AWS Security ChangesHomeSearch

AWS guardduty documentation change

Service: guardduty · 2025-06-07 · Documentation medium

File: guardduty/latest/ug/guardduty_data-sources.md

Summary

Clarified handling of global service events in findings and expanded recommendation to enable GuardDuty in all Regions

Security assessment

The update emphasizes enabling GuardDuty in all Regions to detect threats via global services, improving security posture. However, it does not address a specific security vulnerability.

Diff

diff --git a/guardduty/latest/ug/guardduty_data-sources.md b/guardduty/latest/ug/guardduty_data-sources.md
index 545b886ca..504ec3f0c 100644
--- a//guardduty/latest/ug/guardduty_data-sources.md
+++ b//guardduty/latest/ug/guardduty_data-sources.md
@@ -53 +53 @@ For most AWS services, CloudTrail events are recorded in the AWS Region where th
-When GuardDuty consumes CloudTrail [Global service events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events) with security value such as network configurations or user permissions, it replicates those events and processes them in each Region where you have enabled GuardDuty. This behavior helps GuardDuty maintain user and role profiles in each Region, which is vital to detecting anomalous events.
+When GuardDuty consumes CloudTrail [Global service events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events) (GSE) with security value such as network configurations or user permissions, it replicates those events and processes them in each Region where you have enabled GuardDuty. This behavior helps GuardDuty maintain user and role profiles in each Region, which is vital to detecting anomalous events.
@@ -55 +55,5 @@ When GuardDuty consumes CloudTrail [Global service events](https://docs.aws.amaz
-We highly recommend that you enable GuardDuty in all AWS Regions which are enabled for your AWS account. This helps GuardDuty generate findings about unauthorized or unusual activity even in those Regions that you may not be using actively.
+###### Note
+
+For findings generated from these global service events, the Region value in the finding may differ from the Region where GuardDuty creates the detection. For example, a finding might show `us-east-1` as the Region even if GuardDuty creates the detection in a different Region.
+
+We recommend that you enable GuardDuty in all AWS Regions available in your AWS account. Even if you don't have resources deployed in certain Regions, enabling GuardDuty helps protect your account from potential threats. Threat actors can potentially launch attacks through global services (such as IAM, AWS STS, or Amazon CloudFront). They can attempt to create unauthorized resources to exploit Regions where you have limited presence. GuardDuty processes global service events in all Regions where you've enabled the service, including both default and opt-in Regions. This helps GuardDuty detect potentially suspicious activities across your AWS account, including Regions where you don't actively use resources.