Posted On: Jul 31, 2020
Amazon GuardDuty broadens threat detection coverage to monitor for highly suspicious data access and to detect anomalies, helping you better protect your data residing in Amazon Simple Storage Service (Amazon S3). This new capability adds S3 data events (LISTs/PUTs/GETs) as a new log and event source. GuardDuty continuously profiles this source to monitor data access behavior, combines it with GuardDuty threat intelligence, and identifies suspicious activity such as data access from an unusual geo-location, API calls from a known malicious IP address, or unusual API calls consistent with malicious data discovery attempts.
S3 protection will be on by default when you enable GuardDuty for the first time. If you are already using GuardDuty to protect your accounts and workloads, you can enable S3 protection via the GuardDuty console or API. With newly added AWS Organizations support, you can enable S3 protection across your entire organization with a single click. GuardDuty is now integrated directly with S3, removing the requirement to enable S3 data event logging in AWS CloudTrail to take advantage of this new capability. GuardDuty will process only events that are relevant for securing your S3 buckets, significantly reducing the number of events and lowering your costs. S3 protection is available in all AWS regions in which Amazon GuardDuty is available and comes with a 30-day free trial for all current and new GuardDuty customers. During the free trial, the cost of this new protection is calculated based on the actual data events processed for any given account and displayed in the GuardDuty console for review.