AWS GuardDuty Modules Explained: Features, Coverage, and How Customers Benefit with Coralogix

Introduction

As organizations continue to scale their AWS environments, security teams face increasing challenges in detecting cloud-native threats such as compromised credentials, misused APIs, container breaches, and malicious workload behavior. Traditional perimeter-based controls and legacy endpoint tools are often insufficient in dynamic, cloud-first architectures.

AWS GuardDuty provides native, intelligent threat detection for AWS environments. When GuardDuty findings are integrated into Coralogix Security Analytics, customers gain centralized visibility, richer context, and faster investigation across infrastructure, applications, and cloud services.

This blog provides:

  • An overview of AWS GuardDuty modules
  • Key features and detection coverage
  • Guidance for customers without EDR on containers
  • Pricing overview with an example
  • How Coralogix enhances GuardDuty for SOC and security teams

What is AWS GuardDuty?

AWS GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for suspicious or malicious activity. It analyzes telemetry from:

  • AWS CloudTrail management events
  • VPC Flow Logs
  • DNS query logs
  • Runtime signals from compute and container workloads

Using machine learning, behavioral analysis, and AWS threat intelligence, GuardDuty generates security findings with severity, context, and recommended remediation steps. The service is fully managed and scales automatically without requiring infrastructure deployment.

AWS GuardDuty Protection Modules Available Today

Based on the official AWS GuardDuty User Guide and AWS security best-practice documentation, the following GuardDuty modules (also referred to as protection plans) are currently available. These modules extend threat detection beyond foundational monitoring and allow customers to enable coverage selectively based on workload type and risk profile.

Foundational Threat Detection (Enabled by Default)

When AWS GuardDuty is enabled, it automatically begins continuous threat detection using these core data sources:

  • AWS CloudTrail management events
    Detects suspicious control-plane activity such as compromised credentials, unauthorized API calls, and privilege escalation.
  • VPC Flow Logs
    Identifies reconnaissance, brute-force attempts, lateral movement, and communication with known malicious IP addresses.
  • DNS query logs
    Detects suspicious or malicious domain lookups, including command-and-control (C2) activity.

These detections require no additional configuration and provide baseline protection for most AWS environments.

Optional GuardDuty Protection Plans

Amazon S3 Protection

Monitors data-plane (object-level) API activity to detect:

  • Suspicious object access
  • Data exfiltration attempts
  • Destructive S3 operations

This module is particularly valuable for workloads handling sensitive or customer data.

Amazon EKS Protection

Analyzes Kubernetes audit logs from the EKS control plane to detect:

  • Suspicious pod creation and deletion
  • Privilege escalation attempts
  • Unauthorized Kubernetes API activity

This provides visibility into Kubernetes control-plane abuse, which is often an early indicator of container compromise.

Runtime Monitoring (EC2, ECS, and EKS)

GuardDuty Runtime Monitoring delivers workload-level behavioral detection across:

  • Amazon EC2
  • Amazon ECS (including AWS Fargate)
  • Amazon EKS workloads

It detects:

  • Malicious or unexpected process execution
  • Suspicious file access
  • Unauthorized outbound network connections
  • Privilege escalation activity

This capability provides EDR-like behavioral visibility without requiring customers to deploy or manage traditional endpoint agents.

Malware Protection for EC2

Automatically scans attached EBS volumes when GuardDuty detects suspicious behavior, helping identify:

  • Ransomware
  • Cryptomining malware
  • Persistent malicious artifacts

Scanning is event-driven, minimizing operational and performance impact.

Malware Protection for S3 (via AWS Backup)

Enables malware scanning for:

  • S3 objects
  • EBS snapshots
  • Amazon Machine Images (AMIs)

Scan results are surfaced through GuardDuty findings, extending visibility into backup and storage workflows.

Summary of AWS GuardDuty Modules

Module                            What It Detects
Foundational Detection            CloudTrail, VPC Flow Logs, DNS anomaly detection
Amazon S3 Protection              Suspicious S3 object access and data exfiltration
Amazon EKS Protection             Kubernetes audit-log-based threats
Runtime Monitoring                Runtime threats across EC2, ECS, and EKS
Malware Protection (EC2)          Malware scanning of EBS volumes
Malware Protection (S3 / Backup)  Malware scanning for S3 and backup resources

How GuardDuty Compensates When Customers Don’t Have EDR on Containers

Many organizations running containerized workloads on EKS, ECS, or Fargate do not deploy traditional Endpoint Detection and Response (EDR) tools due to agent overhead, limited container support, or cost concerns.

In these environments, AWS GuardDuty can act as a compensating security control.

Key GuardDuty Modules That Compensate for Missing EDR

  • Runtime Monitoring
    Provides behavioral detection for malicious processes, reverse shells, cryptomining, and suspicious network connections.
  • Amazon EKS Protection
    Detects Kubernetes API abuse, unauthorized exec activity, and privilege escalation.
  • VPC Flow Log and DNS Analysis (Foundational)
    Identifies command-and-control traffic and malicious outbound connections from compromised containers.
  • Malware Protection for EC2 (for EC2-backed clusters)
    Detects malicious artifacts written to disk following container escape or node compromise.

Important Consideration

GuardDuty does not replace full host-based EDR capabilities such as memory inspection or forensic tooling. However, it provides strong, AWS-native behavioral detection that significantly improves security visibility in environments without endpoint agents.

Why Integrate AWS GuardDuty with Coralogix?

While GuardDuty excels at detection, security teams still need to centralize alerts, correlate signals, and operationalize findings.

By ingesting GuardDuty findings into Coralogix Security Analytics, customers can:

  • Centralize GuardDuty alerts alongside logs, metrics, and traces
  • Correlate security findings with application and infrastructure behavior
  • Reduce alert fatigue through contextual analysis
  • Accelerate SOC investigations and response workflows
  • Build executive, SOC, and compliance dashboards

This enables GuardDuty findings to move from isolated alerts to actionable security intelligence.
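As an added example (not Coralogix's integration or AWS code), the following Python normalizes GuardDuty findings in the shape EventBridge delivers them, tags each with the protection plan that produced it using a mapping derived from the module summary table above, and forwards a finding id only the first time it appears or when its severity has risen, which is the de-duplication step behind "reduce alert fatigue". The finding type strings are real GuardDuty type names; the finding ids, account id, and the module mapping itself are assumptions constructed for the example.

```python
# Added example (not AWS's or Coralogix's code): normalize EventBridge-delivered GuardDuty
# findings, tag each with the module behind it, forward only new or escalated finding ids.
def module_for(finding_type):
    """Map ThreatPurpose:Resource/Family... to a module; assumed mapping from the table above."""
    resource, _, family = finding_type.split(":", 1)[1].partition("/")
    if resource == "Runtime":
        return "Runtime Monitoring"
    if resource == "Kubernetes":
        return "EKS Protection"
    if resource == "S3":
        return "Malware Protection (S3)" if family == "MaliciousFile" else "S3 Protection"
    if resource == "EC2" and family == "MaliciousFile":
        return "Malware Protection (EC2)"
    return "Foundational Detection"

def severity_label(score):
    """GuardDuty bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10."""
    return "CRITICAL" if score >= 9 else "HIGH" if score >= 7 else "MEDIUM" if score >= 4 else "LOW"

def normalize(event):
    """Flatten an EventBridge 'GuardDuty Finding' event into a SIEM-friendly record."""
    d = event["detail"]
    return {"finding_id": d["id"], "type": d["type"], "module": module_for(d["type"]),
            "severity": d["severity"], "severity_label": severity_label(d["severity"]),
            "account": d["accountId"], "region": d["region"],
            "resource_type": d["resource"]["resourceType"], "count": d["service"]["count"]}

def forward(records, seen=None):
    """Keep records first seen or with higher severity than last time (seen: id -> severity)."""
    seen = {} if seen is None else seen
    out = []
    for r in records:
        prev = seen.get(r["finding_id"])
        if prev is None or r["severity"] > prev:
            out.append(r)
        seen[r["finding_id"]] = r["severity"]
    return out

def _event(fid, ftype, sev, rtype, count=1):  # constructed sample; placeholder account id
    return {"detail-type": "GuardDuty Finding", "detail": {
        "id": fid, "type": ftype, "severity": sev, "accountId": "111122223333",
        "region": "us-east-1", "resource": {"resourceType": rtype}, "service": {"count": count}}}

SAMPLE_EVENTS = [  # finding types are real GuardDuty type names; ids are placeholders
    _event("f1", "Execution:Runtime/NewBinaryExecuted", 5.0, "Container"),
    _event("f2", "Policy:Kubernetes/AnonymousAccessGranted", 8.0, "EKSCluster"),
    _event("f3", "Backdoor:EC2/C&CActivity.B!DNS", 8.0, "Instance"),
    _event("f1", "Execution:Runtime/NewBinaryExecuted", 5.0, "Container", count=4),
]
```

The fourth sample is GuardDuty re-delivering finding f1 with an updated count at the same severity, so it updates the stored state but is not forwarded again.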

AWS GuardDuty Pricing Overview

AWS GuardDuty uses a pay-as-you-go pricing model:

  • No upfront costs
  • Pricing based on log volume, protected workloads, and enabled modules
  • Region-dependent pricing

AWS also provides a 30-day free trial and a limited free tier for S3 malware protection.

Pricing Example (Illustrative)

Example Environment

  • 1 AWS account
  • 2 regions
  • 20 EC2 instances
  • 1 EKS cluster
  • Moderate CloudTrail, network, and DNS activity
  • S3 buckets handling file uploads

Enabled Modules

  • Foundational detection
  • Runtime monitoring
  • EKS protection
  • Malware protection for S3

Estimated Monthly Cost

Component               Estimated Cost
Foundational detection  $25–30
Runtime monitoring      $35–40
EKS protection          $20–25
S3 malware protection   $10–15
Estimated Total         ~$100/month

Actual costs vary based on usage patterns and AWS region. For detailed guidance on monitoring and understanding GuardDuty costs, customers can refer to the official AWS GuardDuty cost monitoring documentation.

Conclusion

AWS GuardDuty provides powerful, native threat detection across AWS environments. By enabling the right GuardDuty modules and integrating findings into Coralogix, customers gain centralized visibility, deeper context, and faster security operations without the complexity of managing additional infrastructure or agents.

For organizations seeking effective cloud threat detection, especially in containerized environments without traditional EDR, the combination of AWS GuardDuty and Coralogix Security Analytics offers a scalable and operationally efficient approach.