Amazon GuardDuty
Amazon Guard Duty User Guide

Document History for Amazon GuardDuty

Change Description Date

Added content for the Export Findings feature.

Added content that describes the Export Findings feature of GuardDuty.

November 14, 2019

Added the UnauthorizedAccess:EC2/MetadataDNSRebind finding type.

Added a new Unauthorized finding, UnauthorizedAccess:EC2/MetadataDNSRebind. Learn more.

October 10, 2019

Added the Stealth:IAMUser/S3ServerAccessLoggingDisabled finding type.

Added a new Stealth finding, Stealth:IAMUser/S3ServerAccessLoggingDisabled. Learn more.

October 10, 2019

Added the Policy:IAMUser/S3BlockPublicAccessDisabled finding type.

Added a new Policy finding, Policy:IAMUser/S3BlockPublicAccessDisabled. Learn more.

October 10, 2019

Retired the Backdoor:EC2/XORDDOS finding type.

The Backdoor:EC2/XORDDOS finding type is now retired from GuardDuty.Learn more

June 12, 2019

Added the PrivilegeEscalation finding type.

The PrivilegeEscalation finding type detects when users attempt to assign escalated, more permissive privileges to their accounts. Learn more

May 14, 2019

GuardDuty is now available in the EU (Stockholm) Region.

Added EU (Stockholm) to the list of AWS Regions in which GuardDuty is available. Learn more

May 9, 2019

Added a new finding type, Recon:EC2/PortProbeEMRUnprotectedPort.

This finding informs you that an EMR-related sensitive port on an EC2 Instance is not blocked and is being actively probed. Learn more

May 8, 2019

Added 5 new finding types that detect if your EC2 instances are potentially being used for Denial of Service (DoS) attacks.

These findings inform you of EC2 instances in your environment that are behaving in a manner that may indicate they is being used to perform Denial of Service (DoS) attacks. Learn more

March 8, 2019

Added a new finding type: Policy:IAMUser/RootCredentialUsage

Policy:IAMUser/RootCredentialUsage finding type informs you that the root credentials of your AWS account are being used to make programmatic requests to AWS services. Learn more

January 24, 2019

UnauthorizedAccess:IAMUser/UnusualASNCaller finding type has been retired

The UnauthorizedAccess:IAMUser/UnusualASNCaller finding type has been retired. You will now be notified about activity invoked from unusual networks via other active GuardDuty finding types. The generated finding type will be based on the category of the API that was invoked from an unusual network. Learn more

December 21, 2018

Added two new finding types: PenTest:IAMUser/ParrotLinux and PenTest:IAMUser/PentooLinux

PenTest:IAMUser/ParrotLinux finding type informs you that a computer running Parrot Security Linux is making API calls using credentials that belong to your AWS account. PenTest:IAMUser/PentooLinux finding type informs you that a machine running Pentoo Linux is making API calls using credentials that belong to your AWS account. Learn more

December 21, 2018

Added support for the Amazon GuardDuty Announcements SNS Topic

You can now subscribe to the GuardDuty Announcements SNS topic to receive notifications about newly released finding types, updates to the existing finding types, and other functionality changes. Notifications are available in all formats that Amazon SNS supports. Learn more

November 21, 2018

Added two new finding types: UnauthorizedAccess:EC2/TorClient and UnauthorizedAccess:EC2/TorRelay

UnauthorizedAccess:EC2/TorClient finding type informs you that an EC2 instance in your AWS environment is making connections to a Tor Guard or an Authority node. UnauthorizedAccess:EC2/TorRelay finding type informs you that an EC2 instance in your AWS environment is making connections to a Tor network in a manner that suggests that it's acting as a Tor relay. Learn more

November 16, 2018

Added a new finding type: CryptoCurrency:EC2/BitcoinTool.B

This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin, or other cryptocurrency-related activity. Learn more

November 9, 2018

Added support for updating the frequency of notifications sent to CloudWatch Events

You can now update the frequency of notifications sent to CloudWatch Events for the subsequent occurrences of existing findings. Possible values are 15 minutes, 1 hour, or the default 6 hours. Learn more

October 9, 2018

Added region support

Added region support for AWS GovCloud (US) Learn more

July 25, 2018

Added support for AWS CloudFormation StackSets in GuardDuty

You can use the Enable Amazon GuardDuty template to enable GuardDuty simultaneously in multiple accounts. Learn more

June 25, 2018

Added support for GuardDuty auto-archive rules

Customers can now build granular auto-archive rules for suppression of findings. For findings that match an auto-archive rule, GuardDuty automatically marks them as archived. This enables customers to further tune GuardDuty to keep only relevant findings in the current findings table. Learn more

May 4, 2018

GuardDuty is available in the EU (Paris) region

GuardDuty is now available in EU (Paris), allowing you to extend continuous security monitoring and threat detection to AWS' newest EU region. Learn more

March 29, 2018

Creating GuardDuty master and member accounts through AWS CloudFormation is now supported.

For more information, see AWS::GuardDuty::Master and AWS::GuardDuty::Member.

March 6, 2018

Added nine new CloudTrail-based anomaly detections.

These new finding types are automatically enabled in GuardDuty in all supported regions. Learn more

February 28, 2018

Added three new threat intelligence detections (finding types).

These new finding types are automatically enabled in GuardDuty in all supported regions. Learn more

February 5, 2018

Limit increase for GuardDuty member accounts.

With this release, you can have up to 1000 GuardDuty member accounts added per AWS account (GuardDuty master account). Learn more

January 25, 2018

Changes in upload and further management of trusted IP lists and threat lists for GuardDuty master and member accounts.

With this release, Users from master GuardDuty accounts can upload and manage trusted IP lists and threat lists. Users from member GuardDuty accounts CANNOT upload and manage lists. Trusted IP lists and threat lists that are uploaded by the master account are imposed on GuardDuty functionality in its member accounts. Learn more

January 25, 2018

The following table describes important changes in each release of the GuardDuty User Guide.

Earlier updates

Change Description Date
Initial publication Initial publication of the Amazon GuardDuty User Guide. November 28, 2017

On this page: