GuardDuty S3 Protection Enabled
Overview
This check verifies that Amazon GuardDuty S3 Protection is enabled in your AWS account. S3 Protection monitors object-level API operations (like GetObject, PutObject, and DeleteObject) across your S3 buckets to detect suspicious activity and potential threats.
Risk
Without S3 Protection enabled, your S3 buckets are not monitored for potential security risks at the object level. This can lead to:
- Undetected data exfiltration through unauthorized reads or copies
- Destructive deletion of critical objects going unnoticed
- Tampering with bucket policies and access control lists
- Data breaches that could have been caught early
Severity: High
Remediation Steps
Prerequisites
You need:
- AWS account access with permissions to modify GuardDuty settings
- GuardDuty enabled in your account (if it is not, you will enable it as part of this process)
Required IAM permissions
To enable S3 Protection, you need at minimum:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "guardduty:GetDetector",
        "guardduty:ListDetectors",
        "guardduty:UpdateDetector",
        "guardduty:CreateDetector"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS Console Method
- Sign in to the AWS Management Console and open the GuardDuty console
- In the left navigation pane, choose Settings
- Scroll down to the S3 Protection section
- Click Enable or toggle S3 Protection to On
- Click Save to apply the changes
If GuardDuty is not yet enabled in your account, you will first need to enable it:
- Open the GuardDuty console
- Click Get Started
- Click Enable GuardDuty
- Then follow the steps above to verify S3 Protection is enabled (it is typically enabled by default for new detectors)
AWS CLI
Step 1: Find your detector ID
```bash
aws guardduty list-detectors --region us-east-1
```
This returns a list of detector IDs. If the list is empty, you need to create a detector first.
Step 2a: If you already have a detector, enable S3 Protection
```bash
aws guardduty update-detector \
  --detector-id <your-detector-id> \
  --data-sources S3Logs={Enable=true} \
  --region us-east-1
```
Replace <your-detector-id> with your actual detector ID from Step 1.
Step 2b: If you do not have a detector, create one with S3 Protection enabled
```bash
aws guardduty create-detector \
  --enable \
  --data-sources S3Logs={Enable=true} \
  --region us-east-1
```
CloudFormation
This template creates a GuardDuty detector with S3 Protection enabled:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty with S3 Protection

Parameters:
  EnableGuardDuty:
    Type: String
    Default: 'true'
    AllowedValues:
      - 'true'
      - 'false'
    Description: Enable GuardDuty detector

Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: !Ref EnableGuardDuty
      DataSources:
        S3Logs:
          Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES

Outputs:
  DetectorId:
    Description: The ID of the GuardDuty detector
    Value: !Ref GuardDutyDetector
    Export:
      Name: GuardDutyDetectorId
```
Deploy the stack:
```bash
aws cloudformation create-stack \
  --stack-name guardduty-s3-protection \
  --template-body file://guardduty-s3-protection.yaml \
  --region us-east-1
```
Note: Only one GuardDuty detector can exist per region per account. If you already have a detector, you will need to update it instead of creating a new one.
Terraform
This configuration creates a GuardDuty detector and enables S3 Protection using the recommended aws_guardduty_detector_feature resource:
```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Enable GuardDuty detector
resource "aws_guardduty_detector" "main" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  tags = {
    Name        = "guardduty-detector"
    Environment = "production"
  }
}

# Enable S3 Protection feature
resource "aws_guardduty_detector_feature" "s3_data_events" {
  detector_id = aws_guardduty_detector.main.id
  name        = "S3_DATA_EVENTS"
  status      = "ENABLED"
}

output "detector_id" {
  description = "The ID of the GuardDuty detector"
  value       = aws_guardduty_detector.main.id
}
```
Apply the configuration:
```bash
terraform init
terraform plan
terraform apply
```
Note: Only one GuardDuty detector can exist per region per account. If you already have a detector, import it first:
```bash
terraform import aws_guardduty_detector.main <existing-detector-id>
```
Verification
After enabling S3 Protection, verify it is active:
- Open the GuardDuty console
- Go to Settings in the left navigation
- Confirm that S3 Protection shows as Enabled
Verify with AWS CLI
```bash
# Get your detector ID
DETECTOR_ID=$(aws guardduty list-detectors --region us-east-1 --query 'DetectorIds[0]' --output text)

# Check S3 Protection status
aws guardduty get-detector \
  --detector-id "$DETECTOR_ID" \
  --region us-east-1 \
  --query 'DataSources.S3Logs.Status'
```
The output should be "ENABLED".
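The CLI steps above (find the detector, create or update it, verify) are the same three calls whether you run them for one region or fifty. The following script is an added example, not Prowler's check code or anything from the AWS documentation: it wraps those calls with boto3's `list_detectors`, `get_detector`, `create_detector` and `update_detector` (using the newer `Features` parameter, `S3_DATA_EVENTS`, which is the API form of the `S3Logs` data source used on this page), produces a PASS/FAIL verdict per region, and remediates a failing region. The functions take the client as a parameter, so the `FakeGuardDuty` class, a constructed in-memory stand-in with the same method names, lets the script run offline; with real credentials you would pass `boto3.client("guardduty", region_name=...)` instead.

```python
"""Added example: check and remediate GuardDuty S3 Protection per region.

Not Prowler's own check code. Assumes a boto3 GuardDuty client, or any object
with the same list_detectors / get_detector / create_detector / update_detector
methods; FakeGuardDuty below is a constructed stand-in so this runs offline.
"""
from __future__ import annotations

S3_FEATURE = {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}


def first_detector_id(gd) -> str | None:
    """Return the region's single detector ID, or None if GuardDuty is not enabled."""
    ids = gd.list_detectors().get("DetectorIds", [])
    return ids[0] if ids else None


def s3_protection_status(gd, detector_id: str) -> str:
    """Read S3 Protection status from the Features list, falling back to the legacy DataSources block."""
    resp = gd.get_detector(DetectorId=detector_id)
    for feature in resp.get("Features", []):
        if feature.get("Name") == "S3_DATA_EVENTS":
            return feature.get("Status", "UNKNOWN")
    return resp.get("DataSources", {}).get("S3Logs", {}).get("Status", "UNKNOWN")


def check_s3_protection(gd) -> tuple[str, str]:
    """Prowler-style verdict: PASS only when a detector exists and S3 Protection is ENABLED."""
    detector_id = first_detector_id(gd)
    if detector_id is None:
        return "FAIL", "GuardDuty is not enabled (no detector)"
    status = s3_protection_status(gd, detector_id)
    if status == "ENABLED":
        return "PASS", f"detector {detector_id}: S3 Protection ENABLED"
    return "FAIL", f"detector {detector_id}: S3 Protection {status}"


def ensure_s3_protection(gd) -> dict:
    """Remediate: create a detector with S3 Protection, or enable it on the existing one."""
    detector_id = first_detector_id(gd)
    created = False
    if detector_id is None:
        detector_id = gd.create_detector(Enable=True, Features=[S3_FEATURE])["DetectorId"]
        created = True
    elif s3_protection_status(gd, detector_id) != "ENABLED":
        gd.update_detector(DetectorId=detector_id, Features=[S3_FEATURE])
    return {"detector_id": detector_id, "created": created,
            "status": s3_protection_status(gd, detector_id)}


class FakeGuardDuty:
    """Constructed in-memory stand-in for boto3's GuardDuty client (one region)."""

    def __init__(self, detectors: dict | None = None):
        # detector_id -> list of feature dicts, mirroring get_detector's Features
        self.detectors = dict(detectors or {})

    def list_detectors(self):
        return {"DetectorIds": sorted(self.detectors)}

    def get_detector(self, DetectorId):
        return {"Status": "ENABLED", "Features": self.detectors[DetectorId]}

    def create_detector(self, Enable, Features=()):
        new_id = f"fake-detector-{len(self.detectors) + 1}"
        self.detectors[new_id] = [dict(f) for f in Features]
        return {"DetectorId": new_id}

    def update_detector(self, DetectorId, Features=()):
        current = {f["Name"]: f for f in self.detectors[DetectorId]}
        for f in Features:
            current[f["Name"]] = dict(f)
        self.detectors[DetectorId] = list(current.values())
        return {}


def demo() -> dict:
    """Two constructed regions: one without GuardDuty, one with S3 Protection disabled."""
    regions = {
        "us-east-1": FakeGuardDuty(),
        "eu-west-1": FakeGuardDuty({"12abc": [{"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}]}),
    }
    before = {region: check_s3_protection(gd)[0] for region, gd in regions.items()}
    for gd in regions.values():
        ensure_s3_protection(gd)
    after = {region: check_s3_protection(gd)[0] for region, gd in regions.items()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    # Against real AWS, build one client per region: boto3.client("guardduty", region_name=region)
    print(demo())
```

Running the check before remediating is what makes the script safe to schedule: `ensure_s3_protection` only calls `create_detector` or `update_detector` when the verdict is FAIL, so an account that already passes is left untouched, and the one-detector-per-region rule from the notes is respected because a second detector is never created.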
Additional Resources
- Amazon GuardDuty S3 Protection
- GuardDuty Finding Types for S3
- Managing GuardDuty Detectors
- Prowler Check Documentation
Notes
- One detector per region: Only one GuardDuty detector can exist per AWS account per region. If you already have a detector, update it rather than creating a new one.
- Multi-region deployment: S3 Protection must be enabled separately in each region where you have S3 buckets you want to monitor.
- Cost considerations: GuardDuty S3 Protection incurs charges based on the volume of S3 data events analyzed. Review GuardDuty pricing for details.
- New detector defaults: When creating a new GuardDuty detector, S3 Protection is typically enabled by default. However, always verify the configuration.
- Compliance: This control aligns with AWS Foundational Security Best Practices, C5, and KISA-ISMS-P frameworks.