GuardDuty finding types
A finding is a notification that GuardDuty generates when it detects an indication of suspicious or malicious activity in your AWS account. GuardDuty generates findings only in an account that has GuardDuty enabled.
For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.
For information about finding types that are now retired, see Retired finding types.
GuardDuty finding types by potentially impacted resources
The following pages are categorized by the potentially impacted resource type associated with a GuardDuty finding:
GuardDuty active finding types
The following table lists all of the active finding types, sorted by the foundational data source or feature that produces them, as applicable. Some finding types have a variable severity, indicated by an asterisk (*). For details on how the severity of such a finding type varies, see the detailed description of that finding type.
| Finding type | Resource type | Foundational data source/Feature | Finding severity |
|---|---|---|---|
| | Amazon S3 | CloudTrail data events for S3 | Low |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | Medium |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | Medium |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | Medium |
| | Amazon S3 | CloudTrail data events for S3 | Medium |
| | Amazon S3 | CloudTrail data events for S3 | Medium |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | Amazon S3 | CloudTrail data events for S3 | High |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Low |
| | IAM | CloudTrail management events | High |
| | IAM | CloudTrail management events | High |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Low* |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS | IAM | CloudTrail management events | High* |
| | Amazon S3 | CloudTrail management events | Low |
| | Amazon S3 | CloudTrail management events | High |
| | Amazon S3 | CloudTrail management events | Low |
| | Amazon S3 | CloudTrail management events | High |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Low |
| | Amazon S3 | CloudTrail management events | Low |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events | Medium |
| | IAM | CloudTrail management events or CloudTrail data events for S3 | Low |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS | IAM | CloudTrail management events or CloudTrail data events for S3 | High |
| | Resources involved in attack sequence | CloudTrail management events | Critical |
| | Resources involved in attack sequence | CloudTrail management events and CloudTrail data events for S3 | Critical |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | Medium |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | Low |
| | Amazon EC2 | DNS logs | Medium |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | Medium |
| | Amazon EC2 | DNS logs | High |
| | Amazon EC2 | DNS logs | High |
| | Container | EBS Malware Protection | Varies depending on the detected threat |
| | Container | EBS Malware Protection | Varies depending on the detected threat |
| | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat |
| | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat |
| | ECS | EBS Malware Protection | Varies depending on the detected threat |
| | ECS | EBS Malware Protection | Varies depending on the detected threat |
| | Kubernetes | EBS Malware Protection | Varies depending on the detected threat |
| | Kubernetes | EBS Malware Protection | Varies depending on the detected threat |
| CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | Low |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Low |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | Medium |
| | Kubernetes | EKS audit logs | Medium |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated | Kubernetes | EKS audit logs | Medium* |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated | Kubernetes | EKS audit logs | Low |
| Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount | Kubernetes | EKS audit logs | High |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer | Kubernetes | EKS audit logs | High |
| | Kubernetes | EKS audit logs | Medium |
| | Lambda | Lambda Network Activity Monitoring | High |
| | Lambda | Lambda Network Activity Monitoring | High |
| | Lambda | Lambda Network Activity Monitoring | Medium |
| | Lambda | Lambda Network Activity Monitoring | Medium |
| | Lambda | Lambda Network Activity Monitoring | Medium |
| | Lambda | Lambda Network Activity Monitoring | High |
| | Lambda | Lambda Network Activity Monitoring | High |
| | S3Object | Malware Protection for S3 | High |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Low |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | High |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Variable* |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | High |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | High |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | Low* |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | Low* |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Medium |
| | Amazon EC2 | VPC flow logs | Low* |
| | Amazon EC2 | VPC flow logs | Low* |
| | Amazon EC2 | VPC flow logs | High |
| | Amazon EC2 | VPC flow logs | High |