AWS resources interact with them. Perfect for feeding in your SOC’s intelligence or vendor-provided IOCs.

2. Protection Plans / Extended Threat Detection

AWS now offers curated detection sets for different workloads. Instead of enabling everything, you can choose a tailored plan aligned with your workload type.

3. Malware Protection for S3 (Free Tier Note)

The one-year free tier for Malware Protection for S3 (introduced June 2024) applies only for new accounts starting from that date. Always check if your account qualifies.

Hands-On: Enable GuardDuty & Automate Responses

Enable GuardDuty (single account)

For orgs, enable at the management account level and onboard all members.

Example: Auto-Notify on High-Severity Findings

• EventBridge rule filters findings with severity >= 7.
• Lambda sends Slack/Teams alerts.

Lambda handler:

Cost Model (Simplified Example)

Pricing is usage-based (per GB of telemetry analyzed + add-ons like Malware Protection).

Example monthly bill:

• 2,000 GB VPC Flow Logs + 1,000 GB DNS logs = 3,000 GB total.
• First 500 GB @ $1.00 = $500.
• Next 2,000 GB @ $0.50 = $1,000.
• Final 500 GB @ $0.25 = $125.
• Total ≈ $1,625/month.

Tips:

• Aggregate at org-level to avoid double counting.
• Filter logs carefully, but don’t sacrifice detection fidelity.

Operational Best Practices

1. Centralize GuardDuty in the management account.
2. Tune findings — don’t ignore false positives, adjust filters.
3. Ingest threat intel with custom entity lists.
4. Automate response (key rotation, EC2 quarantine).
5. Enrich context — forward findings to Security Hub or SIEM.

Incident Response Playbook (Quick Flow)

1. Detection: GuardDuty finding triggers.
2. Triage: Investigate with CloudTrail + VPC Flow Logs.
3. Contain: Isolate compromised resources.
4. Eradicate: Patch, rotate keys, close backdoors.
5. Recover: Restore from known-good state.
6. Lessons: Update playbooks & detection rules.

Limitations

• Coverage depends on enabled telemetry.
• Findings need SOC processes to avoid alert fatigue.
• Costs scale with telemetry size.

Conclusion

GuardDuty delivers AWS-native threat detection at scale, without the operational burden of building ML pipelines yourself. With the 2025 updates (custom entity lists, protection plans) it’s more flexible and useful than ever.

Use it as your AWS SOC’s “eyes and ears,” then integrate with automation for rapid containment.

References

• AWS GuardDuty docs: https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
• GuardDuty product page: https://aws.amazon.com/guardduty/
• GuardDuty pricing: https://aws.amazon.com/guardduty/pricing/
• AWS blog: Custom entity lists announcement
• YouTube: Amazon GuardDuty — Deep dive