GuardDuty Revision Guide
AWS Security Specialty · Domain 1 Detection

Amazon GuardDuty + Extended Threat Detection

An interactive study guide built for fast revision, concept clarity, and exam recall. This page is designed to help you remember what GuardDuty sees, what each protection plan adds, how finding severity works, and how Extended Threat Detection connects weak signals into attack sequences.


1) Core idea you must remember

Think of GuardDuty as AWS-native threat detection. It does not block, patch, or remediate by itself. It detects suspicious behavior and raises findings.

What GuardDuty does

  • Analyzes AWS telemetry for signs of compromise.
  • Detects credential misuse, suspicious API behavior, crypto mining, malicious network communication, reconnaissance, and service-specific threats.
  • Raises findings with severity so you can triage faster.

What GuardDuty does not do

  • It does not act like a firewall.
  • It does not auto-remediate by default.
  • It does not replace incident response or forensics.

Exam shortcut: GuardDuty detects. EventBridge, Lambda, Step Functions, isolation playbooks, and investigators respond.

Foundational data sources that GuardDuty analyzes automatically

Source | What it helps detect | Exam memory hook
CloudTrail management events | API abuse, credential misuse, unusual control plane behavior | Who did what in the account?
VPC Flow Logs | Network anomalies, suspicious connections, crypto mining, command-and-control traffic | Who talked to whom?
Route 53 Resolver DNS query logs | Calls to suspicious or malicious domains | What names are being resolved?

Fast recall

If the exam asks which telemetry GuardDuty starts with by default, the answer is always this trio:

CloudTrail · VPC Flow Logs · Route 53 DNS

2) Protection plans and what each one adds

Foundational detection is broad. Protection plans give GuardDuty deeper, service-specific visibility.

Protection plan | What it monitors | Key exam point
S3 Protection | S3 object-level API activity through CloudTrail data events | Not access logs; think object API actions.
Lambda Protection | Lambda network activity | Focus on network behavior, not code scanning.
RDS Protection | RDS login activity | Designed for anomalous login behavior.
EKS Protection | Kubernetes audit logs / control plane activity | Control plane visibility.
Runtime Monitoring | OS and runtime events like file access, process execution, network connections | Agent-based deep visibility.
Malware Protection for EC2 | Agentless malware scans of EBS volumes | Triggered when malware-related findings occur, and can also be on-demand.
Malware Protection for S3 | Scans newly uploaded objects in configured buckets | Can be used independently.

Common confusion: foundational vs runtime

Foundational detection

Uses CloudTrail management events, VPC Flow Logs, and Route 53 Resolver DNS query logs. Good for control plane, network, and DNS-level suspicious activity.

Runtime Monitoring

Looks much deeper into what the workload is doing: files touched, processes started, command line activity, and runtime connections. This is where OS-level visibility lives.

Exam shortcut: If a question mentions processes, file access, command lines, or OS-level events, think Runtime Monitoring.

Best-practice pairing for EKS

For stronger EKS coverage, enable both:

  • EKS Protection for audit logs and control plane actions.
  • Runtime Monitoring for container and node-level behavior.

Exam shortcut: EKS audit logs alone are not full workload visibility. Runtime alone is not full control plane visibility. Together they give better coverage.

3) Finding criticality and what to do next

This is one of the most exam-relevant topics. Learn the numeric ranges, the meaning of each severity level, and the recommended response priority.

Critical · 9.0 - 10.0

Attack sequence may be in progress or just happened

A critical severity finding means one or more AWS resources may already be compromised or are actively being compromised. Examples include IAM sign-in credentials or S3 buckets that appear involved in a larger attack sequence.

  • Usually tied to high-confidence, multi-stage compromise.
  • Often indicates escalation risk and urgent business impact.
  • GuardDuty recommends you prioritize triage and remediation immediately.
  • These issues can be part of ransomware progression and can escalate quickly.

Think like the exam: Critical means potential ransomware path, attack progression, or recent successful compromise. Treat it first.

High · 7.0 - 8.9

Resource is likely compromised and actively misused

A high severity finding means the resource, such as an EC2 instance or IAM credentials, is compromised and currently being used for unauthorized purposes.

  • Immediate remediation is recommended.
  • Examples: isolate or clean the EC2 instance, terminate it if needed, rotate IAM credentials.
  • The situation is serious, but the finding is about the impacted resource rather than a full correlated attack sequence.

Medium · 4.0 - 6.9

Suspicious behavior that may indicate compromise

Medium severity means the activity is abnormal and worth investigating. It may be legitimate for your environment, or it may be the early sign of compromise.

  • Check if a legitimate user installed software or changed behavior.
  • Check if security groups or other control plane settings changed.
  • Run anti-malware or host inspection on the resource when appropriate.
  • Review attached IAM permissions and rotate credentials if needed.
  • If you cannot confirm the behavior is authorized, treat the resource as compromised.

Exam mindset: Medium does not mean safe. It means investigate and confirm whether it matches normal business behavior.

Low · 1.0 - 3.9

Attempted suspicious activity, but no compromise

Low severity usually means GuardDuty saw attempted suspicious behavior that did not successfully compromise your environment, such as a port scan or a failed intrusion attempt.

  • No immediate remediation is usually required.
  • Still useful as a reconnaissance signal.
  • Can matter later if it becomes part of a larger pattern.

How to think about severity on the exam

Severity | Meaning in plain language | Typical action priority
Critical | Active or very recent multi-stage compromise may be happening now. | Immediate triage and remediation.
High | A resource is likely compromised and being misused. | Immediate action.
Medium | Something abnormal is happening and could be compromise. | Investigate quickly and verify legitimacy.
Low | Suspicious attempt or reconnaissance without successful compromise. | Monitor, document, correlate.

Must-remember rules

Attack sequence findings are Critical.

If the question mentions Extended Threat Detection correlating multiple signals into an attack sequence, expect the finding to be Critical severity.

High usually means the resource is actively being used without authorization.

Medium means confirm whether the behavior is normal before you downgrade concern.

4) Extended Threat Detection

This is GuardDuty’s correlation engine. Instead of looking at a single event in isolation, it connects multiple signals across services and time.

What it is designed to find

  • Multi-stage attacks that span data sources, resource types, and time.
  • Correlated behaviors rather than single isolated anomalies.
  • Attack sequences that may involve IAM, EC2, EKS, ECS, or S3-related compromise patterns.

Memory hook: Standard GuardDuty finds suspicious events. Extended Threat Detection finds the story those events tell together.

Weak signals

A weak signal is an activity that may look harmless by itself, but becomes suspicious when combined with other actions.

  • One unusual API call may not trigger a major finding.
  • Several related actions across time can reveal reconnaissance, privilege escalation, or data compromise.

Exam shortcut: Weak signal alone may not matter. Weak signals + findings + time correlation = attack sequence.

24-hour rolling time window

Extended Threat Detection uses a rolling time window to identify sequences of activity that suggest an in-progress or recent attack. This matters because sophisticated attacks do not always happen in one moment.

  1. Reconnaissance: suspicious listing or discovery actions.
  2. Access or privilege change: credentials or permissions shift in a risky way.
  3. Impact: resource misuse, data access, or workload abuse appears.

Scope reminder

Extended Threat Detection correlates signals within a single AWS account. It does not correlate activity across multiple AWS accounts or across an AWS Organization as one combined attack graph.

Exam shortcut: Organizations help centralize management and visibility, but Extended Threat Detection still evaluates each account independently.

Suppression rule impact

Archived findings created by suppression rules are not considered in attack sequence correlation.

That means noisy suppression rules can hide signals that might have helped identify a bigger attack pattern.
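To make the three rules in this section concrete (the 24-hour rolling window, correlation scoped to one account, and archived findings being ignored), here is a small Python model of weak-signal correlation. It is an added illustration written for this guide, not GuardDuty's own algorithm or AWS code: the stage names (recon, access, impact), the account IDs, the principals and the timestamps are all constructed, and the "sequence" rule is simply that every stage appears for one account and one principal inside a single 24-hour window.

```python
"""Toy correlation of weak signals into an attack sequence.

Added illustration of three rules from the revision guide: the 24-hour
rolling window, correlation scoped to a single AWS account, and archived
(suppressed) findings being excluded. Simplified model for the guide,
not GuardDuty's real algorithm; all sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)             # rolling window from the guide
STAGES = ("recon", "access", "impact")   # assumed toy stages (section 4)


@dataclass(frozen=True)
class Signal:
    account: str            # AWS account the signal was raised in
    principal: str          # IAM principal the signal concerns
    stage: str              # one of STAGES
    time: datetime
    archived: bool = False  # True if a suppression rule archived the finding


def correlate(signals):
    """Return attack sequences as (account, principal, [signals]) tuples.

    A sequence is reported when, for one account and one principal, live
    signals covering every stage in STAGES fall inside one 24-hour window.
    Archived signals are dropped first, mirroring the rule that suppressed
    findings are never considered for correlation.
    """
    live = sorted((s for s in signals if not s.archived), key=lambda s: s.time)
    sequences = []
    # Group per (account, principal): correlation never crosses accounts.
    for key in sorted({(s.account, s.principal) for s in live}):
        chain = [s for s in live if (s.account, s.principal) == key]
        for anchor in chain:                    # slide the window start
            in_window = [s for s in chain
                         if anchor.time <= s.time <= anchor.time + WINDOW]
            if all(st in {s.stage for s in in_window} for st in STAGES):
                sequences.append((key[0], key[1], in_window))
                break                           # report once per key
    return sequences


def sequence_keys(signals):
    """Convenience wrapper: just the (account, principal) pairs flagged."""
    return [(acct, principal) for acct, principal, _ in correlate(signals)]


T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # constructed start time

SAMPLE_SIGNALS = [
    # Account 1111...: recon -> access -> impact inside six hours: a sequence.
    Signal("111111111111", "role/app-deployer", "recon", T0),
    Signal("111111111111", "role/app-deployer", "access", T0 + timedelta(hours=2)),
    Signal("111111111111", "role/app-deployer", "impact", T0 + timedelta(hours=6)),
    # Account 2222...: impact arrives 30 hours after recon: outside the window.
    Signal("222222222222", "user/ci-bot", "recon", T0),
    Signal("222222222222", "user/ci-bot", "access", T0 + timedelta(hours=1)),
    Signal("222222222222", "user/ci-bot", "impact", T0 + timedelta(hours=30)),
    # Account 3333...: the access signal was archived by a suppression rule,
    # so the middle of the story is missing and no sequence forms.
    Signal("333333333333", "user/analyst", "recon", T0),
    Signal("333333333333", "user/analyst", "access", T0 + timedelta(hours=1), archived=True),
    Signal("333333333333", "user/analyst", "impact", T0 + timedelta(hours=3)),
    # Accounts 4444... and 5555... together cover all stages, but signals from
    # different accounts are never combined into one sequence.
    Signal("444444444444", "role/shared", "recon", T0),
    Signal("444444444444", "role/shared", "access", T0 + timedelta(hours=1)),
    Signal("555555555555", "role/shared", "impact", T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for acct, principal, hits in correlate(SAMPLE_SIGNALS):
        print(acct, principal, [s.stage for s in hits])
```

Only the first account produces a sequence. The third account is the exam point about suppression rules: the archived access signal would have completed the chain, and dropping it hides the pattern.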

5) Response, investigation, and exports

GuardDuty alerts. Your automation and investigation tooling does the rest.

Automation pattern

  1. GuardDuty generates a finding.
  2. Amazon EventBridge matches the finding event.
  3. Lambda, Step Functions, SNS, or other targets start the response flow.

Exam trap: The exam does not expect GuardDuty to invoke Lambda directly. EventBridge is the routing service you should think of.
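The following Python ties the severity bands from section 3 to the EventBridge-to-Lambda pattern above. It is an added example for this guide, not AWS sample code. The event envelope follows the shape EventBridge uses for a GuardDuty finding (source "aws.guardduty", detail-type "GuardDuty Finding", the finding JSON under "detail") and the rule pattern uses EventBridge's real numeric-matching syntax, but the finding IDs, account ID, severity values and trimmed "detail" bodies are constructed, and the handler returns a triage decision rather than calling any AWS API so it runs offline. The finding type strings in the sample events are real GuardDuty finding types.

```python
"""Route GuardDuty findings delivered through EventBridge by severity band.

Added example for the revision guide, not AWS code. Sample events are
constructed to follow the EventBridge envelope for a GuardDuty finding;
IDs, account, severities and the trimmed "detail" body are made up.
"""

# Event pattern a defender would attach to an EventBridge rule: only
# GuardDuty findings, and only the High and Critical bands (severity >= 7).
# {"numeric": [...]} is EventBridge's numeric matching syntax.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7.0]}]},
}


def severity_band(score):
    """Map a numeric severity to the band in the guide's table."""
    if not 1.0 <= score <= 10.0:
        raise ValueError(f"severity {score} outside GuardDuty's 1.0-10.0 range")
    if score >= 9.0:
        return "Critical"   # 9.0 - 10.0
    if score >= 7.0:
        return "High"       # 7.0 - 8.9
    if score >= 4.0:
        return "Medium"     # 4.0 - 6.9
    return "Low"            # 1.0 - 3.9


def matches(pattern, event):
    """Evaluate the subset of EventBridge pattern syntax used in RULE_PATTERN:
    a list of literals matches if the field equals any of them, a nested dict
    recurses, and {"numeric": [op, n]} compares numerically. Other operators
    (prefix, exists, two-sided ranges) are not modelled."""
    ops = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
           "=": lambda a, b: a == b}
    for key, expected in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(expected, dict):
            if not (isinstance(value, dict) and matches(expected, value)):
                return False
            continue
        hit = False
        for alt in expected:
            if isinstance(alt, dict) and "numeric" in alt:
                op, n = alt["numeric"]
                hit = isinstance(value, (int, float)) and ops[op](value, n)
            else:
                hit = value == alt
            if hit:
                break
        if not hit:
            return False
    return True


def decide_response(event):
    """Lambda-style handler body: the triage decision for one finding event.
    Attack sequences and any Critical finding are escalated at once; High
    gets containment matched to the resource (isolate EC2, rotate IAM keys);
    Medium is investigated; Low is logged for later correlation."""
    finding = event["detail"]
    band = severity_band(finding["severity"])
    ftype = finding["type"]
    resource_type = finding.get("resource", {}).get("resourceType", "Unknown")
    if ftype.startswith("AttackSequence:") or band == "Critical":
        action = "page-oncall-and-start-ir"
    elif band == "High":
        action = {"Instance": "isolate-instance",
                  "AccessKey": "rotate-credentials"}.get(resource_type, "contain-resource")
    elif band == "Medium":
        action = "open-investigation"
    else:
        action = "log-and-correlate"
    return {"finding_id": finding["id"], "type": ftype, "band": band,
            "matched_rule": matches(RULE_PATTERN, event), "action": action}


def lambda_handler(event, context):
    """Entry point if this module were deployed as the EventBridge rule target."""
    return decide_response(event)


def make_event(finding_id, ftype, severity, resource_type):
    """Build a constructed EventBridge envelope carrying a trimmed finding."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "account": "111111111111",             # constructed account ID
        "region": "us-east-1",
        "detail": {"id": finding_id, "type": ftype, "severity": severity,
                   "accountId": "111111111111",
                   "resource": {"resourceType": resource_type}},
    }


# Finding type strings are real GuardDuty types; severities and resource
# types here are constructed for the example.
SAMPLE_EVENTS = [
    make_event("f-1", "AttackSequence:IAM/CompromisedCredentials", 9.5, "AccessKey"),
    make_event("f-2", "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", 8.0, "AccessKey"),
    make_event("f-3", "CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0, "Instance"),
    make_event("f-4", "Behavior:EC2/NetworkPortUnusual", 5.0, "Instance"),
    make_event("f-5", "Recon:EC2/PortProbeUnprotectedPort", 2.0, "Instance"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(decide_response(ev))
```

The rule pattern only forwards High and Critical findings to the target; the Medium and Low samples report matched_rule False, which is the trade-off to remember when deciding what your automation should see versus what stays in the console for manual triage.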

Investigation tool

Use Amazon Detective to investigate GuardDuty findings and perform deeper root cause analysis.

  • Good for timeline reconstruction.
  • Good for following entities and relationships.
  • Useful after triage to understand blast radius.

Configuration setup to remember

  • GuardDuty is enabled per Region.
  • For multi-account environments, use AWS Organizations with a delegated administrator.
  • Enable the protection plans you actually need, such as S3 Protection, EKS Protection, Runtime Monitoring, Lambda Protection, or RDS Protection.
  • Centralized administration helps operations, but Extended Threat Detection still correlates activity only inside one account.

Multi-account management

In AWS Organizations, the recommended pattern is to use a delegated GuardDuty administrator account for centralized management across member accounts.

Finding export

GuardDuty findings can be exported to Amazon S3 in near real time and encrypted with AWS KMS.

  • Helps with longer retention.
  • Useful for SIEM ingestion.
  • Useful for centralized analysis workflows.
