IAMTrail - GuardDuty Announcements

NEW_FEATURES: GuardDuty Malware Protection for Amazon S3 Object Scan Result notifications in EventBridge now includes statusReasons field to provide visibility into

Mon, 13 Apr 2026 21:16:42 GMT

GuardDuty Malware Protection for Amazon S3 Object Scan Result notifications in EventBridge now includes statusReasons field to provide visibility into reason behind skipped scans.

AWS Documentation

View on IAMTrail

UPDATED_FINDINGS: Impact:EC2/SuspiciousDomainRequest.Reputation

Fri, 27 Mar 2026 22:11:54 GMT

GuardDuty has expanded its threat intelligence sources to include an additional vendor, providing broader coverage of known malicious domains. You may observe an increase in findings for this finding type as a result of this expanded coverage.

AWS Documentation

View on IAMTrail

UPDATED_FINDINGS: Trojan:EC2/DriveBySourceTraffic!DNS

Fri, 27 Mar 2026 22:11:54 GMT

AWS Documentation

View on IAMTrail

UPDATED_FINDINGS: Backdoor:EC2/C&CActivity.B!DNS

Fri, 27 Mar 2026 22:11:54 GMT

AWS Documentation

View on IAMTrail

UPDATED_FINDINGS: Trojan:EC2/PhishingDomainRequest!DNS

Fri, 27 Mar 2026 22:11:54 GMT

AWS Documentation

View on IAMTrail

NEW_FINDINGS: CredentialAccess:IAMUser/CompromisedCredentials

Tue, 10 Mar 2026 22:45:12 GMT

Amazon GuardDuty now delivers findings for compromised IAM credentials. When abnormal credential activity is detected, you will receive notification through GuardDuty's standard channels.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FINDINGS: UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS

Wed, 17 Dec 2025 19:57:30 GMT

This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on a Lambda resource in your AWS environment.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty now supports wildcard characters (* and ?) in finding suppression rules. Wildcards are supported through new Matches and NotMatches o

Wed, 03 Dec 2025 01:06:44 GMT

Amazon GuardDuty now supports wildcard characters (* and ?) in finding suppression rules. Wildcards are supported through new Matches and NotMatches operators, giving you more flexibility in managing security findings. The findings that match this criteria are automatically archived. Suppressed findings are also excluded from Extended Threat Detection sequencing, further helping you customize your security alerts.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: GuardDuty introduces two new critical-severity findings: AttackSequence:EC2/CompromisedInstanceGroup and AttackSequence:ECS/CompromisedCluster. These

Wed, 03 Dec 2025 00:01:00 GMT

GuardDuty introduces two new critical-severity findings: AttackSequence:EC2/CompromisedInstanceGroup and AttackSequence:ECS/CompromisedCluster. These findings provide attack sequence information, allowing you to spend less time on initial analysis and more time responding to critical threats, minimizing business impact. For example, GuardDuty can identify suspicious processes followed by persistence attempts, crypto-mining activities, and reverse shell creation, representing these related events as a single, critical-severity finding. To improve attack sequence coverage and threat analysis of Amazon EC2 instances, enable Runtime Monitoring for EC2. To enable detection of compromised ECS clusters, enable Runtime Monitoring for Fargate or EC2 depending on your infrastructure.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FINDINGS: DefenseEvasion:IAMUser/BedrockLoggingDisabled

Sat, 22 Nov 2025 00:18:52 GMT

Amazon GuardDuty has added a new finding type that notifies you when logging for Amazon Bedrock model invocations is disabled. This finding helps detect attempts to evade detection by disabling audit logs that track AI workload activity.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty announces Malware Protection for AWS Backup. This fully managed feature simplifies malware scanning of your backups where it automati

Thu, 20 Nov 2025 01:36:54 GMT

Amazon GuardDuty announces Malware Protection for AWS Backup. This fully managed feature simplifies malware scanning of your backups where it automatically scans new backups upon creation, lets you run on-demand scans of existing backups, and allows you to verify integrity of backups before restoration. Using this feature, you can now perform full and incremental malware scans on your EBS Snapshots, EC2 AMIs, and Backup Recovery Points by using the StartMalwareScan API. The feature publishes scan results to Amazon EventBridge. You can use this feature without enabling the foundational GuardDuty in your account.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty announces Scan on Demand for Malware Protection for S3. Using this feature you can use the new SendObjectMalwareScan API to trigger s

Mon, 17 Nov 2025 23:26:24 GMT

Amazon GuardDuty announces Scan on Demand for Malware Protection for S3. Using this feature you can use the new SendObjectMalwareScan API to trigger scans on any already existing objects stored in your S3 buckets.

