GuardDuty No High Severity Findings
Overview
This check looks for unresolved high-severity security findings in Amazon GuardDuty. GuardDuty is AWS's threat detection service that continuously monitors your accounts for malicious activity.
A high-severity finding means GuardDuty has detected something serious that needs your immediate attention.
Risk
High-severity findings often indicate active threats such as:
- Unauthorized access to your AWS resources
- Data exfiltration (someone copying your data out)
- Cryptocurrency mining using your compute resources
- Compromised credentials being used maliciously
Leaving these findings unaddressed gives attackers time to move deeper into your environment and cause more damage.
Remediation Steps
Prerequisites
You need access to the AWS Console with permissions to view and manage GuardDuty findings. Typically, this means having the guardduty:GetFindings, guardduty:ListFindings, and guardduty:ArchiveFindings permissions.
AWS Console Method
- Sign in to the AWS Console
- Navigate to GuardDuty (search for it in the top search bar)
- Make sure you're in the us-east-1 region (check the region selector in the top-right corner)
- Click Findings in the left navigation menu
- Click the Filter findings dropdown and select:
- Severity = High
- Finding status = Current (to exclude already-archived findings)
- Review each finding carefully:
- Click on a finding to see full details
- Understand what triggered it and which resources are affected
- Investigate the root cause before archiving
- Once you've investigated and addressed the underlying issue:
- Select the finding(s) by clicking the checkbox
- Click Actions > Archive
- Repeat steps 3-7 for each AWS region where GuardDuty is enabled
Important: Do not simply archive findings to make this check pass. Each high-severity finding represents a potential security incident that requires investigation and remediation.
AWS CLI Method
Step 1: Get your GuardDuty Detector ID
aws guardduty list-detectors --region us-east-1
This returns your detector ID, which you'll need for the following commands. Example output:
{
"DetectorIds": ["12abc34d567e8fa901bc2d34eexample"]
}
Step 2: List high-severity findings
aws guardduty list-findings \
--detector-id <your-detector-id> \
--region us-east-1 \
--finding-criteria '{
"Criterion": {
"severity": {"Gte": 7},
"service.archived": {"Eq": ["false"]}
}
}'
Replace <your-detector-id> with the ID from Step 1.
Step 3: Get details for each finding
aws guardduty get-findings \
--detector-id <your-detector-id> \
--region us-east-1 \
--finding-ids <finding-id-1> <finding-id-2>
Step 4: Archive findings (after investigation)
aws guardduty archive-findings \
--detector-id <your-detector-id> \
--region us-east-1 \
--finding-ids <finding-id-1> <finding-id-2>
Note: Only GuardDuty administrator accounts can archive findings. Member accounts in a multi-account setup do not have this permission.
CloudFormation - Automated Response (Advanced)
While you cannot remediate existing findings via CloudFormation, you can set up automated alerting for new high-severity findings using EventBridge and SNS.
