Amazon GuardDuty detectors with Lambda Protection enabled analyze Lambda invocation network activity logs across your account.
This check evaluates whether each GuardDuty detector has Lambda Protection turned on.
Risk
Without Lambda Protection, network activity from Lambda functions goes uninspected, which allows:
- C2 callbacks and data exfiltration (confidentiality)
- Malicious code altering data or configs (integrity)
- Lateral movement or abuse causing disruption (availability)
prowler aws --checks guardduty_lambda_protection_enabled
Recommendation
Enable Lambda Protection on all detectors in every active Region and account.
Apply least privilege to Lambda roles, restrict egress with network controls, and integrate findings with alerting and response for defense in depth. In multi-account setups, manage centrally for consistent coverage.
Remediation
aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"LAMBDA_NETWORK_LOGS","Status":"ENABLED"}]'
- Open the AWS Console and go to GuardDuty
- In the left pane, select Settings > Lambda Protection
- Click Enable
- Click Confirm to save
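The evaluation this check performs, and the feature payload the CLI remediation above sends, as an added example that is not Prowler's own code. It applies the check logic to `get-detector` responses (the same `Status` / `Features[].Name` / `Features[].Status` fields the GuardDuty API returns) and treats a missing or disabled LAMBDA_NETWORK_LOGS feature, or a disabled detector, as a failure. The detector IDs, Regions and responses in `SAMPLE` are constructed, and `remediate_live` is an assumed helper that only works with real credentials and boto3 installed.

```python
"""Evaluate GuardDuty detectors for Lambda Protection and build the fix payload.

Added example; not code from Prowler or AWS. Works offline on constructed
get-detector responses; remediate_live() needs boto3 and AWS credentials.
"""
from typing import Any, Dict, List, Tuple

# Feature name used by the GuardDuty API for Lambda Protection.
LAMBDA_FEATURE = "LAMBDA_NETWORK_LOGS"


def lambda_protection_status(detector: Dict[str, Any]) -> Tuple[str, str]:
    """Return (status, reason) for one get-detector response.

    PASS only when the detector itself is ENABLED and the LAMBDA_NETWORK_LOGS
    feature is ENABLED. A feature that is absent, DISABLED, or sitting on a
    disabled detector is FAIL, so an absent feature is never read as safe.
    """
    if detector.get("Status") != "ENABLED":
        return "FAIL", "detector is not enabled"
    features = {f.get("Name"): f.get("Status") for f in detector.get("Features", [])}
    status = features.get(LAMBDA_FEATURE)
    if status == "ENABLED":
        return "PASS", "Lambda Protection enabled"
    if status is None:
        return "FAIL", f"{LAMBDA_FEATURE} feature not present on detector"
    return "FAIL", f"{LAMBDA_FEATURE} is {status}"


def evaluate_detectors(detectors: Dict[str, Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate a mapping of 'region/detector-id' -> get-detector response."""
    findings = []
    for key, det in detectors.items():
        region, detector_id = key.split("/", 1)
        status, reason = lambda_protection_status(det)
        findings.append(
            {"region": region, "detector_id": detector_id, "status": status, "reason": reason}
        )
    return findings


def remediation_features() -> List[Dict[str, str]]:
    """Features payload for update-detector; identical to the CLI remediation."""
    return [{"Name": LAMBDA_FEATURE, "Status": "ENABLED"}]


def remediate_live(region: str, detector_id: str) -> None:
    """Assumed helper: apply the fix with boto3 (needs credentials; not run offline)."""
    import boto3  # imported lazily so offline evaluation needs no AWS SDK

    boto3.client("guardduty", region_name=region).update_detector(
        DetectorId=detector_id, Features=remediation_features()
    )


# Constructed sample get-detector responses (detector IDs are made up).
SAMPLE: Dict[str, Dict[str, Any]] = {
    "us-east-1/0123456789abcdef0123456789abcdef": {
        "Status": "ENABLED",
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"},
        ],
    },
    "eu-west-1/fedcba9876543210fedcba9876543210": {
        "Status": "ENABLED",
        "Features": [{"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"}],
    },
    "ap-south-1/00000000000000000000000000000001": {
        "Status": "ENABLED",
        "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}],
    },
    "sa-east-1/00000000000000000000000000000002": {
        "Status": "DISABLED",
        "Features": [{"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}],
    },
}

if __name__ == "__main__":
    for f in evaluate_detectors(SAMPLE):
        print(f"{f['status']} {f['region']} {f['detector_id']}: {f['reason']}")
```

Only the first sample detector passes; the other three show the three ways a detector fails this check (feature disabled, feature absent, detector disabled). To act on real accounts, replace `SAMPLE` with responses from `get-detector` for every detector in every active Region, then call `remediate_live` for each FAIL, which sends the same `Features` list as the `aws guardduty update-detector` command above.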
Resource Type
AwsGuardDutyDetector