Introduction:
In today’s cloud-native world, security isn’t just a checkbox; it’s a continuous process that needs to be embedded throughout your development lifecycle. AWS provides two powerful security services that work together to protect your cloud infrastructure: Amazon GuardDuty for intelligent threat detection and Amazon Inspector for comprehensive vulnerability management. This guide explores how to leverage both services to implement a robust DevSecOps strategy that secures your applications from code to runtime.
Part 1: Amazon GuardDuty – Your 24/7 Threat Detection Guardian
What is Amazon GuardDuty?
Amazon GuardDuty is an intelligent threat detection service that continuously monitors your AWS environment for malicious activity and unauthorized behavior. Think of it as a cloud security guard that never sleeps: it analyzes billions of events across multiple data sources using machine learning, anomaly detection, and integrated threat intelligence from AWS and industry-leading third parties.
Key GuardDuty Capabilities:
1. Expanded Workload Runtime Protection
GuardDuty now monitors EC2 instances, Amazon EKS containers, and AWS Fargate workloads at runtime to detect:
- Suspicious processes and unauthorized executables.
- Reverse shells indicating remote access attempts.
- Cryptocurrency mining malware.
- Backdoor behavior and persistence mechanisms.
- Defense evasion tactics and unusual file access patterns.
This agent-based monitoring provides deep visibility into operating system-level activity, generating over 30 different runtime security findings to help protect your workloads.
2. Enhanced Malware Detection Capability
GuardDuty Malware Protection now offers comprehensive malware scanning across multiple AWS services:
1. EC2 and EBS Volume Scanning:
- Agentless scanning of EBS volumes attached to EC2 instances.
- GuardDuty-initiated scans triggered by suspicious behavior.
- On-demand scans you can initiate manually.
- Detects trojans, ransomware, botnets, webshells, and cryptominers.
2. S3 Malware Protection:
- Automatic scanning of newly uploaded objects in S3 buckets.
- Uses AWS-developed and industry-leading third-party scan engines.
- Tagging of scanned objects with their scan status (NO_THREATS_FOUND, THREATS_FOUND, etc.).
- Policy-based prevention of access to malicious files.
3. AWS Backup Malware Protection (New):
- Extends malware detection to EC2, EBS, and S3 backups.
- Automatic scanning of new backups.
- On-demand scanning of existing backups.
- Verification that backups are clean before restoration.
- Incremental scanning that analyzes only changed data, reducing costs.
- Helps identify your last known clean backup to minimize business disruption.
3. Broader Service Coverage
GuardDuty now protects an expanded range of AWS services beyond EC2:
- Amazon S3 Protection: Detects unusual access patterns, data exfiltration attempts, disabling of S3 Block Public Access, and API patterns indicating misconfigured bucket permissions.
- Amazon RDS Protection: Monitors RDS and Aurora databases for anomalous login behavior, brute force attacks, and suspicious database access patterns.
- AWS Lambda Protection: Detects malicious execution behavior in serverless functions, including invocations from suspicious locations and unusual VPC network activity.
- Amazon EKS Protection: Monitors Kubernetes audit logs to detect suspicious API activity, unauthorized access attempts, and policy violations in your EKS clusters.
4. Smarter Threat Intelligence & Advanced Finding Types
GuardDuty’s enhanced machine learning models and AWS and third-party threat intelligence enable detection of sophisticated attack patterns:
- Credential Compromise: Detects IAM credentials being used from unusual locations or by compromised instances
- Persistence Techniques: Identifies attackers establishing backdoors and maintaining access
- Privilege Escalation: Flags attempts to gain higher-level permissions within your environment
- Command-and-Control Traffic: Detects EC2 instances communicating with known malicious domains and C2 servers
- Cryptomining Activity: Identifies unauthorized cryptocurrency mining using your resources
- Extended Threat Detection: Uses AI/ML to automatically correlate multiple security signals across network activity, process runtime behavior, malware execution, and API activity to detect multi-stage attacks that might otherwise go unnoticed
GuardDuty now generates critical severity findings like AttackSequence:EC2/CompromisedInstanceGroup that provide attack sequence information, complete timelines, MITRE ATT&CK mappings, and remediation recommendations, allowing you to spend less time on analysis and more time responding to threats.
How Does GuardDuty Work?
GuardDuty analyzes and processes data from multiple sources:
- VPC Flow Logs: Network traffic patterns and communication with malicious IPs.
- AWS CloudTrail Management Events: API calls and account activity for detecting credential misuse.
- CloudTrail S3 Data Events: S3 object-level API activity.
- DNS Query Logs: DNS queries to detect malicious domain communications.
- EKS Audit Logs: Kubernetes control plane activity.
- RDS Login Activity: Database authentication events.
- Lambda Network Activity: Function execution behavior and network connections.
- Runtime Monitoring: Operating system-level process and file activity.
Apart from the agent used for Runtime Monitoring (described above), none of this requires you to deploy or manage security software. GuardDuty operates through AWS service integrations.
Practical GuardDuty Demo: Detecting Real Threats
Use Case: Detecting a Compromised EC2 Instance with Cryptomining Activity
Let’s walk through a real-world scenario where GuardDuty detects and alerts on a compromised EC2 instance that’s been infected with cryptocurrency mining malware.
Step 1: Enable GuardDuty
- Navigate to AWS Console → GuardDuty → Get Started
- Click “Enable GuardDuty” (30-day free trial available)
- Enable protection plans: Foundational, Runtime Monitoring, and Malware Protection.
Step 2: Simulate a Compromised Instance
Launch an EC2 instance and simulate suspicious activity:
- SSH into your EC2 instance.
- Make DNS queries to known malicious test domains (provided by GuardDuty for testing).
- Generate unusual network traffic patterns.
Step 3: Review GuardDuty Findings
Within 15-30 minutes, GuardDuty will generate findings such as:
- CryptoCurrency:EC2/BitcoinTool.B!DNS (indicates your EC2 instance is querying a domain associated with Bitcoin mining).
- UnauthorizedAccess:EC2/MaliciousIPCaller.Custom (your EC2 instance is communicating with a known malicious IP).
- Runtime:EC2/SuspiciousProcess (a suspicious process was detected at the OS level).
Each finding includes:
- Severity level (Low, Medium, High, Critical)
- Affected resource details
- Action details showing what triggered the alert
- Recommended remediation steps
- MITRE ATT&CK technique mappings
Step 4: Investigate with Malware Protection
When GuardDuty detects suspicious behavior, it can automatically trigger a malware scan:
- Navigate to GuardDuty → Malware scans
- View the scan results for your EC2 instance
- If malware is detected, GuardDuty generates an Execution:EC2/MaliciousFile finding
- Finding details include the file hash, file path, and threat name
Step 5: Automated Response
Set up automated remediation using EventBridge and Lambda:
- Create an EventBridge rule that triggers on GuardDuty findings.
- Connect it to a Lambda function that:
  - Isolates the compromised instance (modifies its security group)
  - Creates a snapshot for forensics
  - Sends notifications to your security team
  - Tags the resource for investigation
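The Lambda side of Step 5, as an added example that is not code from the original post or from AWS. It assumes the EventBridge event shape GuardDuty publishes (finding ID, type, severity and the instance ID under resource.instanceDetails), a pre-created quarantine security group whose ID is a placeholder here, and an injected EC2 client so the containment logic runs offline against a constructed stub; in Lambda you would pass boto3.client("ec2").

```python
# Added example, not code from the original post or from AWS: an EventBridge-triggered
# Lambda that quarantines the EC2 instance named in a GuardDuty finding. The EC2 client
# is injected so it runs offline with the stub below; in Lambda pass boto3.client("ec2").
QUARANTINE_SG = "sg-0123456789abcdef0"  # placeholder: a group with no inbound/outbound rules
HIGH_SEVERITY = 7.0                     # GuardDuty's High severity range starts at 7.0

def parse_finding(event):
    """Pull the fields the responder needs out of the EventBridge event envelope."""
    d = event["detail"]
    inst = d.get("resource", {}).get("instanceDetails", {})
    return {"id": d["id"], "type": d["type"], "severity": float(d["severity"]),
            "instance_id": inst.get("instanceId")}

def quarantine_instance(ec2, finding):
    """Isolate, snapshot and tag the instance; returns the list of actions taken."""
    iid, actions = finding["instance_id"], []
    # 1. Replace every security group with the empty quarantine group (network isolation).
    ec2.modify_instance_attribute(InstanceId=iid, Groups=[QUARANTINE_SG])
    actions.append("isolated")
    # 2. Snapshot each attached EBS volume for forensics before anyone touches the host.
    for res in ec2.describe_instances(InstanceIds=[iid])["Reservations"]:
        for bdm in res["Instances"][0].get("BlockDeviceMappings", []):
            vol = bdm["Ebs"]["VolumeId"]
            ec2.create_snapshot(VolumeId=vol, Description="forensics " + finding["id"])
            actions.append("snapshot:" + vol)
    # 3. Tag it so the security team can find it in the investigation queue.
    ec2.create_tags(Resources=[iid], Tags=[{"Key": "GuardDutyFinding", "Value": finding["id"]}])
    actions.append("tagged")
    return actions

def handler(event, context=None, ec2=None, notify=print):
    """Lambda entry point: only High/Critical findings on an EC2 instance are contained."""
    if ec2 is None:
        import boto3; ec2 = boto3.client("ec2")   # real client only inside AWS
    finding = parse_finding(event)
    if not finding["instance_id"] or finding["severity"] < HIGH_SEVERITY:
        return {"action": "ignored", "type": finding["type"]}
    steps = quarantine_instance(ec2, finding)
    notify(f"[GuardDuty] {finding['type']} on {finding['instance_id']}: {steps}")
    return {"action": "quarantined", "steps": steps}

class StubEC2:
    """Constructed stand-in for boto3's EC2 client; accepts the same keyword calls."""
    def modify_instance_attribute(self, **kw): pass
    def create_snapshot(self, **kw): pass
    def create_tags(self, **kw): pass
    def describe_instances(self, **kw):
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}}]}]}]}

SAMPLE_EVENT = {"detail": {"id": "finding-0001", "severity": 8,  # constructed sample
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "resource": {"instanceDetails": {"instanceId": "i-0abc"}}}}
```

The severity threshold keeps Low and Medium findings out of automatic containment, and the snapshot step runs before any other change so the forensic image reflects the host as found.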
This demo demonstrates how GuardDuty provides continuous, intelligent monitoring with minimal configuration, detecting threats in real-time and enabling rapid response to protect your AWS environment.
Part 2: Amazon Inspector – Comprehensive Vulnerability Management
What is Amazon Inspector?
Amazon Inspector is an automated vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and network exposures. While GuardDuty detects active threats, Inspector identifies weaknesses before they can be exploited. It’s your proactive security assessor that helps you implement a “shift-left” security approach by catching vulnerabilities early in the development lifecycle.
Key Inspector Capabilities (Enhanced Features):
1. Code Security Scanning: Shift-Left DevSecOps
Inspector now supports application dependency and source code scanning, enabling true shift-left security:
- Software Composition Analysis (SCA): Scans your dependencies for vulnerable open-source libraries.
- Static Application Security Testing (SAST): Analyzes your source code for security flaws.
- Secrets Detection: Identifies hardcoded credentials, API keys, and sensitive data in code.
- Infrastructure as Code (IaC) Scanning: Detects misconfigurations in Terraform, CloudFormation, and CDK templates.
Supported Package Managers & Languages:
- JavaScript/Node.js: package.json, package-lock.json, yarn.lock
- Python: requirements.txt, Pipfile.lock, poetry.lock
- Java: pom.xml (Maven), build.gradle (Gradle)
- Ruby: Gemfile.lock
- Go: go.mod, go.sum
2. Continuous Scanning
Unlike traditional security tools that run on schedules, Inspector provides continuous, event-driven scanning:
- Automatic scanning on every code commit to connected repositories.
- Immediate scanning when new container images are pushed to ECR.
- Instant scanning when Lambda functions are created or updated.
- Continuous monitoring of running EC2 instances.
- Real-time rescanning when new CVEs are published.
3. Network Exposure Detection
Inspector detects network reachability issues that could expose your workload:
- Open ports accessible from the internet.
- Overly permissive security groups.
- Instances with public IP addresses.
- Vulnerable services exposed to untrusted networks.
4. Complete Code → Container → Compute Lifecycle Coverage
Inspector provides end-to-end security across your entire application lifecycle:
- Code Stage: Scan source code repositories (GitHub, GitLab) for vulnerabilities and secrets before deployment
- Container Stage: Scan container images in Amazon ECR for CVEs in packages and base images
- Compute Stage: Monitor running EC2 instances and Lambda functions for package vulnerabilities
DevSecOps Integration: Shift-Left Security
Inspector enables true DevSecOps by shifting security earlier in the Software Development Lifecycle (SDLC):
1. CI/CD Pipeline Integration:
- Scan code before merging pull requests
- Block deployments containing critical vulnerabilities
- Integrate findings into developer workflows via GitHub/GitLab
- Automated security gates in deployment pipelines
2. Early Detection Benefits:
- Catch vulnerabilities during development, not in production
- Reduce remediation costs by finding issues early
- Empower developers with immediate security feedback
- Maintain security compliance throughout the SDLC
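A deployment gate of the kind listed above (block on critical vulnerabilities, react to the ECR push scan), as an added example that is not code from the original post or from AWS. It assumes the inspector2 list_findings API with its ecrImageRepositoryName, ecrImageTags and findingStatus filters, and an injected client so the gate runs offline against a constructed stub; the repository name, image tag and CVE identifiers are placeholders.

```python
# Added example, not code from the original post or from AWS: a CI gate that
# asks Amazon Inspector (the inspector2 API) for ACTIVE findings on a freshly
# pushed ECR image and fails the pipeline on blocking vulnerabilities.
# The client is injected so the gate runs offline with the constructed stub
# below; in CI pass boto3.client("inspector2"). Repo, tag and CVE IDs are placeholders.
from collections import Counter

def fetch_image_findings(inspector2, repository, tag):
    """Page through inspector2.list_findings for one ECR image (ACTIVE findings only)."""
    criteria = {
        "ecrImageRepositoryName": [{"comparison": "EQUALS", "value": repository}],
        "ecrImageTags": [{"comparison": "EQUALS", "value": tag}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }
    findings, token = [], None
    while True:
        kwargs = {"filterCriteria": criteria, "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        page = inspector2.list_findings(**kwargs)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return findings

def evaluate_gate(findings):
    """Block on any CRITICAL finding, or on a HIGH one with a vendor fix available."""
    blockers = [f for f in findings if f["severity"] == "CRITICAL"
                or (f["severity"] == "HIGH" and f.get("fixAvailable") == "YES")]
    return {
        "passed": not blockers,
        "counts": dict(Counter(f["severity"] for f in findings)),
        "blockers": sorted(f["packageVulnerabilityDetails"]["vulnerabilityId"] for f in blockers),
    }

def gate_image(inspector2, repository="my-app", tag="placeholder-tag"):
    """Pipeline step: returns the decision; the CI job exits non-zero when passed is False."""
    result = evaluate_gate(fetch_image_findings(inspector2, repository, tag))
    print("PASS" if result["passed"] else "FAIL", result["counts"], result["blockers"])
    return result

def _finding(sev, fix, cve):  # builds a constructed finding in the API's shape
    return {"severity": sev, "fixAvailable": fix,
            "packageVulnerabilityDetails": {"vulnerabilityId": cve}}

class StubInspector2:
    """Constructed stand-in returning two pages, as the paginated API does."""
    PAGES = {None: {"findings": [_finding("HIGH", "YES", "CVE-0000-0001"),
                                 _finding("MEDIUM", "NO", "CVE-0000-0002")], "nextToken": "p2"},
             "p2": {"findings": [_finding("HIGH", "NO", "CVE-0000-0003")]}}
    def list_findings(self, **kwargs):
        return self.PAGES[kwargs.get("nextToken")]
```

Filtering on findingStatus ACTIVE keeps findings Inspector has already closed after a rescan from blocking the next build.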
What Does Inspector Scan?
- EC2 Instances: Operating system packages and applications, Common Vulnerabilities and Exposures (CVEs), Center for Internet Security (CIS) benchmark compliance
- Container Images (ECR): Base image vulnerabilities, installed packages, dependency vulnerabilities
- Lambda Functions: Application code vulnerabilities, package dependencies, layer vulnerabilities, hardcoded secrets
- Source Code Repositories: Security vulnerabilities in application code, dependency vulnerabilities, IaC misconfigurations, exposed secrets
Practical Inspector Demo: Securing Your Application from Network Vulnerabilities
This demo shows Inspector’s ability to detect and address network vulnerabilities within your deployed infrastructure, helping secure the network layer across the application lifecycle.
Step 1: Enable Amazon Inspector
- Navigate to AWS Console → Inspector → Get Started
- Select “Activate Inspector.”
Step 2: Deploy a Vulnerable Infrastructure
Launch an EC2 instance with intentional misconfigurations:
- Launch an EC2 instance with an outdated AMI (e.g., Amazon Linux 2).
- Create a security group with port 22 (SSH) open to 0.0.0.0/0 (public access).
- Install outdated packages to simulate a vulnerable environment.
Step 3: View Network Vulnerability Findings
After deploying your vulnerable infrastructure, Inspector will scan for network-related issues and generate findings:
- Network Exposure:
  - Finding: Port 22 (SSH) is open to the internet.
  - Severity: Medium
  - Remediation: Restrict access to specific IP ranges or use a bastion host for secure SSH access.
- Package Vulnerabilities:
  - Multiple CVEs in system packages
  - Outdated kernel version
  - Suggested package updates
Step 4: Remediate and Rescan
Fix the identified issues and observe continuous monitoring:
- Inspector automatically rescans and closes remediated findings.
This demo focuses on identifying and remediating network vulnerabilities within your infrastructure using Amazon Inspector.
GuardDuty + Inspector: Better Together
While GuardDuty and Inspector serve different purposes, they complement each other perfectly to provide comprehensive AWS security:
- GuardDuty: Detects active threats and malicious activity in real-time (“something bad is happening”)
- Inspector: Identifies vulnerabilities and misconfigurations proactively (“something could be exploited”)
Integration Best Practices
- Centralize with Security Hub: Aggregate findings from both GuardDuty and Inspector in AWS Security Hub for a unified security dashboard
- Automate Responses: Use EventBridge to trigger Lambda functions for automated remediation based on finding severity
- Enable Organization-Wide: Deploy both services across all AWS accounts using AWS Organizations for comprehensive coverage
- Integrate with SIEM: Export findings to your Security Information and Event Management system for correlation with other security data
- Track Metrics: Monitor mean time to detect (MTTD) and mean time to remediate (MTTR) to measure security posture improvements.
Conclusion:
Securing your AWS environment requires a multi-layered approach. Amazon GuardDuty provides intelligent, continuous threat detection across your entire AWS infrastructure, while Amazon Inspector enables proactive vulnerability management from code to production. Together, they form a comprehensive security solution that:
- Implements shift-left security by catching vulnerabilities during development
- Continuously monitors for threats and vulnerabilities across your entire environment
- Detects malware, cryptomining, and sophisticated multi-stage attacks
- Provides actionable findings with remediation guidance
- Integrates seamlessly into DevSecOps workflows and CI/CD pipelines
- Enables automated security responses and compliance reporting
By enabling both GuardDuty and Inspector, you create a robust security foundation that protects your AWS workloads throughout their entire lifecycle, from the first line of code to running production infrastructure. Start your security journey today by enabling both services and implementing the best practices outlined in this guide.