Amazon S3 Protection in Amazon GuardDuty - Amazon GuardDuty

Amazon S3 Protection in Amazon GuardDuty

S3 Protection helps Amazon GuardDuty monitor AWS CloudTrail data events for Amazon Simple Storage Service (Amazon S3) that include object-level API operations to identify potential security risks for data within your Amazon S3 buckets.

GuardDuty monitors both AWS CloudTrail management events and AWS CloudTrail S3 data events to identify potential threats in your Amazon S3 resources. Both the data sources monitor different kinds of activities. Examples of CloudTrail management events for S3 include operations that list or configure Amazon S3 buckets, such as ListBuckets, DeleteBuckets, and PutBucketReplication. Examples of CloudTrail data events for S3 include object-level API operations, such as GetObject, ListObjects, DeleteObject, and PutObject.

When you enable Amazon GuardDuty for an AWS account, GuardDuty starts monitoring CloudTrail management events. You don't need to manually enable or configure S3 data event logging in AWS CloudTrail. You can enable the S3 Protection feature (that monitors CloudTrail data events for S3) for any account in any AWS Region where this feature is available within Amazon GuardDuty, at any time. An AWS account that has already enabled GuardDuty, can enable S3 Protection for the first time with a 30-day free trial period. For an AWS account that enables GuardDuty for the first time, S3 Protection is already enabled and included in this 30-day free trial. For more information, see Estimating GuardDuty cost.

We recommend you enable S3 Protection in GuardDuty. If this feature is not enabled, GuardDuty will not be able to fully monitor your Amazon S3 buckets or generate findings for suspicious access to the data stored in your S3 buckets.

How GuardDuty uses S3 data events

When you enable S3 data events (S3 Protection), GuardDuty begins to analyze S3 data events from all of your S3 buckets, and monitors them for malicious and suspicious activity. For more information, see AWS CloudTrail data events for S3.

When an unauthenticated user accesses an S3 object, it means that the S3 object is publicly accessible. Therefore, GuardDuty doesn't process such requests. GuardDuty processes the requests made to the S3 objects by using valid IAM (AWS Identity and Access Management) or AWS STS (AWS Security Token Service) credentials.

When GuardDuty detects a potential threat based on S3 data event monitoring, it generates a security finding. For information about the types of findings GuardDuty can generate for Amazon S3 buckets, see GuardDuty S3 finding types.

If you disable S3 Protection, GuardDuty stops S3 data event monitoring of the data stored in your S3 buckets.

Configuring S3 Protection for a standalone account

For accounts associated by AWS Organizations, this process can be automated through console settings. For more information, see Configuring S3 Protection in multiple-account environments.

To enable or disable S3 Protection

Choose your preferred access method to configure S3 Protection for a standalone account.

Console
  1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, choose S3 Protection.

  3. The S3 Protection page provides the current status of S3 Protection for your account. Choose Enable or Disable to enable or disable S3 Protection at any point in time.

  4. Choose Confirm to confirm your selection.

API/CLI
  1. Run updateDetector by using your valid detector ID for the current Region and passing the features object name as S3_DATA_EVENTS set to ENABLED or DISABLED to enable or disable S3 Protection, respectively.

    Note

    To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

  2. Alternatively, you can use AWS Command Line Interface. To enable S3 Protection, run the following command and make sure to use your own valid detector ID.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "ENABLED"}]'

    To disable S3 Protection, replace ENABLED with DISABLED in the example.

Configuring S3 Protection in multiple-account environments

In a multi-account environment, only the delegated GuardDuty administrator account has the option to configure (enable or disable) S3 Protection for the member accounts in their AWS organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages their member accounts using AWS Organizations. The delegated GuardDuty administrator account can choose to have S3 Protection automatically enabled on all accounts, only new accounts, or no accounts in the organization. For more information, see Managing accounts with AWS Organizations.

Choose your preferred access method to configure S3 Protection for the delegated GuardDuty administrator account.

Console
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Make sure to use the management account credentials.

  2. In the navigation pane, choose S3 Protection.

  3. On the S3 Protection page, choose Edit.

  4. Do one of the following:

    Using Enable for all accounts
    • Choose Enable for all accounts. This will enable the protection plan for all the active GuardDuty accounts in your AWS organization, including the new accounts that join the organization.

    • Choose Save.

    Using Configure accounts manually
    • To enable the protection plan only for the delegated GuardDuty administrator account account, choose Configure accounts manually.

    • Choose Enable under the delegated GuardDuty administrator account (this account) section.

    • Choose Save.

API/CLI

Run updateDetector by using the detector ID of the delegated GuardDuty administrator account for the current Region and passing the features object name as S3_DATA_EVENTS and status as ENABLED or DISABLED.

Alternatively, you can configure S3 Protection by using AWS Command Line Interface. Run the following command, and make sure to replace 12abc34d567e8fa901bc2d34e56789f0 with the detector ID of the delegated GuardDuty administrator account for the current Region and 555555555555 with the AWS account ID of the delegated GuardDuty administrator account.

