Document history for Amazon GuardDuty
| Change | Description | Date |
|---|---|---|
GuardDuty Malware Protection is an optional enhancement to Amazon GuardDuty. While GuardDuty identifies the resources at risk, Malware Protection detects the malware that may be the source of the compromise. With Malware Protection enabled, whenever GuardDuty detects suspicious behavior on an Amazon EC2 instance or a container workload indicative of malware, GuardDuty Malware Protection initiates an agentless scan on the EBS volumes attached to impacted EC2 instance or container workloads to detect the presence of malware. To learn how Malware Protection works and how to configure this feature, see GuardDuty Malware Protection.
| July 26, 2022 | |
Exfiltration:S3/ObjectRead.Unusual has been retired. | July 5, 2022 | |
Added the following new S3 finding types. These finding types identify if an API request invoked an IAM entity in an anomalous way. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. To learn more about each of these new findings, see S3 finding types. | July 5, 2022 | |
GuardDuty can now generate findings for your Amazon EKS resources through the monitoring of Kubernetes audit logs. To learn how to configure this feature, see Kubernetes Protection in Amazon GuardDuty. For a list of findings GuardDuty can generate for Amazon EKS resources, see Kubernetes findings. New remediation guidance has been added to support remediating these findings in the Kubernetes finding remediation guide. | January 25, 2022 | |
A new finding UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS has been added. This finding informs you when your instance credentials are accessed by an Amazon account outside your Amazon environment. | January 20, 2022 | |
Updated the finding types to help identify issues related to log4j | Amazon GuardDuty has updated the following finding types to help identify and prioritize issues related to CVE-2021-44228 and CVE-2021-45046: Backdoor:EC2/C&CActivity.B; Backdoor:EC2/C&CActivity.B!DNS; Behavior:EC2/NetworkPortUnusual. | December 22, 2021 |
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration has been changed to UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. This improved version of the finding learns the typical locations your credentials are used from to reduce findings from traffic routed through on premise networks. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS | September 7, 2021 | |
The GuardDuty SLR has been updated with new actions to improve finding accuracy. | August 3, 2021 | |
Finding descriptions now contain information on which data source GuardDuty uses to generate that finding. | May 10, 2021 | |
13 findings have been retired to be replaced with new AnomalousBehavoir findings. Persistence:IAMUser/NetworkPermissions, Persistence:IAMUser/ResourcePermissions, Persistence:IAMUser/UserPermissions, PrivilegeEscalation:IAMUser/AdministrativePermissions, Recon:IAMUser/NetworkPermissions, Recon:IAMUser/ResourcePermissions, Recon:IAMUser/UserPermissions, ResourceConsumption:IAMUser/ComputeResources, Stealth:IAMUser/LoggingConfigurationModified, Discovery:S3/BucketEnumeration.Unusual, Impact:S3/ObjectDelete.Unusual, Impact:S3/PermissionsModification.Unusual. | March 12, 2021 | |
Added 8 new IAMUser finding types based on anomalous behavior for IAM principals. CredentialAccess:IAMUser/AnomalousBehavior, DefenseEvasion:IAMUser/AnomalousBehavior, Discovery:IAMUser/AnomalousBehavior, Exfiltration:IAMUser/AnomalousBehavior, Impact:IAMUser/AnomalousBehavior, InitialAccess:IAMUser/AnomalousBehavior, Persistence:IAMUser/AnomalousBehavior, PrivilegeEscalation:IAMUser/AnomalousBehavior. | March 12, 2021 | |
Added 4 new Impact finding types based on domain reputation. Impact:EC2/AbusedDomainRequest.Reputation , Impact:EC2/BitcoinDomainRequest.Reputation , Impact:EC2/MaliciousDomainRequest.Reputation . Also added a new EC2 finding for C&CActivity. Impact:EC2/SuspiciousDomainRequest.Reputation | January 27, 2021 | |
Added 3 new S3 MaliciousIPCaller findings. Discovery:S3/MaliciousIPCaller , Exfiltration:S3/MaliciousIPCaller , Impact:S3/MaliciousIPCaller . Also added a new EC2 finding for C&CActivity. Backdoor:EC2/C&CActivity.B | December 21, 2020 | |
