AWS Security ChangesHomeSearch

AWS guardduty documentation change

Service: guardduty · 2025-03-30 · Documentation low

File: guardduty/latest/ug/guardduty-remediate-kubernetes.md

Summary

Updated documentation links to point to official Amazon EKS Best Practices Guide URLs instead of GitHub repository links. Fixed formatting of guide references (changed &EKS; to __Amazon EKS User Guide__). Corrected a typo ('identyifying' to 'identifying').

Security assessment

Changes improve references to security best practices and incident response procedures but do not address a specific disclosed vulnerability. Updates enhance existing security documentation quality.

Diff

diff --git a/guardduty/latest/ug/guardduty-remediate-kubernetes.md b/guardduty/latest/ug/guardduty-remediate-kubernetes.md
index 2ccc5d35c..1baed7f51 100644
--- a/guardduty/latest/ug/guardduty-remediate-kubernetes.md
+++ b/guardduty/latest/ug/guardduty-remediate-kubernetes.md
@@ -32 +32 @@ Before Kubernetes version 1.14, the `system:unauthenticated` group was associate
-For more information about removing these permissions, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the _Amazon EKS User Guide_.
+For more information about removing these permissions, see [Secure Amazon EKS clusters with best practices](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the __Amazon EKS User Guide__.
@@ -95 +95 @@ You can use Amazon Detective to further investigate the IAM role or user identif
-**AWS-Auth ConfigMap defined user** – An IAM user that was granted access through an AWS-auth ConfigMap. For more information, see [Managing users or IAM roles for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) in the &EKS; user guide. You can review their permissions using the following command: `kubectl edit configmaps aws-auth --namespace kube-system`
+**AWS-Auth ConfigMap defined user** – An IAM user that was granted access through an AWS-auth ConfigMap. For more information, see [Managing users or IAM roles for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) in the __Amazon EKS User Guide__. You can review their permissions using the following command: `kubectl edit configmaps aws-auth --namespace kube-system`
@@ -174 +174 @@ If the `type` field inside the `resource.kubernetesDetails.kubernetesWorkloadDet
-For information about identifying the worker node running the pods, see [Identify the offending pods and worker node](https://aws.github.io/aws-eks-best-practices/security/docs/incidents/#identify-the-offending-pod-and-worker-node).
+For information about identifying the worker node running the pods, see [Identify the offending pods and worker node](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_identify_the_offending_pod_and_worker_node) in the _Amazon EKS Best Practices Guide_.
@@ -181 +181 @@ If the `type` field inside the `resource.kubernetesDetails.kubernetesWorkloadDet
-For information about identifying all the pods of the workload resource and the nodes on which they are running, see [Identify the offending pods and worker nodes using workload name](https://aws.github.io/aws-eks-best-practices/security/docs/incidents/#identify-the-offending-pods-and-worker-nodes-using-workload-name).
+For information about identifying all the pods of the workload resource and the nodes on which they are running, see [Identify the offending pods and worker nodes using workload name](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_identify_the_offending_pods_and_worker_nodes_using_workload_name) in the _Amazon EKS Best Practices Guide_.
@@ -188 +188 @@ If a GuardDuty finding identifies a Service Account in the `resource.kubernetesD
-For information about identyifying all the pods using the service account and the nodes on which they are running, see [Identify the offending pods and worker nodes using service account name](https://aws.github.io/aws-eks-best-practices/security/docs/incidents/#identify-the-offending-pods-and-worker-nodes-using-service-account-name).
+For information about identifying all the pods using the service account and the nodes on which they are running, see [Identify the offending pods and worker nodes using service account name](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_identify_the_offending_pods_and_worker_nodes_using_service_account_name) in the _Amazon EKS Best Practices Guide_.
@@ -190 +190 @@ For information about identyifying all the pods using the service account and th
-After you have identified all the compromised pods and the nodes on which they are running, see [Amazon EKS best practices guide](https://aws.github.io/aws-eks-best-practices/security/docs/incidents/#isolate-the-pod-by-creating-a-network-policy-that-denies-all-ingress-and-egress-traffic-to-the-pod) to isolate the pod, rotate its credentials, and gather data for forensic analysis.
+After you have identified all the compromised pods and the nodes on which they are running, see [Isolate the pod by creating a network policy that denies all ingress and egress traffic to the pod](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_isolate_the_pod_by_creating_a_network_policy_that_denies_all_ingress_and_egress_traffic_to_the_pod) in the _Amazon EKS Best Practices Guide_.
@@ -200 +200 @@ After you have identified all the compromised pods and the nodes on which they a
-For more information, see [Redeploy compromised pod or workload resource](https://github.com/aws/aws-eks-best-practices/blob/master/content/security/docs/incidents.md#redeploy-compromised-pod-or-workload-resource).
+For more information, see [Redeploy compromised pod or workload resource](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_redeploy_compromised_pod_or_workload_resource) in the _Amazon EKS Best Practices Guide_.
@@ -217 +217 @@ When a GuardDuty finding indicates a pod compromise, the image used to launch th
-For more information, see [Identify pods with potentially vulnerable or compromised container images and worker nodes](https://aws.github.io/aws-eks-best-practices/security/docs/incidents/#identify-pods-with-vulnerable-or-compromised-images-and-worker-nodes).
+For more information, see [Identify pods with vulnerable or compromised images and worker nodes](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_identify_pods_with_vulnerable_or_compromised_images_and_worker_nodes) in the _Amazon EKS Best Practices Guide_.
@@ -219 +219 @@ For more information, see [Identify pods with potentially vulnerable or compromi
-  3. Isolate the potentially compromised pods, rotate credentials, and gather data for analysis. For more information, see [Amazon EKS best practices guide](https://aws.github.io/aws-eks-best-practices/security/docs/incidents/#isolate-the-pod-by-creating-a-network-policy-that-denies-all-ingress-and-egress-traffic-to-the-pod).
+  3. Isolate the potentially compromised pods, rotate credentials, and gather data for analysis. For more information, see [Isolate the pod by creating a network policy that denies all ingress and egress traffic to the pod](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_isolate_the_pod_by_creating_a_network_policy_that_denies_all_ingress_and_egress_traffic_to_the_pod) in the _Amazon EKS Best Practices Guide_.
@@ -238 +238 @@ A finding indicates the use of a privileged container if one or more of the cont
-For more information, see [Amazon EKS best practices guide](https://aws.github.io/aws-eks-best-practices/security/docs/incidents/#isolate-the-pod-by-creating-a-network-policy-that-denies-all-ingress-and-egress-traffic-to-the-pod).
+For more information, see [Isolate the pod by creating a network policy that denies all ingress and egress traffic to the pod](https://docs.aws.amazon.com/eks/latest/best-practices/incident-response-and-forensics.html#_isolate_the_pod_by_creating_a_network_policy_that_denies_all_ingress_and_egress_traffic_to_the_pod) in the _Amazon EKS Best Practices Guide_.