detecting-cloud-threats-with-guardduty

Featured

This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Detecting Cloud Threats with GuardDuty

## When to Use

- When establishing continuous threat detection for new or existing AWS accounts
- When investigating GuardDuty findings related to compromised instances, credential abuse, or data exfiltration
- When building automated incident response playbooks triggered by GuardDuty findings
- When extending threat coverage to container workloads running on EKS, ECS, or Fargate
- When enabling malware scanning for EBS volumes attached to suspicious EC2 instances

**Do not use** for Azure or GCP threat detection (see securing-azure-with-microsoft-defender or auditing-gcp-security-posture), for static code analysis, or for compliance posture monitoring (see implementing-aws-security-hub).

## Prerequisites

- AWS account with GuardDuty administrative permissions (guardduty:*)
- AWS CloudTrail, VPC Flow Logs, and DNS query logs enabled (GuardDuty consumes these automatically)
- AWS Organizations configured if deploying GuardDuty across a multi-account estate
- EventBridge and Lambda configured for automated response workflows

## Workflow

### Step 1: Enable GuardDuty and Protection Plans

Activate GuardDuty at the organization level using a delegated administrator account. Enable all protection plans, including S3 Protection, EKS Audit Log Monitoring, Runtime Monitoring, Malware Protection, RDS Login Activity, and Lambda Network Activity Monitoring.

```bash
# Enable GuardDuty as organization delegated administrator
aws guardduty crea...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-aws-guardduty-findings-automation

Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time incident response, automatic quarantine of compromised resources, and security notification workflows.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

detecting-compromised-cloud-credentials

Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, and SCC Event Threat Detection.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

performing-cloud-native-threat-hunting-with-aws-detective

Hunt for threats in AWS environments using Detective behavior graphs, entity investigation timelines, GuardDuty finding correlation, and automated entity profiling across IAM users, EC2 instances, and IP addresses.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

detecting-cryptomining-in-cloud

This skill teaches security teams how to detect and respond to unauthorized cryptocurrency mining operations in cloud environments. It covers identifying cryptomining indicators through compute usage anomalies, network traffic patterns to mining pools, GuardDuty CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, and Azure Automation workloads.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

implementing-aws-security-hub

This skill covers deploying AWS Security Hub as a centralized cloud security posture management platform that aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. It details enabling security standards like CIS AWS Foundations Benchmark, configuring automated remediation, and building executive dashboards for compliance tracking across multi-account AWS organizations.

12,642 Updated today
mukul975