[bink]

There's at least one thing that GuardDuty does that is much more difficult to do without it: the detection of instance credential usage from outside the account/VPC. I'm sure there's a way to do this with cloudtrail logs but it's not straight forward.

My biggest problem with GuardDuty is that it's all or nothing (for the most part). We'd love to have the cloudtrail/DNS/ML monitoring but disable flow logs, which are by far the most expensive part of GD for large orgs. AWS refuses to give us that option. And if they're going to charge us a fortune for flow logs with GD at least let us download or view them.

[ramimac]

Agreed - I find the credential exfil alerts meaningful. I appreciate that AWS has invested in making them better in recent years (bypass details in https://hackingthe.cloud/aws/avoiding-detection/steal-keys-u...)!

I also find the DNS based cryptomining detections pretty handy, and high enough signal.

Great point on VPC Flow Logs! With the move to SKU off various GuardDuty features (S3 protection, Runtime, etc.) ... it'd be nice if GuardDuty monitoring of VPC Flow logs were more configurable