AWS GuardDuty Reviews

Protect your accounts, data, and assets across diverse AWS computing environments, encompassing Amazon Elastic Compute Cloud (Amazon EC2), serverless operations, and container workloads, including those utilizing AWS Fargate.

AWS GuardDuty enhances organizational security by providing automated threat detection, easy integration with other AWS services, centralized monitoring of security findings, cost-effective security, and scalability. 

The product has automated protection powered by ML, which is now far more powerful than before. It uses ML in its detection algorithm, providing fast and quick results.

If someone attempts to attack our tools, especially through brute force attacks, we receive notifications. This applies even if such attempts originate from within our teams, engaging in malicious activities.

AWS GuardDuty's integration with other AWS services, such as email addresses and support IDs helps our team members to stay informed about the activities in the account and the necessary actions to take when it triggers an alert.

It has been instrumental in identifying issues, particularly instances where EC2 instances had their ports (e.g., 22 and 3389) exposed publicly. This has helped us stay vigilant against potential attacks, and the severity classification allows us to prioritize addressing critical issues.

AWS GuardDuty has introduced several new features, including malware protection and continuous monitoring.

There is currently no insightful dashboard for AWS GuardDuty. It would be helpful if they could provide a dashboard based on severity levels (high, medium, low) and offer insights account-wise.

I have been using the product for two years. 

I rate the product's stability a nine out of ten. 

GuardDuty's scalability is beneficial for organizations with dynamic and growing cloud environments. It can handle increased data volumes, adapt to changes in network traffic, and effectively analyze logs from various AWS sources. The service is designed to maintain its effectiveness as your AWS deployment scales up, making it suitable for both small and large organizations.

The technical support is good. If I create any ticket, they reach out to us through chat or call, and they are available for support within a few minutes. I think that's great support from the AWS team.

Positive

The tool's initial deployment is easy. Anyone can do it, and it can be accomplished with just one click.

80 percent of the customers are using AWS GuardDuty, and we recommend it due to its low cost, especially for small customers, ranging from five to ten dollars a month. In our policies, we enforce the usage of this service, making it a recommended practice for security.

The responsibility also lies with the customer. We obtain written confirmation from them, stating that if they choose not to use it, they accept responsibility for any potential attacks. In such cases, we refrain from enabling it, and any financial repercussions resulting from incidents are their own accountability.

I rate the overall product a nine out of ten. Within our organization policy, AWS GuardDuty is designated as a mandatory service. Its utilization proves beneficial in the event of an intrusion into the account or servers. With AWS GuardDuty in place, you can promptly identify a compromised server, account, or user, enabling us to take necessary actions.

I mainly use GuardDuty to check user responses, collect logs, and collect data on who logs in and out and their permission and authorization. 

Prior to using GuardDuty, we had multiple systems to collect data and put it in a centralized location so we could look into it. Now we don't need to do that anymore as GuardDuty does it for us.

The most valuable features are the single system for data collection and the alert mechanisms.

An improvement would be to have a mobile version where remote workers can log in and monitor and fix issues. In the next release, I'd like Amazon to add a pane to visualize all seven layers of security.

I've been using GuardDuty for two to three years.

GuardDuty's stability is really good - we never see outages or falls in networking or BPC connections.

GuardDuty is really scalable, which is helping us to upscale our environment to the cloud. I really appreciate the scalability measures that Amazon is providing to all its customers.

We've had enormous support from the Amazon support team.

Positive

Previously, I used GCT.

GuardDuty is set up through a one-touch system, so the process was simple.

We used the AWS team to do our workload, publishing, and so on, so it took about a quarter of the time it would have otherwise.

We use a pay-as-you-use license, which is competitively priced in the market.

I'd rate GuardDuty as nine out of ten.

GuardDuty is predominantly used to find anomalies, particularly security anomalies when trying to probe a hosted public cloud service. For example, we work with Zuora, and have many public services running at AWS, and our concern is external parties. So, if a hacker or an attacker tries to probe our systems, Amazon GuardDuty tries to find anomalies or any vulnerabilities within our systems.

