GuardDuty is a must have for AWS environments
Use Cases and Deployment Scope
We have a multi-tenant AWS environment with dozens of AWS account all managed under control tower. We use GuardDuty on every AWS account and it has been incredibly useful for monitoring the security of our AWS accounts.
Pros
- Monitors outgoing connections from AWS resources to known malicious hosts.
- Monitors incoming connection to AWS resources from known malicious hosts.
- Integrates with other centralized logging solutions.
Cons
- Does not have the ability to add any custom monitors.
Likelihood to Recommend
In a multi-account/multi-tenant environment, GuardDuty often alerts us to possible malicious traffic before it becomes an issue. The ability to automatically enable GuardDuty creates baseline security which is crucial when an account is first created. It also helps greatly in environments where other users are able to create resources as often GuardDuty alerts us to insecure resources we did not know about. It can however sometimes be a little overzealous with its assessments alerting on benign activity which then requires suppression rules.
