AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-02-27 · Documentation low

File: securityhub/latest/userguide/guardduty-controls.md

Summary

Added three new GuardDuty controls: Runtime Monitoring, ECS Runtime Monitoring, and EC2 Runtime Monitoring. Also removed backticks from AWS Config rule links.

Security assessment

The changes add documentation for new GuardDuty monitoring features which are security-related, but there is no evidence these changes address a specific security vulnerability or incident. The removal of backticks from AWS Config rule links is a formatting change unrelated to security.

Diff

diff --git a/securityhub/latest/userguide/guardduty-controls.md
index 4ad5ff9f6..3faeec31b 100644
--- a/securityhub/latest/userguide/guardduty-controls.md
+++ b/securityhub/latest/userguide/guardduty-controls.md
@@ -5 +5 @@
-[GuardDuty.1] GuardDuty should be enabled[GuardDuty.2] GuardDuty filters should be tagged[GuardDuty.3] GuardDuty IPSets should be tagged[GuardDuty.4] GuardDuty detectors should be tagged[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled[GuardDuty.6] GuardDuty Lambda Protection should be enabled[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled[GuardDuty.9] GuardDuty RDS Protection should be enabled[GuardDuty.10] GuardDuty S3 Protection should be enabled
+[GuardDuty.1] GuardDuty should be enabled[GuardDuty.2] GuardDuty filters should be tagged[GuardDuty.3] GuardDuty IPSets should be tagged[GuardDuty.4] GuardDuty detectors should be tagged[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled[GuardDuty.6] GuardDuty Lambda Protection should be enabled[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled[GuardDuty.9] GuardDuty RDS Protection should be enabled[GuardDuty.10] GuardDuty S3 Protection should be enabled[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled
@@ -23 +23 @@ These controls may not be available in all AWS Regions. For more information, se
-**AWS Config rule:** [`guardduty-enabled-centralized`](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-enabled-centralized.html)
+**AWS Config rule:** [guardduty-enabled-centralized](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-enabled-centralized.html)
@@ -135 +135 @@ To add tags to a GuardDuty detector, see [TagResource](https://docs.aws.amazon.c
-**AWS Config rule:** [`guardduty-eks-protection-audit-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-audit-enabled.html)
+**AWS Config rule:** [guardduty-eks-protection-audit-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-audit-enabled.html)
@@ -161 +161 @@ To enable GuardDuty EKS Audit Log Monitoring, see [EKS Audit Log Monitoring](htt
-**AWS Config rule:** [`guardduty-lambda-protection-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-lambda-protection-enabled.html)
+**AWS Config rule:** [guardduty-lambda-protection-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-lambda-protection-enabled.html)
@@ -211 +211 @@ To enable EKS Runtime Monitoring with automated agent management, see [Enabling
-**AWS Config rule:** [`guardduty-malware-protection-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-malware-protection-enabled.html)
+**AWS Config rule:** [guardduty-malware-protection-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-malware-protection-enabled.html)
@@ -237 +237 @@ To enable GuardDuty Malware Protection for EC2, see [Configuring GuardDuty-initi
-**AWS Config rule:** [`guardduty-rds-protection-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-rds-protection-enabled.html)
+**AWS Config rule:** [guardduty-rds-protection-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-rds-protection-enabled.html)
@@ -263 +263 @@ To enable GuardDuty RDS Protection, see [GuardDuty RDS Protection](https://docs.
-**AWS Config rule:** [`guardduty-s3-protection-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-s3-protection-enabled.html)
+**AWS Config rule:** [guardduty-s3-protection-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-s3-protection-enabled.html)
@@ -278,0 +279,72 @@ To enable GuardDuty S3 Protection, see [Amazon S3 Protection in Amazon GuardDuty
+## [GuardDuty.11] GuardDuty Runtime Monitoring should be enabled
+
+**Category:** Detect > Detection Services
+
+**Severity:** High
+
+**Resource type:** `AWS::GuardDuty::Detector`
+
+**AWS Config rule:** [guardduty-runtime-monitoring-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-runtime-monitoring-enabled.html)
+
+**Schedule type:** Periodic
+
+**Parameters:** None
+
+This control checks whether Runtime Monitoring is enabled in Amazon GuardDuty. For a standalone account, the control fails if GuardDuty Runtime Monitoring is disabled for the account. In a multi-account environment, the control fails if GuardDuty Runtime Monitoring is disabled for the delegated GuardDuty administrator account and all member accounts.
+
