AWS Security Academy · Lesson

GuardDuty Data Sources and Finding Types

Learn which logs GuardDuty analyzes and the threats it surfaces.

What GuardDuty Reads

GuardDuty does not install sensors; it analyzes logs AWS already generates. Its foundational data sources are CloudTrail management events, VPC Flow Logs, and DNS query logs. From these three streams it reconstructs account, network, and name-resolution activity to hunt for threats.

CloudTrail as a Source

By reading CloudTrail management events, GuardDuty sees the API calls made in your account. This lets it detect identity threats like unusual API activity, credentials used from a strange location, or attempts to disable logging. It also analyzes CloudTrail S3 data events as an optional source.
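As an added illustration of what GuardDuty gets from this stream, the following Python script (example code written for this lesson, not GuardDuty's own detection logic or any AWS library) runs two checks over constructed CloudTrail records: it flags management calls that would stop or reshape trail logging, and it flags a principal whose call arrives from outside a hypothetical per-principal baseline network. It also separates management events from S3 data events using the `managementEvent` field, mirroring the foundational versus optional sources named above. The sample records, the account id, the IP ranges and the baseline table are all constructed.

```python
import ipaddress

# Constructed sample records (not real CloudTrail output). Field names follow the
# documented CloudTrail record format: eventName, eventSource, userIdentity,
# sourceIPAddress, managementEvent. Account id and IPs are documentation values.
SAMPLE_EVENTS = [
    {  # an attempt to disable logging: a CloudTrail StopLogging management call
        "eventTime": "2024-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "managementEvent": True,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {  # a benign read call, but from a network the principal never used before
        "eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "managementEvent": True,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "198.51.100.7",
    },
    {  # an S3 data event (object-level), which is the optional source, not a management event
        "eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "managementEvent": False,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-reader"},
        "sourceIPAddress": "203.0.113.22",
    },
    {  # a service-originated call: sourceIPAddress is a DNS name, not an IP
        "eventTime": "2024-01-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "managementEvent": True,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "ec2.amazonaws.com",
    },
]

# CloudTrail API calls that stop, delete or narrow a trail. These are real
# CloudTrail action names; the grouping under one label is this example's choice.
LOGGING_TAMPER_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("cloudtrail.amazonaws.com", "PutEventSelectors"),
}

# Hypothetical baseline: networks each principal is expected to call from.
# A real detector would learn this from history rather than hard-code it.
BASELINE_NETWORKS = {
    "arn:aws:iam::123456789012:user/alice": ["203.0.113.0/24"],
}


def classify_source(event):
    """Return 'management' for management events, 'data' for S3 data events."""
    return "management" if event.get("managementEvent") else "data"


def analyze(event, baseline=BASELINE_NETWORKS):
    """Return the list of finding labels raised by one CloudTrail record."""
    findings = []
    if (event.get("eventSource"), event.get("eventName")) in LOGGING_TAMPER_CALLS:
        findings.append("logging-tamper")

    principal = event.get("userIdentity", {}).get("arn")
    expected = baseline.get(principal)
    if expected:
        try:
            ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
        except ValueError:
            ip = None  # DNS name (service call) or missing field: no IP baseline to compare
        if ip is not None and not any(ip in ipaddress.ip_network(n) for n in expected):
            findings.append("unexpected-source-ip")
    return findings


def run(events=SAMPLE_EVENTS):
    """Analyze every record; returns (eventName, source class, findings) per record."""
    return [(e["eventName"], classify_source(e), analyze(e)) for e in events]


if __name__ == "__main__":
    for name, source_class, findings in run():
        print(f"{name:20} {source_class:11} {findings}")
```

The baseline check deliberately skips records whose `sourceIPAddress` is a DNS name, which is how CloudTrail records calls made on a principal's behalf by an AWS service; treating those as unknown IPs would produce a steady stream of false positives.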
