Ensure that the S3 Protection feature is enabled for your Amazon GuardDuty detectors. S3 Protection lets GuardDuty monitor object-level S3 API operations (S3 data events) in order to identify potential security risks for the data stored in your S3 buckets.
This rule can help you work with the AWS Well-Architected Framework.
The S3 Protection feature refers to whether S3 data events are enabled as a data source for GuardDuty. S3 data event monitoring is a configurable data source in Amazon GuardDuty. When it is enabled, GuardDuty immediately begins to analyze S3 data events from all of your S3 buckets and monitors them for malicious and suspicious activity. When GuardDuty detects a threat based on S3 data event monitoring, it generates a security finding. If the S3 Protection feature is disabled, Amazon GuardDuty cannot fully monitor your S3 resources or generate security findings for suspicious access to your S3 data.
Audit
To determine if S3 Protection is enabled for your Amazon GuardDuty detectors, perform the following operations:
Remediation / Resolution
To enable the S3 Protection security feature for Amazon GuardDuty, perform the following operations:
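The following script is an added example that is not part of the original rule page; it wraps the three AWS CLI commands this rule relies on (list-detectors, get-detector, update-detector) to cover both the Audit and the Remediation steps in one pass. It assumes AWS CLI v2 is installed and credentialed, that the target region is set in REGION, and that the detector reports its data sources through the current Features model (feature name S3_DATA_EVENTS); the legacy DataSources.S3Logs field is checked as a fallback. The sample detector responses at the bottom are constructed, not real API output, so the decision logic can be exercised without an AWS account.

```python
"""Audit, and optionally enable, GuardDuty S3 Protection with the AWS CLI."""
import json
import subprocess
import sys

# Assumption: GuardDuty is regional, so run this once per region you use.
REGION = "us-east-1"


def s3_protection_enabled(detector: dict) -> bool:
    """Return True if a get-detector response shows S3 Protection enabled.

    Newer detectors expose data sources as a ``Features`` list; older CLI
    versions return a ``DataSources.S3Logs`` block instead.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == "S3_DATA_EVENTS":
            return feature.get("Status") == "ENABLED"
    legacy = detector.get("DataSources", {}).get("S3Logs", {})
    return legacy.get("Status") == "ENABLED"


def aws_guardduty(*args: str) -> dict:
    """Run `aws guardduty <args>` and parse its JSON output (empty for updates)."""
    cmd = ["aws", "guardduty", *args, "--region", REGION, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def audit(fix: bool = False) -> dict:
    """Map every detector ID in REGION to its S3 Protection state.

    With fix=True, detectors found without S3 Protection are updated in place
    (the Remediation step) and reported as enabled afterwards.
    """
    results = {}
    for detector_id in aws_guardduty("list-detectors").get("DetectorIds", []):
        detector = aws_guardduty("get-detector", "--detector-id", detector_id)
        enabled = s3_protection_enabled(detector)
        if not enabled and fix:
            aws_guardduty(
                "update-detector", "--detector-id", detector_id,
                "--features", json.dumps([{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]),
            )
            enabled = True
        results[detector_id] = enabled
    return results


# Constructed sample responses (not captured from a real account).
SAMPLE_ENABLED = {"Status": "ENABLED",
                  "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]}
SAMPLE_DISABLED = {"Status": "ENABLED",
                   "Features": [{"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}]}
SAMPLE_LEGACY = {"Status": "ENABLED", "DataSources": {"S3Logs": {"Status": "ENABLED"}}}
SAMPLE_NO_DATA = {"Status": "ENABLED"}  # no feature info at all: treat as not enabled


if __name__ == "__main__":
    # Usage: python guardduty_s3_protection.py [--fix]
    for det_id, ok in audit(fix="--fix" in sys.argv).items():
        print(f"{REGION} detector {det_id}: S3 Protection {'ENABLED' if ok else 'DISABLED'}")
```

Run it without arguments to audit only; add `--fix` to enable S3 Protection on any detector that lacks it. A detector response with no feature or data-source information is deliberately reported as not enabled, so a partial or malformed response never passes the check silently.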
References
- AWS Documentation
- What is Amazon GuardDuty?
- Concepts and terminology
- GuardDuty foundational data sources
- GuardDuty S3 Protection
- AWS Command Line Interface (CLI) Documentation
- list-detectors
- get-detector
- update-detector