AWS Documentation

Raw SNS message

View on IAMTrail

GuardDuty new findings

Wed, 15 Oct 2025 23:49:16 GMT

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty Malware Protection for S3 enhances archive processing to support up to 10,000 files per archive (up from 1,000 files).

Thu, 04 Sep 2025 19:02:03 GMT

Amazon GuardDuty Malware Protection for S3 enhances archive processing to support up to 10,000 files per archive (up from 1,000 files).

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Customers can now use their own trusted and threat domain lists to customize how GuardDuty generates and alerts on findings, along with several other

Fri, 15 Aug 2025 19:44:04 GMT

Customers can now use their own trusted and threat domain lists to customize how GuardDuty generates and alerts on findings, along with several other improvements, extending the existing support for trusted and threat IP lists.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty is now available in Asia Pacific (Taipei) Region

Fri, 01 Aug 2025 21:46:03 GMT

Amazon GuardDuty is now available in Asia Pacific (Taipei) Region

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty Malware Protection for S3 now supports scanning objects up to 100 GB, increased from 5 GB. This includes both individual objects and

Wed, 23 Jul 2025 22:55:42 GMT

Amazon GuardDuty Malware Protection for S3 now supports scanning objects up to 100 GB, increased from 5 GB. This includes both individual objects and extracted archive files.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: GuardDuty Extended Threat Detection connects individual findings and signals into an attack sequence, a critical severity finding. This capability now

Tue, 17 Jun 2025 16:41:54 GMT

GuardDuty Extended Threat Detection connects individual findings and signals into an attack sequence, a critical severity finding. This capability now includes coverage for multi-stage attacks targeting Amazon EKS clusters in your AWS environment. GuardDuty correlates multiple security signals across Amazon EKS audit logs, runtime behavior of processes, and AWS API activity to detect sophisticated attack patterns. Enable EKS Protection, Runtime Monitoring (EKS), or both to maximize your detection coverage. Feature availability varies in AWS GovCloud (US) and AWS China Regions.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty Malware Protection has added limited support for scanning instances with marketplace product codes in AWS Commercial Regions. This ap

Fri, 13 Jun 2025 22:47:00 GMT

Amazon GuardDuty Malware Protection has added limited support for scanning instances with marketplace product codes in AWS Commercial Regions. This applies to both GuardDuty-initiated and on-demand malware scans.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Now available: (1) New GuardDuty agent versions featuring security updates for Amazon EKS, Amazon EC2, and Amazon ECS Fargate; (2) Enhanced visibility

Thu, 22 May 2025 22:45:58 GMT

Now available: (1) New GuardDuty agent versions featuring security updates for Amazon EKS, Amazon EC2, and Amazon ECS Fargate; (2) Enhanced visibility into underlying runtime coverage issues. For assessing coverage across computes and troubleshooting steps, check https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-assessing-coverage.html in the Amazon GuardDuty User Guide.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty is now available in AWS Mexico (Central) Region

Wed, 07 May 2025 20:14:37 GMT

Amazon GuardDuty is now available in AWS Mexico (Central) Region

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty is now available in AWS Asia Pacific (Thailand) Region

Wed, 02 Apr 2025 02:10:39 GMT

Amazon GuardDuty is now available in AWS Asia Pacific (Thailand) Region

AWS Documentation

Raw SNS message

View on IAMTrail

GuardDuty general

Tue, 25 Feb 2025 17:33:20 GMT

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty is now available in AWS Asia Pacific (Malaysia) Region

Thu, 16 Jan 2025 22:53:18 GMT

Amazon GuardDuty is now available in AWS Asia Pacific (Malaysia) Region

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Now available: Amazon GuardDuty Extended Threat Detection automatically detects multi-stage attacks sequences. An attack sequence is a critical severi

Tue, 03 Dec 2024 23:22:55 GMT

Now available: Amazon GuardDuty Extended Threat Detection automatically detects multi-stage attacks sequences. An attack sequence is a critical severity finding that identifies a sophisticated attack across time and AWS resources. Extended Threat Detection connects individual findings and signals into a cohesive attack narrative. An attack sequence involves multiple steps, such as gaining initial access, escalating privileges, moving laterally, and exfiltrating data. Additionally, enable GuardDuty S3 Protection to further enhance the security value of the attack sequences.