+In a multi-account environment, only the delegated GuardDuty administrator can enable or disable GuardDuty Runtime Monitoring for accounts in their organization. In addition, only the GuardDuty administrator can configure and manage the security agents that GuardDuty uses for runtime monitoring of AWS workloads and resources for accounts in the organization. GuardDuty member accounts can't enable, configure, or disable Runtime Monitoring for their own accounts.
+
+GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats, such as Amazon EKS clusters and Amazon EC2 instances.
+
+### Remediation
+
+For more information about GuardDuty Runtime Monitoring, including configuration options and requirements, see [GuardDuty Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html) in the _Amazon GuardDuty User Guide_.
+
+## [GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled
+
+**Category:** Detect > Detection Services
+
+**Severity:** Medium
+
+**Resource type:** `AWS::GuardDuty::Detector`
+
+**AWS Config rule:** [guardduty-ecs-protection-runtime-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-ecs-protection-runtime-enabled.html)
+
+**Schedule type:** Periodic
+
+**Parameters:** None
+
+This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon ECS clusters on AWS Fargate. For a standalone account, the control fails if the security agent is disabled for the account. In a multi-account environment, the control fails if the security agent is disabled for the delegated GuardDuty administrator account and all member accounts.
+
+In a multi-account environment, this control generates findings only in the delegated GuardDuty administrator account. This is because only the delegated GuardDuty administrator can enable or disable Runtime Monitoring of ECS-Fargate resources for accounts in their organization. GuardDuty member accounts can't do this for their own accounts. In addition, this control generates `FAILED` findings if GuardDuty is suspended for a member account and Runtime Monitoring of ECS-Fargate resources is disabled for the member account. To receive a `PASSED` finding, the GuardDuty administrator must disassociate the suspended member account from their administrator account by using GuardDuty.
+
+GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats. This includes Amazon ECS clusters on AWS Fargate.
+
+### Remediation
+
+To enable and manage the security agent for GuardDuty Runtime Monitoring of ECS-Fargate resources, you must use GuardDuty directly. You can't enable or manage it manually for ECS-Fargate resources. For information about enabling and managing the security agent, see [Prerequisites for AWS Fargate (Amazon ECS only) support](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html) and [Managing the automated security agent for AWS Fargate (Amazon ECS only)](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ecs-automated.html) in the _Amazon GuardDuty User Guide_.
+
+## [GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled
+
+**Category:** Detect > Detection Services
+
+**Severity:** Medium
+
+**Resource type:** `AWS::GuardDuty::Detector`
+
+**AWS Config rule:** [guardduty-ec2-protection-runtime-enabled](https://docs.aws.amazon.com/config/latest/developerguide/guardduty-ec2-protection-runtime-enabled.html)
+
+**Schedule type:** Periodic
+
+**Parameters:** None
+
+This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon EC2 instances. For a standalone account, the control fails if the security agent is disabled for the account. In a multi-account environment, the control fails if the security agent is disabled for the delegated GuardDuty administrator account and all member accounts.
+
+In a multi-account environment, this control generates findings only in the delegated GuardDuty administrator account. This is because only the delegated GuardDuty administrator can enable or disable Runtime Monitoring of Amazon EC2 instances for accounts in their organization. GuardDuty member accounts can't do this for their own accounts. In addition, this control generates `FAILED` findings if GuardDuty is suspended for a member account and Runtime Monitoring of EC2 instances is disabled for the member account. To receive a `PASSED` finding, the GuardDuty administrator must disassociate the suspended member account from their administrator account by using GuardDuty.
+
+GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats. This includes Amazon EC2 instances.
+
+### Remediation
+
+For information about configuring and managing the automated security agent for GuardDuty Runtime Monitoring of EC2 instances, see [Prerequisites for Amazon EC2 instance support](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html) and [Enabling the automated security agent for Amazon EC2 instances](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ec2-automated.html) in the _Amazon GuardDuty User Guide_.
+