Amazon GuardDuty detectors are evaluated for S3 Protection, which analyzes CloudTrail S3 data events to monitor object-level API activity (GetObject, PutObject, DeleteObject) across S3 buckets in the account and Region.
Risk
Without S3 Protection, object-level S3 activity isn't analyzed, enabling:
- Exfiltration via mass reads/copies
- Destructive deletes
- Policy/ACL tampering
Undetected actions degrade data confidentiality, integrity, and availability.
prowler aws --checks guardduty_s3_protection_enabled
Recommendation
Enable S3 Protection across all accounts and Regions to add defense in depth for S3. Apply least privilege to IAM and bucket policies, keep Block Public Access enforced, integrate findings with alerting, and regularly review anomalies to prevent data loss and tampering.
Remediation
aws guardduty update-detector --detector-id <detector-id> --data-sources S3Logs={Enable=true}
- Open the AWS Management Console and go to GuardDuty
- In the left menu, select Settings
- Find the S3 Protection section and click Enable (or toggle On)
- Click Save
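Added example (not Prowler's own check code): the evaluation this check performs, written against the shape of the boto3 `guardduty.get_detector` response, where the `Features` entry named `S3_DATA_EVENTS` is authoritative and the legacy `DataSources.S3Logs.Status` field is the fallback. The detector IDs in the sample are constructed placeholders, and the live `fetch_detectors` helper assumes AWS credentials are configured.

```python
"""Evaluate GuardDuty detectors for S3 Protection from GetDetector responses."""
from typing import Iterable


def s3_protection_enabled(detector: dict) -> bool:
    """True if S3 Protection is on for one GetDetector response."""
    # Newer detectors report S3 Protection as the S3_DATA_EVENTS feature.
    for feature in detector.get("Features", []):
        if feature.get("Name") == "S3_DATA_EVENTS":
            return feature.get("Status") == "ENABLED"
    # Fallback: legacy DataSources block; absent means never enabled.
    legacy = detector.get("DataSources", {}).get("S3Logs", {})
    return legacy.get("Status") == "ENABLED"


def evaluate(detectors: Iterable[tuple[str, str, dict]]) -> list[dict]:
    """One PASS/FAIL finding per (region, detector_id, response) tuple."""
    findings = []
    for region, detector_id, resp in detectors:
        if resp.get("Status") != "ENABLED":
            status, reason = "FAIL", "detector itself is disabled"
        elif s3_protection_enabled(resp):
            status, reason = "PASS", "S3 Protection enabled"
        else:
            status, reason = "FAIL", "S3 Protection disabled"
        findings.append({"region": region, "detector_id": detector_id,
                         "status": status, "reason": reason})
    return findings


def fetch_detectors(regions: Iterable[str]):
    """Live collection (assumption: AWS credentials are configured)."""
    import boto3  # imported lazily so the sample below runs without AWS access
    for region in regions:
        gd = boto3.client("guardduty", region_name=region)
        for det_id in gd.list_detectors().get("DetectorIds", []):
            yield region, det_id, gd.get_detector(DetectorId=det_id)


# Constructed sample responses; detector IDs are placeholders, not real ones.
SAMPLE = [
    ("us-east-1", "detector-sample-1", {"Status": "ENABLED",
        "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]}),
    ("eu-west-1", "detector-sample-2", {"Status": "ENABLED",
        "DataSources": {"S3Logs": {"Status": "DISABLED"}}}),
    ("ap-south-1", "detector-sample-3", {"Status": "DISABLED"}),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f"{f['status']} {f['region']} {f['detector_id']}: {f['reason']}")
```

Replace `SAMPLE` with `fetch_detectors([...])` to run against real accounts; a detector that is disabled outright is reported as FAIL here because no S3 data events are analyzed in that Region either way.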
Source Code
Resource Type
AwsGuardDutyDetector
References
- https://docs.amazonaws.cn/en_us/guardduty/latest/ug/guardduty_finding-types-s3.html
- https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/enable-s3-protection.html
- https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-10