AWS Security ChangesHomeSearch

AWS guardduty documentation change

Service: guardduty · 2026-05-22 · Documentation medium

File: guardduty/latest/ug/guardduty_findings-summary.md

Summary

Added five new security indicator types (MALICIOUS_PACKAGE, MISCONFIGURATION, REACHABILITY, SENSITIVE_DATA, VULNERABILITY) to attack sequence findings.

Security assessment

Introduces documentation for new threat detection capabilities integrating Security Hub/Inspector/Macie. While security-related, it describes feature enhancements rather than addressing specific vulnerabilities.

Diff

diff --git a/guardduty/latest/ug/guardduty_findings-summary.md b/guardduty/latest/ug/guardduty_findings-summary.md
index 9b3e2efda..004d3cc71 100644
--- a//guardduty/latest/ug/guardduty_findings-summary.md
+++ b//guardduty/latest/ug/guardduty_findings-summary.md
@@ -446,0 +447 @@ Indicator name | Description
+`MALICIOUS_PACKAGE` |  Indicates that a resource involved in the attack sequence contains a software package identified as malicious. The indicator values include malicious package identifiers using OSV designation (MAL-*) associated with the detected packages.  
@@ -447,0 +449,3 @@ Indicator name | Description
+`MISCONFIGURATION` |  Indicates that a resource involved in the attack sequence has a security misconfiguration that may increase the potential impact. Examples include administrative access policies, disabled versioning, or missing encryption. These misconfigurations are identified by AWS Security Hub CSPM. For more information, see [Supported trait types](https://docs.aws.amazon.com/securityhub/latest/userguide/exposure-findings-supported-traits.html) in the _AWS Security Hub CSPM User Guide_.  
+`REACHABILITY` |  Indicates that a resource involved in the attack sequence is reachable from the internet or is publicly accessible. Examples include internet-reachable Amazon EC2 instances, Amazon EKS clusters, Amazon ECS clusters, or publicly accessible Amazon S3 buckets. For more information, see [Supported trait types](https://docs.aws.amazon.com/securityhub/latest/userguide/exposure-findings-supported-traits.html) in the _AWS Security Hub CSPM User Guide_.  
+`SENSITIVE_DATA` |  Indicates that an Amazon S3 bucket involved in the attack sequence contains sensitive data, as identified by Amazon Macie through AWS Security Hub CSPM.  
@@ -454,0 +459 @@ Indicator name | Description
+`VULNERABILITY` |  Indicates that a resource involved in the attack sequence has known vulnerabilities with critical, high, medium, or low severity. The indicator values include CVE identifiers and their severity levels. These vulnerabilities are detected by Amazon Inspector and may increase the potential impact of the attack sequence. For more information about severity levels, see [Understanding severity levels](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-severity.html) in the _Amazon Inspector User Guide_.