Retired the UnauthorizedAccess:EC2/TorIPCaller finding type. | The UnauthorizedAccess:EC2/TorIPCaller finding type is now retired from GuardDuty. Learn more. | October 1, 2020 |
Added a new Impact finding, Impact:EC2/WinRmBruteForce. Learn more. | September 17, 2020 | |
Added a new Impact finding, Impact:EC2/PortSweep. Learn more. | September 17, 2020 | |
GuardDuty is now available in the Africa (Cape Town) and Europe (Milan) Regions. | Added Africa (Cape Town) and Europe (Milan) to the list of Amazon Regions in which GuardDuty is available. Learn more | July 31, 2020 |
You can now use new metrics to query GuardDuty usage cost data for your account and accounts you manage. A new overview of usage costs is available in the console at https://console.amazonaws.cn/guardduty/ | July 31, 2020 | |
Added content covering S3 protection through S3 data event monitoring in GuardDuty. | GuardDuty S3 Protection is now available through the monitoring of S3 data plane events as a new data source. New accounts will have this feature enabled automatically. If you are already using GuardDuty you can enable the new data source for yourself or your member accounts. | July 31, 2020 |
14 new S3 finding types have been added for S3 control plane and data plane sources. | July 31, 2020 | |
Added additional support for S3 findings and changed 2 existing finding types names. | GuardDuty findings now include more details for findings involving S3 buckets. Existing finding types that were related to S3 activity have been renamed: Policy:IAMUser/S3BlockPublicAccessDisabled has been changed to Policy:S3/BucketBlockPublicAccessDisabled. Stealth:IAMUser/S3ServerAccessLoggingDisabled has been changed to Stealth:S3/ServerAccessLoggingDisabled. | May 28, 2020 |
GuardDuty now integrates with Amazon Organizations delegated administrators to allow you to manage GuardDuty accounts within your organization. When you set a delegated administrator as your GuardDuty administrator you can automatically enable GuardDuty for any organization member to be managed by the delegated administrator account. You can also automatically enable GuardDuty in new Amazon Organizations member accounts. Learn more. | April 20, 2020 | |
Added content that describes the Export Findings feature of GuardDuty. | November 14, 2019 | |
Added the UnauthorizedAccess:EC2/MetadataDNSRebind finding type. | Added a new Unauthorized finding, UnauthorizedAccess:EC2/MetadataDNSRebind. Learn more. | October 10, 2019 |
Added the Stealth:IAMUser/S3ServerAccessLoggingDisabled finding type. | Added a new Stealth finding, Stealth:IAMUser/S3ServerAccessLoggingDisabled. Learn more. | October 10, 2019 |
Added the Policy:IAMUser/S3BlockPublicAccessDisabled finding type. | Added a new Policy finding, Policy:IAMUser/S3BlockPublicAccessDisabled. Learn more. | October 10, 2019 |
The Backdoor:EC2/XORDDOS finding type is now retired from GuardDuty.Learn more | June 12, 2019 | |
The PrivilegeEscalation finding type detects when users attempt to assign escalated, more permissive privileges to their accounts. Learn more | May 14, 2019 | |
GuardDuty is now available in the Europe (Stockholm) Region. | Added Europe (Stockholm) to the list of Amazon Regions in which GuardDuty is available. Learn more | May 9, 2019 |
Added a new finding type, Recon:EC2/PortProbeEMRUnprotectedPort. | This finding informs you that an EMR-related sensitive port on an EC2 Instance is not blocked and is being actively probed. Learn more | May 8, 2019 |
These findings inform you of EC2 instances in your environment that are behaving in a manner that may indicate they is being used to perform Denial of Service (DoS) attacks. Learn more | March 8, 2019 | |
Added a new finding type: Policy:IAMUser/RootCredentialUsage | Policy:IAMUser/RootCredentialUsage finding type informs you that the root credentials of your Amazon account are being used to make programmatic requests to Amazon services. Learn more | January 24, 2019 |
