GuardDuty

GuardDuty continuously monitors AWS accounts and workloads for malicious activity and unauthorized behavior. It uses machine learning and integrated threat intelligence to identify abnormal behavior and suspected attackers, analyzing billions of events recorded in AWS CloudTrail, Amazon Virtual Private Cloud (VPC) Flow Logs, and Domain Name System (DNS) logs. In this example, we implement GuardDuty to protect accounts created and governed by AWS Control Tower.

We deploy GuardDuty using the GuardDuty delegated administrator feature. This feature allows you to manage multiple GuardDuty accounts in an AWS Organization and broadly applies to any AWS Organization. AWS Control Tower is an ideal use case but is not a prerequisite for using GuardDuty or the GuardDuty delegated administrator feature.
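The two-step enablement that the delegated administrator feature implies, written out as an added example (it is not code from this page or from AWS). It assumes AWS CLI v2 is installed and configured; the first function must run with management-account credentials, the second with credentials for the delegated administrator account. The function names are my own, and the account id is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Added example: designate a GuardDuty delegated administrator for an AWS
# Organization, then auto-enable GuardDuty for all current and future members.
# Run delegate_admin from the management account and enable_for_org from the
# delegated administrator account.

# Constructed placeholder; replace with the real delegated-administrator account id.
ADMIN_ACCOUNT_ID="${ADMIN_ACCOUNT_ID:-111111111111}"
REGION="${AWS_REGION:-us-east-1}"

# Reject anything that is not a 12-digit AWS account id before it reaches an API call.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1 (management account): let GuardDuty integrate with Organizations and
# hand administration to the delegated admin account, then read back who holds
# the role so the change can be confirmed.
delegate_admin() {
  valid_account_id "$ADMIN_ACCOUNT_ID" || { echo "bad account id: $ADMIN_ACCOUNT_ID" >&2; return 1; }
  aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
  aws guardduty enable-organization-admin-account --region "$REGION" \
    --admin-account-id "$ADMIN_ACCOUNT_ID"
  aws guardduty list-organization-admin-accounts --region "$REGION" \
    --query 'AdminAccounts[].AdminAccountId' --output text
}

# Step 2 (delegated admin account): make sure a detector exists in this region
# (text output prints "None" when the list is empty), then turn on GuardDuty for
# every existing member and every account that joins later. ALL, not NEW, is what
# covers accounts Control Tower already created before this ran.
enable_for_org() {
  detector_id=$(aws guardduty list-detectors --region "$REGION" \
    --query 'DetectorIds[0]' --output text)
  if [ -z "$detector_id" ] || [ "$detector_id" = "None" ]; then
    detector_id=$(aws guardduty create-detector --region "$REGION" --enable \
      --query 'DetectorId' --output text)
  fi
  aws guardduty update-organization-configuration --region "$REGION" \
    --detector-id "$detector_id" --auto-enable-organization-members ALL
  echo "$detector_id"
}

# Usage (each step with the matching credentials):
#   ADMIN_ACCOUNT_ID=123456789012 sh -c '. ./guardduty-org.sh; delegate_admin'
#   sh -c '. ./guardduty-org.sh; enable_for_org'
```

GuardDuty is regional, so `enable_for_org` has to be repeated per region you want covered; the delegated-admin designation in step 1 is likewise made per region.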