This is a really good addition. AWS has all this data, so it's good to see they're putting it to good use. We had just launched a service called CloudSploit Events [1] that does much the same thing, but I think now we'll be able to treat this as an additional data source to build out our report data using the machine-learning and vast expertise of AWS.

[1] https://cloudsploit.com/events
The pricing page https://aws.amazon.com/guardduty/pricing/ is a bit confusing.

"First 500 GB / month, $1.00". Not bad! <Looks at pricing example>. Oh... $1.00/GB :)

On the other hand, 250GB of only VPC flow logs sounds really high to me, for the "small" environment example.
Just enabled it for our account (incredibly easy, single-button activation), and by morning we had results showing some minor vulnerabilities in our public subnets that we were able to patch immediately. Highly recommend.
Can anyone explain how this works? They're scanning logs of what? Suspicious interaction of a service, or suspicious command line fu? You know, for science.