End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Enable Amazon GuardDuty Protection Features (Informational)

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that recommended Amazon GuardDuty protection features are enabled in order to protect your AWS cloud environment and infrastructure (AWS accounts and resources, IAM credentials, guest Operating Systems, applications, etc.) against security threats. Amazon GuardDuty is a managed threat detection service that continuously monitors your VPC flow logs, AWS CloudTrail event logs, and DNS logs for malicious or unauthorized behavior. The AWS service monitors for activity such as unusual API calls, potentially compromised EC2 instances, or potentially unauthorized deployments that indicate a possible AWS account compromise. Amazon GuardDuty operates entirely on Amazon Web Services infrastructure and does not affect the performance or reliability of your applications. GuardDuty does not require any software agents, sensors, or network appliances. Amazon GuardDuty uses threat intelligence feeds, such as lists of malicious IPs or domains, and advanced machine learning algorithms to identify unexpected, potentially unauthorized, and malicious activity within your AWS cloud environment. For example, the service can detect when an EC2 instance might be compromised due to traffic from a known set of malicious IP addresses. Once the compromised EC2 instance is detected, you can take immediate action to restrict outbound traffic for that instance, which stops data loss until a security engineer can assess exactly what has occurred. Amazon GuardDuty can also detect unauthorized infrastructure deployments, such as EC2 instances deployed in an AWS region that has never been used before, or unusual API calls, such as an IAM user password policy change that reduces the password strength. Ultimately, GuardDuty can detect compromised instances used by malicious individuals for cryptocurrency mining and serving malware.

Trend Cloud One™ – Conformity recommends enabling the following Amazon GuardDuty protection features for comprehensive security coverage:

  1. S3 Protection:
    - Description: monitors Amazon S3 data events, such as "GetObject" and "ListObjects", and configuration changes captured in AWS CloudTrail for suspicious activity. It detects unauthorized data access, attempts to delete or exfiltrate data, and suspicious bucket policy changes.
    - Benefits: S3 often holds your most sensitive data and backups. You must know immediately if an attacker gains unauthorized access or attempts data exfiltration.
  2. Malware Protection for EC2:
    - Description: provides agentless scanning of Amazon EBS volumes attached to your EC2 instances and container workloads. It is automatically triggered when GuardDuty detects unusual behavior (anomalies) that suggests a potential compromise.
    - Benefits: this is your last line of defense against malware, rootkits, and crypto-miners infecting your compute resources. It operates without impacting instance performance, ensuring continuous threat validation for running workloads.
  3. Malware Protection for S3:
    - Description: scans newly uploaded objects in your S3 buckets for malware, viruses, and trojans using continuously updated threat intelligence. When malware is found, it can automatically tag the object to enable orchestrated quarantine and remediation.
    - Benefits: prevents your data lake or application backends from becoming a malware distribution source. Files uploaded from untrusted external sources or compromised clients pose a significant risk that must be neutralized at ingestion.
  4. Malware Protection for AWS Backup:
    - Description: scans AWS Backup recovery points (backups of EC2/EBS and S3 data) for malware. It ensures that the data you intend to restore is clean and uncompromised.
    - Benefits: ensures your backups are clean recovery points and prevents the restoration of a compromised system. Scanning backups before they are restored prevents accidental malware re-infection upon restoration.
  5. EKS Protection:
    - Description: monitors your Amazon EKS clusters by analyzing Kubernetes audit logs and, optionally, uses a managed security agent for runtime monitoring of container and host process activity. It focuses on container-specific threats like privilege escalation and container escapes.
    - Benefits: containers introduce a unique attack surface that standard logs miss, so you need specialized detection for container escapes and suspicious process execution. It secures your modern, distributed Kubernetes applications against targeted container attacks.
  6. Lambda Protection:
    - Description: provides serverless-specific threat detection by analyzing network, file access, and execution activity within your AWS Lambda function runtimes. This is done using an AWS-managed sensor without modifying your function code.
    - Benefits: Lambda functions are API endpoints and backends that attackers can compromise. This feature detects malicious outbound connections or file access in the ephemeral environment. It extends security visibility to your entirely serverless architectures, closing a critical security gap.
  7. RDS Protection:
    - Description: profiles and analyzes login activity for your Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition) and Amazon RDS for PostgreSQL. It uses machine learning to detect suspicious login patterns, such as brute-force attacks or logins from a never-before-seen malicious IP.
    - Benefits: database credentials are a high-value target for attackers. You must have continuous monitoring for compromised database access. This provides agentless, high-fidelity alerts specifically for threats against your most valuable relational data.
  8. Runtime Monitoring:
    - Description: this is the underlying capability that allows GuardDuty to see inside the running environments of your compute services like Amazon EKS, Amazon EC2, and Amazon ECS (including AWS Fargate). It analyzes process activity, file access, and system calls within the runtime environment using lightweight, AWS-managed sensors.
    - Benefits: runtime monitoring provides the deep visibility needed to detect threats after initial access. It catches sophisticated attacks like container escapes or unexpected code execution that traditional log analysis misses.
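The list above names the features to enable but not how to verify them against a detector. The script below is an added example, not Conformity's own check logic: it audits a GuardDuty detector's reported features against the recommended set and builds the `update_detector()` request that would close the gaps. It assumes the boto3 GuardDuty client calls `list_detectors`, `get_detector`, `update_detector` and `list_malware_protection_plans`, and the detector feature names that API uses (`S3_DATA_EVENTS`, `EBS_MALWARE_PROTECTION`, `EKS_AUDIT_LOGS`, `LAMBDA_NETWORK_LOGS`, `RDS_LOGIN_EVENTS`, `RUNTIME_MONITORING` with its agent-management `AdditionalConfiguration`). Malware Protection for S3 is handled as a per-bucket protection plan rather than a detector feature; Malware Protection for AWS Backup is not modelled because its API is not described on this page. The sample detector response is constructed, not captured from a real account.

```python
"""Audit a GuardDuty detector against the recommended protection features.

Added example (not Conformity's code). Assumes the boto3 GuardDuty API names
listed in the lead-in; boto3 is only imported inside audit_region() so the
evaluation functions run offline.
"""

# Feature name used on the page -> detector-level feature name in the API.
DETECTOR_FEATURES = {
    "S3 Protection": "S3_DATA_EVENTS",
    "Malware Protection for EC2": "EBS_MALWARE_PROTECTION",
    "EKS Protection": "EKS_AUDIT_LOGS",
    "Lambda Protection": "LAMBDA_NETWORK_LOGS",
    "RDS Protection": "RDS_LOGIN_EVENTS",
    "Runtime Monitoring": "RUNTIME_MONITORING",
}

# Runtime Monitoring only covers EKS, ECS Fargate and EC2 once the AWS-managed
# agents are deployed; these AdditionalConfiguration names turn that on.
RUNTIME_AGENT_CONFIG = [
    "EKS_ADDON_MANAGEMENT",
    "ECS_FARGATE_AGENT_MANAGEMENT",
    "EC2_AGENT_MANAGEMENT",
]

# Constructed get_detector() response for a partially configured detector.
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": "EBS_MALWARE_PROTECTION", "Status": "DISABLED"},
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
             {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "DISABLED"},
         ]},
    ],
}


def feature_status(detector):
    """Map each recommended feature to ENABLED, DISABLED or MISSING.

    MISSING means the detector never reported the feature; the audit treats
    it exactly like DISABLED.
    """
    reported = {f["Name"]: f.get("Status", "DISABLED")
                for f in detector.get("Features", [])}
    return {page: reported.get(api, "MISSING")
            for page, api in DETECTOR_FEATURES.items()}


def runtime_agent_gaps(detector):
    """AdditionalConfiguration names under RUNTIME_MONITORING that are not ENABLED."""
    for f in detector.get("Features", []):
        if f["Name"] == "RUNTIME_MONITORING":
            enabled = {c["Name"] for c in f.get("AdditionalConfiguration", [])
                       if c.get("Status") == "ENABLED"}
            return [n for n in RUNTIME_AGENT_CONFIG if n not in enabled]
    return list(RUNTIME_AGENT_CONFIG)


def findings(detector):
    """Readable gap list, in the order the page lists the features."""
    if detector.get("Status") != "ENABLED":
        return ["GuardDuty detector is not enabled"]
    out = [f"{name} is {status}" for name, status in feature_status(detector).items()
           if status != "ENABLED"]
    out += [f"Runtime Monitoring agent management {c} is not enabled"
            for c in runtime_agent_gaps(detector)]
    return out


def build_update_request(detector_id, detector):
    """Kwargs for update_detector() that would close every gap, or None if compliant."""
    features = [{"Name": DETECTOR_FEATURES[page], "Status": "ENABLED"}
                for page, status in feature_status(detector).items()
                if status != "ENABLED"]
    gaps = runtime_agent_gaps(detector)
    if gaps:
        # A single RUNTIME_MONITORING entry must carry the agent configuration.
        features = [f for f in features if f["Name"] != "RUNTIME_MONITORING"]
        features.append({"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
                         "AdditionalConfiguration":
                             [{"Name": c, "Status": "ENABLED"} for c in gaps]})
    return {"DetectorId": detector_id, "Features": features} if features else None


def audit_region(region, apply=False):
    """Run the audit against a live account (needs boto3 and AWS credentials)."""
    import boto3

    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors().get("DetectorIds", [])
    if not ids:
        return ["No GuardDuty detector in this region"]
    detector = gd.get_detector(DetectorId=ids[0])
    result = findings(detector)
    # Malware Protection for S3 is a per-bucket protection plan, not a feature.
    if not gd.list_malware_protection_plans().get("MalwareProtectionPlans"):
        result.append("Malware Protection for S3: no protection plans configured")
    req = build_update_request(ids[0], detector)
    if apply and req:
        gd.update_detector(**req)
    return result


if __name__ == "__main__":
    for line in findings(SAMPLE_DETECTOR):
        print(line)
    print(build_update_request("example-detector-id", SAMPLE_DETECTOR))
```

Run it without arguments to see the gaps in the constructed sample; `audit_region("us-east-1", apply=True)` performs the same check against a real detector and enables whatever is missing. Treating a never-reported feature as MISSING rather than silently passing matters: a detector created before a feature existed may not list it at all.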

This rule can help you work with the AWS Well-Architected Framework.

Security

Enabling GuardDuty Malware Protection for Amazon EC2 resources enhances security by detecting and analyzing malicious files, reducing the risk of data breaches or compromised workloads. It provides early threat detection, helping to identify malware infections and allowing for quicker remediation, thus ensuring the integrity and security of your AWS cloud environment.


Publication date Nov 25, 2025