Amazon GuardDuty 本番運用ガイド（脅威検知／Extended Threat Detection・攻撃シーケンス／EventBridge自動対応(SOAR)／マルチアカウント統制／Runtime Monitoring／EKS Protection／S3マルウェア対策／RDS・Lambda Protection／Detective調査／Security Lake集約／誤検知チューニング／コスト最適化／技術選定）

GuardDuty raised a Critical—but can you answer 'what happened, and how far did it spread'? Amazon Detective builds a behavior graph from CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs over up to a year, and visualizes root cause and blast radius. From pivoting off a finding, finding groups, Detective Investigation using IOCs, automated StartInvestigation via CLI/EventBridge, to aligning the organization's delegated administrators—we design the detect→investigate→respond investigation layer in real code based on the official documentation (June 2026).

Decompose Amazon GuardDuty's pricing per component and identify the dominant drivers (Runtime Monitoring vCPU-hours, CloudTrail management events, VPC Flow Logs). Explained with bash/Terraform: usage visualization with get-usage-statistics, bill prediction from the trial, selection of protection plans, and dispelling the misconception that suppression rules lower cost. Prices vary by region/revision — confirm them.

A production-design guide to GuardDuty EKS Protection. We explain the mechanism of detecting control-plane threats — RBAC grants to system:anonymous, cluster-admin tampering, exec in kube-system, privileged-container launches — with EKS audit logs. Because GuardDuty ingests audit logs in an independent stream, enabling EKS control-plane logging (CloudWatch) is unneeded. We organize finding types by ThreatPurpose with MITRE ATT&CK mapping, and show per-ThreatPurpose response, Terraform (EKS_AUDIT_LOGS) enablement, RBAC hardening, and SOAR integration in code. We also clarify the difference from Runtime Monitoring (the data plane).

A production-design guide to turning GuardDuty findings into automated incident response (SOAR) via EventBridge → Step Functions. Numeric severity matching, notify broadly / contain narrowly with an allowlist / human approval for destructive actions, EC2/IAM/S3/EKS playbooks, plus idempotency, DLQ, and least privilege—all explained in real code.

A thorough explanation of GuardDuty Extended Threat Detection (ETD) and attack-sequence (AttackSequence) findings. From the weak-signal correlation model, the 24-hour rolling window, the five attack-sequence types of IAM/S3/EKS/ECS/EC2, why they're all Critical (9.0–10.0), the correlation range that widens by protection plan, verification with sample generation, to the trap where a Suppression Rule ignores the archived — read it as a line with a real example of credential compromise → privilege escalation → S3 exfiltration.

A production design guide for auto-malware-scanning uploaded S3 objects with GuardDuty Malware Protection for S3. Explained with real Terraform / Python / bucket-policy code: the difference from the easily-confused 'S3 Protection (CloudTrail data-event monitoring),' the standalone operation mode used without GuardDuty itself (no detector ID = no finding generated), scan-result tags (GuardDutyMalwareScanStatus) and EventBridge events, and a secure upload pipeline that promotes only NO_THREATS_FOUND to a clean bucket and seals off reads with tag-based access control (TBAC).

An implementation guide for governing GuardDuty org-wide with AWS Organizations. In code: why you consolidate to a delegated administrator (a dedicated security account) rather than operating from the management account, migrating from the invitation method, why you set auto_enable_organization_members to ALL, org auto-enablement of protection plans, an all-Regions strategy that doesn't miss global service events, a Terraform multi-region implementation with provider alias / for_each, and the least-privilege boundaries between accounts.

An implementation guide for designing Amazon GuardDuty's RDS Protection and Lambda Protection for production. Directly monitor Aurora/RDS login anomalies (success, failure, brute force, malicious IPs, Tor), and detect crypto mining / C&C communication from the network activity of all Lambda functions (including non-VPC) — both agentless, zero infrastructure change, no code change. Explained per the official docs: supported engines, finding types, the up-to-two-week learning period, pricing and the 30-day free trial, Terraform enablement, and EventBridge automated response.

A production-operation guide for GuardDuty Runtime Monitoring. It explains, with Terraform/bash, how the eBPF agent observes OS-level processes, files, and networking from the inside, the three distribution surfaces EKS/ECS-Fargate/EC2 and automatic/manual management, coverage (Healthy/Unhealthy) confirmation, the VPC Flow Logs double-charge exemption, and the discipline of vCPU billing.

GuardDuty findings are strong on 'now' but unsuited to compliance long-term retention, cross-queries of finding × CloudTrail × VPC Flow, and SIEM supply. Amazon Security Lake builds a managed data lake of OCSF + Apache Parquet on your own S3, enabling years-span retention, SQL analysis, and SIEM integration. Centered on the decisive accuracy crux — Security Lake has no direct GuardDuty source, and findings are OCSF-ified via 'AWS Security Hub CSPM findings (SH_FINDINGS)' — I run through native sources, rollup Regions, the 2 subscriber types (query/data access), real Athena SQL, and Terraform implementation, based on the official documentation (June 2026).

A tuning implementation guide to suppressing Amazon GuardDuty's noise and false positives at production quality. We use the 3 tools — Suppression Rules (auto-archiving known noise), trusted IP/entity lists (not emitting findings from known legitimate sources), and threat lists (emitting findings from known malicious sources) — by a symptom→correct-tool mapping. A suppressed finding doesn't reach Security Hub/S3/Detective/EventBridge, nor does it become correlation material for Extended Threat Detection — we explain, in real Terraform/CLI code, the trap where too-broad suppression makes a Critical attack sequence wholly invisible, and the reactive, minimal-scope, IaC-centric operational rules.

GuardDuty (detect), Security Hub (aggregate and standard checks), Detective (investigate), Inspector (vulnerability), and Macie (data classification) are not competitors but complementary layers of defense-in-depth. Based on the official documentation (June 2026), this organizes each service's role, the data it handles, and its lifecycle position, and explains easily-confused differences, a technology-selection frame, and integration design with EventBridge/Security Hub.