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty Malware Protection for EC2 has added three Runtime Monitoring finding types that invoke automatic (GuardDuty-initiated) malware scans

Wed, 13 Nov 2024 01:11:20 GMT

Amazon GuardDuty Malware Protection for EC2 has added three Runtime Monitoring finding types that invoke automatic (GuardDuty-initiated) malware scans - Execution:Runtime/MaliciousFileExecuted, Execution:Runtime/SuspiciousShellCreated, and PrivilegeEscalation:Runtime/ElevationToRoot. AWS accounts that have the Malware Protection for EC2 feature enabled may observe malware scans being initiated when these findings are generated.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty expands its generally available RDS Protection feature to now also support monitoring login activity from Amazon Aurora PostgreSQL Li

Wed, 06 Nov 2024 20:20:13 GMT

Amazon GuardDuty expands its generally available RDS Protection feature to now also support monitoring login activity from Amazon Aurora PostgreSQL Limitless Databases. As a part of this expansion, GuardDuty will automatically begin monitoring login data from Aurora PostgreSQL Limitless Databases for accounts that currently have RDS Protection enabled. For accounts that have not yet enabled RDS Protection, enable the feature with a single step in the GuardDuty console. This will begin continuous monitoring of existing and new databases in your account.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: GuardDuty Malware Protection for S3 launches zero-click role creation when enabling protection on a bucket. GuardDuty now allows you to use a pre-exis

Wed, 23 Oct 2024 23:52:10 GMT

GuardDuty Malware Protection for S3 launches zero-click role creation when enabling protection on a bucket. GuardDuty now allows you to use a pre-existing role or can automatically create a new role with permissions scoped down to perform actions on that specific bucket.

AWS Documentation

Raw SNS message

View on IAMTrail

GuardDuty new findings

Mon, 21 Oct 2024 18:00:28 GMT

Raw SNS message

View on IAMTrail

GuardDuty new findings

Fri, 11 Oct 2024 00:23:28 GMT

Raw SNS message

View on IAMTrail

NEW_FEATURES: AWS PrivateLink now available with GuardDuty. You can now establish a private connection between your VPC and Amazon GuardDuty.

Wed, 18 Sep 2024 01:42:25 GMT

AWS PrivateLink now available with GuardDuty. You can now establish a private connection between your VPC and Amazon GuardDuty.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty adds new functionality to the GetFindingsStatistics API. Customers can now query aggregate finding counts broken down by: account, da

Fri, 13 Sep 2024 00:04:34 GMT

Amazon GuardDuty adds new functionality to the GetFindingsStatistics API. Customers can now query aggregate finding counts broken down by: account, daily counts, finding type, finding severity and affected resources. Link: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_GetFindingsStatistics.html

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty Malware Protection for S3 has increased the quota for the number of Amazon S3 buckets that you can protect, from 10 to 25 buckets per

Fri, 09 Aug 2024 19:55:04 GMT

Amazon GuardDuty Malware Protection for S3 has increased the quota for the number of Amazon S3 buckets that you can protect, from 10 to 25 buckets per AWS account in each AWS Region.

