🛡️ AWS GuardDuty is not enabled in all regions🟢

Contextual name: 🛡️ GuardDuty is not enabled in all regions🟢
ID: /ce/ca/aws/guardduty/detector-not-enabled-in-all-regions
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Account
- 🔌 AWS Account Region - object.extracts.yaml
- 🔌 AWS GuardDuty Detector - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [GuardDuty.1] GuardDuty should be enabled

Description

Description

This policy identifies whether AWS GuardDuty is enabled in all active AWS regions for an AWS Account.

AWS GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious or unauthorized activity, providing detailed security findings to support timely remediation.

Rationale

Enabling GuardDuty in all regions is a security best practice. Adversaries may exploit unused or unmonitored regions to launch resources or conduct malicious activities undetected. Enabling GuardDuty across all regions ensures comprehensive visibility and consistent threat detection, reducing the risk of security blind spots.

Impact

If GuardDuty is not enabled in all regions, critical security findings—such as indicators of unauthorized access, compromised instances, or reconnaissance attempts, may be missed in unmonitored regions. This can delay incident response and increase the impact of potential breaches.

Enabling GuardDuty in all regions incurs costs based on the volume of AWS CloudTrail events, VPC Flow Logs, and DNS query logs analyzed.

... see more

Remediation

Open File

Remediation

Enable GuardDuty in a Region

From Command Line

To enable GuardDuty in a specific region, run the following command, replacing {{region}} with the target region:
```
aws guardduty create-detector --enable --region {{region}}
```

To enable GuardDuty in all available AWS regions, you can use the following shell script:

#!/bin/bash
set -e

REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)

if [ -z "$REGIONS" ]; then
    echo "Error: Unable to retrieve AWS regions"
    exit 1
fi

for region in $REGIONS; do
    echo "Checking GuardDuty in region: $region"
    
    # Get detector ID for the region
    DETECTOR_ID=$(aws guardduty list-detectors --region "$region" --query "DetectorIds[0]" --output text)
    
    if [ "$DETECTOR_ID" == "None" ] || [ -z "$DETECTOR_ID" ]; then
        echo "GuardDuty not found in $region. Enabling..."
        
        if aws guardduty create-detector --enable --region "$region"; then

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.1] GuardDuty should be enabled			1	no data
💼 AWS Well-Architected → 💼 SEC04-BP03 Correlate and enrich security alerts			2	no data
💼 AWS Well-Architected → 💼 SEC04-BP04 Initiate remediation for non-compliant resources			2	no data
💼 AWS Well-Architected → 💼 SEC05-BP03 Implement inspection-based protection			3	no data
💼 AWS Well-Architected → 💼 SEC05-BP04 Automate network protection			1	no data
💼 Cloudaware Framework → 💼 Threat Protection			36	no data
💼 FedRAMP High Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)		1	2	no data
💼 FedRAMP High Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			3	no data
💼 FedRAMP High Security Controls → 💼 AU-6(5) Integrated Analysis of Audit Records (H)			2	no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		13	no data
💼 FedRAMP High Security Controls → 💼 CM-8(3) Automated Unauthorized Component Detection (M)(H)			1	no data
💼 FedRAMP High Security Controls → 💼 SA-11(1) Static Code Analysis (M)(H)			1	no data
💼 FedRAMP High Security Controls → 💼 SC-5 Denial-of-service Protection (L)(M)(H)			1	no data
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	14	50	56	no data
💼 FedRAMP High Security Controls → 💼 SI-4(1) System-wide Intrusion Detection System (M)(H)		1	2	no data
💼 FedRAMP High Security Controls → 💼 SI-4(2) Automated Tools and Mechanisms for Real-time Analysis (M)(H)			1	no data
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)		6	8	no data
💼 FedRAMP High Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			2	no data
💼 FedRAMP High Security Controls → 💼 SI-4(22) Unauthorized Network Services (H)			1	no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		13	no data
💼 FedRAMP Low Security Controls → 💼 SC-5 Denial-of-service Protection (L)(M)(H)			1	no data
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)			8	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)			2	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			3	no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		13	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-8(3) Automated Unauthorized Component Detection (M)(H)			1	no data
💼 FedRAMP Moderate Security Controls → 💼 SA-11(1) Static Code Analysis (M)(H)			1	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-5 Denial-of-service Protection (L)(M)(H)			1	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	7		10	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(1) System-wide Intrusion Detection System (M)(H)			2	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(2) Automated Tools and Mechanisms for Real-time Analysis (M)(H)			1	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)			8	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			2	no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			35	no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			50	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			150	no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			13	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85	no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			35	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			149	no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			26	no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			40	no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			41	no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			31	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			31	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			164	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			140	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			156	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			103	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration		1	3	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(5) Audit Record Review, Analysis, and Reporting _ Integrated Analysis of Audit Records			2	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		13	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-8(3) System Component Inventory _ Automated Unauthorized Component Detection			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 RA-3(4) Risk Assessment _ Predictive Cyber Analytics			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-8(19) Security and Privacy Engineering Principles _ Continuous Protection			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-8(21) Security and Privacy Engineering Principles _ Self-analysis			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-8(25) Security and Privacy Engineering Principles _ Economic Security			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-11(1) Developer Testing and Evaluation _ Static Code Analysis			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-11(6) Developer Testing and Evaluation _ Attack Surface Reviews			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-15(2) Development Process, Standards, and Tools _ Security and Privacy Tracking Tools			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-15(8) Development Process, Standards, and Tools _ Reuse of Threat and Vulnerability Information			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5 Denial-of-service Protection	3		12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(1) Denial-of-service Protection _ Restrict Ability to Attack Other Systems			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(3) Denial-of-service Protection _ Detection and Monitoring			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			6	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring	25	1	10	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(1) System Monitoring _ System-wide Intrusion Detection System			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(2) System Monitoring _ Automated Tools and Mechanisms for Real-time Analysis			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(4) System Monitoring _ Inbound and Outbound Communications Traffic		1	2	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(5) System Monitoring _ System-generated Alerts			2	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(13) System Monitoring _ Analyze Traffic and Event Patterns			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(22) System Monitoring _ Unauthorized Network Services			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(25) System Monitoring _ Optimize Network Traffic Analysis			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-20 Tainting			2	no data
💼 PCI DSS v3.2.1 → 💼 11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.			1	no data
💼 PCI DSS v3.2.1 → 💼 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.		1	13	no data
💼 PCI DSS v3.2.1 → 💼 11.5.1 Implement a process to respond to any alerts generated by the change detection solution.			1	no data
💼 PCI DSS v3.2.1 → 💼 12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.			1	no data
💼 PCI DSS v4.0.1 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.	1		13	no data
💼 PCI DSS v4.0.1 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.			13	no data
💼 PCI DSS v4.0.1 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed.			13	no data
💼 PCI DSS v4.0.1 → 💼 12.10.5 The security incident response plan includes monitoring and responding to alerts from security monitoring systems.			1	no data
💼 PCI DSS v4.0 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.	1	8	13	no data
💼 PCI DSS v4.0 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.		8	13	no data
💼 PCI DSS v4.0 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed.			13	no data
💼 PCI DSS v4.0 → 💼 12.10.5 The security incident response plan includes monitoring and responding to alerts from security monitoring systems.			1	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

Enable GuardDuty in a Region​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Impact

Remediation

Remediation

Enable GuardDuty in a Region

From Command Line

policy.yaml

Linked Framework Sections