GuardDuty Detector is Enabled
Overview
This check verifies that Amazon GuardDuty is enabled and actively running in your AWS account. GuardDuty is a threat detection service that continuously monitors your AWS environment for malicious activity and unauthorized behavior by analyzing CloudTrail logs, VPC Flow Logs, DNS logs, and other data sources.
Risk
Without an active GuardDuty detector:
- Threats go undetected: Malicious activity in CloudTrail, VPC Flow Logs, DNS queries, S3, EKS, EBS, and Lambda workloads may not be noticed
- Data exfiltration risk: Attackers can steal sensitive data without triggering alerts
- Lateral movement: Compromised credentials or resources can be used to access other parts of your environment undetected
- Cryptocurrency mining: Unauthorized compute usage for crypto mining can run unchecked, increasing costs
- Blind spots in unmonitored regions: Attackers may target regions where GuardDuty is not enabled
Remediation Steps
Prerequisites
- AWS account access with permission to enable GuardDuty
- `guardduty:CreateDetector` permission (or Administrator access)
AWS Console Method
1. Sign in to the AWS Management Console
2. Navigate to GuardDuty (search for "GuardDuty" in the services search bar)
3. Ensure you are in the correct region (start with us-east-1)
4. If GuardDuty has never been enabled, click Get Started, then click Enable GuardDuty
5. If GuardDuty was previously suspended:
   - Go to Settings in the left navigation
   - Scroll down and click Enable or Resume to reactivate the detector
6. Repeat steps 3-5 for each AWS region you want to protect
Tip: For organizations, consider using a delegated administrator account to manage GuardDuty across all member accounts automatically.
AWS CLI (optional)
Enable GuardDuty in a region:
```bash
aws guardduty create-detector \
  --enable \
  --region us-east-1
```
This returns a detector ID:
```json
{
  "DetectorId": "b6b992d6d2f48e64bc59180bfexample"
}
```
Check if GuardDuty is already enabled:
```bash
aws guardduty list-detectors --region us-east-1
```
If the DetectorIds array is empty, GuardDuty is not enabled.
Get detector status (if a detector exists):
```bash
# First, get the detector ID
DETECTOR_ID=$(aws guardduty list-detectors --region us-east-1 --query 'DetectorIds[0]' --output text)

# Then check its status
aws guardduty get-detector \
  --detector-id "$DETECTOR_ID" \
  --region us-east-1
```
Look for "Status": "ENABLED" in the output. If the status is SUSPENDED, you need to update it.
Resume a suspended detector:
```bash
aws guardduty update-detector \
  --detector-id "$DETECTOR_ID" \
  --enable \
  --region us-east-1
```
Enable GuardDuty in all regions (script):
```bash
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  echo "Enabling GuardDuty in $region..."
  aws guardduty create-detector --enable --region "$region" 2>/dev/null || echo "Already enabled or error in $region"
done
```
CloudFormation (optional)
Deploy a GuardDuty detector using CloudFormation:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Amazon GuardDuty threat detection
Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
      DataSources:
        S3Logs:
          Enable: true
        Kubernetes:
          AuditLogs:
            Enable: true
        MalwareProtection:
          ScanEc2InstanceWithFindings:
            EbsVolumes: true
      Tags:
        - Key: Purpose
          Value: ThreatDetection
Outputs:
  DetectorId:
    Description: The GuardDuty Detector ID
    Value: !Ref GuardDutyDetector
```
Deploy the template:
```bash
aws cloudformation deploy \
  --template-file guardduty.yaml \
  --stack-name guardduty-detector \
  --region us-east-1
```
Note: CloudFormation StackSets can be used to deploy GuardDuty across multiple regions and accounts simultaneously.
Terraform (optional)
Enable GuardDuty using Terraform:
```hcl
resource "aws_guardduty_detector" "main" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }

  tags = {
    Purpose = "ThreatDetection"
  }
}

output "detector_id" {
  description = "The GuardDuty Detector ID"
  value       = aws_guardduty_detector.main.id
}
```
For multi-region deployment, use a module with for_each:
```hcl
variable "regions" {
  type    = list(string)
  default = ["us-east-1", "us-west-2", "eu-west-1"]
}

module "guardduty" {
  source   = "./modules/guardduty"
  for_each = toset(var.regions)

  # Assumes an aliased provider configuration "aws.region" is defined for each entry in var.regions
  providers = {
    aws = aws.region[each.key]
  }
}
```
Verification
After enabling GuardDuty, verify it is working:
- Go to GuardDuty in the AWS Console
- Confirm the Status shows Enabled (look for a green indicator)
- Check that the detector is not suspended under Settings
- Optionally, navigate to Findings to see any threats detected
CLI verification commands
List detectors and verify status:
```bash
# List detector IDs
aws guardduty list-detectors --region us-east-1

# Get detector details
DETECTOR_ID=$(aws guardduty list-detectors --region us-east-1 --query 'DetectorIds[0]' --output text)
aws guardduty get-detector \
  --detector-id "$DETECTOR_ID" \
  --region us-east-1 \
  --query '{Status: Status, FindingPublishingFrequency: FindingPublishingFrequency}'
```
Expected output:
```json
{
  "Status": "ENABLED",
  "FindingPublishingFrequency": "FIFTEEN_MINUTES"
}
```
Check all regions at once:
```bash
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  detector=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text 2>/dev/null)
  if [ "$detector" != "None" ] && [ -n "$detector" ]; then
    status=$(aws guardduty get-detector --detector-id "$detector" --region "$region" --query 'Status' --output text 2>/dev/null)
    echo "$region: $status"
  else
    echo "$region: NOT ENABLED"
  fi
done
```
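The CLI remediation and verification loops above make the same three-way decision per region: no detector, detector present but not enabled, or detector enabled. The following Python script is an added example for this check (not code from the original page or from AWS) that puts that decision in one pure function so it can be tested against constructed detector states, then wires it to boto3 for a live audit. It assumes credentials allowing `guardduty:ListDetectors` and `guardduty:GetDetector` (plus `CreateDetector`/`UpdateDetector` when `--fix` is passed); `SAMPLE_REGIONS`, `classify`, `audit`, `summarize`, `collect`, `remediate` and the `--fix` flag are this example's own names, and the detector IDs in the sample are constructed.

```python
"""Audit GuardDuty detector state across regions and plan remediation.

Added example for this check, not the original page's or AWS's code. Assumes
credentials allowing guardduty:ListDetectors and guardduty:GetDetector
(plus CreateDetector / UpdateDetector when --fix is passed) and the boto3 SDK,
which is only imported when run as a script so the pure logic works offline.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (not real account data): region -> (DetectorIds, Status)
# as list-detectors / get-detector would report them. Status is None when the
# DetectorIds array is empty.
SAMPLE_REGIONS: Dict[str, Tuple[List[str], Optional[str]]] = {
    "us-east-1": (["b6b992d6d2f48e64bc59180bfexample"], "ENABLED"),
    "us-west-2": (["0123456789abcdef0123456789example"], "SUSPENDED"),
    "eu-west-1": ([], None),
}


@dataclass(frozen=True)
class RegionResult:
    region: str
    detector_id: Optional[str]
    compliant: bool
    reason: str
    action: str  # "noop", "create" or "resume"


def classify(region: str, detector_ids: List[str], status: Optional[str]) -> RegionResult:
    """Pure evaluation mirroring the CLI logic: an empty DetectorIds array means
    GuardDuty is not enabled; a detector whose Status is anything but ENABLED
    must be resumed with update-detector."""
    if not detector_ids:
        return RegionResult(region, None, False, "no detector", "create")
    detector_id = detector_ids[0]  # GuardDuty allows one detector per region
    if status == "ENABLED":
        return RegionResult(region, detector_id, True, "detector enabled", "noop")
    return RegionResult(region, detector_id, False, f"detector status is {status}", "resume")


def audit(regions: Dict[str, Tuple[List[str], Optional[str]]]) -> List[RegionResult]:
    """Evaluate every region in the given state map."""
    return [classify(r, ids, status) for r, (ids, status) in regions.items()]


def summarize(results: List[RegionResult]) -> Dict[str, int]:
    """Count compliant vs. non-compliant regions for a quick pass/fail roll-up."""
    compliant = sum(1 for r in results if r.compliant)
    return {"compliant": compliant, "non_compliant": len(results) - compliant}


def collect(session, regions: List[str]) -> Dict[str, Tuple[List[str], Optional[str]]]:
    """Gather live detector state with boto3 (the equivalent of the CLI loop)."""
    state = {}
    for region in regions:
        gd = session.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        status = gd.get_detector(DetectorId=ids[0])["Status"] if ids else None
        state[region] = (ids, status)
    return state


def remediate(session, result: RegionResult) -> Optional[str]:
    """Apply the planned action; returns the detector ID now in force."""
    gd = session.client("guardduty", region_name=result.region)
    if result.action == "create":
        return gd.create_detector(Enable=True)["DetectorId"]
    if result.action == "resume":
        gd.update_detector(DetectorId=result.detector_id, Enable=True)
    return result.detector_id


if __name__ == "__main__":
    import boto3  # deferred so the pure functions above import without the SDK

    session = boto3.Session()
    region_names = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    results = audit(collect(session, region_names))
    for res in results:
        print(f"{res.region}: {'PASS' if res.compliant else 'FAIL'} ({res.reason})")
        if "--fix" in sys.argv and not res.compliant:
            print(f"  -> {res.action}: {remediate(session, res)}")
    print(summarize(results))
```

Run without arguments for a read-only report across every region returned by `describe-regions`; add `--fix` to create missing detectors and re-enable suspended ones in the same pass. Keeping `classify` free of SDK calls is what lets the decision rule be checked against the constructed `SAMPLE_REGIONS` before it is pointed at a real account.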
Additional Resources
- Getting Started with Amazon GuardDuty
- GuardDuty Finding Types
- Managing Multiple Accounts in GuardDuty
- Terraform: Automate GuardDuty for an Organization
Notes
- One detector per region: Each AWS region requires its own GuardDuty detector
- Enable in all regions: Even if you only use a few regions, enable GuardDuty everywhere to detect unauthorized activity in unused regions
- 30-day free trial: New accounts get a 30-day free trial to evaluate GuardDuty
- Finding export: Consider exporting findings to S3 or EventBridge for long-term storage and automated response
- Organization deployment: For AWS Organizations, designate a delegated administrator to manage GuardDuty centrally and auto-enable for new accounts
- Protection plans: GuardDuty offers optional protection plans (S3, EKS, Malware, RDS, Lambda) that can be enabled separately