AWS Security ChangesHomeSearch

AWS guardduty medium security documentation change

Service: guardduty · 2025-07-18 · Security-related medium

File: guardduty/latest/ug/guardduty_upload-lists.md

Summary

Updated IAM role ARN example and added 'Expected bucket owner' validation for S3 bucket ownership checks

Security assessment

Added validation of S3 bucket ownership through account ID verification to prevent potential misconfigurations or unauthorized bucket access. This addresses potential security risks by ensuring bucket ownership matches specified account.

Diff

diff --git a/guardduty/latest/ug/guardduty_upload-lists.md b/guardduty/latest/ug/guardduty_upload-lists.md
index e896425a0..49ba44973 100644
--- a//guardduty/latest/ug/guardduty_upload-lists.md
+++ b//guardduty/latest/ug/guardduty_upload-lists.md
@@ -164 +164 @@ If your list is encrypted using server-side encryption SSE-KMS you must grant th
-        "AWS": "arn:aws:iam::123456789123:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
+        "AWS": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
@@ -226 +226 @@ By default, at any given point in time, you can have only one trusted IP list. S
-    3. Select the **I agree** check box.
+    3. (Optional) For **Expected bucket owner** , you can enter the AWS account ID that owns the Amazon S3 bucket specified in the **Location** field.
@@ -228 +228,5 @@ By default, at any given point in time, you can have only one trusted IP list. S
-    4. Choose **Add list**. By default, the **Status** of the added list is **Inactive**. For the list to be effective, you must activate the list.
+When you enter this AWS account ID, GuardDuty will validate that the S3 bucket provided in the **Location** field belongs to this account ID. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating the list. If you don't specify an AWS account ID owner, GuardDuty doesn't perform any validation.
+
+    4. Select the **I agree** check box.
+
+    5. Choose **Add list**. By default, the **Status** of the added list is **Inactive**. For the list to be effective, you must activate the list.
@@ -298 +302,5 @@ Console
-  6. Choose the **I agree** check box, and then choose **Update list**. The value in the **Status** column will change to **Inactive**.
+  6. (Optional) For **Expected bucket owner** , you can enter the AWS account ID that owns the Amazon S3 bucket specified in the **Location** field.
+
+When you enter this AWS account ID, GuardDuty will validate that the S3 bucket provided in the **Location** field belongs to this account ID. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating the list. If you don't specify an AWS account ID owner, GuardDuty doesn't perform any validation.
+
+  7. Choose the **I agree** check box, and then choose **Update list**. The value in the **Status** column will change to **Inactive**.
@@ -300 +308 @@ Console
-  7. ###### Reactivating the updated list
+  8. ###### Reactivating the updated list