Amazon GuardDuty in AWS GovCloud (US)
Amazon GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to identify unexpected and potentially unauthorized or malicious activity in your AWS environment.
How Amazon GuardDuty differs for AWS GovCloud (US) Regions
The following list indicates the differences in the feature availability in AWS GovCloud (US) Regions:
- In Malware Protection for S3, the Extracted archive files default quota is 1,000 in the AWS GovCloud (US) Regions. For more information, see Quotas in Malware Protection for S3.
- When using Runtime Monitoring (including EKS Runtime Monitoring), make the following changes in the AWS GovCloud (US) Regions:
  - For both Amazon EC2 and Amazon EKS – In the prerequisite step for creating an Amazon VPC endpoint manually, the Service name in the AWS GovCloud (US) Region should be com.amazonaws.us-gov-east-1.guardduty-data-fips. Replace us-gov-east-1 with your Region. This must be the same Region as the Amazon EC2 instance (or Amazon EKS cluster) that belongs to your AWS account ID.
  - With the initial release of Runtime Monitoring, GuardDuty starts support with the following security agent versions:
    - Amazon EKS - v1.11.1
    - Amazon EC2 - v1.8.0
    - Fargate-Amazon ECS - v1.8.0
    For more information, see GuardDuty security agent release versions.
  - For Amazon EC2 – When managing the security agent manually using Method 2 - Using Linux Package Managers, use the following AWS account IDs and Regions for both RPM installation and Debian installation:
    - AWS GovCloud (US-East) (us-gov-east-1) – 383115532789
    - AWS GovCloud (US-West) (us-gov-west-1) – 383110348953
  - For Amazon EKS and Fargate-Amazon ECS resources – For the Amazon ECR repository hosting the GuardDuty agent, use the following ECR repositories for your Amazon EKS and Fargate-Amazon ECS resources:
    - Amazon ECR repository for EKS resources:
      AWS GovCloud (US-East) - 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com
      AWS GovCloud (US-West) - 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com
    - Amazon ECR repository for Fargate-ECS resources:
      AWS GovCloud (US-East) - 383115532789.dkr.ecr.us-gov-east-1.amazonaws.com/aws-guardduty-agent-fargate
      AWS GovCloud (US-West) - 383110348953.dkr.ecr.us-gov-west-1.amazonaws.com/aws-guardduty-agent-fargate
- The entity lists capability in Customizing threat detection with entity lists and IP address lists is not supported in AWS GovCloud (US) Regions. GuardDuty continues to support IP address lists.
- The Extended Threat Detection coverage for EKS clusters supports detecting multi-stage attacks through the available EKS Protection finding types (EKS audit log monitoring) and AWS API activity in AWS GovCloud (US) Regions.
- The following EKS Protection (EKS audit log monitoring) finding types are not available in the AWS GovCloud (US) Regions:
  - CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed
  - PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated
  - PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer
  - Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount
  - PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated
- RDS Protection is not supported in AWS GovCloud (US) Regions.
- In Malware Protection for EC2, scanning instances whose productCode is marketplace is not supported. GuardDuty skips the malware scan for such instances and logs the skip reason as UNSUPPORTED_PRODUCT_CODE_TYPE.
- Cross-region data transfer is not supported in AWS GovCloud (US) Regions.
- Member accounts invitation notifications through AWS Health Dashboard and email are not supported in AWS GovCloud (US) Regions.
- In AWS GovCloud (US) Regions, AWS doesn't use or store Customer Content processed by Amazon GuardDuty to develop and improve the service or technologies of AWS or its affiliates. Opt-out policies are currently not applicable to these Regions.
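The following is an added example, not AWS code: a small Python checker that applies the GovCloud-specific Runtime Monitoring rules from the list above (the FIPS endpoint Service name in the resource's own Region, and agent images pulled from the Region's GovCloud ECR location). The account IDs, registries and Service name are the values stated on this page; the check functions, the tag/digest handling and the EKS repository name used in the sample are assumptions.

```python
"""Constructed checks for GovCloud (US) GuardDuty Runtime Monitoring settings.

Expected values come from the GovCloud GuardDuty page; the check logic is an
added example, not part of AWS tooling."""
import re

GOVCLOUD_REGIONS = ("us-gov-east-1", "us-gov-west-1")

# Package-repository account IDs per Region (RPM/Debian installation).
PACKAGE_ACCOUNT = {"us-gov-east-1": "383115532789",
                   "us-gov-west-1": "383110348953"}
# ECR registry hosting the EKS agent (page gives only the registry host).
EKS_REGISTRY = {"us-gov-east-1": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com",
                "us-gov-west-1": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com"}
# Fargate-ECS agent repositories live in the same accounts as the package repos.
FARGATE_REPO = {r: f"{PACKAGE_ACCOUNT[r]}.dkr.ecr.{r}.amazonaws.com/aws-guardduty-agent-fargate"
                for r in GOVCLOUD_REGIONS}

# Matches both the commercial form (...guardduty-data) and the GovCloud FIPS form.
SERVICE_RE = re.compile(r"com\.amazonaws\.([a-z0-9-]+)\.guardduty-data(-fips)?")


def check_endpoint_service(service_name, resource_region):
    """Return a list of problems with a manually created VPC endpoint Service
    name ([] if fine): the endpoint must sit in the same Region as the EC2
    instance or EKS cluster, and in GovCloud it must be the -fips variant."""
    m = SERVICE_RE.fullmatch(service_name)
    if not m:
        return [f"not a GuardDuty data endpoint service name: {service_name}"]
    ep_region, fips = m.group(1), m.group(2)
    problems = []
    if ep_region != resource_region:
        problems.append(f"endpoint Region {ep_region} != resource Region {resource_region}")
    if resource_region in GOVCLOUD_REGIONS and fips is None:
        problems.append("GovCloud Regions require com.amazonaws.<region>.guardduty-data-fips")
    return problems


def check_agent_image(image_uri, region, workload):
    """True if an agent image URI is pulled from the GovCloud ECR location this
    page lists for the Region: registry host for EKS, full repository for
    Fargate-ECS. A trailing :tag or @digest is ignored (assumed URI shape)."""
    if region not in GOVCLOUD_REGIONS:
        raise ValueError(f"not a GovCloud (US) Region: {region}")
    repo = image_uri.rsplit("@", 1)[0].rsplit(":", 1)[0]
    if workload == "eks":
        return repo.split("/", 1)[0] == EKS_REGISTRY[region]
    if workload == "fargate-ecs":
        return repo == FARGATE_REPO[region]
    raise ValueError(f"unknown workload type: {workload}")
```

Running the checks against a task definition or Helm values before rollout catches the two silent misconfigurations the list above warns about: an endpoint created in a different Region than the workload, and a non-FIPS Service name in GovCloud.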
Documentation for Amazon GuardDuty
Amazon GuardDuty documentation
Export-controlled content
For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
- This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.
No data will leave the AWS GovCloud (US) Regions for this service.