AWS guardduty documentation change
Summary
Added note that GuardDuty runtime monitoring findings do not include full command line arguments to protect sensitive data
Security assessment
This change documents a security feature that protects sensitive data by not including full command line arguments in findings. This is a security-by-design feature to prevent exposure of sensitive information, but there is no evidence it addresses a specific security vulnerability. The change adds documentation about existing security protections.
Diff
diff --git a/guardduty/latest/ug/findings-runtime-monitoring.md b/guardduty/latest/ug/findings-runtime-monitoring.md index 1a8e75121..076150337 100644 --- a//guardduty/latest/ug/findings-runtime-monitoring.md +++ b//guardduty/latest/ug/findings-runtime-monitoring.md @@ -824,0 +825,4 @@ If this activity is unexpected, your resource might have been compromised. For m +###### Note + +Process command line arguments may contain sensitive data. To protect sensitive data, GuardDuty runtime monitoring findings do not include full command line arguments. Instead, `Service.RuntimeDetails.Context.CommandLineExample` provides a representative example of the command line pattern that generated the finding. +