UnauthorizedAccess:IAMUser/UnusualASNCaller finding type has been retired | The UnauthorizedAccess:IAMUser/UnusualASNCaller finding type has been retired. You will now be notified about activity invoked from unusual networks via other active GuardDuty finding types. The generated finding type will be based on the category of the API that was invoked from an unusual network. Learn more | December 21, 2018 |
Added two new finding types: PenTest:IAMUser/ParrotLinux and PenTest:IAMUser/PentooLinux | PenTest:IAMUser/ParrotLinux finding type informs you that a computer running Parrot Security Linux is making API calls using credentials that belong to your Amazon account. PenTest:IAMUser/PentooLinux finding type informs you that a machine running Pentoo Linux is making API calls using credentials that belong to your Amazon account. Learn more | December 21, 2018 |
Added support for the Amazon GuardDuty announcements SNS topic | You can now subscribe to the GuardDuty Announcements SNS topic to receive notifications about newly released finding types, updates to the existing finding types, and other functionality changes. Notifications are available in all formats that Amazon SNS supports. Learn more | November 21, 2018 |
Added two new finding types: UnauthorizedAccess:EC2/TorClient and UnauthorizedAccess:EC2/TorRelay | UnauthorizedAccess:EC2/TorClient finding type informs you that an EC2 instance in your Amazon environment is making connections to a Tor Guard or an Authority node. UnauthorizedAccess:EC2/TorRelay finding type informs you that an EC2 instance in your Amazon environment is making connections to a Tor network in a manner that suggests that it's acting as a Tor relay. Learn more | November 16, 2018 |
This finding informs you that an EC2 instance in your Amazon environment is querying a domain name that is associated with Bitcoin, or other cryptocurrency-related activity. Learn more | November 9, 2018 | |
Added support for updating the frequency of notifications sent to CloudWatch events | You can now update the frequency of notifications sent to CloudWatch Events for the subsequent occurrences of existing findings. Possible values are 15 minutes, 1 hour, or the default 6 hours. Learn more | October 9, 2018 |
Added Region support for Amazon GovCloud (US-West) Learn more | July 25, 2018 | |
Added support for Amazon CloudFormation StackSets in GuardDuty | You can use the Enable Amazon GuardDuty template to enable GuardDuty simultaneously in multiple accounts. Learn more | June 25, 2018 |
Customers can now build granular auto-archive rules for suppression of findings. For findings that match an auto-archive rule, GuardDuty automatically marks them as archived. This enables customers to further tune GuardDuty to keep only relevant findings in the current findings table. Learn more | May 4, 2018 | |
GuardDuty is now available in Europe (Paris), allowing you to extend continuous security monitoring and threat detection in this Region. Learn more | March 29, 2018 | |
Creating GuardDuty administrator and member accounts through Amazon CloudFormation is now supported. | For more information, see | March 6, 2018 |
These new finding types are automatically enabled in GuardDuty in all supported Regions. Learn more | February 28, 2018 | |
Added three new threat intelligence detections (finding types). | These new finding types are automatically enabled in GuardDuty in all supported Regions. Learn more | February 5, 2018 |
With this release, you can have up to 1000 GuardDuty member accounts added per Amazon account (GuardDuty administrator account). Learn more | January 25, 2018 | |
With this release, Users from administrator GuardDuty accounts can upload and manage trusted IP lists and threat lists. Users from member GuardDuty accounts CANNOT upload and manage lists. Trusted IP lists and threat lists that are uploaded by the administrator account are imposed on GuardDuty functionality in its member accounts. Learn more | January 25, 2018 |
The following table describes important changes in each release of the GuardDuty User Guide.
Earlier updates
| Change | Description | Date |
|---|---|---|
| Initial publication | Initial publication of the Amazon GuardDuty User Guide. | November 28, 2017 |