AWS Documentation

Raw SNS message

View on IAMTrail

GuardDuty new findings

Wed, 07 Aug 2024 02:39:16 GMT

Raw SNS message

View on IAMTrail

GENERAL: Pay increased threat awareness regarding DNS-related findings

Wed, 24 Jul 2024 21:17:33 GMT

Amazon GuardDuty observed a trend where threat actors are setting up malicious domains to compromise organizations working on software patching related to CrowdStrike's recent sensor issue. Currently, GuardDuty is observing an uptick in Command and Control (C&C) Activity findings that correspond with domains identified in CrowdStrike CSA-240832. As a proactive measure, we strongly advise all customers to increase vigilance regarding DNS-related findings. Recommended steps include: 1. Monitor DNS-related findings: Pay close attention to alerts such as Backdoor:EC2/ C&CActivity.B!DNS findings and Backdoor:Runtime/C&CActivity.B!DNS (if using GuardDuty's runtime protection for EKS, ECS Fargate, and EC2). They indicate potential communication with suspicious and malicious command and control (C&C) activities, which could be part of or evolve into a broader attacks targeting your workloads. 2. Validate and evaluate findings: Get started with the GuardDuty console, API, or other preferred method to review findings promptly. Start with a finding's severity label, which would be marked as “High” for more important ones. GuardDuty continually updates its threat intelligence from CrowdStrike and other AWS internal and external sources, which helps ensure a current list of suspicious and malicious domains. 3 Take action on suspicious activity: If the flagged activity is unexpected, your instance may be compromised. Consider quickly taking action on affected resources, conducting a thorough investigation, and remediating any identified threats. For more information, see remediating a potentially compromised Amazon EC2 instance. Maintaining heightened awareness and promptly responding to GuardDuty findings can help you reduce the risk of malicious actors compromising your environments. For further assistance, refer to the AWS GuardDuty documentation or contact AWS Support.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Now available: Extending operating systems support to Ubuntu and Debian OS for Amazon GuardDuty for EC2 runtime monitoring. Get visibility into operat

Wed, 19 Jun 2024 23:31:42 GMT

Now available: Extending operating systems support to Ubuntu and Debian OS for Amazon GuardDuty for EC2 runtime monitoring. Get visibility into operating system-level, network and file activities and container-level context of the identified threats.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty announces Malware Protection for S3 that automatically scans newly uploaded objects to your selected Amazon S3 buckets for potential

Thu, 13 Jun 2024 00:33:34 GMT

Amazon GuardDuty announces Malware Protection for S3 that automatically scans newly uploaded objects to your selected Amazon S3 buckets for potential malware, viruses, and other suspicious uploads. The feature provides an option to add tags to your scanned objects and publishes the S3 object scan result to Amazon EventBridge. You can further build downstream workflows, such as isolation to a quarantine bucket, or define bucket policies using tags that prevent users or applications from accessing certain objects. You can use this feature without enabling the GuardDuty service in your account.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty expands its generally-available RDS Protection feature to now also support RDS for PostgreSQL login activity monitoring, in addition

Thu, 06 Jun 2024 21:53:48 GMT

Amazon GuardDuty expands its generally-available RDS Protection feature to now also support RDS for PostgreSQL login activity monitoring, in addition to already monitoring Amazon Aurora databases. As part of this expansion, GuardDuty will automatically begin monitoring login data from RDS for PostgreSQL databases for accounts that are currently enabled with GuardDuty RDS Protection monitors. For new accounts that are not enabled with GuardDuty RDS Protection yet, customers can enable the feature with a single step in the GuardDuty console that will begin continuous monitoring for existing and new Amazon Aurora and RDS for PostgreSQL database workloads.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: GuardDuty Malware Protection has increased the EBS volume size limit for malware scanning from 1 TB to 2TB. This applies to both GuardDuty-initiated a

Thu, 30 May 2024 00:42:45 GMT

GuardDuty Malware Protection has increased the EBS volume size limit for malware scanning from 1 TB to 2TB. This applies to both GuardDuty-initiated and on-demand malware scans.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: GuardDuty Runtime Monitoring for ECS workloads deployed on Fargate now also supports batch tasks.

Tue, 28 May 2024 22:22:15 GMT

GuardDuty Runtime Monitoring for ECS workloads deployed on Fargate now also supports batch tasks.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FINDINGS: Execution:Runtime/MaliciousFileExecuted

Fri, 05 Apr 2024 20:30:27 GMT

This finding informs you that a known malicious executable has been executed on Amazon EC2 instance or a container within your AWS environment. This is a strong indicator that the instance or container has been potentially compromised and that malware has been executed.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Now available: Detect potential runtime security threats to your EC2 workloads with Amazon GuardDuty. Get visibility into operating system-level, netw

Fri, 29 Mar 2024 21:18:52 GMT

Now available: Detect potential runtime security threats to your EC2 workloads with Amazon GuardDuty. Get visibility into operating system-level, network, file activities and container-level context of the identified threats. Try it for 30 days at no cost.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Starting with the GuardDuty Runtime Monitoring EKS addon v1.5.0, you can set custom values for the following configurable parameters: CPU and memory s

Tue, 19 Mar 2024 00:51:10 GMT

Starting with the GuardDuty Runtime Monitoring EKS addon v1.5.0, you can set custom values for the following configurable parameters: CPU and memory settings, PriorityClass and dnsPolicy during creation or update of the addon. The custom values of the configurable parameters will be honored during addon update to future releases. With this update, you can ensure the agent performance impact, as well as its scheduling priority and DNS policy, conforms with your organizational guidance. For more information, refer to the documentation.