GuardDuty takes multiple sources of logs. In AWS, we have several logging services like AWS CloudTrail and VPC Flow Logs. VPC Flow Logs involve incoming and outgoing traffic from the internet, so if someone tries to get into a system or access one of our publicly hosted AWS, we are able to get that traffic via VPC Flow Logs. AWS CloudTrail is within the public cloud infrastructure, and AWS-specific API calls are involved. So, if someone tries to do some API activity specific to AWS within the infrastructure, this will be a source. These are multiple sources of logs that Amazon GuardDuty consumes as input to analyze the traffic for any security anomalies. So, based on these sources, the solution helps us report findings if security anomalies occur in our systems from the internet or within the cloud infra, cloud account, or AWS account.

AWS is account-specific, and last year, I believe AWS included something related to Kubernetes monitoring or Kubernetes Logs. So if we use EKS within the Kubernetes service and an anomaly occurs, some anomaly traffic is seen in the Kubernetes cluster, and it will be able to identify. That is a good feature they recently added in testable APIs.

Amazon GuardDuty could be better enriched in threat intelligence data. An internal AWS threat intelligence team works 24 hours to enrich customers. That service could be leveraged if there is any new attack, new security vulnerability, or exploitation. Day-to-day hackers find new vulnerabilities, so Amazon GuardDuty should be up to date and help customers find issues.

Kubernetes Logs was missing but is now included. The solution covers most incoming sources in an S3 bucket, storage level, public internet traffic, the cloud infrastructure, the AWS account, and multiple accounts in Kubernetes. So there aren't any missing pieces with Amazon GuardDuty, especially from a monitoring perspective.

Another valuable feature is the delegation service. Even if there are hundreds of accounts, some part of the account is for security, some for DevOps, and some for developers. Certain accounts are assigned within AWS. For example, for Amazon GuardDuty, a master account of the administrator assigns Amazon GuardDuty's administration and full access to our secure account. Once the delegation is done, we work with the tool, the findings, and what it reports to then validate the findings. So, in this situation case, AWS has efficient features.

We have been using this solution for three years. 

It is a stable solution, especially if you compare it to Azure or GCP, so we don't have any complaints about the stability. Other solutions have similar features, but we don't know how enriched those features are.

We have around five people on the security team, and it is very small. However, for large companies like Google or Microsoft that invest a large number of resources, they may have about 50 to 75 people on their team.

Another useful feature is the ability for Amazon GuardDuty to manage hundreds of accounts. There is usually a master account, and the remaining 99 accounts are member accounts. So if you push an order via the master account everything takes place in those 99 member accounts. Most companies don't want to give people access to the master account even to their operations, DevOps, infrastructure or development teams.

With Amazon GuardDuty, most of the tools have a delegation feature. So, from the master account, the administrator can delegate administrator access to a security account. So on our security team, we have our account in AWS, which is part of the master account. Under the master account, the administrator will give us access as a delegated administrator. Once the administrator delegates the security account, our five people team takes care of all the tasks around the solution. 

We have full access to configuring, monitoring and automation. The administrator can delegate the DevOps tool or service and the AWS office to the DevOps team account. So the DevOps team can take care of building automation, managing, and administering that particular service around the DevOps service. So, in this case, Amazon GuardDuty is delegated to our security account, and we manage it completely.

Scalability is good. Companies will usually run across multiple accounts in AWS, and their resources run about a hundred accounts. However, one of the past companies I absolved ran close to a thousand accounts, and in that situation, the Amazon GuardDuty scalability factor was important. 

Also, suppose a company is not leveraging AWS Organization which is very rare, AWS still provides risk APIs or their SD case, where a developer can write a script or automation to deploy seamlessly within a short time. Our security team predominantly uses Amazon GuardDuty. The cybersecurity team monitors the anomalies that occur using Amazon GuardDuty.

The technical support is great. I've contacted AWS support multiple times, and they've resolved the query. They have three technical support features, namely chat support, phone support, and web support, where we can raise a query, and they reply to us. Most of the time, we leverage the phone call feature, and once we input our concerns for the queries, they'll reach out to us over the phone and share a chime link screen sharing service. They try to understand our problems and the areas of concern and provide a solution.

The only concern is that it takes some time to assign someone when we reach out for technical support via phone service. It takes at least 45 minutes to get connected, and time is spent on hold waiting for someone to join from AWS.

