Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, together with machine learning to identify unexpected and potentially unauthorized or malicious activity in your AWS environment. This can include issues such as privilege escalation, using public credentials, or communicating with a malicious IP address or domain. For example, GuardDuty can detect infected EC2 instances that serve malware or mine Bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments (for example, instances deployed in regions that have never been used) or unusual API calls (for example, changing password policies to reduce password strength).