AWS threat detection refers to identifying and prioritizing malicious or suspicious activity in AWS by analyzing cloud telemetry for signs of attacker behavior. Rather than evaluating single events in isolation, this approach examines what an actor is doing across identities, roles, and services. With 80% of organizations experiencing at least one cloud security breach in the past year and public cloud incidents averaging $5.17 million per breach, the stakes for effective AWS threat detection continue to grow.
AWS environments generate large volumes of logs and metadata that are difficult to interpret independently. Connecting this telemetry into behavioral signals helps reveal attacker movement through a cloud attack lifecycle, which matters because uncorrelated activity can delay investigation and response.
In practice, AWS threat detection links related actions together as behavior, which makes investigation and prioritization possible. Rather than treating cloud telemetry as a collection of unrelated alerts, it interprets activity as evidence of a potential attack sequence. This distinction matters because many AWS actions are technically legitimate operations yet may represent misuse of access rights, roles, and services.
Activity types that reveal intent across time and services:
AWS provides several native security services that form the foundation of a cloud threat detection strategy. Understanding what each tool does — and where gaps remain — helps teams build effective detection coverage.
Amazon GuardDuty is the primary AWS threat detection service. It continuously analyzes CloudTrail management events, VPC Flow Logs, DNS query logs, and runtime telemetry using machine learning, anomaly detection, and integrated threat intelligence. In December 2025, AWS launched Extended Threat Detection for EC2 and ECS, which uses AI/ML to correlate signals across multiple data sources and map multi-stage attack sequences to MITRE ATT&CK tactics.
Security Hub aggregates findings from GuardDuty, Amazon Inspector, AWS Config, and third-party tools into a unified dashboard. It provides compliance checks against standards like CIS AWS Foundations and supports automated remediation through integrations with AWS Lambda and Amazon EventBridge.
Detective complements GuardDuty by providing deeper investigative analysis. When GuardDuty identifies a high-severity finding, Detective helps trace the origin, scope, and relationships of the suspicious activity across resources.
Table: AWS native threat detection services compared
These native tools provide essential coverage, but they focus on activity within AWS. Attacks that start outside AWS — through compromised identity providers, on-premises networks, or SaaS applications — require additional correlation across hybrid environments to detect the full attack chain.
Log-centric monitoring in AWS often fails to expose attacker behavior because events are analyzed as standalone records. Attribution frequently stops at the most recent role or temporary credential, causing investigations to focus on the wrong abstraction. As a result, defenders may not identify the original actor in time to contain activity before impact.
Failure modes when AWS activity is evaluated as isolated events:
Understanding how attackers move through AWS requires looking beyond individual service actions. Behavior-focused detection highlights progression patterns, such as role chaining, logging evasion, and lateral service access, that can appear legitimate when viewed in isolation.
Progression patterns:
Not every signal within AWS carries the same investigative value. Detection efforts prioritize indicators that reflect anomalous or multi-stage behavior tied to a specific actor. Early-stage indicators may be subtle and dispersed, whereas late-stage signals often surface only after significant damage has already occurred.
Key signals:
Recent incidents illustrate why behavioral detection matters more than log-level monitoring alone.
The Codefinger ransomware group exploited compromised AWS credentials to encrypt S3 data using server-side encryption with customer-provided keys (SSE-C). Because the attackers used legitimate AWS encryption features rather than malware, traditional signature-based detection tools missed the activity. Only behavioral monitoring — detecting unusual bulk encryption operations tied to a suspicious credential chain — could surface the attack before data became unrecoverable.
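The bulk SSE-C signal described above, as an added example that is not part of the original page or any vendor product: a sliding-window check over constructed CloudTrail S3 data-event records (field layout assumed to approximate CloudTrail's `additionalEventData.SSEApplied`; such records exist only when S3 data-event logging is enabled on the trail).

```python
"""Flag bursts of SSE-C object writes per credential in CloudTrail S3 data events.
Added illustration, not the page author's or any vendor's code. Sample records are
constructed; the field layout approximates CloudTrail S3 data events, which only
exist if S3 data-event logging is enabled on the trail."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _rec(time: str, key: str, bucket: str, obj: str, sse: str) -> dict:
    """Build one constructed CopyObject record in CloudTrail-like shape."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"bucketName": bucket, "key": obj},
            "additionalEventData": {"SSEApplied": sse}}

# Constructed: a temporary key re-encrypts 12 objects with SSE-C in under four minutes,
# while a CI key does routine SSE-KMS writes that must not trigger.
BASE = datetime(2026, 1, 15, 3, 0, tzinfo=timezone.utc)
SAMPLE = [_rec((BASE + timedelta(seconds=20 * i)).isoformat(), "ASIAEXAMPLETEMPB02",
               "prod-backups", f"db/part-{i:03d}.gz", "SSE_C") for i in range(12)]
SAMPLE += [_rec((BASE + timedelta(minutes=i)).isoformat(), "AKIAEXAMPLECICD001",
                "app-assets", f"img/{i}.png", "SSE_KMS") for i in range(3)]

def sse_c_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Return one alert per credential that wrote >= threshold SSE-C objects
    inside any sliding window of `window`; bulk SSE-C is the Codefinger signal."""
    by_key = defaultdict(list)
    for ev in events:
        if (ev.get("eventSource") == "s3.amazonaws.com"
                and ev.get("eventName") in ("PutObject", "CopyObject")
                and ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"):
            by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]["eventTime"]) - _ts(evs[start]["eventTime"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"accessKeyId": key, "count": len(evs),
                               "temporary_credential": key.startswith("ASIA"),
                               "buckets": sorted({e["requestParameters"]["bucketName"] for e in evs})})
                break  # one alert per key; pivot to the role chain for attribution
    return alerts
```

Tune `window` and `threshold` to the account's normal SSE-C usage; an alert on a temporary (ASIA) key is the cue to trace the credential chain rather than stop at the key itself.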
Amazon Threat Intelligence documented a campaign in which a Russian-speaking financially motivated threat actor used commercial generative AI services to compromise over 600 FortiGate devices across 55+ countries between January 11 and February 18, 2026. The attackers leveraged AI to scale their operations, demonstrating that AI-augmented threats are accelerating attack volume for both skilled and unskilled adversaries.
In February 2026, a threat actor exploited an unpatched React frontend application running on AWS to gain initial access, then abused an over-permissive ECS task role with broad read access to AWS Secrets Manager. This enabled exfiltration of Redshift credentials, VPC maps, and millions of database records. The incident mapped to MITRE ATT&CK techniques including T1190 (exploit public-facing application), T1078 (valid accounts), and T1530 (data from cloud storage object) — underscoring why monitoring identity and role behavior is essential for AWS threat detection.
These incidents share a pattern: attackers used legitimate AWS mechanisms (encryption features, valid roles, temporary credentials) to carry out malicious activity that looked normal at the event level but revealed itself through behavioral analysis.
Threat detection in AWS still has limits. While it can identify suspicious behavior, threat detection does not automatically prevent or remediate cloud security risk, so teams must still rely on response workflows and analyst judgment. Confusing detection with prevention can create blind spots that delay containment.
Table: Misconceptions vs. corrections
Several trends are reshaping how organizations approach threat detection in AWS environments.
Supporting AWS threat detection requires understanding attacker behavior across identity, network, and cloud activity as a single continuum. The Vectra AI Platform approaches this problem by correlating actions instead of treating AWS events as isolated alerts, which reduces uncertainty when roles, temporary credentials, and multi-service activity obscure attribution. Vectra AI's Cloud Detection and Response (CDR) for AWS extends detection beyond native tools by analyzing behaviors across hybrid attack surfaces.
Platform capabilities:
CloudTrail monitoring records individual events, whereas AWS threat detection aims to correlate events across identities, roles, services, and time to reveal attacker behavior. An isolated log event can show what happened, but it rarely shows intent or progression, especially when attackers rely on temporary credentials or role hijacking. The practical difference lies in the investigation method: threat detection prioritizes attributable, actionable multi-stage behavior patterns instead of forcing analysts to assemble the story by hand from raw logs.
No. AWS threat detection does not by itself prevent or fix architectural or configuration problems. Misconfiguration management focuses on identifying insecure settings and exposures, whereas threat detection focuses on identifying malicious or suspicious activity occurring within the AWS environment. Conflating the two is a serious problem, because teams may mistakenly believe detection replaces configuration security and expect threat detection to compensate for primary intrusion paths that were never addressed.
Identities and roles play a central part because, after an initial compromise, attackers often operate through legitimate access mechanisms such as assumed roles and temporary credentials. An action can look valid at the API level even when it indicates misuse, so attribution is essential for understanding who initiated a sequence and whether that sequence matches expected behavior. This matters because role chaining can obscure the original attacker, and an investigation that stops at the last temporary role used can fail.
Multi-stage behavior that uses legitimate AWS mechanisms is the hardest to detect when evaluated event by event. Role chaining, sequences of temporary credentials, and actions that look normal on their own often carry no meaning without correlation across services and identities. These patterns are hard to detect because they may be spread across multiple AWS services and time windows, and the last credential used may not reflect the original attacker. This matters because subtle early-stage behavior can be missed until late-stage symptoms appear.
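The role-chaining attribution problem raised in the "Failure modes" and "Progression patterns" discussion above and in the two answers just given, as an added example that is not code from the page or any vendor product: walking CloudTrail `AssumeRole` issuance records from the last temporary key back to the principal that started the chain. Records are constructed in CloudTrail-like shape (account ids, role names and key ids are made up), and only `AssumeRole` is handled; federated variants such as `AssumeRoleWithSAML` would need the same indexing.

```python
"""Reconstruct an AWS role chain from CloudTrail AssumeRole events.
Added illustration, not the page author's or any vendor's code. Records are
constructed in CloudTrail-like shape; account ids, roles and key ids are made up."""

# Constructed: a long-term user key assumes RoleA; RoleA's temporary key assumes
# RoleB; the final Secrets Manager read is made with RoleB's key, which is where
# attribution stops if only the last credential is examined.
EVENTS = [
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEUSER001",
                      "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/RoleA"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLETEMPA01"}}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMPA01",
                      "arn": "arn:aws:sts::111122223333:assumed-role/RoleA/s1"},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/RoleB"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLETEMPB02"}}},
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMPB02",
                      "arn": "arn:aws:sts::444455556666:assumed-role/RoleB/s2"}},
]

def index_issuance(events: list) -> dict:
    """Map every temporary key STS handed out to the identity that requested it."""
    issued = {}
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        temp_key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        if temp_key:
            issued[temp_key] = ev["userIdentity"]
    return issued

def trace_origin(event: dict, issued: dict, max_hops: int = 20) -> list:
    """Follow the key used in `event` back through each AssumeRole that issued it.
    Returns ARNs ordered origin -> ... -> the identity that performed `event`.
    The walk stops at a long-term key, a key with no issuance record, or a loop."""
    chain = [event["userIdentity"]["arn"]]
    key = event["userIdentity"].get("accessKeyId")
    seen = set()
    while key in issued and key not in seen and len(chain) <= max_hops:
        seen.add(key)
        caller = issued[key]
        chain.append(caller["arn"])
        key = caller.get("accessKeyId")
    chain.reverse()
    return chain
```

Cross-account hops (RoleB lives in a second account here) only resolve if the issuing account's CloudTrail is also in the indexed set, which is why organization-wide trails matter for attribution.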
Yes, but it requires an approach that links activity across environments rather than treating AWS as an isolated domain. A hybrid attack may begin on a compromised laptop or identity provider and then enter AWS through trusted identity relationships and assumed roles. Without correlating identity and related telemetry, AWS activity can appear disconnected from the initial compromise path. This matters because defenders need to understand how cloud actions relate to earlier access in order to scope response and attribution properly.
Amazon GuardDuty performs active threat detection by analyzing CloudTrail events, VPC Flow Logs, and DNS logs using machine learning to identify malicious behavior. AWS Security Hub is a centralized findings aggregator that collects and prioritizes alerts from GuardDuty, Amazon Inspector, AWS Config, and third-party tools. GuardDuty detects threats. Security Hub organizes and manages them. Most organizations use both together — GuardDuty as the detection engine and Security Hub as the operational dashboard for prioritizing response across accounts and regions.
Start with Amazon GuardDuty enabled across all AWS accounts and all regions — including regions not actively in use, since attackers target unmonitored regions for activities like cryptomining. Feed GuardDuty findings into AWS Security Hub for centralized visibility. Add Amazon Detective for investigating high-severity findings. Then configure EventBridge rules with Lambda functions to automate responses to critical alerts. This layered approach provides detection, aggregation, investigation, and automated response.
Threat actors increasingly use commercial generative AI services to scale their attacks against cloud infrastructure. In early 2026, Amazon Threat Intelligence documented a campaign where attackers used AI to compromise over 600 network devices across 55+ countries, then pivoted into cloud environments. AI helps attackers automate reconnaissance, generate exploit code, and identify misconfigurations faster than manual methods allow. This trend makes behavioral detection more important because AI-augmented attacks generate higher volumes of activity that can overwhelm rule-based detection systems.
Extended Threat Detection is a capability launched in December 2025 that uses AI and machine learning to identify multi-stage attack sequences across AWS services. Instead of generating separate findings for each suspicious event, it correlates signals — such as credential abuse, privilege escalation, and data exfiltration — into a single attack sequence mapped to MITRE ATT&CK tactics. This reduces triage time by showing the full attack story rather than leaving analysts to manually connect individual findings.