S3 Protection

S3 Protection Overview:

S3 Protection helps detect potential security risks like data exfiltration and destruction in Amazon S3 buckets. It uses Amazon GuardDuty to monitor AWS CloudTrail data events at the object level, identifying threats across all S3 buckets in your account.

How GuardDuty Works with S3 Protection:

  • Security Findings: GuardDuty generates findings based on suspicious object-level activities such as GetObject, PutObject, ListObjects, and DeleteObject API operations.

  • CloudTrail Data vs. Management Events:

    • Data events: Focus on object-level operations within S3.

    • Management events: Focus on management-level operations (e.g., creating or deleting buckets). Both are monitored by GuardDuty to detect threats.

  • Monitoring Scope: GuardDuty only monitors authenticated access to S3 objects using IAM or STS credentials. Public access (unauthenticated) events are ignored.

Enabling and Managing S3 Protection:

  • Enablement and Regional Scope: S3 Protection must be enabled for each Region where you use GuardDuty. It monitors only the buckets in the same Region where it is active.

  • Disabling: If S3 Protection is disabled, monitoring stops, and no further S3-specific findings will be generated.

Enabling S3 Protection for Multi-Account Environment

LogoEnabling S3 Protection in multiple-account environments - Amazon GuardDutyAmazon GuardDuty

Enabling S3 Protection Standalone account enviroment

LogoEnabling S3 Protection for a standalone account - Amazon GuardDutyAmazon GuardDuty
PreviousGuardDuty Finding ReferencesNextMalware Protection

Last updated