Amazon GuardDuty has incorporated new machine learning techniques that are highly effective at detecting anomalous access to data stored in Amazon Simple Storage Service (Amazon S3) buckets. This new capability continuously models S3 data plane API invocations (e.g. GET, PUT, and DELETE) within an account, incorporating probabilistic predictions to more accurately alert on highly suspicious user access to data stored in S3 buckets, such as requests coming from an unusual geo-location, or unusually high volumes of API calls consistent with attempts to exfiltrate data. The new machine learning approach can more accurately identify malicious activity associated with known attack tactics, including data discovery, tampering, and exfiltration. The new threat detections are available for all existing Amazon GuardDuty customers that have GuardDuty S3 Protection enabled, with no action required and at no additional costs. If you are not using GuardDuty yet, S3 protection will be on by default when you enable the service. If you are using GuardDuty, and are yet to enable S3 Protection, you can enable this capability organization-wide with one-click in the GuardDuty console or through the API.

This latest enhancement upgrades GuardDuty’s existing CloudTrail S3 data plane-based anomaly threat detections to improve accuracy, and provide contextual data to assist in incident investigation and response. The contextual data produced in these new threat detections are viewable in the GuardDuty console and the finding JSON file pushed out through Amazon EventBridge. With this contextual data, you can more quickly answer questions such as, what was anomalous about the activity? From which locations is the S3 bucket usually accessed? And what is the normal number of API calls the user makes to retrieve objects from the accessed S3 bucket? This capability is now available in all Amazon GuardDuty supported regions, excluding the AWS Asia Pacific (Osaka), AWS Asia Pacific (Jakarta), AWS GovCloud (US-East), AWS GovCloud (US-West), AWS China (Beijing), and AWS China (Ningxia) regions, which will be added at a later date. The five new threat detections added are:

  • Discovery:S3/AnomalousBehavior
  • Impact:S3/AnomalousBehavior.Write
  • Impact:S3/AnomalousBehavior.Delete
  • Exfiltration:S3/AnomalousBehavior
  • Impact:S3/AnomalousBehavior.Permission

Available globally, Amazon GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources, including your AWS accounts, access keys, EC2 instances, EKS clusters, and data stored in S3. Powered by threat intelligence, machine learning, and anomaly detection techniques to detect threats, GuardDuty is continuously evolving to help you protect your AWS environment.

You can begin your 30-day free trial of Amazon GuardDuty with a single-click in the AWS Management Console. Please see the AWS Regions page for all the regions where GuardDuty is available. To receive programmatic updates on new GuardDuty features and threat detections, subscribe to the Amazon GuardDuty SNS topic.