
πŸ›‘οΈ AWS GuardDuty Detector S3 Protection is not enabled🟒

  • Contextual name: 🛡️ Detector S3 Protection is not enabled 🟢
  • ID: /ce/ca/aws/guardduty/detector-s3-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description

This policy identifies AWS GuardDuty Detectors that do not have S3 Protection enabled.

S3 Protection helps detect threats to the data in your Amazon Simple Storage Service (Amazon S3) buckets, such as exfiltration or destruction. GuardDuty monitors AWS CloudTrail S3 data events, including object-level API operations, across all S3 buckets in the account. GuardDuty reads these events directly from CloudTrail, so you do not need to enable S3 data event logging in your own trails for S3 Protection to work.

Rationale

GuardDuty S3 Protection analyzes AWS CloudTrail S3 data events (e.g., GetObject, ListObjects, DeleteObject) to detect suspicious activity targeting your S3 buckets. It can identify threats such as data exfiltration to unusual geolocations, API calls from known malicious IP addresses, or actions performed with compromised credentials. Without it, GuardDuty sees only management-plane activity against S3 (bucket-level API calls) and object-level access and deletion go unmonitored.

Impact

CloudTrail S3 data event analysis is charged per 1 million events analyzed per month, is prorated, and is discounted based on volume. Buckets with very high object-level request rates therefore drive the cost of this feature.

Audit

This policy flags an AWS GuardDuty Detector as INCOMPLIANT if the S3_DATA_EVENTS feature is set to DISABLED. The feature status is per detector, and GuardDuty detectors are regional, so every region in which a detector exists must be checked.
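The following is an added example written for this page, not Cloudaware's policy implementation. It applies the Audit rule above to detector descriptions shaped like the response of `aws guardduty get-detector` (the `Features` list, with a fallback to the deprecated `DataSources.S3Logs` block that older responses carry) and emits the matching `update-detector` command for each non-compliant detector. The detector IDs, regions and feature states in `SAMPLE_DETECTORS` are constructed for the example; `fetch_detectors` is the only part that calls AWS and is not exercised by the offline sample. Treating an unreported status as INCOMPLIANT is an assumption of this example, slightly stricter than the page's wording.

```python
"""Added example: apply this policy's Audit logic to GuardDuty detector descriptions.

Illustrative code written for this page, not Cloudaware's policy implementation.
SAMPLE_DETECTORS is constructed to match the shape of `aws guardduty get-detector`
output; detector IDs and regions are placeholders.
"""
from __future__ import annotations

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"

# Constructed sample: three detectors, keyed as "region/detector-id".
SAMPLE_DETECTORS = {
    # Current response shape: S3 Protection on.
    "us-east-1/12abc34d567e8fa901bc2d34e56789f0": {
        "Status": "ENABLED",
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"},
        ],
    },
    # Current response shape: S3 Protection explicitly off -> INCOMPLIANT.
    "eu-west-1/0f98e7d6c5b4a3210fedcba987654321": {
        "Status": "ENABLED",
        "Features": [{"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}],
    },
    # Older response shape: only the deprecated DataSources block is present.
    "ap-southeast-2/abcdef0123456789abcdef0123456789": {
        "Status": "ENABLED",
        "DataSources": {"S3Logs": {"Status": "ENABLED"}},
    },
}


def s3_protection_status(detector: dict) -> str:
    """Return ENABLED, DISABLED or UNKNOWN for one get-detector response.

    Prefer the Features entry named S3_DATA_EVENTS; fall back to the
    deprecated DataSources.S3Logs.Status that older responses carry.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == "S3_DATA_EVENTS":
            return feature.get("Status", "UNKNOWN")
    return detector.get("DataSources", {}).get("S3Logs", {}).get("Status", "UNKNOWN")


def evaluate(detector: dict) -> str:
    """Policy verdict for one detector.

    The page flags DISABLED; this example also treats an unreported status as
    INCOMPLIANT (an assumption, so a silent gap cannot pass the check).
    """
    return COMPLIANT if s3_protection_status(detector) == "ENABLED" else INCOMPLIANT


def report(detectors: dict[str, dict]) -> dict[str, str]:
    """Map each 'region/detector-id' key to its verdict."""
    return {key: evaluate(d) for key, d in detectors.items()}


def remediation_command(key: str) -> str:
    """CLI command enabling S3 Protection for a standalone or administrator account.

    Organization member accounts cannot run this themselves; the delegated
    administrator must use update-member-detectors (see Remediation).
    """
    region, detector_id = key.split("/", 1)
    return (
        f"aws guardduty update-detector --detector-id {detector_id} "
        f"--region {region} --features Name=S3_DATA_EVENTS,Status=ENABLED"
    )


def fetch_detectors(region: str) -> dict[str, dict]:
    """Live lookup for one region (needs boto3 and credentials; not run offline)."""
    import boto3  # imported lazily so the offline sample has no dependency

    gd = boto3.client("guardduty", region_name=region)
    return {
        f"{region}/{detector_id}": gd.get_detector(DetectorId=detector_id)
        for detector_id in gd.list_detectors()["DetectorIds"]
    }


if __name__ == "__main__":
    for key, verdict in report(SAMPLE_DETECTORS).items():
        print(f"{key}: {verdict}")
        if verdict == INCOMPLIANT:
            print("  fix:", remediation_command(key))
```

Run it as-is to see the verdicts for the constructed detectors; to audit a real account, replace `SAMPLE_DETECTORS` with the merged output of `fetch_detectors` over every region you use, since one detector per region is the norm and a region with no detector at all is a separate gap this check does not report.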

Remediation

Enable S3 Protection

For Multi-Account Environments

In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable S3 Protection for member accounts. Member accounts cannot modify this configuration directly; an update-detector call from a member account for a feature managed by the administrator is rejected. Run the following from the delegated administrator account in each region where the member detectors exist.

From Command Line
aws guardduty update-member-detectors \
--detector-id {{detector-id}} \
--account-ids {{account-id1}} {{account-id2}} \
--region {{region}} \
--features 'Name=S3_DATA_EVENTS,Status=ENABLED'

The delegated administrator can also have S3 Protection enabled automatically: AutoEnable=ALL applies it to all existing member accounts and to new accounts as they join the organization, while AutoEnable=NEW applies it only to accounts that join from now on.

aws guardduty update-organization-configuration \
--detector-id {{detector-id}} \
--region {{region}} \
--features 'Name=S3_DATA_EVENTS,AutoEnable={{NEW | ALL}}'

For a Standalone Account

If your account is not associated with a delegated GuardDuty administrator via AWS Organizations, enable S3 Protection directly:

aws guardduty update-detector \
--detector-id {{detector-id}} \

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

| Section | Sub Sections / Internal Rules / Policies / Flags | Compliance |
|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.10] GuardDuty S3 Protection should be enabled | 1 | no data |
| 💼 Cloudaware Framework → 💼 Threat Protection | 36 | no data |
| 💼 PCI DSS v3.2.1 → 💼 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. | 113 | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 113 | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | 13 | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | 13 | no data |
| 💼 PCI DSS v4.0 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 1813 | no data |
| 💼 PCI DSS v4.0 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | 813 | no data |
| 💼 PCI DSS v4.0 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | 13 | no data |