HIGH GuardDuty

GuardDuty enabled

Check ID: aws-gd-001

AWS-GD-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether Amazon GuardDuty is enabled for threat detection in each scanned region.

Why it matters

GuardDuty is AWS-managed threat detection that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs using machine learning and threat intelligence feeds from CrowdStrike, Proofpoint, and AWS internal security research. Without it, you lack automated detection for cryptocurrency mining (the most common post-compromise activity), credential exfiltration, unauthorized API calls from known malicious IPs, and C2 (command and control) communication. AWS reports that GuardDuty detects threats in customer accounts within an average of 7 minutes. The service costs approximately $4/million CloudTrail events and $1/GB of VPC flow log data analyzed - typically $30-100/month for small to mid-size accounts, making it one of the highest-ROI security investments available.

Common causes

GuardDuty is not enabled because teams are unaware it exists or assume CloudTrail and VPC Flow Logs alone provide sufficient threat detection. Cost concerns lead some organizations to skip GuardDuty, especially in development accounts where security monitoring is deprioritized. Accounts provisioned through automated pipelines may not include GuardDuty activation if the account baseline template was created before the service launched in 2017.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
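To show what the check actually evaluates, here is an added Python illustration of the aws-gd-001 logic; it is not cloud-audit's own source. It assumes a client object exposing GuardDuty's ListDetectors and GetDetector calls (a real boto3 guardduty client does), and ships with a constructed fake so it runs offline.

```python
from dataclasses import dataclass

CHECK_ID = "aws-gd-001"

@dataclass
class Finding:
    check_id: str
    region: str
    status: str        # "PASS" or "FAIL"
    detail: str
    remediation: str   # empty for PASS

def evaluate_region(region, gd_client):
    """Evaluate one region. gd_client needs list_detectors() and get_detector(DetectorId=...);
    boto3.client("guardduty", region_name=region) satisfies this. FakeGuardDuty below is a
    constructed offline stand-in (an assumption, not cloud-audit's code)."""
    ids = gd_client.list_detectors().get("DetectorIds", [])
    if not ids:
        # No detector at all: GuardDuty has never been turned on in this region.
        return Finding(CHECK_ID, region, "FAIL", "no GuardDuty detector in region",
                       f"aws guardduty create-detector --enable --region {region}")
    det_id = ids[0]  # GuardDuty permits one detector per account per region
    status = gd_client.get_detector(DetectorId=det_id)["Status"]
    if status != "ENABLED":
        # Detector exists but is suspended: re-enable it rather than creating another.
        return Finding(CHECK_ID, region, "FAIL", f"detector {det_id} has Status={status}",
                       f"aws guardduty update-detector --detector-id {det_id} --enable --region {region}")
    return Finding(CHECK_ID, region, "PASS", f"detector {det_id} is ENABLED", "")

def scan_regions(clients):
    """clients: mapping region name -> GuardDuty client for that region."""
    return [evaluate_region(r, clients[r]) for r in sorted(clients)]

class FakeGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client; sample data, not a real account."""
    def __init__(self, detectors):
        self._detectors = detectors  # {detector_id: "ENABLED" | "DISABLED"}
    def list_detectors(self):
        return {"DetectorIds": list(self._detectors)}
    def get_detector(self, DetectorId):
        return {"Status": self._detectors[DetectorId]}

if __name__ == "__main__":
    # Constructed sample: one healthy region, one suspended detector, one never enabled.
    sample = {"us-east-1": FakeGuardDuty({"12abc34d567e8fa901bc2d34e56789f0": "ENABLED"}),
              "eu-west-1": FakeGuardDuty({"98fed76c543b2a109fe8d76c5b43a210": "DISABLED"}),
              "ap-south-1": FakeGuardDuty({})}
    for f in scan_regions(sample):
        print(f"{f.check_id} {f.region:<11} {f.status}  {f.detail}  {f.remediation}")
```

Against a real account, build the mapping as {r: boto3.client("guardduty", region_name=r) for r in regions} with regions taken from ec2 describe-regions; the caller needs guardduty:ListDetectors and guardduty:GetDetector. Note the two remediation paths: create-detector only applies where no detector exists, while a suspended detector is fixed with update-detector.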

Remediation: AWS CLI

aws guardduty create-detector --enable --region REGION

Remediation: Terraform

resource "aws_guardduty_detector" "main" {
  enable = true
}

This check is part of cloud-audit - install with pip install cloud-audit