GuardDuty S3 Protection - Amazon GuardDuty

GuardDuty S3 Protection

S3 Protection helps Amazon GuardDuty monitor AWS CloudTrail data events for Amazon Simple Storage Service (Amazon S3) that include object-level API operations to identify potential security risks for data within your Amazon S3 buckets.

GuardDuty monitors both AWS CloudTrail management events and AWS CloudTrail S3 data events to identify potential threats in your Amazon S3 resources. These two data sources cover different kinds of activity. Examples of CloudTrail management events for S3 include operations that list or configure Amazon S3 buckets, such as ListBuckets, DeleteBuckets, and PutBucketReplication. Examples of CloudTrail data events for S3 include object-level API operations, such as GetObject, ListObjects, DeleteObject, and PutObject.

When you enable Amazon GuardDuty for an AWS account, GuardDuty starts monitoring CloudTrail management events. You don't need to explicitly enable or configure S3 data event logging in AWS CloudTrail to use S3 Protection. You can enable S3 Protection (which monitors CloudTrail data events for S3) at any time, for any account in any AWS Region where the feature is available in Amazon GuardDuty. An AWS account that has already enabled GuardDuty can enable S3 Protection for the first time with a 30-day free trial period. For an AWS account that enables GuardDuty for the first time, S3 Protection is enabled automatically and is included in that 30-day free trial. For more information, see Estimating GuardDuty cost.

We recommend that you enable S3 Protection in GuardDuty. If this feature is not enabled, GuardDuty cannot fully monitor your Amazon S3 buckets or generate findings for suspicious access to the data stored in them.
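Because accounts that enabled GuardDuty before S3 Protection existed may still have it turned off, a practitioner usually wants a repeatable check that reads each detector's S3_DATA_EVENTS feature status and enables it where needed. The following is an added example, not code from this page or from AWS; it uses the real GuardDuty GetDetector/UpdateDetector API shape, and the StubGuardDuty class is a constructed offline stand-in for the boto3 client so the logic can be exercised without credentials.

```python
"""Check and enable GuardDuty S3 Protection (the S3_DATA_EVENTS detector feature)."""
from typing import Any, Dict, List, Optional

S3_FEATURE = "S3_DATA_EVENTS"  # DetectorFeature name that corresponds to S3 Protection


def s3_protection_status(detector: Dict[str, Any]) -> Optional[str]:
    """Return "ENABLED"/"DISABLED" from a GetDetector response, or None if not listed."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == S3_FEATURE:
            return feature.get("Status")
    return None


def ensure_s3_protection(client: Any, detector_id: str) -> bool:
    """Enable S3 Protection on one detector unless it is already ENABLED.

    `client` is any object with get_detector/update_detector like boto3's
    GuardDuty client. Returns True if an UpdateDetector call was issued.
    """
    detector = client.get_detector(DetectorId=detector_id)
    if s3_protection_status(detector) == "ENABLED":
        return False
    client.update_detector(
        DetectorId=detector_id,
        Features=[{"Name": S3_FEATURE, "Status": "ENABLED"}],
    )
    return True


class StubGuardDuty:
    """Constructed offline stand-in for boto3's GuardDuty client (not an SDK type)."""

    def __init__(self, status: str) -> None:
        self.features: List[Dict[str, str]] = [{"Name": S3_FEATURE, "Status": status}]
        self.updates: List[Any] = []  # records every UpdateDetector call

    def get_detector(self, DetectorId: str) -> Dict[str, Any]:
        return {"Status": "ENABLED", "Features": list(self.features)}

    def update_detector(self, DetectorId: str, Features: List[Dict[str, str]]) -> Dict[str, Any]:
        self.updates.append(Features)
        names = {f["Name"] for f in Features}
        self.features = [f for f in self.features if f["Name"] not in names] + Features
        return {}


if __name__ == "__main__":
    import boto3  # live path: needs credentials plus guardduty:ListDetectors/GetDetector/UpdateDetector
    gd = boto3.client("guardduty")  # one detector per account per Region
    for det_id in gd.list_detectors()["DetectorIds"]:
        print(det_id, "enabled now" if ensure_s3_protection(gd, det_id) else "already enabled")
```

Run it once per Region where GuardDuty is enabled; enabling the feature on an account that already has GuardDuty starts the 30-day S3 Protection trial described above.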

How GuardDuty uses S3 data events

When you enable S3 Protection (S3 data events), GuardDuty begins analyzing S3 data events from all of your S3 buckets and monitoring them for malicious and suspicious activity. For more information, see AWS CloudTrail data events for S3.

When an unauthenticated (anonymous) user accesses an S3 object, the object is by definition publicly accessible, so GuardDuty doesn't process such requests. GuardDuty processes requests made to S3 objects with valid IAM (AWS Identity and Access Management) or AWS STS (AWS Security Token Service) credentials.

When GuardDuty detects a potential threat based on S3 data event monitoring, it generates a security finding. For information about the types of findings GuardDuty can generate for Amazon S3 buckets, see GuardDuty S3 finding types.

If you disable S3 Protection, GuardDuty stops S3 data event monitoring of the data stored in your S3 buckets.