GuardDuty uses threat detection feeds from a variety of sources in order to stay up to date with the latest malicious activity that is common on the internet. It monitors logs and applies machine learning to alert you when something suspicious is happening. Alerts are sent to CloudWatch, so that you can then take action on these alerts, by sending messages to administrators, or even automating responses with AWS Lambda.

GuardDuty can consolidate findings across multiple accounts, and feed them all into a central administrative account, which makes setting up enterprise-wide monitoring quick and easy.