To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]'
Console
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Sign in using your administrator account account.

  2. Do one of the following:

    Using the S3 Protection page
    1. In the navigation pane, choose S3 Protection.

    2. Choose Enable for all accounts. This action automatically enables S3 Protection for both existing and new accounts in the organization.

    3. Choose Save.

      Note

      It may take up to 24 hours to update the configuration for the member accounts.

    Using the Accounts page
    1. In the navigation pane, choose Accounts.

    2. On the Accounts page, choose Auto-enable preferences before Add accounts by invitation.

    3. In the Manage auto-enable preferences window, choose Enable for all accounts under S3 Protection.

    4. Choose Save.

    If you can't use the Enable for all accounts option, see Selectively enable or disable S3 Protection in member accounts.

API/CLI
  • To selectively enable or disable S3 Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

  • The following example shows how you can enable S3 Protection for a single member account. Make sure to replace 12abc34d567e8fa901bc2d34e56789f0 with the detector-id of the delegated GuardDuty administrator account, and 111122223333. To disable S3 Protection, replace ENABLED with DISABLED.

    To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"name": "S3_DATA_EVENTS", "status": "ENABLED"}]'
    Note

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to enable S3 Protection for all the existing active member accounts in your organization.

Console
  1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Sign in using the delegated GuardDuty administrator account credentials.

  2. In the navigation pane, choose S3 Protection.

  3. On the S3 Protection page, you can view the current status of the configuration. Under the Active member accounts section, choose Actions.

  4. From the Actions dropdown menu, choose Enable for all existing active member accounts.

  5. Choose Confirm.

API/CLI
  • To selectively enable or disable S3 Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

  • The following example shows how you can enable S3 Protection for a single member account. Make sure to replace 12abc34d567e8fa901bc2d34e56789f0 with the detector-id of the delegated GuardDuty administrator account, and 111122223333. To disable S3 Protection, replace ENABLED with DISABLED.

    To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"name": "S3_DATA_EVENTS", "status": "ENABLED"}]'
    Note

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to enable S3 Protection for new accounts that join your organization.

Console

The delegated GuardDuty administrator account can enable for new member accounts in an organization through the console, using either the S3 Protection or Accounts page.

To auto-enable S3 Protection for new member accounts
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Make sure to use the delegated GuardDuty administrator account credentials.

  2. Do one of the following:

    • Using the S3 Protection page:

      1. In the navigation pane, choose S3 Protection.

      2. On the S3 Protection page, choose Edit.

      3. Choose Configure accounts manually.

      4. Select Automatically enable for new member accounts. This step ensures that whenever a new account joins your organization, S3 Protection will be automatically enabled for their account. Only the organization delegated GuardDuty administrator account can modify this configuration.

      5. Choose Save.

    • Using the Accounts page:

      1. In the navigation pane, choose Accounts.

      2. On the Accounts page, choose Auto-enable preferences.

      3. In the Manage auto-enable preferences window, select Enable for new accounts under S3 Protection.

      4. Choose Save.

API/CLI
  • To selectively enable or disable S3 Protection for your member accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

  • The following example shows how you can enable S3 Protection for a single member account. To disable it, see Selectively enable or disable RDS Protection for member accounts. Set the preferences to automatically enable or disable the protection plan in that Region for new accounts (NEW) that join the organization, all the accounts (ALL), or none of the accounts (NONE) in the organization. For more information, see autoEnableOrganizationMembers. Based on your preference, you may need to replace NEW with ALL or NONE.

    To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name": "S3_DATA_EVENTS", "autoEnable": "NEW"}]'
    Note

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to selectively enable or disable S3 Protection for member accounts.

Console
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Make sure to use the delegated GuardDuty administrator account credentials.

  2. In the navigation pane, choose Accounts.

    On the Accounts page, review the S3 Protection column for the status of your member account.

  3. To selectively enable or disable S3 Protection

    Select the account for which you want to configure S3 Protection. You can select multiple accounts at a time. In the Edit Protection Plans dropdown menu, choose S3Pro, and then choose the appropriate option.

API/CLI

To selectively enable or disable S3 Protection for your member accounts, run the updateMemberDetectors API operation using your own detector ID. The following example shows how you can enable S3 Protection for a single member account. To disable it, replace true with false.

To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "ENABLED"}]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Note

If you use scripts to on-board new accounts and want to disable S3 Protection in your new accounts, you can modify the createDetector API operation with the optional dataSources object as described in this topic.

Important

By default, S3 Protection is enabled automatically for AWS accounts that join GuardDuty for the first time.

If you are a GuardDuty administrator account enabling GuardDuty for the first time on a new account and do not want S3 Protection enabled by default, you can disable it by modifying the createDetector API operation with the optional features object. The following example uses the AWS CLI to enable a new GuardDuty detector with the S3 Protection disabled.

aws guardduty create-detector --enable --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "DISABLED"}]'