< ciso
brief />
Tag Banner

All news with #aws guardduty tag

26 articles

GuardDuty Runtime adds sensitive file modification detection

๐Ÿ›ก๏ธ Amazon GuardDuty Runtime Monitoring now includes three new threat detections to alert teams when sensitive files are modified on Amazon EC2 instances and container workloads on Amazon EKS and Amazon ECS. These findings monitor critical system files such as configuration files, authentication settings, and system logs to surface post-compromise activity. The detections map to MITRE ATT&CKยฎ tactics and provide remediation guidance while using correlation analysis to reduce false positives. The capability is available to customers with GuardDuty Runtime Monitoring enabled, with a 30-day trial for new users.
read more โ†’

AI-powered investigations preview for Amazon GuardDuty

๐Ÿ›ก๏ธ AWS previewed AI-powered investigations in Amazon GuardDuty to automate analysis of findings and reduce manual investigation time. The capability uses knowledge graphs and threat intelligence to examine 90 days of related activity, affected resources, and indicators, delivering disposition assessments with confidence scores, MITRE ATT&CK classifications, evidence, and remediation recommendations. Available in preview in 10 regions and accessible via the GuardDuty console, CLI, API, or AWS' MCP Server.
read more โ†’

Accelerating AWS security investigations with Kiro CLI

๐Ÿ” This post shows how Kiro CLI, an AI-powered command line assistant, speeds AWS security investigations by proposing, explaining, and optionally executing AWS CLI commands while documenting each step. It demonstrates a GuardDuty-driven investigation following the AWS Security Incident Response Guide: triage, EC2 and IAM assessment, CloudTrail analysis, containment, and remediation. The walkthrough highlights benefits like faster triage, automated CloudTrail queries, and guided remediation, while advising human validation and forensic preservation.
read more โ†’

Operationalizing AWS security: a maturity roadmap

๐Ÿ”’ This post outlines a practical, phased maturity roadmap for organizations that have enabled AWS Security Hub and Amazon GuardDuty. It emphasizes moving from enabled tooling to operational security practices by assessing current state, tuning signal quality, routing findings, automating safe remediations, and establishing a recurring operational cadence. Each phase includes goals, timelines, deliverables, and decision criteria to measure progress and reduce alert fatigue.
read more โ†’

Introducing the AWS Customer Incident Response Team

๐Ÿ”’ The AWS Customer Incident Response Team (CIRT) is a 24/7 global team that helps customers during active security events affecting the customer side of the Shared Responsibility Model. The team analyzes AWS service logs and the control plane using sources like AWS CloudTrail, VPC Flow Logs, and GuardDuty, provides triage and containment guidance, and recommends follow-up actions. AWS also publishes tools, workshops, and the Threat Technique Catalog for AWS (TTC) to help customers prepare and detect recurring tactics and techniques.
read more โ†’

GuardDuty malware scanning for S3 continuous backups

๐Ÿ›ก๏ธ Amazon GuardDuty Malware Protection for AWS Backup now supports Amazon S3 continuous backups, enabling malware scanning across your continuous backup timeline. You can enable full or incremental scans within your backup plan and run on-demand scans up to any restorable point in time. The new GetPITRMalwareScanResults API lets you query scan status at a specific point in time to confirm a clean recovery point. Support is available in all Regions where GuardDuty Malware Protection for AWS Backup is offered, and you can enable it via the AWS Backup console, API, or CLI.
read more โ†’

Automating identity lifecycle with AWS Directory APIs

๐Ÿ”’ AWS Managed Microsoft AD now supports CRUD operations on users and groups through the Directory Service Data APIs, accessible via the AWS CLI, APIs, and Management Console. This enables automation of identity lifecycle management and tighter security controls by integrating with services like Amazon GuardDuty, AWS Step Functions, and Amazon EventBridge. The blog demonstrates a practical workflow that detects unusual AD user behavior and triggers automated remediation such as disabling accounts and notifying stakeholders.
read more โ†’

Preventing Unauthorized AWS Organizations Account Removal

๐Ÿ”’ The AWS Customer Incident Response Team describes a tactic where attackers use credentials with the organizations:LeaveOrganization permission to remove a member account from an AWS Organization, bypassing inherited safeguards such as Service Control Policies and centralized management. After removal, the account is disentangled from consolidated billing, organization-wide CloudTrail trails, and delegated GuardDuty findings, reducing visibility. The post urges deploying the DenyLeaveOrganizationSCP, enforcing least privilege, securing root users with MFA and centralized root management, and updating detection and response workflows to monitor related CloudTrail events.
read more โ†’

Detecting and Preventing Crypto Mining in AWS Environments

๐Ÿ”Ž Amazon GuardDuty provides specialized detections and runtime monitoring to identify and mitigate cryptocurrency mining in AWS. It analyzes VPC Flow Logs, DNS queries, CloudTrail events, and workload telemetry to surface findings such as CryptoCurrency:Runtime/BitcoinTool.B and Impact:Runtime/CryptoMinerExecuted. Enable GuardDuty across accounts and Regions and combine it with patching, least-privilege access, and preventive controls to reduce risk.
read more โ†’

AWS Security Hub Now Available in GovCloud US Regions

๐Ÿ”’ AWS Security Hub is now available in the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions. Security Hub offers a unified cloud security posture by correlating and enriching signals from Amazon GuardDuty, Amazon Inspector, and Security Hub CSPM to prioritize active risks. The service delivers nearโ€‘realโ€‘time risk analytics, exposure findings, automated response workflows, attack path visualization, and centralized organization-wide deployment with streamlined pricing for improved cost predictability.
read more โ†’