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty is now available in AWS Canada West (Calgary) Region

Wed, 06 Mar 2024 22:21:14 GMT

Amazon GuardDuty is now available in AWS Canada West (Calgary) Region

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty Runtime Monitoring, which detects potential runtime-based threats, now protects workloads running in shared virtual private cloud (VP

Thu, 15 Feb 2024 01:10:15 GMT

Amazon GuardDuty Runtime Monitoring, which detects potential runtime-based threats, now protects workloads running in shared virtual private cloud (VPCs) across all supported compute services. With this launch, customers who are already opted into automated agent management in GuardDuty will benefit from a renewed 30-day trial of GuardDuty Runtime Monitoring where we will automatically start monitoring the resources (clusters) deployed in shared VPC setup. Customers also have the option to manually manage the agent and provision the VPC endpoint in their shared VPC environment.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty extends Malware Protection for EC2 instance and container workloads by now also supporting malware scan of EBS volumes encrypted with

Tue, 06 Feb 2024 03:09:05 GMT

Amazon GuardDuty extends Malware Protection for EC2 instance and container workloads by now also supporting malware scan of EBS volumes encrypted with an AWS managed key. Scans can be initiated by GuardDuty, or by the user through the GuardDuty console, or programmatically via the API, without the need to deploy security software and with no impact to running workloads.

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty Runtime Monitoring is now generally available for Amazon Elastic Containers Service (Amazon ECS), including AWS Fargate, and in previ

Thu, 07 Dec 2023 00:27:21 GMT

Amazon GuardDuty Runtime Monitoring is now generally available for Amazon Elastic Containers Service (Amazon ECS), including AWS Fargate, and in preview for other Amazon Elastic Compute Cloud (Amazon EC2) instances. Runtime Monitoring uses an agent that is deployed as a sidecar container on Fargate and a service on the EC2 instance. Runtime Monitoring supports only automated deployment on ECS Fargate and manual deployment on EC2 instance. You can also deploy the agent on EC2 instance automatically by using RPM via AWS Systems Manager (SSM). The agent collects security telemetry from your workloads on ECS Fargate and EC2 to identify suspicious activity. GuardDuty customers can enable Runtime Monitoring on the Amazon GuardDuty console Runtime Monitoring page, which includes the optional automated agent configuration for all the Fargate tasks in an account, across an AWS organization, or only for tagged ECS clusters. A 30-day free trial starts for an account when an agent sends the telemetry to GuardDuty for the first time. EKS Runtime Monitoring is now a part of Runtime Monitoring. You can now migrate from using EKS Runtime Monitoring to Runtime Monitoring and your agent configuration will remain the same. Runtime Monitoring includes the same runtime finding types previously released for EKS Runtime Monitoring.

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty has incorporated new machine learning techniques to more accurately detect anomalous activities indicative of threats to your Amazon

Thu, 09 Nov 2023 11:07:50 GMT

Amazon GuardDuty has incorporated new machine learning techniques to more accurately detect anomalous activities indicative of threats to your Amazon Elastic Kubernetes Service (Amazon EKS) clusters.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: For all DNS_REQUEST findings a new finding field containing the finding's 'domain' truncated to the top level and second level domain is now available

Wed, 18 Oct 2023 16:03:25 GMT

For all DNS_REQUEST findings a new finding field containing the finding's 'domain' truncated to the top level and second level domain is now available. This new field called 'domainWithSuffix' is available for use in finding filters and suppression rules.

AWS Documentation

Raw SNS message

View on IAMTrail

NEW_FEATURES: Amazon GuardDuty announces a new capability in GuardDuty EKS Runtime Monitoring that allows you to selectively configure the EKS clusters that are to

Thu, 14 Sep 2023 18:57:37 GMT

Amazon GuardDuty announces a new capability in GuardDuty EKS Runtime Monitoring that allows you to selectively configure the EKS clusters that are to be monitored for threat detection.

AWS Documentation

Raw SNS message

View on IAMTrail