Amazon S3 Protection in Amazon GuardDuty
S3 Protection helps Amazon GuardDuty monitor AWS CloudTrail data events for Amazon Simple Storage Service (Amazon S3) that include
object-level API operations to identify potential security risks for data within your Amazon S3
buckets.
GuardDuty monitors both AWS CloudTrail management events and AWS CloudTrail S3 data events to identify
potential threats in your Amazon S3 resources. Both the data sources monitor different
kinds of activities. Examples of CloudTrail management events for S3 include operations that
list or configure Amazon S3 buckets, such as ListBuckets, DeleteBuckets, and
PutBucketReplication. Examples of CloudTrail data events for S3 include object-level
API operations, such as GetObject, ListObjects,
DeleteObject, and PutObject.
When you enable Amazon GuardDuty for an AWS account, GuardDuty starts monitoring
CloudTrail management events. You don't need to manually enable or configure S3 data event logging in AWS CloudTrail.
You can enable the S3 Protection feature (that
monitors CloudTrail data events for S3) for any account in any AWS Region where this
feature is available within Amazon GuardDuty, at any time. An AWS account that has already enabled
GuardDuty, can enable S3 Protection for the first time with a 30-day free trial period. For an AWS account that enables
GuardDuty for the first time, S3 Protection is already enabled and included in this 30-day free trial. For more information, see
Estimating GuardDuty cost.
We recommend you enable S3 Protection in GuardDuty. If this feature is not enabled,
GuardDuty will not be able to fully monitor your Amazon S3 buckets or generate findings for suspicious access to the data stored
in your S3 buckets.
How GuardDuty uses S3 data events
When you enable S3 data events (S3 Protection), GuardDuty begins
to analyze S3 data events from all of your S3 buckets, and monitors them for malicious and
suspicious activity. For more information, see AWS CloudTrail data events for S3.
When an unauthenticated user accesses an S3 object, it means that the S3 object is publicly accessible. Therefore, GuardDuty
doesn't process such requests. GuardDuty processes the requests made to the S3 objects by using valid IAM (AWS Identity and Access Management) or AWS STS (AWS Security Token Service)
credentials.
When GuardDuty detects a potential threat
based on S3 data event monitoring, it generates a security finding. For information
about the types of findings GuardDuty can generate for Amazon S3 buckets, see GuardDuty S3 finding types.
If you disable S3 Protection, GuardDuty stops S3 data event monitoring
of the data stored in your S3 buckets.
For accounts associated by AWS Organizations, this process can be automated through console
settings. For more information, see Configuring S3 Protection in multiple-account
environments.
To enable or disable S3 Protection
Choose your preferred access method to configure S3 Protection
for a standalone account.
- Console
-
Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
-
In the navigation pane,
choose S3 Protection.
-
The S3 Protection page provides the current
status of S3 Protection for your account. Choose Enable
or Disable to enable or
disable S3 Protection at any point in time.
Choose Confirm to confirm your
selection.
- API/CLI
-
-
Run updateDetector
by using your valid detector ID for the current Region and passing the
features object name as
S3_DATA_EVENTS set to ENABLED or DISABLED to enable
or disable S3 Protection, respectively.
Alternatively, you can use AWS Command Line Interface. To enable S3 Protection, run the following command and make
sure to use your own valid detector ID.
aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "ENABLED"}]'
To disable S3 Protection, replace ENABLED with
DISABLED in the example.
Configuring S3 Protection in multiple-account
environments
In a multi-account environment, only the delegated GuardDuty administrator account has the option
to configure (enable or disable) S3 Protection for the member accounts in their AWS
organization. The GuardDuty member accounts can't modify this configuration from their
accounts. The delegated GuardDuty administrator account manages their member accounts using AWS Organizations.
The delegated GuardDuty administrator account can choose to have S3 Protection automatically enabled on all accounts, only new
accounts, or no accounts in the
organization. For more information, see Managing accounts with
AWS Organizations.
Choose your preferred access method to configure S3 Protection for the delegated GuardDuty administrator account.
- Console
-
Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
Make sure to use the management account credentials.
-
In the navigation pane, choose S3 Protection.
-
On the S3 Protection page, choose Edit.
Do one of the following:
Using Enable for all accounts
Using Configure accounts manually
To enable the protection plan only for the delegated GuardDuty administrator account account, choose
Configure accounts manually.
Choose Enable under the
delegated GuardDuty administrator account (this account) section.
Choose Save.
- API/CLI
-
Run updateDetector by using the
detector ID of the delegated GuardDuty administrator account for the current Region and passing the features object name as
S3_DATA_EVENTS and status as ENABLED or
DISABLED.
Alternatively, you can configure S3 Protection by using AWS Command Line Interface. Run the following command, and make sure to replace
12abc34d567e8fa901bc2d34e56789f0 with the
detector ID of the delegated GuardDuty administrator account for the current Region and 555555555555 with
the AWS account ID of the delegated GuardDuty administrator account.
To find the detectorId for your account and current Region, see
Settings page in the https://console.aws.amazon.com/guardduty/ console.
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]'
- Console
-
-
Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
Sign in using your administrator account account.
Do one of the following:
Using the S3 Protection page
In the navigation pane, choose
S3 Protection.
Choose Enable for all accounts. This action
automatically enables S3 Protection for both existing and new accounts in the organization.
Choose Save.
It may take up to 24 hours to update the configuration for the member accounts.
Using the Accounts page
In the navigation pane, choose
Accounts.