AWSTemplateFormatVersion: '2010-09-09'
Description: Alert on GuardDuty high severity findings
Parameters:
AlertEmail:
Type: String
Description: Email address to receive alerts
Resources:
GuardDutyAlertTopic:
Type: AWS::SNS::Topic
Properties:
TopicName: guardduty-high-severity-alerts
DisplayName: GuardDuty High Severity Alerts
GuardDutyAlertSubscription:
Type: AWS::SNS::Subscription
Properties:
TopicArn: !Ref GuardDutyAlertTopic
Protocol: email
Endpoint: !Ref AlertEmail
GuardDutyHighSeverityRule:
Type: AWS::Events::Rule
Properties:
Name: guardduty-high-severity-findings
Description: Trigger alert on GuardDuty high severity findings
EventPattern:
source:
- aws.guardduty
detail-type:
- GuardDuty Finding
detail:
severity:
- numeric:
- '>='
- 7
State: ENABLED
Targets:
- Id: SendToSNS
Arn: !Ref GuardDutyAlertTopic
SNSTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- !Ref GuardDutyAlertTopic
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowEventBridgeToPublish
Effect: Allow
Principal:
Service: events.amazonaws.com
Action: sns:Publish
Resource: !Ref GuardDutyAlertTopic
Outputs:
AlertTopicArn:
Description: SNS Topic ARN for GuardDuty alerts
Value: !Ref GuardDutyAlertTopic
Deploy with:
aws cloudformation deploy \
--template-file guardduty-alerts.yaml \
--stack-name guardduty-high-severity-alerts \
--parameter-overrides AlertEmail=security-team@example.com \
--region us-east-1
Terraform - Automated Response (Advanced)
This Terraform configuration sets up automated alerting for high-severity GuardDuty findings.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable "alert_email" {
description = "Email address to receive GuardDuty alerts"
type = string
}
# SNS Topic for alerts
resource "aws_sns_topic" "guardduty_alerts" {
name = "guardduty-high-severity-alerts"
display_name = "GuardDuty High Severity Alerts"
}
resource "aws_sns_topic_subscription" "email_alert" {
topic_arn = aws_sns_topic.guardduty_alerts.arn
protocol = "email"
endpoint = var.alert_email
}
# EventBridge rule to catch high-severity findings
resource "aws_cloudwatch_event_rule" "guardduty_high_severity" {
name = "guardduty-high-severity-findings"
description = "Trigger alert on GuardDuty high severity findings"
event_pattern = jsonencode({
source = ["aws.guardduty"]
detail-type = ["GuardDuty Finding"]
detail = {
severity = [{
numeric = [">=", 7]
}]
}
})
}
resource "aws_cloudwatch_event_target" "sns_target" {
rule = aws_cloudwatch_event_rule.guardduty_high_severity.name
target_id = "SendToSNS"
arn = aws_sns_topic.guardduty_alerts.arn
}
# Allow EventBridge to publish to SNS
resource "aws_sns_topic_policy" "allow_eventbridge" {
arn = aws_sns_topic.guardduty_alerts.arn
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "AllowEventBridgeToPublish"
Effect = "Allow"
Principal = {
Service = "events.amazonaws.com"
}
Action = "sns:Publish"
Resource = aws_sns_topic.guardduty_alerts.arn
}
]
})
}
output "alert_topic_arn" {
description = "SNS Topic ARN for GuardDuty alerts"
value = aws_sns_topic.guardduty_alerts.arn
}
Apply with:
terraform init
terraform apply -var="alert_email=security-team@example.com"
Verification
After addressing and archiving high-severity findings:
- Go to GuardDuty > Findings in the AWS Console
- Filter by Severity = High and Finding status = Current
- Confirm that no results are displayed
- Run the Prowler check again to confirm it passes
CLI Verification
# List any remaining high-severity findings
aws guardduty list-findings \
--detector-id <your-detector-id> \
--region us-east-1 \
--finding-criteria '{
"Criterion": {
"severity": {"Gte": 7},
"service.archived": {"Eq": ["false"]}
}
}'
The response should show an empty FindingIds array:
{
"FindingIds": []
}
Additional Resources
- Amazon GuardDuty Findings Documentation
- Understanding GuardDuty Severity Levels
- AWS Vulnerability Assessment Guidance
- GuardDuty Finding Types Reference
Notes
- Treat high-severity findings as security incidents. They require immediate triage, not just archiving.
- Investigate before archiving. Understand what caused the finding and ensure the threat has been neutralized.
- Check all regions. GuardDuty findings are region-specific. A detector in us-east-1 won't show findings from eu-west-1.
- Multi-account environments: In AWS Organizations with delegated GuardDuty administration, findings from member accounts are aggregated in the administrator account. Only the administrator can archive findings.
- Automate alerting: Set up EventBridge rules to notify your security team immediately when new high-severity findings appear.
- False positives: If a finding is a false positive, archive it and consider creating a suppression rule to prevent similar false alerts in the future.