GuardDuty and Macie: How to use AWS’s machine learning security tools

As cyberattacks advance, so, fortunately, does security. It is now vitally important to use machine learning to strengthen your protection, detecting and recognizing threats more quickly and then responding immediately. If you use Amazon Web Services, it offers two important machine learning security tools, Amazon GuardDuty and Amazon Macie. Here’s how GuardDuty and Macie can keep your data safe.

Amazon GuardDuty

Amazon GuardDuty is an intelligent threat detection service with continuous monitoring, built to safeguard users’ AWS accounts and workloads. Malicious or unauthorized behavior, such as unusual API calls or potentially unauthorized deployments, is detected, and any behavior that may indicate an account compromise is flagged. Potentially compromised instances and reconnaissance by attackers will also likely be detected.

Simple to enable from the AWS Management Console, GuardDuty utilizes integrated threat intelligence feeds and machine learning to find any anomalies within your account and activity. After detecting the threat, the GuardDuty console and AWS CloudWatch Events both receive a detailed security alert, making alerts actionable and simple to integrate into existing workflow systems and event management.

Amazon GuardDuty can be enabled quickly to immediately analyze billions of events across your AWS infrastructure, and it is not necessary to deploy and maintain software or security infrastructure. This adds to its cost-effectiveness and ability to be enabled quickly without altering existing workloads.

Customers are only required to pay for events analyzed by GuardDuty with no costs upfront, and it comes with a 30-day free trial to determine if it is a proper security tool for your infrastructure.

GuardDuty’s most important features include:

  • Account-level threat detection – accurately detect an account compromise with continuous monitoring in near real-time.
  • Continuous monitoring across AWS accounts – monitor and analyze all AWS account and workload event data found in AWS CloudTrail, VPC Flow Logs, and DNS Logs without additional security software or infrastructure.
  • Threat detections developed and optimized for the cloud – built-in detection techniques are specifically developed and optimized for the cloud. GuardDuty also has integrated threat intelligence with industry-leading third-party security partners, such as Proofpoint and CrowdStrike.
  • Threat severity levels for efficient prioritization – features low, medium, and high threat severity levels so customers can respond accordingly.
  • Automated threat response and remediation – with GuardDuty, you can utilize HTTPS APIs, CLI tools, and AWS CloudWatch Events to support automated security responses to certain findings.
  • Highly available threat detection – resource utilization is managed automatically depending on overall activity levels within the AWS accounts and workloads. GuardDuty adds detection capacity when necessary and reduces utilization when it’s no longer needed.
  • One-click deployment without additional software or infrastructure to deploy and manage – deployment and management are simplified with quick and easy enabling.
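As an added example (not code from the article or from AWS), here is a small Python Lambda handler for the CloudWatch Events integration described above: it checks that an incoming event is a GuardDuty finding, maps the numeric severity onto the low/medium/high bands, and picks a response tier. The response-tier names, the sample event, and the instance and finding ids are constructed placeholders.

```python
import json

# GuardDuty severity bands as documented: low 0.1-3.9, medium 4.0-6.9, high 7.0-8.9.
def severity_band(score: float) -> str:
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

# Hypothetical response tiers (assumed names, not AWS APIs); a real handler would call boto3 here.
RESPONSE_BY_BAND = {"high": "isolate_and_page", "medium": "ticket", "low": "log_only"}

def classify_finding(event: dict) -> dict:
    """Check the CloudWatch Events envelope and return a response decision."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    band = severity_band(float(detail["severity"]))
    instance = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    return {
        "finding_id": detail["id"],
        "type": detail["type"],
        "band": band,
        "action": RESPONSE_BY_BAND[band],
        "instance_id": instance,
    }

def lambda_handler(event: dict, context=None) -> dict:
    """Lambda entry point: print the decision so CloudWatch Logs keeps an audit trail."""
    decision = classify_finding(event)
    print(json.dumps(decision))
    return decision

# Constructed sample event in the shape CloudWatch Events uses for GuardDuty findings;
# the account number, finding id and instance id are placeholders, not real data.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111122223333",
    "detail": {
        "id": "EXAMPLE-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
```

Calling `lambda_handler(SAMPLE_EVENT)` yields a "medium" band and the "ticket" tier; wiring this to a CloudWatch Events rule with source `aws.guardduty` is the remaining deployment step.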

Amazon Macie

Amazon Macie is a “security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.” This sensitive data includes personally identifiable information (PII) or intellectual property. Macie’s dashboard and alerts let users immediately see how this data is being accessed or moved.

Data access activity is continuously monitored for anomalies by this fully managed service. When a risk of unauthorized access or inadvertent data leaks is detected, it generates detailed alerts. Amazon Macie is currently available to protect data stored in Amazon S3, with support for additional AWS data stores coming later in the year.

Benefits of Amazon Macie include:

  • Superior visibility of your data — Security administrators have clear management visibility into data storage environments.
  • Simple to set up and easy to manage — Users only have to log into the AWS console, choose the Amazon Macie service, and select the AWS accounts they would like protected.
  • Data security automation through machine learning — Discovering, classifying, and protecting data stored in AWS is an automated process for Amazon Macie via machine learning. This helps you more quickly and better understand where sensitive information is stored and how it’s being accessed, including user authentications and access patterns.
  • Custom alert monitoring with CloudWatch — If you like, Amazon Macie is able to send all findings to Amazon CloudWatch Events to build custom remediation and alert management for your security ticketing systems.

Amazon Macie works by first creating a baseline and then actively monitoring for any anomalies and variations from that baseline that could indicate a risk and/or suspicious behavior, “such as large quantities of source code being downloaded, credentials being stored in an unsecured manner, or sensitive data that is configured to be externally accessible.”

This service not only gives detailed alerts but also recommendations for how to resolve issues. It also lets users define and customize automated remediation actions, like resetting access control lists or triggering password reset policies.

One of Amazon Macie’s key features is its machine learning-based classification of your Amazon S3 objects, which provides visibility into your S3 environment. It can recognize data with high business value, including logging formats, database backup formats, and credentials. It also applies user behavior analytics to help identify risky or suspicious activity involving AWS service API calls and access to high-value content. Sudden increases in high-risk API activity are detected, as is anomalous API activity from multiple locations or at infrequent hours.

Using it, customers can also automate workflows and alert categories. You can integrate with Security Information and Event Management (SIEM) services and Managed Security Service Provider (MSSP) solutions to help support security and compliance use cases. To deliver early warnings and then sort and prioritize them, Macie supports 20 different alert categories. These include high-risk data events, API keys and credentials being stored within source code, and more.

AWS tools GuardDuty and Macie

While security is a never-ending battle, these tools help to make it a bit more manageable. By utilizing GuardDuty and Macie, you can help keep your data secure.
