AWS threat detection refers to identifying and prioritizing malicious or suspicious activity in AWS by analyzing cloud telemetry for signs of attacker behavior. Rather than evaluating single events in isolation, this approach examines what an actor is doing across identities, roles, and services. With 80% of organizations experiencing at least one cloud security breach in the past year and public cloud incidents averaging $5.17 million per breach, the stakes for effective AWS threat detection continue to grow.
AWS environments generate large volumes of logs and metadata that are difficult to interpret independently. Connecting this telemetry into behavioral signals helps reveal attacker movement through a cloud attack lifecycle, which matters because uncorrelated activity can delay investigation and response.
In practice, AWS threat detection links related actions into behavioral patterns that can be investigated and prioritized. Rather than treating cloud telemetry as a collection of unrelated alerts, it interprets activity as evidence of a possible attack sequence. This distinction matters because many AWS actions are technically legitimate while still representing abuse of access, roles, or services.
Activity types that reveal intent across time and services:
AWS provides several native security services that form the foundation of a cloud threat detection strategy. Understanding what each tool does — and where gaps remain — helps teams build effective detection coverage.
Amazon GuardDuty is the primary AWS threat detection service. It continuously analyzes CloudTrail management events, VPC Flow Logs, DNS query logs, and runtime telemetry using machine learning, anomaly detection, and integrated threat intelligence. In December 2025, AWS launched Extended Threat Detection for EC2 and ECS, which uses AI/ML to correlate signals across multiple data sources and map multi-stage attack sequences to MITRE ATT&CK tactics.
Security Hub aggregates findings from GuardDuty, Amazon Inspector, AWS Config, and third-party tools into a unified dashboard. It provides compliance checks against standards like CIS AWS Foundations and supports automated remediation through integrations with AWS Lambda and Amazon EventBridge.
Detective complements GuardDuty by providing deeper investigative analysis. When GuardDuty identifies a high-severity finding, Detective helps trace the origin, scope, and relationships of the suspicious activity across resources.
Table: AWS native threat detection services compared
These native tools provide essential coverage, but they focus on activity within AWS. Attacks that start outside AWS — through compromised identity providers, on-premises networks, or SaaS applications — require additional correlation across hybrid environments to detect the full attack chain.
Log-centric monitoring in AWS often fails to expose attacker behavior because events are analyzed as standalone records. Attribution frequently stops at the most recent role or temporary credential, causing investigations to focus on the wrong abstraction. As a result, defenders may not identify the original actor in time to contain activity before impact.
Failure modes when AWS activity is evaluated as isolated events:
Understanding how attackers move through AWS requires looking beyond individual service actions. Behavior-focused detection highlights progression patterns, such as role chaining, logging evasion, and lateral service access, that can appear legitimate when viewed in isolation.
Progression patterns:
Not all signals in AWS carry equal investigative value. Detection efforts prioritize indicators that reflect abnormal or multi-step behavior tied to a specific actor. Early indicators may be subtle and distributed, while late-stage signals often surface only after meaningful damage has occurred.
Key signals:
Recent incidents illustrate why behavioral detection matters more than log-level monitoring alone.
The Codefinger ransomware group exploited compromised AWS credentials to encrypt S3 data using server-side encryption with customer-provided keys (SSE-C). Because the attackers used legitimate AWS encryption features rather than malware, traditional signature-based detection tools missed the activity. Only behavioral monitoring — detecting unusual bulk encryption operations tied to a suspicious credential chain — could surface the attack before data became unrecoverable.
Amazon Threat Intelligence documented a campaign in which a Russian-speaking financially motivated threat actor used commercial generative AI services to compromise over 600 FortiGate devices across 55+ countries between January 11 and February 18, 2026. The attackers leveraged AI to scale their operations, demonstrating that AI-augmented threats are accelerating attack volume for both skilled and unskilled adversaries.
In February 2026, a threat actor exploited an unpatched React frontend application running on AWS to gain initial access, then abused an over-permissive ECS task role with broad read access to AWS Secrets Manager. This enabled exfiltration of Redshift credentials, VPC maps, and millions of database records. The incident mapped to MITRE ATT&CK techniques including T1190 (exploit public-facing application), T1078 (valid accounts), and T1530 (data from cloud storage object) — underscoring why monitoring identity and role behavior is essential for AWS threat detection.
These incidents share a pattern: attackers used legitimate AWS mechanisms (encryption features, valid roles, temporary credentials) to carry out malicious activity that looked normal at the event level but revealed itself only through behavioral analysis.
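To make that correlation concrete, here is an added Python sketch (not code from the page or from any vendor) that resolves each CloudTrail record to the principal that started the AssumeRole chain and then flags an actor whose attributed activity combines role chaining, logging tampering and bulk SSE-C object rewrites, the pattern described for the Codefinger case. The records, ARNs, access key ids and the SSE-C request field name are constructed assumptions, and the records are simplified relative to real CloudTrail output.

```python
from collections import defaultdict
# Constructed, simplified CloudTrail records (not real telemetry): one IAM user
# chains two roles, stops the trail, then rewrites 25 objects with SSE-C.
def _rec(name, arn, key, **extra):
    return {"eventName": name, "userIdentity": {"arn": arn, "accessKeyId": key}, **extra}

USER = "arn:aws:iam::111122223333:user/dev-alice"
ROLE1 = "arn:aws:sts::111122223333:assumed-role/build-role/s1"
ROLE2 = "arn:aws:sts::111122223333:assumed-role/data-admin/s2"
SSEC = "x-amz-server-side-encryption-customer-algorithm"  # SSE-C request header (assumed field name)
RECORDS = [
    _rec("AssumeRole", USER, "AKIAEXAMPLE1", responseElements={"credentials": {"accessKeyId": "ASIA0001"}}),
    _rec("AssumeRole", ROLE1, "ASIA0001", responseElements={"credentials": {"accessKeyId": "ASIA0002"}}),
    _rec("StopLogging", ROLE2, "ASIA0002", requestParameters={"name": "org-trail"}),
] + [_rec("CopyObject", ROLE2, "ASIA0002", requestParameters={"bucketName": "finance-data", SSEC: "AES256"})
     for _ in range(25)]
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def credential_parents(records):
    # Map each temporary key issued by AssumeRole to the identity (arn, key) that requested it.
    return {r["responseElements"]["credentials"]["accessKeyId"]:
            (r["userIdentity"]["arn"], r["userIdentity"]["accessKeyId"])
            for r in records if r["eventName"] == "AssumeRole"}

def root_actor(record, parents):
    # Walk the AssumeRole chain backwards from the key on this event to the original principal.
    arn, key, depth = record["userIdentity"]["arn"], record["userIdentity"]["accessKeyId"], 0
    while key in parents:
        arn, key = parents[key]
        depth += 1
    return arn, depth

def detect_sequences(records, min_ssec_writes=10):
    # Attribute every event to its root actor, then flag multi-stage patterns per actor.
    parents = credential_parents(records)
    stats = defaultdict(lambda: {"depth": 0, "tamper": 0, "ssec": 0})
    for r in records:
        actor, depth = root_actor(r, parents)
        s = stats[actor]
        s["depth"] = max(s["depth"], depth)
        s["tamper"] += r["eventName"] in LOGGING_TAMPER          # bool counts as 0/1
        s["ssec"] += SSEC in r.get("requestParameters", {})      # SSE-C write by this actor
    findings = []
    for actor, s in stats.items():
        stages = (([f"role-chaining(depth={s['depth']})"] if s["depth"] >= 2 else [])
                  + (["logging-evasion"] if s["tamper"] else [])
                  + ([f"bulk-sse-c-writes({s['ssec']})"] if s["ssec"] >= min_ssec_writes else []))
        if len(stages) >= 2:  # two or more stages tied to one root actor form a sequence worth triage
            findings.append({"actor": actor, "stages": stages})
    return findings
```

Evaluated record by record, every StopLogging and CopyObject above belongs to the data-admin session; only after walking the chain do they all attribute to dev-alice.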
Detecting threats in AWS still has its limits. While threat detection can identify suspicious behavior, it does not by itself prevent or remediate cloud security risk, so teams still need response workflows and analyst judgment. Confusing detection with prevention can create blind spots that delay containment.
Table: Misconceptions vs. corrections
Several trends are reshaping how organizations approach threat detection in AWS environments.
Supporting AWS threat detection requires understanding attacker behavior across identity, network, and cloud activity as a single continuum. The Vectra AI Platform approaches this problem by correlating actions instead of treating AWS events as isolated alerts, which reduces uncertainty when roles, temporary credentials, and multi-service activity obscure attribution. Vectra AI's Cloud Detection and Response (CDR) for AWS extends detection beyond native tools by analyzing behaviors across hybrid attack surfaces.
Platform capabilities:
CloudTrail monitoring records individual events, whereas AWS threat detection aims to connect events across identities, roles, services, and time to reveal attacker behavior. Isolated log events can show what happened, but they often do not show intent or progression, especially when attackers use temporary credentials and assumed roles. The practical difference is investigative: threat detection prioritizes multi-step behavior patterns that can be attributed and acted on, instead of leaving analysts to manually assemble the narrative from raw logs.
No. AWS threat detection does not prevent or remediate architectural or configuration issues by itself. Misconfiguration management focuses on identifying insecure settings and exposure conditions, while threat detection focuses on identifying malicious or suspicious activity that occurs within an AWS environment. Confusing these functions matters because teams may assume detection replaces configuration security, leaving primary entry points unaddressed while expecting threat detection to compensate.
Identity and roles are central because attackers often operate using legitimate access mechanisms after initial compromise, including assumed roles and temporary credentials. Actions can appear valid at the API level even when they represent abuse, so attribution becomes essential to understand who initiated a sequence and whether that sequence aligns with expected behavior. This matters because role chaining can obscure the original actor, and investigations can fail if they stop at the last temporary role used.
Multi-step behavior that uses legitimate AWS mechanisms is hardest to detect when evaluated event-by-event. Role chaining, temporary credential sequences, and actions that appear normal in isolation often require correlation across services and identities to become meaningful. These patterns are difficult because they can be distributed across multiple AWS services and time windows, and because the last credential used may not reflect the original actor. This matters because subtle early-stage behavior can be missed until late-stage indicators emerge.
Yes, but only when the approach connects activity across environments instead of treating AWS as an isolated domain. Hybrid attacks can originate through compromised laptops or identity providers and later pivot into AWS using trusted identity relationships and assumed roles. Without correlation across identity and related telemetry, AWS activity may appear disconnected from the initial compromise path. This matters because defenders need to understand how cloud actions relate to earlier access to correctly scope response and attribution.
Amazon GuardDuty performs active threat detection by analyzing CloudTrail events, VPC Flow Logs, and DNS logs using machine learning to identify malicious behavior. AWS Security Hub is a centralized findings aggregator that collects and prioritizes alerts from GuardDuty, Amazon Inspector, AWS Config, and third-party tools. GuardDuty detects threats. Security Hub organizes and manages them. Most organizations use both together — GuardDuty as the detection engine and Security Hub as the operational dashboard for prioritizing response across accounts and regions.
Start with Amazon GuardDuty enabled across all AWS accounts and all regions — including regions not actively in use, since attackers target unmonitored regions for activities like cryptomining. Feed GuardDuty findings into AWS Security Hub for centralized visibility. Add Amazon Detective for investigating high-severity findings. Then configure EventBridge rules with Lambda functions to automate responses to critical alerts. This layered approach provides detection, aggregation, investigation, and automated response.
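The first step of that layered approach, as an added example that is not from the page or from AWS: a Python audit that walks every region, including opt-in regions that were never enabled, and reports where a GuardDuty detector is missing or disabled, optionally creating one. The boto3 calls used by live_client are real; the fake clients, region states and detector ids are constructed so the audit can be exercised offline.

```python
try:
    import boto3  # only needed by live_client(); the audit itself is client-agnostic
except ImportError:
    boto3 = None
def live_client(service, region):
    # Real AWS client factory; assumes credentials are available in the environment.
    return boto3.client(service, region_name=region)

def audit_guardduty_coverage(client_factory, enable_missing=False):
    """Check every region, including unused ones, for an enabled GuardDuty detector.
    Returns lists keyed enabled/missing/disabled/not_opted_in; enable_missing creates missing detectors."""
    ec2 = client_factory("ec2", "us-east-1")  # any region works for describe_regions
    report = {"enabled": [], "missing": [], "disabled": [], "not_opted_in": []}
    for region in ec2.describe_regions(AllRegions=True)["Regions"]:
        name = region["RegionName"]
        if region["OptInStatus"] == "not-opted-in":
            report["not_opted_in"].append(name)  # opt-in regions cannot host a detector until enabled
            continue
        gd = client_factory("guardduty", name)
        ids = gd.list_detectors()["DetectorIds"]
        if not ids:
            if enable_missing:
                gd.create_detector(Enable=True)
            report["missing"].append(name)
            continue
        status = gd.get_detector(DetectorId=ids[0])["Status"]
        report["enabled" if status == "ENABLED" else "disabled"].append(name)
    return report

# Constructed fake clients (not AWS) so the audit can run offline: one region with a
# detector, one without, and one opt-in region that was never enabled.
class _FakeEC2:
    def describe_regions(self, AllRegions=False):
        return {"Regions": [{"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
                            {"RegionName": "eu-west-3", "OptInStatus": "opt-in-not-required"},
                            {"RegionName": "af-south-1", "OptInStatus": "not-opted-in"}]}

FAKE_STATE = {"us-east-1": {"DetectorIds": ["det-example-1"], "Status": "ENABLED"},  # constructed ids
              "eu-west-3": {"DetectorIds": [], "Status": None}}

class _FakeGuardDuty:
    def __init__(self, region): self.region = region
    def list_detectors(self): return {"DetectorIds": FAKE_STATE[self.region]["DetectorIds"]}
    def get_detector(self, DetectorId): return {"Status": FAKE_STATE[self.region]["Status"]}
    def create_detector(self, Enable):
        FAKE_STATE[self.region].update(DetectorIds=["det-new"], Status="ENABLED" if Enable else "DISABLED")
        return {"DetectorId": "det-new"}

def fake_client(service, region):
    return _FakeEC2() if service == "ec2" else _FakeGuardDuty(region)
```

Run the same audit per member account (or via the delegated GuardDuty administrator) to cover the "all accounts" half of the recommendation.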
Threat actors increasingly use commercial generative AI services to scale their attacks against cloud infrastructure. In early 2026, Amazon Threat Intelligence documented a campaign where attackers used AI to compromise over 600 network devices across 55+ countries, then pivoted into cloud environments. AI helps attackers automate reconnaissance, generate exploit code, and identify misconfigurations faster than manual methods allow. This trend makes behavioral detection more important because AI-augmented attacks generate higher volumes of activity that can overwhelm rule-based detection systems.
Extended Threat Detection is a capability launched in December 2025 that uses AI and machine learning to identify multi-stage attack sequences across AWS services. Instead of generating separate findings for each suspicious event, it correlates signals — such as credential abuse, privilege escalation, and data exfiltration — into a single attack sequence mapped to MITRE ATT&CK tactics. This reduces triage time by showing the full attack story rather than leaving analysts to manually connect individual findings.