chore(aws): enhance metadata for guardduty service (#9259)

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
This commit is contained in:
Rubén De la Torre Vico
2025-12-04 14:35:41 +01:00
committed by GitHub
parent 379c1dc7dd
commit 6400dc1059
10 changed files with 180 additions and 108 deletions


@@ -12,6 +12,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
- `compute_instance_automatic_restart_enabled` check for GCP provider [(#9271)](https://github.com/prowler-cloud/prowler/pull/9271)
- `compute_instance_deletion_protection_enabled` check for GCP provider [(#9358)](https://github.com/prowler-cloud/prowler/pull/9358)
### Changed
- Update AWS GuardDuty service metadata to new format [(#9259)](https://github.com/prowler-cloud/prowler/pull/9259)
---
## [v5.14.2] (Prowler UNRELEASED)


@@ -1,26 +1,32 @@
{
"Provider": "aws",
"CheckID": "guardduty_centrally_managed",
"CheckTitle": "GuardDuty is centrally managed",
"CheckType": [],
"CheckTitle": "GuardDuty detector is managed by an administrator account or is the administrator with member accounts",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsGuardDutyDetector",
"Description": "GuardDuty is centrally managed",
"Risk": "If GuardDuty is not centrally managed, it is not possible to centrally manage the GuardDuty findings, settings, and member accounts.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html",
"Description": "Amazon GuardDuty detectors are under **centralized management** when linked to a delegated administrator account, or when the detector's account serves as the **administrator** with associated member accounts.",
"Risk": "Lack of central management fragments **visibility** and slows **incident response** across accounts and regions. Adversaries can persist unnoticed, perform **lateral movement**, exfiltrate data, and alter configurations, harming **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "aws guardduty enable-organization-admin-account --admin-account-id <ADMIN_ACCOUNT_ID>",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the AWS Organizations management account\n2. Open the AWS Organizations console\n3. Go to Services > Amazon GuardDuty\n4. Click Register delegated administrator\n5. Enter the admin account ID and click Register",
"Terraform": ""
},
"Recommendation": {
"Text": "Configure GuardDuty to be centrally managed",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html"
"Text": "Designate a **delegated administrator** (preferably via *AWS Organizations*) and enroll all accounts as **members**. Enable auto-enrollment for new accounts, standardize detector settings across required regions, and route findings to central monitoring. Apply **least privilege** and **separation of duties**.",
"Url": "https://hub.prowler.com/check/guardduty_centrally_managed"
}
},
"Categories": [],
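Review bot: The `CLI` remediation only registers a delegated administrator (`enable-organization-admin-account`); it does not enrol any member accounts, so a detector can still fail this check after the command succeeds, which the Recommendation `Text` implicitly admits by asking for members and auto-enrollment. Consider adding the follow-up step to `Other`, e.g. `6. In the delegated administrator account, add the organization accounts as members (or turn on auto-enable for new accounts) so every detector is centrally managed`. The placeholder `<ADMIN_ACCOUNT_ID>` also uses a different convention from `<detector-id>` in the sibling files of this commit; pick one style for the whole service.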


@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "guardduty_ec2_malware_protection_enabled",
"CheckTitle": "Ensure that GuardDuty Malware Protection for EC2 is enabled.",
"CheckTitle": "GuardDuty detector has Malware Protection for EC2 enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGuardDutyDetector",
"Description": "GuardDuty Malware Protection for EC2 helps you detect the potential presence of malware by scanning the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads.",
"Risk": "Malware can compromise your EC2 instances and container workloads, leading to data breaches, data exfiltration, and other security incidents.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html",
"Description": "**GuardDuty detectors** with **Malware Protection for EC2** enabled perform agentless scans of EBS volumes attached to **EC2 instances** and container workloads. Scans can be triggered by suspicious activity or run on-demand to identify malicious files within restored volume snapshots.",
"Risk": "Absent this coverage, malware on EC2 or containers can remain **undetected**, enabling:\n- Confidentiality loss via data exfiltration/credential theft\n- Integrity compromise through tampering and backdoors\n- Availability impact from ransomware/cryptominers\n\nPersistence increases **lateral movement** across the environment.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.infoq.com/news/2022/08/aws-guardduty-malware-detection/",
"https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/enable-malware-protection-for-ec2.html",
"https://medium.com/@shashank.kulkarni0708/get-juiced-how-i-hacked-owasp-juice-shop-and-let-guardduty-catch-me-537f7064a1d5",
"https://docs.aws.amazon.com/guardduty/latest/ug/configure-malware-protection-single-account.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-8"
],
"Remediation": {
"Code": {
"CLI": "aws guardduty update-detector --detector-id <detector-id> --data-sources MalwareProtection={ScanEc2InstanceWithFindings={EbsVolumes=true}}",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-8",
"Terraform": ""
"CLI": "aws guardduty update-detector --detector-id <detector-id> --features '[{\"Name\":\"EBS_MALWARE_PROTECTION\",\"Status\":\"ENABLED\"}]'",
"NativeIaC": "```yaml\n# CloudFormation: enable GuardDuty Malware Protection for EC2\nResources:\n GuardDutyDetector:\n Type: AWS::GuardDuty::Detector\n Properties:\n Enable: true\n Features:\n - Name: EBS_MALWARE_PROTECTION # Critical: selects EC2 Malware Protection feature\n Status: ENABLED # Critical: enables the feature\n```",
"Other": "1. In the AWS console, open GuardDuty\n2. In the left menu, select Protection plans > Malware Protection for EC2\n3. Click Enable, then Save",
"Terraform": "```hcl\n# Enable GuardDuty Malware Protection for EC2\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n enable = true\n\n features {\n name = \"EBS_MALWARE_PROTECTION\" # Critical: selects EC2 Malware Protection feature\n status = \"ENABLED\" # Critical: enables the feature\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Malware Protection for EC2 in GuardDuty.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/configure-malware-protection-single-account.html"
"Text": "Enable **Malware Protection for EC2** across all accounts and Regions under centralized administration. Apply **least privilege** to findings access, define scan scope with tags and minimize exclusions, and retain snapshots based on data sensitivity. Integrate alerts with IR/SIEM and pair with hardening and vulnerability scanning for **defense in depth**.",
"Url": "https://hub.prowler.com/check/guardduty_ec2_malware_protection_enabled"
}
},
"Categories": [],
"Notes": "",
"DependsOn": [],
"RelatedTo": []
"RelatedTo": [],
"Notes": ""
}
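Review bot: The `Terraform` snippet declares a `features { ... }` block inside `aws_guardduty_detector`, but as far as I know that resource has no such nested block; per-feature enablement lives in the separate `aws_guardduty_detector_feature` resource (`detector_id`, `name`, `status`), so this HCL would fail `terraform validate` as written. The same block appears in the `guardduty_eks_audit_log_enabled`, `guardduty_eks_runtime_monitoring_enabled`, `guardduty_lambda_protection_enabled` and `guardduty_rds_protection_enabled` files of this commit. A replacement is short: keep the detector resource, then add an `aws_guardduty_detector_feature` resource whose `detector_id` references `aws_guardduty_detector.<example_resource_name>.id` with `name = "EBS_MALWARE_PROTECTION"` and `status = "ENABLED"`. Separately, `AdditionalURLs` now mixes AWS documentation with personal blog posts (the infoq and medium entries); remediation metadata reads better when limited to authoritative references.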


@@ -1,32 +1,38 @@
{
"Provider": "aws",
"CheckID": "guardduty_eks_audit_log_enabled",
"CheckTitle": "GuardDuty EKS Audit Log Monitoring Enabled",
"CheckTitle": "GuardDuty detector has EKS Audit Log Monitoring enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGuardDutyDetector",
"Description": "Checks whether GuardDuty EKS Audit Log Monitoring is enabled as source in a detector.",
"Risk": "Without GuardDuty EKS Audit Log Monitoring enabled, you may not be able to detect potentially suspicious activities in your Amazon Elastic Kubernetes Service (Amazon EKS) clusters.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html",
"Description": "**Amazon GuardDuty detectors** are evaluated for **EKS Audit Log Monitoring** (`EKS_AUDIT_LOGS`) being enabled to analyze Kubernetes audit activity from your **Amazon EKS** clusters.",
"Risk": "Without it, **Kubernetes API abuse** may go undetected, impacting CIA:\n- Secret access and data exfiltration\n- RBAC changes enabling privilege escalation\n- Rogue deployments for persistence/cryptomining\n\nAttackers can laterally move to AWS using harvested credentials.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/guardduty/latest/ug/eks-protection-enable-standalone-account.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-5",
"https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html"
],
"Remediation": {
"Code": {
"CLI": "aws guardduty update-detector --detector-id <detector-id> --data-sources Kubernetes={AuditLogs={Enable=true}}",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-5",
"Terraform": ""
"CLI": "aws guardduty update-detector --detector-id <detector-id> --features '[{\"Name\":\"EKS_AUDIT_LOGS\",\"Status\":\"ENABLED\"}]'",
"NativeIaC": "```yaml\n# CloudFormation: Enable EKS Audit Log Monitoring on GuardDuty detector\nResources:\n GuardDutyDetector:\n Type: AWS::GuardDuty::Detector\n Properties:\n Enable: true\n DataSources:\n Kubernetes:\n AuditLogs:\n Enable: true # CRITICAL: Enables EKS Audit Log Monitoring\n```",
"Other": "1. Open the AWS Console and go to Amazon GuardDuty\n2. Select the Region where you want to enable it\n3. In the left menu, click EKS Protection\n4. Click Enable and confirm\n5. If using AWS Organizations, perform these steps in the delegated GuardDuty administrator account",
"Terraform": "```hcl\n# Enable EKS Audit Log Monitoring on GuardDuty detector\nresource \"aws_guardduty_detector\" \"example\" {\n enable = true\n\n features {\n name = \"EKS_AUDIT_LOGS\"\n status = \"ENABLED\" # CRITICAL: Enables EKS Audit Log Monitoring\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable GuardDuty EKS Audit Log Monitoring to detect potentially suspicious activities in your Amazon Elastic Kubernetes Service (Amazon EKS) clusters.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/eks-protection-enable-standalone-account.html"
"Text": "Enable **EKS Audit Log Monitoring** on all detectors in every required Region, centrally managed by the GuardDuty administrator.\n- Route findings to alerting/IR workflows\n- Enforce **least privilege** on access to findings and configs\n- Combine with **defense-in-depth**: hardened RBAC and runtime monitoring",
"Url": "https://hub.prowler.com/check/guardduty_eks_audit_log_enabled"
}
},
"Categories": [
"logging"
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
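Review bot: The three remediation snippets disagree on the API surface: `CLI` and `Terraform` enable the `EKS_AUDIT_LOGS` feature, while `NativeIaC` still drives the legacy `DataSources.Kubernetes.AuditLogs` path, which AWS has deprecated in favour of `Features`. Align the CloudFormation with the form the sibling `guardduty_ec2_malware_protection_enabled` file already uses, i.e. `Features:\n - Name: EKS_AUDIT_LOGS\n Status: ENABLED`, so a reader following any one of the three lands on the same detector configuration. The closing lines of this file are outside the hunk.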


@@ -1,28 +1,34 @@
{
"Provider": "aws",
"CheckID": "guardduty_eks_runtime_monitoring_enabled",
"CheckTitle": "GuardDuty EKS Runtime Monitoring should be enabled",
"CheckTitle": "GuardDuty detector has EKS Runtime Monitoring enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:{region}:{account-id}:detector/{detector-id}",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsGuardDutyDetector",
"Description": "This control checks whether GuardDuty EKS Runtime Monitoring with automated agent management is enabled. For a standalone account, the control fails if GuardDuty EKS Runtime Monitoring with automated agent management is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have EKS Runtime Monitoring with automated agent management enabled.",
"Risk": "Without EKS Runtime Monitoring in GuardDuty, your Amazon EKS clusters may lack necessary protection against potential threats that can compromise container security, leading to unmonitored security risks.",
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-runtime-enabled.html",
"Description": "GuardDuty detectors are evaluated for **EKS Runtime Monitoring** being enabled for Amazon EKS. The configuration is at the detector level and relates to visibility into *process, file, and network* activity on EKS nodes and containers.",
"Risk": "Absent **EKS runtime monitoring**, in-cluster activity is blind to detection. Adversaries can run malware or cryptominers, exfiltrate secrets via pods, tamper with workloads, or pivot to other services, degrading confidentiality, corrupting integrity, and exhausting resources (availability).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html",
"https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-runtime-enabled.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-7"
],
"Remediation": {
"Code": {
"CLI": "aws guardduty update-organization-configuration --detector-id <detector-id> --eks-runtime-monitoring-configuration Enable=true --auto-enable",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-7",
"Terraform": ""
"CLI": "aws guardduty update-detector --detector-id <detector-id> --features name=EKS_RUNTIME_MONITORING,status=ENABLED",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::GuardDuty::Detector\n Properties:\n Enable: true\n Features:\n - Name: EKS_RUNTIME_MONITORING # Critical: selects EKS Runtime Monitoring feature\n Status: ENABLED # Critical: enables the feature to pass the check\n```",
"Other": "1. Open the AWS Console and go to Amazon GuardDuty\n2. In the left pane, select Settings > Runtime monitoring\n3. Under EKS Runtime Monitoring, switch the status to Enabled\n4. Click Save changes",
"Terraform": "```hcl\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n enable = true\n\n features {\n name = \"EKS_RUNTIME_MONITORING\" # Critical: selects EKS Runtime Monitoring feature\n status = \"ENABLED\" # Critical: enables the feature to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable GuardDuty EKS Runtime Monitoring with automated agent management to protect EKS clusters.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html"
"Text": "- Enable **EKS Runtime Monitoring** with automated agent management across all accounts and clusters\n- Enforce **least privilege** for agents and segment cluster access\n- Integrate findings with response workflows and periodically verify runtime coverage",
"Url": "https://hub.prowler.com/check/guardduty_eks_runtime_monitoring_enabled"
}
},
"Categories": [],
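Review bot: The `CLI` line uses lowercase shorthand keys, `--features name=EKS_RUNTIME_MONITORING,status=ENABLED`, but AWS CLI shorthand keys are case-sensitive and the API fields are `Name` and `Status`, so this is likely rejected as an unknown parameter; the other files in this commit use the `Name=...,Status=...` or JSON-list form. Change it to `--features '[{\"Name\":\"EKS_RUNTIME_MONITORING\",\"Status\":\"ENABLED\"}]'` to match them. Also, the old `Description` required automated agent management and the new Recommendation `Text` still asks for it, yet the new `Description` and all three snippets enable only the runtime-monitoring feature; either state that agent management is out of scope for this check or add it to the remediation (the `EKS_ADDON_MANAGEMENT` additional configuration, if I recall the API correctly).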


@@ -1,26 +1,37 @@
{
"Provider": "aws",
"CheckID": "guardduty_is_enabled",
"CheckTitle": "Check if GuardDuty is enabled",
"CheckType": [],
"CheckTitle": "GuardDuty detector is enabled and not suspended",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGuardDutyDetector",
"Description": "Check if GuardDuty is enabled",
"Risk": "Amazon GuardDuty is a continuous security monitoring service that analyzes and processes several datasources.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
"Description": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
"Risk": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
"https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
"https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
"https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
],
"Remediation": {
"Code": {
"CLI": "aws guardduty create-detector --region <REGION> --enable",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-guardduty-is-enabled-to-specific-orgregion#fix---buildtime"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Ensure GuardDuty detector is enabled (not suspended) in the Region\nResources:\n ExampleGuardDutyDetector:\n Type: AWS::GuardDuty::Detector\n Properties:\n Enable: true # Critical: enables the detector so GuardDuty is active (not suspended)\n```",
"Other": "1. Sign in to the AWS Console and open Amazon GuardDuty\n2. Switch to the target AWS Region\n3. If prompted with Get started, click Enable GuardDuty\n4. If GuardDuty is already configured but suspended, go to Settings and click Enable (or Resume) to activate the detector\n5. Repeat in each required Region",
"Terraform": "```hcl\n# Terraform: Ensure GuardDuty detector is enabled (not suspended) in the Region\nresource \"aws_guardduty_detector\" \"example_resource_name\" {\n enable = true # Critical: turns GuardDuty on and ensures it is not suspended\n}\n```"
},
"Recommendation": {
"Text": "Enable GuardDuty and analyze its findings.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html"
"Text": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
"Url": "https://hub.prowler.com/check/guardduty_is_enabled"
}
},
"Categories": [
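Review bot: The `CLI` remediation was blanked (`"CLI": ""`) at the same time the check was widened to cover suspended detectors, so there is now no command-line path for either failure mode. Suggest `aws guardduty update-detector --detector-id <detector-id> --enable` for the suspended case, with `aws guardduty create-detector --enable` where no detector exists in the Region. Step 4 of `Other` hedges between "Enable" and "Resume"; if the console label is known, use just that one so the step is unambiguous.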


@@ -1,32 +1,38 @@
{
"Provider": "aws",
"CheckID": "guardduty_lambda_protection_enabled",
"CheckTitle": "Check if GuardDuty Lambda Protection is enabled.",
"CheckTitle": "GuardDuty detector has Lambda Protection enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGuardDutyDetector",
"Description": "GuardDuty Lambda Protection helps you identify potential security threats when an AWS Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your AWS account.",
"Risk": "If Lambda Protection is not enabled, GuardDuty will not be able to monitor Lambda network activity logs and may miss potential security threats.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html",
"Description": "**Amazon GuardDuty detectors** with **Lambda Protection** enabled analyze **Lambda invocation network activity logs** across your account.\n\nEvaluation determines whether the detector has `Lambda Protection` turned on.",
"Risk": "Without **Lambda Protection**, Lambda network traffic is uninspected, enabling:\n- **C2 callbacks** and data exfiltration (confidentiality)\n- Malicious code altering data or configs (integrity)\n- Lateral movement or abuse causing disruption (availability)",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-6",
"https://docs.aws.amazon.com/guardduty/latest/ug/configure-lambda-protection-standalone-acc.html",
"https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html"
],
"Remediation": {
"Code": {
"CLI": "aws guardduty update-detector --detector-id <detector-id> --features Name=LAMBDA_NETWORK_LOGS,Status=ENABLED",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-6",
"Terraform": ""
"CLI": "aws guardduty update-detector --detector-id <detector-id> --features '[{\"Name\":\"LAMBDA_NETWORK_LOGS\",\"Status\":\"ENABLED\"}]'",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::GuardDuty::Detector\n Properties:\n Enable: true\n Features:\n - Name: LAMBDA_NETWORK_LOGS # Critical: selects Lambda Protection feature\n Status: ENABLED # Critical: enables Lambda Protection\n```",
"Other": "1. Open the AWS Console and go to GuardDuty\n2. In the left pane, select Settings > Lambda Protection\n3. Click Enable\n4. Click Confirm to save",
"Terraform": "```hcl\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n enable = true\n features {\n name = \"LAMBDA_NETWORK_LOGS\" # Critical: selects Lambda Protection feature\n status = \"ENABLED\" # Critical: enables Lambda Protection\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Lambda Protection in your GuardDuty detector to start monitoring Lambda Network Activity in your account.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/configure-lambda-protection-standalone-acc.html"
"Text": "Enable **Lambda Protection** on all detectors in every active Region and account.\n\nApply **least privilege** to Lambda roles, restrict egress with network controls, and integrate findings with alerting and response for **defense in depth**. *In multi-account setups*, manage centrally for consistent coverage.",
"Url": "https://hub.prowler.com/check/guardduty_lambda_protection_enabled"
}
},
"Categories": [],
"Notes": "",
"DependsOn": [],
"RelatedTo": []
"RelatedTo": [],
"Notes": ""
}


@@ -1,26 +1,35 @@
{
"Provider": "aws",
"CheckID": "guardduty_no_high_severity_findings",
"CheckTitle": "There are High severity GuardDuty findings ",
"CheckType": [],
"CheckTitle": "GuardDuty detector has no high severity findings",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"TTPs",
"Unusual Behaviors"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGuardDutyDetector",
"Description": "There are High severity GuardDuty findings ",
"Risk": "If critical findings are not addressed threats can spread in the environment.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html",
"Description": "**GuardDuty detectors** are evaluated for the presence of **High-severity findings**. This surfaces whether any detector currently has findings labeled `High` by GuardDuty.",
"Risk": "Unresolved **High findings** often signal active compromise, enabling:\n- Data exfiltration and unauthorized access (confidentiality)\n- Privilege escalation and tampering (integrity)\n- Disruption via malware/crypto-mining (availability)\n\nAttackers can pivot laterally and persist if not contained.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html",
"https://docs.aws.amazon.com/prescriptive-guidance/latest/vulnerability-management/assess-and-prioritize-security-findings.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/findings.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/findings.html",
"Other": "1. Sign in to the AWS console and open Amazon GuardDuty\n2. Use the Region selector to choose a Region where GuardDuty is enabled\n3. Go to Findings and filter: Severity = High (7-8.9), Archived status = Not archived\n4. Select all results, click Actions > Archive\n5. Repeat steps 2-4 for every Region with GuardDuty enabled\n6. Confirm there are 0 active High severity findings in each Region",
"Terraform": ""
},
"Recommendation": {
"Text": "Review and remediate critical GuardDuty findings as quickly as possible.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"
"Text": "Treat **High findings** as incidents.\n\n- Prioritize triage and containment; isolate affected resources, rotate secrets\n- Automate alerting and response with playbooks; integrate into IR\n- Enforce **least privilege**, network segmentation, and hardened baselines\n- Continuously tune detections and remove unused access to prevent recurrence",
"Url": "https://hub.prowler.com/check/guardduty_no_high_severity_findings"
}
},
"Categories": [],
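Review bot: Steps 3-4 of `Other` tell the operator to select every unarchived High finding and archive it in bulk, which makes the check pass without any investigation and contradicts the Recommendation `Text` in the same hunk, which says to treat High findings as incidents (triage, contain, rotate secrets). Reword so that archiving is the final step after remediation, e.g. `3. Open each High severity finding, investigate it and contain the affected resource` followed by `4. Once remediated, select the finding and click Actions > Archive`. Blanket archiving also hides genuine compromises from later scans and reports, so the metadata should not present it as the remediation.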


@@ -1,28 +1,35 @@
{
"Provider": "aws",
"CheckID": "guardduty_rds_protection_enabled",
"CheckTitle": "Check if GuardDuty RDS Protection is enabled.",
"CheckTitle": "GuardDuty detector has RDS Protection enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Credential Access"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:<region>:<account-id>:detector/<detector-id>",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGuardDutyDetector",
"Description": "Check if GuardDuty RDS Protection is enabled to ensure monitoring and threat detection for RDS activity.",
"Risk": "Without GuardDuty RDS Protection enabled, suspicious login activities to your databases may go undetected, increasing the risk of unauthorized access, data breaches, or compromised database security.",
"RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/guard-duty-rds-protection.html",
"Description": "Active **Amazon GuardDuty detectors** are assessed for **RDS Protection** being enabled, allowing analysis of RDS and Aurora login activity to profile and flag anomalous access patterns.",
"Risk": "Without **RDS Protection**, anomalous database logins can go unnoticed. Attackers using **stolen** or **brute-forced** credentials may access data, alter schemas, or pivot via the DB, impacting **confidentiality** and **integrity**, and potentially **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-9",
"https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html",
"https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/guard-duty-rds-protection.html"
],
"Remediation": {
"Code": {
"CLI": "aws guardduty update-detector --detector-id <detector-id> --features Name=RDS_LOGIN_EVENTS,Status=ENABLED",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-9",
"Terraform": ""
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::GuardDuty::Detector\n Properties:\n Enable: true\n Features:\n - Name: RDS_LOGIN_EVENTS # critical: selects GuardDuty RDS Protection feature\n Status: ENABLED # critical: turns RDS Protection on\n```",
"Other": "1. In the AWS Console, open Amazon GuardDuty\n2. Go to Settings (or Protection plans/Features)\n3. Find RDS Protection (RDS login events) and click Enable\n4. Save changes\n5. If using Organizations, perform this in the delegated GuardDuty administrator account",
"Terraform": "```hcl\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n enable = true\n features {\n name = \"RDS_LOGIN_EVENTS\" # critical: GuardDuty RDS Protection feature\n status = \"ENABLED\" # critical: enable the feature\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable GuardDuty RDS Protection to continuously monitor and detect anomalous login behaviors on your Aurora databases, helping to identify and respond to potential access threats without impacting database performance.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html"
"Text": "Enable **GuardDuty RDS Protection** across all accounts and Regions.\n- Enforce **least privilege** for DB users and rotate credentials\n- Restrict network exposure to databases\n- Integrate findings with alerting and incident response for rapid containment",
"Url": "https://hub.prowler.com/check/guardduty_rds_protection_enabled"
}
},
"Categories": [],


@@ -1,28 +1,37 @@
{
"Provider": "aws",
"CheckID": "guardduty_s3_protection_enabled",
"CheckTitle": "Check if GuardDuty S3 Protection is enabled.",
"CheckTitle": "GuardDuty detector has S3 Protection enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Effects/Data Exfiltration"
],
"ServiceName": "guardduty",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:<region>:<account-id>:detector/<detector-id>",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGuardDutyDetector",
"Description": "This control checks whether GuardDuty S3 Protection is enabled in the account.",
"Risk": "Without GuardDuty S3 Protection enabled, your S3 buckets are not monitored for potential security risks at the object level, which may lead to undetected malicious activities and data breaches.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html",
"Description": "Amazon GuardDuty detectors are evaluated for **S3 Protection**, which analyzes CloudTrail S3 data events to monitor **object-level API activity** (`GetObject`, `PutObject`, `DeleteObject`) across S3 buckets in the account and Region.",
"Risk": "Without S3 Protection, **object-level S3 activity** isn't analyzed, enabling:\n- **Exfiltration** via mass reads/copies\n- **Destructive deletes**\n- **Policy/ACL tampering**\n\nUndetected actions degrade data confidentiality, integrity, and availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.amazonaws.cn/en_us/guardduty/latest/ug/guardduty_finding-types-s3.html",
"https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/enable-s3-protection.html",
"https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-10"
],
"Remediation": {
"Code": {
"CLI": "aws guardduty update-detector --detector-id <detector-id> --data-sources S3Logs={Enable=true}}'",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-10",
"Terraform": ""
"CLI": "aws guardduty update-detector --detector-id <detector-id> --data-sources S3Logs={Enable=true}",
"NativeIaC": "```yaml\n# CloudFormation: Enable S3 Protection on a GuardDuty detector\nResources:\n <example_resource_name>:\n Type: AWS::GuardDuty::Detector\n Properties:\n Enable: true\n DataSources:\n S3Logs:\n Enable: true # Critical: Enables GuardDuty S3 Protection\n```",
"Other": "1. Open the AWS Management Console and go to GuardDuty\n2. In the left menu, select Settings\n3. Find the S3 Protection section and click Enable (or toggle On)\n4. Click Save",
"Terraform": "```hcl\n# Enable S3 Protection on a GuardDuty detector\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n enable = true\n\n datasources {\n s3_logs {\n enable = true # Critical: Enables GuardDuty S3 Protection\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable GuardDuty S3 Protection to monitor object-level API operations in your S3 buckets.",
"Url": "https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html"
"Text": "Enable **S3 Protection** across all accounts and Regions to add **defense in depth** for S3. Apply **least privilege** to IAM and bucket policies, keep **Block Public Access** enforced, integrate findings with alerting, and regularly review anomalies to prevent data loss and tampering.",
"Url": "https://hub.prowler.com/check/guardduty_s3_protection_enabled"
}
},
"Categories": [],
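Review bot: The `NativeIaC` and `Terraform` snippets enable S3 Protection through the legacy `DataSources` / `datasources` path, while the other files in this commit use the `Features` model; AWS documents the data-source form as deprecated, and the `datasources` block of `aws_guardduty_detector` carries the same deprecation in the Terraform provider. Switching to the `S3_DATA_EVENTS` feature keeps the service's metadata consistent, i.e. `Features:\n - Name: S3_DATA_EVENTS\n Status: ENABLED` in CloudFormation and the corresponding feature resource in Terraform. The `CLI` line still uses `--data-sources S3Logs={Enable=true}`; the stray `}'` removal is correct, but moving it to the `--features` form would match the sibling checks.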