Remediation
Enable S3 Protection
For Multi-Account Environments
In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable S3 Protection for member accounts. Member accounts cannot modify this configuration directly. GuardDuty detectors are regional, so the commands below must be repeated in every region where GuardDuty is enabled.
From Command Line
aws guardduty update-member-detectors \
--detector-id {{detector-id}} \
--account-ids {{account-id1}} {{account-id2}} \
--region {{region}} \
--features 'Name=S3_DATA_EVENTS,Status=ENABLED'
The delegated administrator can also have S3 Protection enabled automatically for the organization: AutoEnable=NEW applies it to accounts as they join the organization, while AutoEnable=ALL applies it to all existing member accounts as well as new ones.
aws guardduty update-organization-configuration \
--detector-id {{detector-id}} \
--region {{region}} \
--features 'Name=S3_DATA_EVENTS,AutoEnable={{NEW | ALL}}'
For a Standalone Account
If your account is not associated with a delegated GuardDuty administrator via AWS Organizations, enable S3 Protection directly:
aws guardduty update-detector \
--detector-id {{detector-id}} \
--region {{region}} \
--features 'Name=S3_DATA_EVENTS,Status=ENABLED'
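Before and after running either variant above, a practitioner will want to verify the actual setting rather than trust the command's exit status. The script below is an added example, not part of the original page or of the AWS CLI: its parsing functions work offline on constructed samples of the JSON that aws guardduty get-detector and aws guardduty get-member-detectors print (both field layouts are the documented ones, but the account IDs and timestamps are made up), and its main function wires them to the real CLI for the standalone case. It also covers the edge case of an older detector that reports S3 Protection only under the deprecated DataSources.S3Logs field rather than in the Features list.

```python
"""Verify GuardDuty S3 Protection status and build the matching remediation command.

Added example; the JSON samples are constructed, not output from a real account.
"""
import json
import subprocess
import sys

FEATURE = "S3_DATA_EVENTS"

# Constructed `aws guardduty get-detector` output: S3 Protection off, both in the
# current Features list and in the deprecated DataSources block.
SAMPLE_GET_DETECTOR = json.dumps({
    "CreatedAt": "2024-01-01T00:00:00.000Z",
    "Status": "ENABLED",
    "DataSources": {"S3Logs": {"Status": "DISABLED"}},
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "DISABLED", "UpdatedAt": "2024-01-01T00:00:00.000Z"},
        {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED", "UpdatedAt": "2024-01-01T00:00:00.000Z"},
    ],
})

# Constructed `aws guardduty get-member-detectors` output for three member accounts.
SAMPLE_GET_MEMBER_DETECTORS = json.dumps({
    "MemberDataSourceConfigurations": [
        {"AccountId": "222222222222", "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]},
        {"AccountId": "333333333333", "Features": [{"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}]},
        {"AccountId": "444444444444", "Features": []},  # feature never reported: treat as off
    ],
    "UnprocessedAccounts": [],
})


def s3_protection_status(get_detector_output: str) -> str:
    """Return 'ENABLED' or 'DISABLED' for S3 Protection on a single detector.

    Current CLI versions report it as S3_DATA_EVENTS in Features[]; if that entry is
    absent, fall back to the deprecated DataSources.S3Logs.Status field.
    """
    doc = json.loads(get_detector_output)
    for feature in doc.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("Status", "DISABLED")
    return doc.get("DataSources", {}).get("S3Logs", {}).get("Status", "DISABLED")


def members_missing_s3_protection(get_member_detectors_output: str) -> list:
    """Return member account IDs whose detector does not have S3 Protection ENABLED.

    Accounts listed under UnprocessedAccounts could not be queried, so they are
    returned as well: an unverified account must not be counted as compliant.
    """
    doc = json.loads(get_member_detectors_output)
    missing = []
    for member in doc.get("MemberDataSourceConfigurations", []):
        status = "DISABLED"
        for feature in member.get("Features", []):
            if feature.get("Name") == FEATURE:
                status = feature.get("Status", "DISABLED")
        if status != "ENABLED":
            missing.append(member["AccountId"])
    missing.extend(u["AccountId"] for u in doc.get("UnprocessedAccounts", []))
    return missing


def enable_command(detector_id: str, region: str, member_account_ids=None) -> list:
    """argv for the remediation shown above: update-member-detectors when run from the
    delegated administrator with member IDs, update-detector for a standalone account."""
    feature_arg = f"Name={FEATURE},Status=ENABLED"
    if member_account_ids:
        return ["aws", "guardduty", "update-member-detectors",
                "--detector-id", detector_id, "--region", region,
                "--account-ids", *member_account_ids, "--features", feature_arg]
    return ["aws", "guardduty", "update-detector",
            "--detector-id", detector_id, "--region", region, "--features", feature_arg]


def main(detector_id: str, region: str) -> int:
    """Standalone-account flow: read the detector, enable S3 Protection if needed, re-check."""
    query = ["aws", "guardduty", "get-detector", "--detector-id", detector_id,
             "--region", region, "--output", "json"]
    current = subprocess.run(query, check=True, capture_output=True, text=True).stdout
    if s3_protection_status(current) == "ENABLED":
        print(f"S3 Protection already enabled on {detector_id} in {region}")
        return 0
    argv = enable_command(detector_id, region)
    print("Enabling S3 Protection:", " ".join(argv))
    subprocess.run(argv, check=True)  # fails in a member account: run from the delegated admin instead
    after = subprocess.run(query, check=True, capture_output=True, text=True).stdout
    return 0 if s3_protection_status(after) == "ENABLED" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))  # usage: python check_s3_protection.py DETECTOR_ID REGION
```

The re-read after the update is deliberate: update-detector returns success as soon as the request is accepted, so the only proof that the control is in place is a fresh get-detector showing S3_DATA_EVENTS as ENABLED. For the multi-account case, feed get-member-detectors output to members_missing_s3_protection and pass the returned IDs to enable_command from the delegated administrator.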