What is Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes activity in your AWS environment. It ingests foundational data sources automatically — including AWS CloudTrail management events, VPC flow logs, and DNS logs — and applies threat intelligence feeds and machine learning models to identify suspicious or potentially malicious activity. No manual configuration is required for GuardDuty to begin analyzing these sources once it is enabled.
GuardDuty detects a range of threats, including compromised AWS credentials, unauthorized cryptomining activity in EC2 instances and container workloads, malware in EC2 instances and S3 buckets, and anomalous login patterns in RDS and Aurora databases. When a threat is detected, GuardDuty generates a security finding with details about the affected resource, enabling rapid investigation and response.
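To see what GuardDuty is actually doing in an account, the script below (an added example, not part of this page or of AWS's own tooling) checks the region's detector status and summarises Medium-and-above findings by severity band and affected resource, the same fields a responder reads first. It assumes boto3 with working AWS credentials for the live `audit()` call; the helper functions and the constructed sample findings run offline.

```python
from collections import Counter
# GuardDuty severity bands (1.0-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0+ Critical).
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low")]

def severity_label(severity):
    """Map a finding's numeric Severity to its band name."""
    return next((label for floor, label in SEVERITY_BANDS if severity >= floor), "Unknown")

def affected_resource(finding):
    """Return (resource type, identifier) for the resource the finding is about."""
    res = finding.get("Resource", {})
    rtype = res.get("ResourceType", "Unknown")
    if rtype == "Instance":
        return rtype, res["InstanceDetails"]["InstanceId"]
    if rtype == "AccessKey":
        keys = res["AccessKeyDetails"]
        return rtype, keys.get("UserName") or keys["AccessKeyId"]
    if rtype == "S3Bucket":
        return rtype, res["S3BucketDetails"][0]["Name"]
    return rtype, finding.get("Id", "?")  # other resource types: fall back to the finding id

def summarise(findings):
    """Count findings per severity band and list (band, type, resource type, id) rows for triage."""
    rows = [(severity_label(f["Severity"]), f["Type"]) + affected_resource(f) for f in findings]
    return Counter(r[0] for r in rows), rows

# Constructed sample findings in the shape of a GetFindings response, for offline use.
SAMPLE_FINDINGS = [
    {"Id": "f1", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
    {"Id": "f2", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 5.0,
     "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"AccessKeyId": "AKIAEXAMPLE", "UserName": "alice"}}},
]

def audit(region="us-east-1"):
    """Live check: is the region's detector ENABLED, and which Medium+ findings are open?"""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors()["DetectorIds"]
    if not ids:
        print(f"No GuardDuty detector in {region}: the service is not enabled here")
        return
    print("detector", ids[0], gd.get_detector(DetectorId=ids[0])["Status"])  # ENABLED or DISABLED
    criteria = {"Criterion": {"severity": {"Gte": 4}}}  # Medium and above
    fids = gd.list_findings(DetectorId=ids[0], FindingCriteria=criteria)["FindingIds"][:50]
    found = gd.get_findings(DetectorId=ids[0], FindingIds=fids)["Findings"] if fids else []
    counts, rows = summarise(found)
    print("findings by severity:", dict(counts))
    for row in rows:
        print(*row)
```

Run `audit()` in each region you use; GuardDuty detectors are regional, so an enabled account can still have a region with no detector.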
Why GuardDuty is Enabled on Your Account
GuardDuty is enabled by default on all new accounts. We enable it automatically at account creation; no action is required on your part. The charge you see reflects active monitoring of your account’s AWS environment.
GuardDuty is a required service for all accounts. We use GuardDuty to provide proactive security alerts across the research computing environment. When GuardDuty detects a potential threat in your account, our team is notified and can respond quickly, before issues escalate. This protects both your research data and the broader platform.
GuardDuty reflects cloud security best practices. Continuous threat monitoring is a standard requirement for secure cloud environments and is recommended by AWS as a foundational security control. Enabling GuardDuty across all accounts ensures a consistent security baseline and supports compliance with institutional and regulatory requirements.