Getting Started with Security Response Automation on AWS

๐Ÿ›ก๏ธ AWS outlines core concepts and a hands-on walkthrough for implementing security response automation to detect and remediate threats across AWS environments. The post maps automation to the NIST Cybersecurity Framework and demonstrates a CloudFormation deployment using EventBridge, Lambda, GuardDuty, and Security Hub to automatically restart CloudTrail and notify operators. It also highlights the Automated Security Response library, testing guidance, and cost and cleanup considerations.
read more โ†’

Real-Time Malware Defense with AWS Network Firewall

๐Ÿ›ก๏ธAWS describes an automated active threat defense that translates MadPot honeypot intelligence into AWS Network Firewall protections within 30 minutes. The offering integrates with Amazon GuardDuty to surface detections while Network Firewall enforces multi-layered blocks across DNS, HTTP host headers, TLS SNI, and direct IP connections. Using a Swiss cheese model, it stacks inspection points so that if one layer is bypassed, others still interrupt reconnaissance, malware downloads, and C2 communications.
read more โ†’

AWS unveils AI-driven security enhancements at re:Invent

๐Ÿ”’ AWS announced a suite of AI- and automation-driven security features at re:Invent 2025 designed to shift cloud protection from reactive response to proactive prevention. AWS Security Agent and agentic incident response add continuous code review and automated investigations, while ML enhancements in GuardDuty and near real-time analytics in Security Hub improve multi-stage threat detection. Agent-centric IAM tools, including policy autopilot and private sign-in routes, streamline permissions and enforce granular, zero-trust access for agents and workloads.
read more โ†’

AWS Security Hub Adds Near Real-Time Risk Analytics

๐Ÿ”’ AWS announces general availability of AWS Security Hub, adding near real-time risk analytics, advanced trends, unified enablement, and streamlined pricing across AWS security services. Security Hub correlates and enriches signals from Amazon GuardDuty, Amazon Inspector, and AWS Security Hub CSPM to surface and prioritize active risks. Centralized deployment across AWS Organizations, attack-path visualization, and automated workflows reduce manual correlation and speed remediation at scale.
read more โ†’

AWS GuardDuty extends threat detection for EC2 and ECS

๐Ÿ” AWS announced an update to GuardDuty Extended Threat Detection that adds multistage attack detection for Amazon EC2 instances and Amazon ECS clusters running on Fargate or EC2. The release introduces two critical findings โ€” AttackSequence:EC2/CompromisedInstanceGroup and AttackSequence:ECS/CompromisedCluster โ€” that group related events into a single, high-priority alert. Findings include a summary, event timeline, MITRE ATT&CK mappings, and remediation guidance to speed response. Runtime Monitoring must be enabled for full coverage, and customers can try the feature free for 30 days.
read more โ†’

Amazon GuardDuty Malware Protection for AWS Backup

๐Ÿ”’ Amazon announced GuardDuty Malware Protection for AWS Backup, extending malware detection to backups of Amazon EC2 instances, Amazon EBS volumes, and Amazon S3 objects. The capability automatically scans new backups, supports on-demand scans of existing backups, and can identify the last known clean backup to reduce recovery impact. It offers incremental scanning to analyze only changed data between backups, lowering costs versus full rescans, and can be enabled even if GuardDuty foundational data sources are not active. The feature is available in supported Regions and accessible via the AWS Backup console, API, or CLI.
read more โ†’

AWS Transfer Family Terraform Module Adds Malware Scanning

๐Ÿ›ก๏ธ AWS has updated the Transfer Family Terraform module to support automated malware scanning workflows for files transferred to S3. The module provisions GuardDuty S3 Protectionโ€“based scan pipelines, dynamic routing based on results, and threat notifications in a single deployment. It preserves folder structure, allows granular S3 prefix targeting, and helps ensure only verified clean files reach applications and data lakes.
read more โ†’

Planning and Running an AWS Security Hub POC Guide

๐Ÿ”’ This post explains how to plan and implement an AWS Security Hub proof of concept (POC) to evaluate unified cloud security operations. It outlines steps to define success criteria, configure integrations with GuardDuty, Amazon Inspector, Macie, and Security Hub CSPM, and to prepare, enable, and validate the deployment. The guidance recommends using overlapping trial periods, adopting the OCSF standard for normalized findings, and leveraging automation and ticketing integrations to measure operational impact.
read more โ†’

Optimize Security Operations with AWS Incident Response

๐Ÿ”’ AWS Security Incident Response provides an AWS-native incident management capability that combines automated triage, threat intelligence, and customer metadata to surface and prioritize genuine threats. The service integrates with Amazon GuardDuty, AWS Security Hub, and select third-party detections, and offers a unified console with 24/7 access to the AWS Customer Incident Response Team (CIRT). It supports delegated administration, organization-wide coverage, and immutable case timelines. Included with Amazon Managed Services (AMS), it accelerates investigation and containment to reduce mean time to resolution.
read more โ†’

Amazon GuardDuty Protection Plans and Threat Detection

๐Ÿ” Amazon GuardDuty centralizes continuous threat detection across AWS using AI/ML and integrated threat intelligence. It offers optional protection plansโ€”S3, EKS, Runtime Monitoring, Malware Protection for EC2 and S3, RDS, and Lambdaโ€”that extend detections to service-specific telemetry and runtime behaviors. Built-in Extended Threat Detection correlates signals into high-confidence attack sequences and maps findings to MITRE ATT&CK, providing prioritized remediation guidance.
read more โ†’