Why did GuardDuty send me alert findings for a trusted IP list address?

Last updated: 2020-02-17

I followed the instructions to set up a trusted IP address list for Amazon GuardDuty. Why is GuardDuty sending me alert findings for my trusted IP address?

Resolution

Use the following best practices to verify the trusted IP list settings:

  • Be sure that the trusted IP lists are uploaded in the same AWS Region as your GuardDuty findings.
  • Verify that the trusted IP lists are activated. For instructions, see activate or deactivate trusted IP lists and threat lists.
  • If you changed the trusted IP list, you must reactivate it in GuardDuty. For instructions, see update trusted IP lists and threat lists.
  • Be sure that the IP addresses added to the trusted IP list are publicly routable IPv4 addresses.
  • Adding a domain name, private IP address, or IPv6 address to a trusted IP list doesn't prevent GuardDuty from generating findings.
  • In member accounts, GuardDuty generates findings for malicious IP addresses from the master's threat lists, not the master's trusted IP lists. For more information, see GuardDuty Master Accounts.
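
The entry-format checks in the list above (publicly routable IPv4 only; no domain names, private addresses, or IPv6) can be run against a list file before it is uploaded. The following Python script is an added example, not AWS code: it assumes a plaintext list with one entry per line and assumes CIDR ranges are acceptable entries, and the names check_entry, audit_list and SAMPLE_LIST are hypothetical.

```python
import ipaddress


def check_entry(entry):
    """Return None for a publicly routable IPv4 address or range,
    otherwise a short reason the entry will not suppress findings."""
    try:
        # strict=False accepts a single address as a /32 and tolerates host bits
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "not an IP address (domain name or malformed entry)"
    if net.version == 6:
        return "IPv6 address"
    # Checks the first and last address of the range; a very wide range that
    # merely contains a private block in the middle is not detected here.
    if not (net.network_address.is_global and net.broadcast_address.is_global):
        return "not publicly routable (private or reserved IPv4)"
    return None


def audit_list(text):
    """Return (line number, entry, reason) for every entry that fails."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # skip blank lines
        reason = check_entry(entry)
        if reason:
            problems.append((lineno, entry, reason))
    return problems


# Constructed sample list for illustration; not taken from any real account.
SAMPLE_LIST = """\
8.8.8.8
1.1.1.0/24
10.0.0.5
192.168.1.0/24
2001:db8::1
vpn.example.com
"""

if __name__ == "__main__":
    for lineno, entry, reason in audit_list(SAMPLE_LIST):
        print(f"line {lineno}: {entry}: {reason}")
```

Entries the script reports are the ones to replace with the corresponding public IPv4 address before reactivating the list.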