On the Accounts page, choose Auto-enable preferences before
Add accounts by invitation.
In the Manage auto-enable preferences window, choose
Enable for all accounts under S3 Protection.
Choose Save.
If you can't use the Enable for all accounts option, see Selectively enable or disable S3 Protection in
member accounts.
- API/CLI
-
-
To selectively enable or disable S3 Protection for your member accounts, invoke the
updateMemberDetectors API operation using your own
detector ID.
-
The following example shows how you can enable S3 Protection for a single member
account. Make sure to replace 12abc34d567e8fa901bc2d34e56789f0
with the detector-id of the delegated GuardDuty administrator account, and 111122223333.
To disable S3 Protection, replace ENABLED with DISABLED.
To find the detectorId for your account and current Region, see
Settings page in the https://console.aws.amazon.com/guardduty/ console.
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"name": "S3_DATA_EVENTS", "status": "ENABLED"}]'
You can also pass a list of account IDs separated by a space.
-
When the code has successfully executed, it returns an empty list of
UnprocessedAccounts. If there were any problems changing the
detector settings for an account, that account ID is listed along with a summary
of the issue.
Choose your preferred access method to enable S3 Protection for all the existing active member accounts
in your organization.
- Console
-
Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
Sign in using the delegated GuardDuty administrator account credentials.
In the navigation pane, choose S3 Protection.
On the S3 Protection page, you can view the current status of the
configuration. Under the Active member accounts section, choose Actions.
From the Actions dropdown menu, choose Enable for all existing active member accounts.
Choose Confirm.
- API/CLI
-
-
To selectively enable or disable S3 Protection for your member accounts, invoke the
updateMemberDetectors API operation using your own
detector ID.
-
The following example shows how you can enable S3 Protection for a single member
account. Make sure to replace 12abc34d567e8fa901bc2d34e56789f0
with the detector-id of the delegated GuardDuty administrator account, and 111122223333.
To disable S3 Protection, replace ENABLED with DISABLED.
To find the detectorId for your account and current Region, see
Settings page in the https://console.aws.amazon.com/guardduty/ console.
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"name": "S3_DATA_EVENTS", "status": "ENABLED"}]'
You can also pass a list of account IDs separated by a space.
-
When the code has successfully executed, it returns an empty list of
UnprocessedAccounts. If there were any problems changing the
detector settings for an account, that account ID is listed along with a summary
of the issue.
Choose your preferred access method to enable S3 Protection for new accounts that join
your organization.
- Console
-
The delegated GuardDuty administrator account can enable for new member accounts in an organization through the
console, using either the S3 Protection or
Accounts page.
To auto-enable S3 Protection for new member accounts
Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
Make sure to use the delegated GuardDuty administrator account credentials.
-
Do one of the following:
- API/CLI
-
-
To selectively enable or disable S3 Protection for your member accounts, invoke the
UpdateOrganizationConfiguration API operation using
your own detector ID.
-
The following example shows how you can enable S3 Protection for a single member
account. To disable it, see Selectively enable or disable RDS Protection
for member accounts. Set the preferences to automatically enable or
disable the protection plan in that Region for new accounts
(NEW) that join the organization, all
the accounts (ALL), or none of the
accounts (NONE) in the organization.
For more information, see autoEnableOrganizationMembers. Based on
your preference, you may need to replace
NEW with ALL or
NONE.
To find the detectorId for your account and current Region, see
Settings page in the https://console.aws.amazon.com/guardduty/ console.
aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name": "S3_DATA_EVENTS", "autoEnable": "NEW"}]'
You can also pass a list of account IDs separated by a space.
-
When the code has successfully executed, it returns an empty list of
UnprocessedAccounts. If there were any problems changing the
detector settings for an account, that account ID is listed along with a summary
of the issue.
Choose your preferred access method to selectively enable or disable S3 Protection for member accounts.
- Console
-
Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
Make sure to use the delegated GuardDuty administrator account credentials.
-
In the navigation pane, choose
Accounts.
On the Accounts page, review the
S3 Protection column for the status of your member
account.
-
To selectively enable or disable S3 Protection
Select the account for which you want to configure S3 Protection. You can select
multiple accounts at a time. In the Edit Protection Plans
dropdown menu, choose S3Pro, and then choose the
appropriate option.
- API/CLI
-
To selectively enable or disable S3 Protection for your member
accounts, run the updateMemberDetectors API operation
using your own detector ID. The following example shows how you can
enable S3 Protection for a single member account. To disable it, replace
true with false.
To find the detectorId for your account and current Region, see
Settings page in the https://console.aws.amazon.com/guardduty/ console.
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "ENABLED"}]'
You can also pass a list of account IDs separated by a
space.
When the code has successfully executed, it returns an empty list of
UnprocessedAccounts. If there were any problems
changing the detector settings for an account, that account ID is listed
along with a summary of the issue.
If you use scripts to on-board new accounts and want to disable S3 Protection in your new accounts, you can modify the createDetector API operation with
the optional dataSources object as described in this
topic.
By default, S3 Protection is enabled automatically for AWS accounts that join GuardDuty for the first time.
If you are a GuardDuty administrator account enabling GuardDuty for the first time on a new account and
do not want S3 Protection enabled by default, you can disable it by modifying the createDetector API operation with the optional
features object. The following example uses the AWS CLI to enable a
new GuardDuty detector with the S3 Protection disabled.
aws guardduty create-detector --enable --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "DISABLED"}]'
