Finding types
GuardDuty RDS Protection is in preview release. Your use of the RDS Protection feature is subject to Section 2 of the Amazon Service Terms.
For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.
For information about retired finding types, see Retired finding types.
Findings by resource type
The following pages are organized by the resource types for which GuardDuty currently generates findings. Each page contains detailed information on all finding types for that resource type.
Findings table
The following table lists all finding types by name, resource, data source, and severity. A severity listed with an asterisk (*) indicates that the finding has variable severities depending on the circumstances of the finding, which are described in the details for that finding. Choose the finding name to open more information about that finding.
| Finding type | Resource | Data source | Severity |
|---|---|---|---|
| | EC2 | VPC flow logs | High |
| | EC2 | DNS logs | High |
| | EC2 | VPC flow logs | High |
| | EC2 | VPC flow logs | High |
| | EC2 | VPC flow logs | High |
| | EC2 | VPC flow logs | High |
| | EC2 | VPC flow logs | High |
| | EC2 | VPC flow logs | Medium |
| | EC2 | VPC flow logs | Medium |
| | EC2 | VPC flow logs | Medium |
| | IAM | CloudTrail management event | Medium |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | EC2 | VPC flow logs | High |
| | EC2 | DNS logs | High |
| | IAM | CloudTrail management event | Medium |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | IAM | CloudTrail management event | Low |
| | Kubernetes | Kubernetes audit logs | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | S3 | CloudTrail data events for S3 | Low |
| | S3 | CloudTrail data events for S3 | High |
| | S3 | CloudTrail data events for S3 | High |
| | S3 | CloudTrail data events for S3 | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | IAM | CloudTrail management event | High |
| | S3 | CloudTrail data events for S3 | High |
| | S3 | CloudTrail data events for S3 | High |
| | EC2 | DNS logs | Medium |
| | EC2 | DNS logs | High |
| | EC2 | DNS logs | High |
| | EC2 | VPC flow logs | High |
| | EC2 | DNS logs | Low |
| | EC2 | VPC flow logs | Low* |
| | IAM | CloudTrail management event | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | S3 | CloudTrail data events for S3 | High |
| | S3 | CloudTrail data events for S3 | High |
| | S3 | CloudTrail data events for S3 | Medium |
| | S3 | CloudTrail data events for S3 | High |
| | IAM | CloudTrail management event | Medium |
| | IAM | CloudTrail management event | Medium |
| | IAM | CloudTrail management event | Medium |
| | IAM | CloudTrail management event | Medium |
| | S3 | CloudTrail data events for S3 | Medium |
| | S3 | CloudTrail data events for S3 | Medium |
| | S3 | CloudTrail data events for S3 | Medium |
| | IAM | CloudTrail management event | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | Medium |
| | IAM | CloudTrail management events or CloudTrail data events for S3 | Low |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | High |
| | Kubernetes | Kubernetes audit logs | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | S3 | CloudTrail management events | Low |
| | S3 | CloudTrail management events | High |
| | S3 | CloudTrail management events | Low |
| | S3 | CloudTrail management events | High |
| | IAM | CloudTrail management events | Medium |
| | Kubernetes | Kubernetes audit logs | Medium |
| | EC2 | VPC flow logs | High |
| | EC2 | VPC flow logs | Low* |
| | EC2 | VPC flow logs | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Low |
| | IAM | CloudTrail management event | Low* |
| | S3 | CloudTrail management events | Low |
| | EC2 | VPC flow logs | Medium |
| | EC2 | DNS logs | Medium |
| | EC2 | DNS logs | High |
| | EC2 | DNS logs | High |
| | EC2 | DNS logs | High |
| | EC2 | DNS logs | High |
| | EC2 | VPC flow logs | Medium |
| | EC2 | DNS logs | Medium |
| | EC2 | DNS logs | High |
| | EC2 | VPC flow logs | Medium |
| | EC2 | DNS logs | High |
| | EC2 | VPC flow logs | Low* |
| | EC2 | VPC flow logs | Low* |
| | EC2 | VPC flow logs | High |
| | EC2 | VPC flow logs | High |
| | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS | IAM | CloudTrail management event | High* |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS | IAM | CloudTrail management events or CloudTrail data events for S3 | High |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | S3 | CloudTrail data events for S3 | High |
| | S3 | CloudTrail data events for S3 | High |
| | EC2 | EBS volumes | Varies depending on the detected threat |
| | ECS | EBS volumes | Varies depending on the detected threat |
| | Kubernetes | EBS volumes | Varies depending on the detected threat |
| | Container | EBS volumes | Varies depending on the detected threat |
| | EC2 | EBS volumes | Varies depending on the detected threat |
| | ECS | EBS volumes | Varies depending on the detected threat |
| | Kubernetes | EBS volumes | Varies depending on the detected threat |
| | Container | EBS volumes | Varies depending on the detected threat |
| | | RDS login activity monitoring | Medium |
| | | RDS login activity monitoring | Low |