Enable GuardDuty Lambda Protection

Overview

This check verifies that Amazon GuardDuty has Lambda Protection enabled. Lambda Protection monitors network activity from your Lambda functions to detect potential security threats such as malicious communications, data exfiltration, or unauthorized access attempts.

Risk

Without Lambda Protection enabled, GuardDuty cannot analyze network traffic from your Lambda functions. This means:

  • Missed threats: Malicious activity like command-and-control callbacks or data exfiltration may go undetected
  • Blind spots: Attackers could use compromised Lambda functions as a pivot point without triggering alerts
  • Compliance gaps: Your security monitoring may not meet regulatory requirements for serverless workloads

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify GuardDuty settings, or
  • AWS CLI configured with appropriate IAM permissions (guardduty:UpdateDetector)
  • GuardDuty must already be enabled in your account (this check assumes you have an existing detector)

AWS Console Method

  1. Sign in to the AWS Console and navigate to GuardDuty
  2. In the left navigation pane, click Settings
  3. Scroll down to the Lambda Protection section
  4. Click Enable (or toggle it on if shown as a switch)
  5. Click Save to confirm your changes

That's it! GuardDuty will begin monitoring Lambda network activity within a few minutes.

AWS CLI (optional)

Step 1: Find your detector ID

First, retrieve your GuardDuty detector ID:

aws guardduty list-detectors --region us-east-1

This returns a list of detector IDs. Most accounts have one detector per region.

Step 2: Enable Lambda Protection

Replace <detector-id> with your actual detector ID:

aws guardduty update-detector \
--detector-id <detector-id> \
--features '[{"Name":"LAMBDA_NETWORK_LOGS","Status":"ENABLED"}]' \
--region us-east-1

Example with a real detector ID

aws guardduty update-detector \
--detector-id 12abc34d567e8fa901bc2d34eexample \
--features '[{"Name":"LAMBDA_NETWORK_LOGS","Status":"ENABLED"}]' \
--region us-east-1

CloudFormation (optional)

Use this template to create a new GuardDuty detector with Lambda Protection enabled, or update an existing stack:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty Lambda Protection

Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      Features:
        - Name: LAMBDA_NETWORK_LOGS
          Status: ENABLED

Outputs:
  DetectorId:
    Description: The ID of the GuardDuty detector
    Value: !Ref GuardDutyDetector

Deploy the template

aws cloudformation deploy \
--template-file guardduty-lambda-protection.yaml \
--stack-name guardduty-lambda-protection \
--region us-east-1

Note: If you already have a GuardDuty detector managed by CloudFormation, add the Features block to your existing template instead of creating a new stack.

Terraform (optional)

For a new GuardDuty detector

resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_guardduty_detector_feature" "lambda_protection" {
  detector_id = aws_guardduty_detector.main.id
  name        = "LAMBDA_NETWORK_LOGS"
  status      = "ENABLED"
}

For an existing detector

If you already have a GuardDuty detector, reference its ID and add the feature:

data "aws_guardduty_detector" "existing" {}

resource "aws_guardduty_detector_feature" "lambda_protection" {
  detector_id = data.aws_guardduty_detector.existing.id
  name        = "LAMBDA_NETWORK_LOGS"
  status      = "ENABLED"
}

Apply the configuration

terraform init
terraform apply

Verification

After enabling Lambda Protection, verify it is active:

  1. In the AWS Console, go to GuardDuty > Settings
  2. Look for the Lambda Protection section
  3. Confirm the status shows Enabled

Verify with AWS CLI

aws guardduty get-detector \
--detector-id <detector-id> \
--region us-east-1 \
--query 'Features[?Name==`LAMBDA_NETWORK_LOGS`]'

Expected output:

[
  {
    "Name": "LAMBDA_NETWORK_LOGS",
    "Status": "ENABLED",
    "UpdatedAt": "2024-01-15T10:30:00Z"
  }
]

Additional Resources

Notes

  • Regional scope: GuardDuty operates per-region. You must enable Lambda Protection in each region where you have Lambda functions.
  • Cost considerations: Lambda Protection may incur additional GuardDuty charges based on the volume of Lambda network activity analyzed. Review GuardDuty pricing for details.
  • Multi-account environments: If using AWS Organizations with a delegated GuardDuty administrator, enable Lambda Protection from the administrator account to apply it across member accounts.
  • Finding delivery: After enabling, it may take up to 24 hours for GuardDuty to begin generating Lambda-related findings as it establishes baseline behavior.
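Because both the verification and the remediation above are per-region, the following script (an added example, not code from this page or from AWS) evaluates the get-detector response the way this check does and, on request, applies the same update-detector call across every region the account has opted into. It assumes boto3 and AWS credentials with the GuardDuty list/get/update permissions; the sample responses at the bottom are constructed, not real detector output.

```python
"""Check, and optionally enable, GuardDuty Lambda Protection in every enabled region."""
import json
import sys
from typing import Dict, List

FEATURE = "LAMBDA_NETWORK_LOGS"


def lambda_protection_status(detector: Dict) -> str:
    """Return "ENABLED", "DISABLED", or "MISSING" from a get-detector response.
    "MISSING" covers a detector whose Features list has no LAMBDA_NETWORK_LOGS entry."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("Status", "MISSING")
    return "MISSING"


def needs_remediation(detector: Dict) -> bool:
    """The check passes only on an explicit ENABLED status."""
    return lambda_protection_status(detector) != "ENABLED"


def audit_region(region: str, enable: bool = False) -> List[Dict]:
    """Audit each detector in one region; with enable=True, turn the feature on."""
    import boto3  # imported lazily so the pure check functions run offline
    gd = boto3.client("guardduty", region_name=region)
    results = []
    for detector_id in gd.list_detectors().get("DetectorIds", []):
        status = lambda_protection_status(gd.get_detector(DetectorId=detector_id))
        if status != "ENABLED" and enable:
            gd.update_detector(DetectorId=detector_id,
                               Features=[{"Name": FEATURE, "Status": "ENABLED"}])
            status = "ENABLED (remediated)"
        results.append({"Region": region, "DetectorId": detector_id, "Status": status})
    return results


def audit_all_regions(enable: bool = False) -> List[Dict]:
    """GuardDuty is regional: walk every region the account has opted into."""
    import boto3
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    return [row for r in regions for row in audit_region(r["RegionName"], enable)]

# Constructed sample get-detector responses (not real output) for exercising the check.
SAMPLE_ENABLED = {"Features": [{"Name": FEATURE, "Status": "ENABLED"}]}
SAMPLE_DISABLED = {"Features": [{"Name": FEATURE, "Status": "DISABLED"}]}
SAMPLE_MISSING = {"Features": [{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]}

if __name__ == "__main__":  # usage: python guardduty_lambda_check.py [--enable]
    print(json.dumps(audit_all_regions(enable="--enable" in sys.argv), indent=2))
```

Run without arguments to get a read-only per-region report; add --enable to remediate detectors that are not yet ENABLED.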