Control: 10 GuardDuty S3 Protection should be enabled
Description
This control checks whether GuardDuty S3 Protection is enabled. For a standalone account, the control fails if GuardDuty S3 Protection is disabled in the account. In a multi-account environment, the control passes only when the delegated GuardDuty administrator account and every member account have S3 Protection enabled; it fails if any one of them does not.
In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the S3 Protection feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty S3 Protection enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.
S3 Protection enables GuardDuty to monitor object-level API operations to identify potential security risks for data within your Amazon Simple Storage Service (Amazon S3) buckets. GuardDuty monitors threats against your S3 resources by analyzing AWS CloudTrail management events and CloudTrail S3 data events.
Remediation
To enable GuardDuty S3 Protection, see Amazon S3 Protection in Amazon GuardDuty in the Amazon GuardDuty User Guide.
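The description above has one non-obvious consequence: a suspended member still counts until it is disassociated, and only the delegated administrator can change a member's feature status. The following Python is an added example for this page, not code from the mod or from AWS. It re-implements the control's pass/fail decision on constructed detector data in the same shape as the features list the named query reads (GuardDuty's GetDetector / GetMemberDetectors Features entries), and shows the remediation as boto3 GuardDuty calls (update_detector, update_member_detectors, update_organization_configuration) issued through whatever client object you hand it. The member records, the account IDs and the RelationshipStatus values used to mean "suspended" and "disassociated" are assumptions for illustration.

```python
"""Evaluate and remediate GuardDuty S3 Protection the way control
GuardDuty.10 does: one detector for a standalone account, or the delegated
administrator's detector plus every still-associated member.

Added example for this page; not the mod's or AWS's own code. Feature
dicts mirror the `features` entries on aws_guardduty_detector. Member
records and the RelationshipStatus values ("Disabled" = suspended,
"Removed" = disassociated) are assumptions used for illustration.
"""
from dataclasses import dataclass

S3_FEATURE = "S3_DATA_EVENTS"


def s3_protection_enabled(features):
    """Same test as the named query's WHERE clause: an S3_DATA_EVENTS entry
    must exist with Status ENABLED. A missing entry counts as disabled."""
    return any(f.get("Name") == S3_FEATURE and f.get("Status") == "ENABLED"
               for f in features)


@dataclass
class Member:
    account_id: str
    features: list
    # Assumed GuardDuty RelationshipStatus values: "Enabled" = active,
    # "Disabled" = suspended (StopMonitoringMembers), "Removed" = disassociated.
    relationship_status: str = "Enabled"


def evaluate(admin_account_id, admin_features, members):
    """Return (status, reason, failing_accounts) in the mod's ok/alarm terms.
    For a standalone account pass members=[]."""
    failing = []
    if not s3_protection_enabled(admin_features):
        failing.append(admin_account_id)
    for m in members:
        if m.relationship_status == "Removed":
            continue  # disassociated: no longer part of the evaluation
        # A suspended ("Disabled") member is still associated and still
        # counts, which is why it fails the control until disassociated.
        if not s3_protection_enabled(m.features):
            failing.append(m.account_id)
    if failing:
        return "alarm", "S3 protection disabled in: " + ", ".join(failing), failing
    return ("ok",
            "S3 protection enabled for the administrator and all associated members.",
            [])


def remediate(client, detector_id, admin_account_id, admin_features, members):
    """Turn S3 Protection on wherever evaluate() found it off, using the
    delegated administrator's GuardDuty client (members cannot do this for
    themselves). Returns the account IDs that needed an update."""
    _, _, failing = evaluate(admin_account_id, admin_features, members)
    feature_on = [{"Name": S3_FEATURE, "Status": "ENABLED"}]
    member_ids = [a for a in failing if a != admin_account_id]
    if admin_account_id in failing:
        client.update_detector(DetectorId=detector_id, Features=feature_on)
    if member_ids:
        client.update_member_detectors(DetectorId=detector_id,
                                       AccountIds=member_ids,
                                       Features=feature_on)
    if failing:
        # Auto-enable for existing and future members so that a newly joined
        # account does not immediately regress the control.
        client.update_organization_configuration(
            DetectorId=detector_id,
            Features=[{"Name": S3_FEATURE, "AutoEnable": "ALL"}])
    return failing


def disassociate(members, account_id):
    """Model DisassociateMembers: the account drops out of evaluation."""
    return [Member(m.account_id, m.features, "Removed")
            if m.account_id == account_id else m for m in members]


# Constructed sample data (not real accounts or detectors).
ENABLED = [{"Name": S3_FEATURE, "Status": "ENABLED"}]
DISABLED = [{"Name": S3_FEATURE, "Status": "DISABLED"}]
MEMBERS = [
    Member("222222222222", ENABLED),
    Member("333333333333", DISABLED, relationship_status="Disabled"),  # suspended
]

if __name__ == "__main__":
    admin = "111111111111"
    print(evaluate(admin, ENABLED, [])[:2])       # standalone, enabled
    print(evaluate(admin, ENABLED, MEMBERS)[:2])  # suspended member fails it
    print(evaluate(admin, ENABLED, disassociate(MEMBERS, "333333333333"))[:2])
```

To run remediate() for real, pass `boto3.client("guardduty")` from the delegated administrator account and the detector ID from list-detectors; the fake client used in testing only records the calls.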
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_guardduty_10
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_guardduty_10 --share
SQL
This control uses a named query:
-- Detectors whose features list carries S3_DATA_EVENTS with Status ENABLED.
-- A detector with no such entry (or Status DISABLED) is absent from this CTE.
with s3_protection as (
  select
    arn
  from
    aws_guardduty_detector,
    jsonb_array_elements(features) as f
  where
    f ->> 'Name' = 'S3_DATA_EVENTS'
    and f ->> 'Status' = 'ENABLED'
)
select
  d.arn as resource,
  case
    when m.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when m.arn is not null then title || ' has S3 protection enabled.'
    else title || ' has S3 protection disabled.'
  end as reason,
  region,
  account_id
from
  aws_guardduty_detector as d
  -- left join keeps detectors without S3 protection so they surface as 'alarm'
  left join s3_protection as m on m.arn = d.arn;