Deployment does not take long if it is an account-specific or AWS organization level. My company has around a hundred AWS accounts, so deploying across a hundred AWS accounts was pretty easy. AWS also provides AWS Organization, where one account acts as a master, and the rest of the 19 accounts are member accounts under this master. So once you give an order to the master, you can invoke Amazon GuardDuty across all the accounts. So deployment is great, and we didn't face any big challenges.

I rate this solution an eight out of ten. Amazon GuardDuty is a very good service, and we are not planning to change it any time soon.

Regarding advice, it would be good to have data events for Amazon GuardDuty and Kubernetes for monitoring. Data events mean you have an S3 bucket for storing objects or files, and if someone tries to access or monitor those files, API calls will occur, and those transactions will be monitored. So until you enable the data event feature within the Amazon GuardDuty, if someone makes a call at the object or file level, it is something we might miss. Also, there are certain features that are not enabled by default on Amazon GuardDuty.

It's a malware detection service. It's an intelligent malware and security event detection service from AWS.

The out-of-band malware detection from the EBS volumes. It's really cool. No agents or anything needed, it automatically finds and correlates based on malware.

Cost changes. It's very expensive. If you turn on every feature, it's more than most commercial vendors. For smaller orgs, that doesn't make sense.

I have been using it for two years now. It is an offering in the AWS. 

It is a stable product. 

My company have five to six admins using this solution. 

The initial setup was easy. It was a one-click deployment.

For smaller organizations, it is not expensive. 

If you have a large organization or already have similar tools, it might not be necessary. But for most, GuardDuty is the go-to.

For me, I still use GuardDuty. I see a lot of good correlations built up by AWS support.

Don't add all the features at once. Go step-by-step, or you'll end up with a very high cost and turn off the system.

It can get very expensive. If you turn on every feature, it can turn into hundreds of thousands of dollars.

Overall, I would rate the solution an eight out of ten. 

We are only using it for a client's requirements; we are simply building it and selling it to the client.

Amazon GuardDuty is used on private infrastructure for our clients. The application is not publicly accessible; it is hosted internally.

GuardDuty has been used to set the CloudWatch alarms. Assume that both scans are detected, or something similar, we have just enabled CloudWatch alarms for those use cases so that any such use case is detected. The alert will be triggered, and we have configured and integrated Amazon GuardDuty with all of the other seven accounts to have the central HPU.

The correlation back end is the solution's most valuable feature. Like in the backend, it is collecting all the data, which I think is pretty interesting, and coordinating everything, which is another good thing.

While sending the alerts to the email, they are not being patched. we have to do the patching and mapping manually. If GuardDuty could include a feature to do this automatically, it will make our job easier. That is something I believe can be improved.

For example, suppose you want to know when an alert is sent to your mailbox. The information is in JSON format. It would be helpful if that could be sent to the mailbox in a human-readable format.

I believe it can be improved in a variety of ways. If we can build our own use cases instead of using Microsoft Sentinel alone, that would be ideal.

I have been using Amazon GuardDuty for two to three years.

I have used it for the last 12 months.

Amazon GuardDuty is a stable product.

Amazon GuardDuty is scalable.

We have not had any issues that required us to contact the GuardDuty AWS vendor. It's straightforward and effective.

The initial setup is straightforward. We simply click on the app, and that's it.

The deployment can be done in a few minutes. We don't have to spend a lot of time there. It will take some time, to integrate everything one by one, which is why we did it manually, otherwise everything else was straightforward.

Pricing is determined by the number of events sent. It's fine, and it's not a problem from our perspective.

My recommendation is to go for the master setup that will be beneficial to you.

There are some limitations where we cannot modify use cases to meet our needs; we must do additional work, such as setting up CloudWatch alarms and SNS, and things are not patched. There are some restrictions. I'll just suggest that you have some skilled resources with patching knowledge.

It's good, I would rate Amazon GuardDuty a seven out of ten.

AWS GuardDuty is a monitoring solution. The product helps us in threat monitoring. It notifies us of illegitimate users or any other cyber attack scenarios.

The solution is easy to use. It is very tightly integrated. The insights provided by the tool are very informative. It is easy to work on the alerts created by the tool. It gives us more details on different scenarios. The product is doing well compared to other solutions.

It would be great if the solution had some automation capabilities. It should provide auto-remediation and threat handling with automation.

I have been using the solution since 2019.

I rate the product’s stability a nine out of ten.

