
πŸ›‘οΈ AWS GuardDuty Detector Lambda Protection is not enabled🟒

  • Contextual name: 🛡️ Detector Lambda Protection is not enabled 🟢
  • ID: /ce/ca/aws/guardduty/detector-lambda-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This policy identifies AWS GuardDuty Detectors that do not have Lambda Protection enabled.

GuardDuty Lambda Protection monitors the Lambda network activity logs that are generated when a Lambda function in your account is invoked. Enabling this feature lets you detect potential security threats targeting your Lambda functions, such as a function whose network traffic reaches a known malicious endpoint.

Rationale​

Enabling GuardDuty Lambda Protection ensures continuous monitoring of network activity logs from your Lambda functions. This helps identify malicious or anomalous behavior, such as a function communicating with known malicious IP addresses or other suspicious network activity.

Impact​

GuardDuty incurs charges based on the volume of Lambda network activity log data (in GB) processed to generate findings. To optimize costs, GuardDuty applies intelligent filtering and analyzes only a relevant subset of logs necessary for effective threat detection.

Audit​

This policy flags an AWS GuardDuty detector as INCOMPLIANT if the LAMBDA_NETWORK_LOGS feature in the detector's configuration (the Features list returned by get-detector) has Status DISABLED. Detectors are regional, so the check applies to each region's detector separately.

Remediation

Enable Lambda Protection​

For Multi-Account Environments​

In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable Lambda Protection for member accounts within the organization. Member accounts cannot modify this configuration directly. In the commands below, {{detector-id}} is the detector ID of the delegated administrator account in the target region; because GuardDuty detectors are regional, repeat the change in every region you monitor.

From Command Line​
aws guardduty update-member-detectors \
--detector-id {{detector-id}} \
--account-ids {{account-id1}} {{account-id2}} \
--region {{region}} \
--features 'Name=LAMBDA_NETWORK_LOGS,Status=ENABLED'

The delegated administrator account manages member accounts using AWS Organizations and can choose to automatically enable Lambda network activity monitoring for all accounts as they join the organization.

aws guardduty update-organization-configuration \
--detector-id {{detector-id}} \
--region {{region}} \
--features 'Name=LAMBDA_NETWORK_LOGS,AutoEnable={{NEW | ALL}}'

For a Standalone Account​

If your account is not associated with a delegated GuardDuty administrator account through AWS Organizations, enable Lambda Protection directly from your account.
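The Audit check above and the choice between the member-account and standalone remediation paths, as an added Python example; this is not Cloudaware's policy code and not an AWS sample. It works on the dict that `aws guardduty get-detector` (boto3 `get_detector`) returns; the detector IDs and responses below are constructed, and `remediate` only touches AWS when you pass it a real boto3 GuardDuty client. It goes beyond the page's rule in two labelled ways: a detector with no LAMBDA_NETWORK_LOGS entry at all, and a detector whose own Status is DISABLED, are both reported INCOMPLIANT.

```python
"""Evaluate GuardDuty detectors for Lambda Protection and pick the remediation call.

Added example for this page; not Cloudaware or AWS code.
"""
from __future__ import annotations

FEATURE_NAME = "LAMBDA_NETWORK_LOGS"

# Constructed GetDetector responses keyed by (fake) detector ID; only the
# fields used below are included.
SAMPLE_DETECTORS = {
    "0123456789abcdef0123456789abcdef": {  # compliant
        "Status": "ENABLED",
        "Features": [
            {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"},
            {"Name": FEATURE_NAME, "Status": "ENABLED"},
        ],
    },
    "fedcba9876543210fedcba9876543210": {  # feature explicitly off
        "Status": "ENABLED",
        "Features": [{"Name": FEATURE_NAME, "Status": "DISABLED"}],
    },
    "00000000000000000000000000000001": {  # feature never configured
        "Status": "ENABLED",
        "Features": [],
    },
    "00000000000000000000000000000002": {  # detector itself suspended
        "Status": "DISABLED",
        "Features": [{"Name": FEATURE_NAME, "Status": "ENABLED"}],
    },
}


def lambda_protection_status(detector: dict) -> str:
    """Return the LAMBDA_NETWORK_LOGS status from a GetDetector response.

    A detector with no entry for the feature is reported as NOT_CONFIGURED
    (an assumption of this example; the page's rule only names DISABLED).
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE_NAME:
            return feature.get("Status", "DISABLED")
    return "NOT_CONFIGURED"


def evaluate(detector: dict) -> str:
    """COMPLIANT only if the detector is running and the feature is ENABLED.

    The detector-level Status check is stricter than the page's rule: a
    suspended detector produces no findings regardless of its features.
    """
    if detector.get("Status") != "ENABLED":
        return "INCOMPLIANT"
    return "COMPLIANT" if lambda_protection_status(detector) == "ENABLED" else "INCOMPLIANT"


def audit(detectors: dict) -> dict:
    """Map each detector ID to its verdict."""
    return {detector_id: evaluate(d) for detector_id, d in detectors.items()}


def remediation_call(detector_id: str, member_account_ids=None):
    """Choose the GuardDuty API and arguments that enable the feature.

    Inside an organization only the delegated administrator can change member
    accounts, through UpdateMemberDetectors with its own detector ID. A
    standalone account (or the administrator's own detector) uses UpdateDetector.
    """
    features = [{"Name": FEATURE_NAME, "Status": "ENABLED"}]
    if member_account_ids:
        return "update_member_detectors", {
            "DetectorId": detector_id,
            "AccountIds": list(member_account_ids),
            "Features": features,
        }
    return "update_detector", {"DetectorId": detector_id, "Features": features}


def remediate(client, detector_id: str, member_account_ids=None) -> list:
    """Apply the change with a boto3 GuardDuty client; return member accounts left unprocessed.

    UpdateMemberDetectors lists members it could not update in UnprocessedAccounts;
    UpdateDetector returns an empty response, so the list is empty for a standalone account.
    """
    api, kwargs = remediation_call(detector_id, member_account_ids)
    response = getattr(client, api)(**kwargs)
    return [u["AccountId"] for u in response.get("UnprocessedAccounts", [])]


if __name__ == "__main__":
    for detector_id, verdict in audit(SAMPLE_DETECTORS).items():
        status = lambda_protection_status(SAMPLE_DETECTORS[detector_id])
        print(f"{detector_id}  feature={status:<14} {verdict}")
    # Live use needs boto3 and credentials, e.g.:
    #   import boto3
    #   gd = boto3.client("guardduty", region_name="us-east-1")
    #   remediate(gd, my_detector_id)                            # standalone account
    #   remediate(gd, admin_detector_id, ["111111111111"])       # delegated administrator
```

Run it in every region that has a detector; the verdicts come from the response dict alone, so the same functions can be fed output captured with `aws guardduty get-detector` during an offline review.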



Linked Framework Sections

| Section | Counts (Sub Sections / Internal Rules / Policies / Flags) | Compliance |
|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.6] GuardDuty Lambda Protection should be enabled | 1 | no data |
| 💼 Cloudaware Framework → 💼 Threat Protection | 36 | no data |
| 💼 PCI DSS v3.2.1 → 💼 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. | 113 | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 113 | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | 13 | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | 13 | no data |
| 💼 PCI DSS v4.0 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 1813 | no data |
| 💼 PCI DSS v4.0 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | 813 | no data |
| 💼 PCI DSS v4.0 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | 13 | no data |