MEDIUM GuardDuty

GuardDuty unresolved findings

Check ID: aws-gd-002

AWS-GD-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags active (non-archived) GuardDuty findings that are more than 30 days old, which in practice means findings nobody has triaged.

Why it matters

Unresolved GuardDuty findings older than 30 days indicate potential active threats that your team has not investigated. High-severity findings such as UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration or CryptoCurrency:EC2/BitcoinTool.B require immediate response: every day of delay gives an attacker time to rotate stolen credentials into new identities, add persistence and move laterally, so the cost of containment grows with the age of the finding. Even medium-severity findings such as Recon:EC2/PortProbeUnprotectedPort indicate active reconnaissance that often precedes a larger attack. GuardDuty also retains findings for only 90 days, so a finding left untriaged past that window disappears together with its evidence unless findings are exported to S3 or Security Hub. Establish a process to triage new findings within 24 hours and archive a finding only after the investigation has been documented.

Common causes

Findings accumulate because teams lack a defined triage process and treat GuardDuty as a passive monitoring tool rather than an alerting source. Security teams overwhelmed by the volume of low- and medium-severity findings let them pile up uninvestigated instead of writing suppression rules for the noise they have already assessed as expected. Organizations without GuardDuty-to-ticketing integration (for example an EventBridge rule forwarding new findings to a queue or pager) rely on manual console checks, and the findings page is visited less and less often over time.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# Detector IDs are per region: aws guardduty list-detectors --region REGION
# List active (non-archived) findings; without --finding-criteria, archived ones are returned too:
aws guardduty list-findings --detector-id DETECTOR_ID --region REGION \
  --finding-criteria '{"Criterion":{"service.archived":{"Eq":["false"]}}}'
# Review details before acting:
aws guardduty get-findings --detector-id DETECTOR_ID --finding-ids FINDING_ID --region REGION
# Archive only after the investigation is documented:
aws guardduty archive-findings --detector-id DETECTOR_ID --finding-ids FINDING_ID --region REGION

Remediation: Terraform

# GuardDuty findings are operational data, not resources, so Terraform cannot resolve them.
# Review and archive findings in the AWS Console or with the CLI. What can be codified is
# the workflow around them: an EventBridge rule that forwards new findings to your
# ticketing or paging system, and GuardDuty filters with an archive action (suppression
# rules) for finding types you have documented as expected noise.

This check is part of cloud-audit - install with pip install cloud-audit

Related GuardDuty checks