aid: amazon-guardduty
name: Amazon GuardDuty
description: Amazon GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts, workloads, and data for malicious activity. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats to your AWS environment.
type: Index
image: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
url: https://raw.githubusercontent.com/api-evangelist/amazon-guardduty/refs/heads/main/apis.yml
created: '2024-01-15'
modified: '2026-05-19'
specificationVersion: '0.19'
tags:
  - Anomaly Detection
  - AWS
  - Compliance
  - Machine Learning
  - Monitoring
  - Security
  - Threat Detection
apis:
  - aid: amazon-guardduty:amazon-guardduty-api
    name: Amazon GuardDuty API
    description: The Amazon GuardDuty API provides programmatic access to manage detectors, findings, filters, trusted IP sets, and threat intelligence for continuous threat detection across AWS accounts and workloads.
    humanURL: https://aws.amazon.com/guardduty/
    baseURL: https://guardduty.amazonaws.com
    tags:
      - Security
      - Threat Detection
      - Machine Learning
    properties:
      - type: Documentation
        url: https://docs.aws.amazon.com/guardduty/latest/APIReference/Welcome.html
      - type: OpenAPI
        url: openapi/amazon-guardduty-openapi.yml
      - type: GettingStarted
        url: https://aws.amazon.com/guardduty/getting-started/
      - type: Pricing
        url: https://aws.amazon.com/guardduty/pricing/
      - type: FAQ
        url: https://aws.amazon.com/guardduty/faqs/
      - type: APIReference
        url: https://docs.aws.amazon.com/guardduty/latest/APIReference/Welcome.html
      - type: Authentication
        url: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
      - type: JSONSchema
        url: json-schema/guardduty-finding-schema.json
      - type: JSONLD
        url: json-ld/amazon-guardduty-context.jsonld
      - type: NaftikoCapability
        url: capabilities/amazon-guardduty.yaml
common:
  - type: Portal
    url: https://aws.amazon.com/guardduty/
  - type: Documentation
    url: https://docs.aws.amazon.com/guardduty/
  - type: TermsOfService
    url: https://aws.amazon.com/service-terms/
  - type: PrivacyPolicy
    url: https://aws.amazon.com/privacy/
  - type: Support
    url: https://aws.amazon.com/premiumsupport/
  - type: Blog
    url: https://aws.amazon.com/blogs/security/tag/amazon-guardduty/
  - type: GitHubOrganization
    url: https://github.com/aws
  - type: Console
    url: https://console.aws.amazon.com/guardduty/
  - type: SignUp
    url: https://portal.aws.amazon.com/billing/signup
  - type: StatusPage
    url: https://health.aws.amazon.com/health/status
  - type: Contact
    url: https://aws.amazon.com/contact-us/
  - type: SpectralRules
    url: rules/amazon-guardduty-spectral-rules.yml
  - type: Vocabulary
    url: vocabulary/amazon-guardduty-vocabulary.yaml
  - type: Features
    data:
      - name: Intelligent Threat Detection
        description: Uses ML and anomaly detection to identify threats without manual configuration or rule management.
      - name: Integrated Threat Intelligence
        description: Incorporates curated threat intelligence feeds from AWS, CrowdStrike, and Proofpoint for enhanced detection.
      - name: Multi-Account Support
        description: Monitor all accounts in an AWS Organization from a central administrator account.
      - name: Continuous Monitoring
        description: Analyzes CloudTrail, VPC Flow Logs, DNS logs, and S3 access logs 24/7 without performance impact.
      - name: Finding Prioritization
        description: Automatically prioritizes findings by severity (Low, Medium, High) for efficient response.
      - name: Malware Protection
        description: Scans EC2 instance volumes and S3 objects for malware and known threats.
  - type: UseCases
    data:
      - name: Account Compromise Detection
        description: Detect compromised AWS credentials and unauthorized API calls using ML-based anomaly detection.
      - name: Insider Threat Monitoring
        description: Identify suspicious behavior from privileged users or compromised internal accounts.
      - name: Cryptocurrency Mining Detection
        description: Detect and alert on unauthorized cryptocurrency mining using EC2 or Lambda resources.
      - name: Malware Detection
        description: Scan workloads and data for malware and ransomware threats.
      - name: Data Exfiltration Prevention
        description: Identify unusual data access patterns and potential exfiltration from S3 buckets.
  - type: Integrations
    data:
      - name: AWS Security Hub
        description: Automatically send GuardDuty findings to Security Hub for centralized security management.
      - name: Amazon EventBridge
        description: Trigger automated responses to findings using EventBridge rules and Lambda functions.
      - name: AWS Organizations
        description: Enable GuardDuty organization-wide for centralized multi-account threat monitoring.
      - name: Amazon Detective
        description: Investigate GuardDuty findings in depth using Detective for root cause analysis.
      - name: Amazon Macie
        description: Combine with Macie for comprehensive data security and threat detection.
maintainers:
  - FN: Kin Lane
    email: kin@apievangelist.com
    url: https://apievangelist.com