I rate the tool’s scalability an eight out of ten. The product is scalable, but it needs a manual intervention. More than 100 people are using the solution in our organization.

The support is always great. The support team is pretty quick. Once we raise a concern, the team jumps into a call and resolves the issues. It hardly takes 15 to 20 minutes.

The initial setup is very simple.

We deployed the solution ourselves. We do not need help from a third-party vendor.

I rate the pricing a seven out of ten. The price of the solution is exactly right. It is neither high nor low. It is a pay-as-you-go model. The more number of accounts we integrate, the more the price will increase.

The product is unique to AWS. I would recommend the solution to others. Overall, I rate the product a ten out of ten.

I use AWS GuardDuty to monitor my AWS environment for potential security threats. It analyzes data from various sources like CloudTrail logs and VPC Flow Logs to detect malicious activity. GuardDuty provides insights into potential threats, categorizing them by severity levels, helping me prioritize and respond effectively. 

As I explore AWS GuardDuty, I find its features helpful for spotting threats in my AWS setup. With anomaly detection, active threat monitoring, and set correlation, GuardDuty alerts me to any unusual user behavior or traffic patterns right away, which is great for staying on top of potential security risks. While I'm still new to using it and haven't faced many threats yet, I see how GuardDuty is crucial for beefing up my AWS security by catching and dealing with vulnerabilities early on.

One improvement I would suggest for AWS GuardDuty is the ability to assign findings to specific users or groups, facilitating better communication and follow-up actions. It would be beneficial to have a knowledge bank where past findings and actions taken are stored, aiding in handling repeat incidents and providing historical precedence for new team members.

I have been using AWS GuardDuty for a year.

AWS GuardDuty is stable and responsive. I haven't encountered any glitches or stability issues, and the analytics are quick and reliable.

As a very small business in its initial stage, I find AWS GuardDuty to be scalable for our needs.

The tech support for AWS GuardDuty is good. The documentation and support resources available are clear and comprehensive, making it easy to set up and configure. I would rate it around nine out of ten.

Positive

GuardDuty is intuitive to use and the setup process is simple. There is not much complex configuration involved, which makes it easy to get started. Deploying AWS GuardDuty is straightforward with just a few steps, and it is all done within your AWS cloud account. As for maintenance, it is easy and there haven't been any issues or challenges.

The pricing and licensing for AWS GuardDuty are transparent and predictable, which I appreciate. While some may find it expensive at larger scales, for our small business, it is manageable and in line with expectations. AWS's pay-as-you-go model ensures we only pay for what we use, which is beneficial for budgeting.

GuardDuty helps by flagging unexpected or potentially unauthorized activity in my AWS environment. For instance, it alerts me when there is an API call from an unfamiliar IP address, which might indicate a security threat. However, in some cases, these alerts might be triggered by legitimate actions, such as employees working remotely from different locations using VPNs.

I find the anomaly detection and continuous monitoring features of AWS GuardDuty very effective. They give me peace of mind knowing that AWS is actively looking out for any abnormal behavior or traffic in my environment. In the past, for on-premises setups, I relied on different network tools for this, but in the cloud, GuardDuty takes care of it, sparing me from manual tasks like checking VPC logs. 

Integrating AWS GuardDuty with third-party tools seems straightforward, although I haven't done it yet myself. From what I have seen, getting GuardDuty data into AWS Security Hub appears to be a simple process, allowing for centralized security monitoring across multiple accounts. I'm considering enabling it and trying it out, especially since AWS offers a 30-day trial for Security Hub.

Overall, I would rate AWS GuardDuty as a ten out of ten.

We use the tool for threat detection. AWS includes AI features as well. AWS GuardDuty gives us reports. 

AWS GuardDuty needs to be more customer-oriented. 

I have been working with the tool for three years. 

The tool is stable. 

AWS GuardDuty is scalable. We used the tool bi-weekly. 

I have not contacted customer support yet. 

The tool's setup is easy. You don't need any additional learning or resources to do it. You just need to enable AWS GuardDuty. The tool's deployment got completed in two to three minutes. 

The tool has no subscription charges. 

AWS GuardDuty is automated and gives alerts whenever there is an intrusion. AWS has a SMS service and you can get notifications through it if you subscribe. We have not encountered any performance issues. I would rate the tool a nine out of ten.