Features activation in GuardDuty
When you enable Amazon GuardDuty for the first time or enable a protection type within GuardDuty, GuardDuty starts processing the corresponding Foundational data sources within your Amazon environment. GuardDuty uses these data sources to process a stream of events, such as VPC flow logs, DNS logs, and Amazon CloudTrail event and management logs. It then analyzes these events to identify potential security threats and generates findings in your account.
In addition to log data sources, GuardDuty can use additional data from other Amazon services in your Amazon environment to monitor and analyze for potential security threats.
Feature activation
When you add additional GuardDuty protections, for example, S3 Protection, Runtime Monitoring, or EKS Protection, you can configure the GuardDuty feature corresponding to the protection type. Historically, GuardDuty protections were called dataSources in the APIs. However, after March 2023, new GuardDuty protection types are now configured as features and not dataSources. GuardDuty still supports configuring protection types launched before March 2023 as dataSources through the API, but new protection types are only available as features.
If you manage GuardDuty configuration and protection types through the console, you are not directly impacted by this change and don't need to take any action. Feature activation affects the behavior of the APIs that are invoked to enable GuardDuty or protection types within GuardDuty. For more information, see GuardDuty API changes.
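The following is an added example, not code from the GuardDuty documentation: it converts a legacy dataSources request body into the equivalent features list so that automation can also enable feature-only protections such as Runtime Monitoring. The key and feature names follow the request shape of the GuardDuty UpdateDetector API as exposed by the Amazon SDK for Python; the helper names are hypothetical, and keeping each request to a single style is a choice made by this example.

```python
# Added example: translate a legacy GuardDuty DataSources request body
# into the Features list. Helper names are hypothetical.

# dataSources path -> feature name, for protections launched before March 2023.
LEGACY_TO_FEATURE = {
    ("S3Logs", "Enable"): "S3_DATA_EVENTS",
    ("Kubernetes", "AuditLogs", "Enable"): "EKS_AUDIT_LOGS",
    ("MalwareProtection", "ScanEc2InstanceWithFindings", "EbsVolumes"):
        "EBS_MALWARE_PROTECTION",
}


def _lookup(tree, path):
    """Walk a nested dict; return None if any key on the path is absent."""
    for key in path:
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def data_sources_to_features(data_sources, extra_features=()):
    """Return a Features list equivalent to a legacy DataSources dict.

    extra_features: names of feature-only protections to enable
    (for example RUNTIME_MONITORING), which have no dataSources form.
    """
    features = []
    for path, name in LEGACY_TO_FEATURE.items():
        value = _lookup(data_sources, path)
        if value is not None:  # protections not mentioned are left untouched
            features.append({"Name": name,
                             "Status": "ENABLED" if value else "DISABLED"})
    features += [{"Name": n, "Status": "ENABLED"} for n in extra_features]
    return features


def build_update_request(detector_id, data_sources=None, features=None):
    """Build UpdateDetector keyword arguments in exactly one style."""
    if data_sources and features:
        raise ValueError("use either DataSources or Features, not both")
    request = {"DetectorId": detector_id}
    if features:
        request["Features"] = features
    elif data_sources:
        request["DataSources"] = data_sources
    return request
```

The returned dictionary can be passed as keyword arguments to the SDK's `update_detector` call for an existing detector.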