This check evaluates Amazon GuardDuty detector existence and health per Region. It flags any Region where GuardDuty is not enabled for the account, where the detector reports no status, or where a detector exists but has been suspended (status DISABLED).
Risk
Without an active GuardDuty detector, threats visible in CloudTrail, VPC Flow Logs, DNS logs, S3 data events, EKS audit logs, EBS volumes, and Lambda network activity go undetected. Attackers can exfiltrate data, move laterally, and run cryptominers unnoticed, degrading confidentiality, integrity, and availability, especially in Regions that nobody monitors because no workload is expected to run there.
prowler aws --checks guardduty_is_enabled
prowler aws --checks guardduty_is_enabled --fixer
Recommendation
Enable GuardDuty and keep it active in every supported Region of every account, managed through a delegated GuardDuty administrator account in AWS Organizations. Turn on the protection plans relevant to your workloads (S3, EKS, Malware, RDS, Lambda, Runtime Monitoring) and set the organization configuration to auto-enable GuardDuty for new accounts. Never leave detectors suspended, grant least-privilege IAM access to anyone who can suspend or delete detectors, and route findings (for example via EventBridge) into your incident-response workflow so that detections are actually acted on.
Remediation
- Sign in to the AWS Console and open Amazon GuardDuty
- Switch to the target AWS Region
- If prompted with Get started, click Enable GuardDuty
- If GuardDuty is already configured but suspended, go to Settings and click Enable (or Resume) to activate the detector
- Repeat in each required Region
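The console steps above, and the check itself, can be scripted. The following Python (boto3) example is added here and is not Prowler's own source code: it classifies each Region's detector exactly as the check describes (not enabled, no status, suspended, or healthy), builds a remediation plan, and applies it with the real GuardDuty API calls (`create_detector` for Regions with no detector, `update_detector` with `Enable=True` to resume a suspended one). The sample Region data and detector IDs are constructed so that the classification and planning logic runs offline; the `apply_plan` function makes live calls and needs AWS credentials with GuardDuty permissions.

```python
"""Enumerate GuardDuty detector health per Region and enable/resume as needed.

Added example, not Prowler's own check implementation. The SAMPLE_REGIONS
dictionary and its detector IDs are constructed test data; only apply_plan()
and scan_live() talk to AWS.
"""

# Constructed sample of what list_detectors()/get_detector() return per Region.
# A Region with no detector IDs means GuardDuty was never enabled there.
SAMPLE_REGIONS = {
    "us-east-1": {"detector_ids": ["constructed-id-1"], "detector": {"Status": "ENABLED"}},
    "eu-west-1": {"detector_ids": ["constructed-id-2"], "detector": {"Status": "DISABLED"}},
    "ap-south-1": {"detector_ids": [], "detector": None},
    "us-west-2": {"detector_ids": ["constructed-id-4"], "detector": {}},  # no Status key
}


def classify(detector_ids, detector):
    """Map one Region's API responses onto the states the check reports."""
    if not detector_ids:
        return "NOT_ENABLED"
    status = (detector or {}).get("Status")
    if status is None:
        return "NO_STATUS"
    if status == "DISABLED":
        return "SUSPENDED"  # detector exists but was suspended
    return "ENABLED"


def failing_regions(regions):
    """Regions that would FAIL the check, in sorted order."""
    return sorted(
        region for region, data in regions.items()
        if classify(data["detector_ids"], data["detector"]) != "ENABLED"
    )


def plan_remediation(regions):
    """Decide, per failing Region, which GuardDuty API call fixes it.

    Returns a list of (region, api_call, detector_id) tuples; detector_id is
    None when a new detector has to be created.
    """
    plan = []
    for region in failing_regions(regions):
        data = regions[region]
        state = classify(data["detector_ids"], data["detector"])
        if state == "NOT_ENABLED":
            plan.append((region, "create_detector", None))
        else:
            # NO_STATUS and SUSPENDED both have an existing detector to re-enable.
            plan.append((region, "update_detector", data["detector_ids"][0]))
    return plan


def apply_plan(session, plan):
    """Execute the plan with live boto3 calls (requires credentials)."""
    results = {}
    for region, api_call, detector_id in plan:
        gd = session.client("guardduty", region_name=region)
        if api_call == "create_detector":
            resp = gd.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
            results[region] = resp["DetectorId"]
        else:
            gd.update_detector(DetectorId=detector_id, Enable=True)
            results[region] = detector_id
    return results


def scan_live(session):
    """Build the same per-Region structure as SAMPLE_REGIONS from real accounts."""
    regions = {}
    for region in session.get_available_regions("guardduty"):
        gd = session.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        detector = gd.get_detector(DetectorId=ids[0]) if ids else None
        regions[region] = {"detector_ids": ids, "detector": detector}
    return regions


if __name__ == "__main__":
    import boto3  # imported here so the offline functions above need no AWS SDK

    session = boto3.Session()
    live = scan_live(session)
    plan = plan_remediation(live)
    print("Failing Regions:", failing_regions(live))
    print("Remediation plan:", plan)
    # Uncomment to actually enable/resume detectors:
    # print(apply_plan(session, plan))
```

Run it with read-only credentials first to see the plan; only then uncomment `apply_plan`. Because `plan_remediation` is pure, the same logic can be unit-tested against the constructed data before it ever touches an account, and it treats a detector with no reported status the same as a suspended one (re-enable rather than create), which avoids creating a second detector in a Region that already has one.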
Resource Type
AwsGuardDutyDetector
References
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
- https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa
- https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html
- https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html