AWS Security ChangesHomeSearch

AWS guardduty high security documentation change

Service: guardduty · 2025-07-01 · Security-related high

File: guardduty/latest/ug/validate-vpc-endpoint-config-runtime-monitoring.md

Summary

Modified VPC endpoint validation steps to require CIDR-based security group rules instead of 0.0.0.0/0 access

Security assessment

Changes security group configuration from open internet (0.0.0.0/0) to VPC CIDR restrictions, reducing attack surface

Diff

diff --git a/guardduty/latest/ug/validate-vpc-endpoint-config-runtime-monitoring.md b/guardduty/latest/ug/validate-vpc-endpoint-config-runtime-monitoring.md
index 8e3e82e1d..4538cf74c 100644
--- a//guardduty/latest/ug/validate-vpc-endpoint-config-runtime-monitoring.md
+++ b//guardduty/latest/ug/validate-vpc-endpoint-config-runtime-monitoring.md
@@ -13 +13 @@ Use the following steps to validate that VPC endpoint configuration for your res
-  2. In the navigation pane, under **Virtual private cloud** , choose **Endpoints**.
+  2. In the navigation pane, under **Virtual private cloud** , choose **Your VPCs**.
@@ -15 +15 @@ Use the following steps to validate that VPC endpoint configuration for your res
-  3. In the **Endpoints** table, select the row that has the **Service name** similar to **com.amazonaws.`us-east-1`.guardduty-data**. The Region (`us-east-1`) may be different for your endpoint.
+  3. On the **Your VPCs** page, choose **IPv4 CIDR** associated with your **VPC ID**.
@@ -17 +17 @@ Use the following steps to validate that VPC endpoint configuration for your res
-  4. A panel for endpoint details will appear. Under the **Security Groups** tab, select the associated **Group ID** link for more details.
+  4. In the navigation pane, under **Virtual private cloud** , choose **Endpoints**.
@@ -19 +19 @@ Use the following steps to validate that VPC endpoint configuration for your res
-  5. In the **Security Groups** table, select the row that with the associated **Security group ID** to view the details.
+  5. In the **Endpoints** table, select the row that has the **Service name** similar to **com.amazonaws.`us-east-1`.guardduty-data**. The Region (`us-east-1`) might be different for your endpoint.
@@ -21 +21 @@ Use the following steps to validate that VPC endpoint configuration for your res
-  6. Under the **Inbound rules** tab, ensure that there is an ingress policy with **Port range** as **443** and **Source** as **0.0.0.0/0**. Inbound rules control the incoming traffic that is allowed to reach the instance. The following image shows the inbound rules for a security group that is associated with the VPC used by the GuardDuty security agent.
+  6. A panel for endpoint details will appear. Under the **Security Groups** tab, select the associated **Group ID** link for more details.
@@ -23 +23,3 @@ Use the following steps to validate that VPC endpoint configuration for your res
-![A security group ID that has inbound rules.](/images/guardduty/latest/ug/images/validate-vpc-endpoint-config-security-group-console.png)
+  7. In the **Security Groups** table, select the row that with the associated **Security group ID** to view the details.
+
+  8. Under the **Inbound rules** tab, ensure that there is an ingress policy with **Port range** as **443** and **Source** as the value copied from the **IPv4 CIDR**. Inbound rules control the incoming traffic that is allowed to reach the instance. The following image shows the inbound rules for a security group that is associated with the VPC used by the GuardDuty security agent.