AWS Security ChangesHomeSearch

AWS guardduty documentation change

Service: guardduty · 2026-03-28 · Documentation low

File: guardduty/latest/ug/findings-runtime-monitoring.md

Summary

Added note that GuardDuty runtime monitoring findings do not include full command line arguments to protect sensitive data

Security assessment

This change documents a security feature that protects sensitive data by not including full command line arguments in findings. This is a security-by-design feature to prevent exposure of sensitive information, but there is no evidence it addresses a specific security vulnerability. The change adds documentation about existing security protections.

Diff

diff --git a/guardduty/latest/ug/findings-runtime-monitoring.md b/guardduty/latest/ug/findings-runtime-monitoring.md
index 1a8e75121..076150337 100644
--- a//guardduty/latest/ug/findings-runtime-monitoring.md
+++ b//guardduty/latest/ug/findings-runtime-monitoring.md
@@ -824,0 +825,4 @@ If this activity is unexpected, your resource might have been compromised. For m
+###### Note
+
+Process command line arguments may contain sensitive data. To protect sensitive data, GuardDuty runtime monitoring findings do not include full command line arguments. Instead, `Service.RuntimeDetails.Context.CommandLineExample` provides a representative example of the command line pattern that generated the finding.
+