# Document history for Amazon GuardDuty The following table describes important changes to the documentation since the last release of the *Amazon GuardDuty User Guide*. For notification about updates to this documentation, you can subscribe to an RSS feed. | Change | Description | Date | | --- |--- |--- | | [Updated functionality - Malware Protection for S3](#doc-history) | The EventBridge notification for S3 object scan results now includes a `statusReasons` field in `scanResultDetails` when a scan is skipped. This field provides the specific reason why the scan was skipped. For more information, see [S3 object potential scan status and result status](https://docs.aws.amazon.com/guardduty/latest/ug/monitoring-malware-protection-s3-scans-gdu.html#s3-object-scan-result-value-malware-protection). | April 10, 2026 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.9.2 for Amazon EC2 resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | April 3, 2026 | | [Updated AmazonGuardDutyServiceRolePolicy](#doc-history) | Added the `cloudtrail:CreateServiceLinkedChannel` permission to enable an additional mechanism for consuming AWS CloudTrail events. For more information, see [GuardDuty updates to AWS managed policies](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-updates). | March 25, 2026 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring Added support for Kubernetes version 1.35. For more information, see [Prerequisites for Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-prerequisites.html). | March 20, 2026 | | [New scoped-down full access policy `AmazonGuardDutyFullAccess_v2` replaces `AmazonGuardDutyFullAccess`.](#doc-history) | Effective **March 13, 2026**, GuardDuty has deprecated the `AmazonGuardDutyFullAccess` policy and replaced it with a scoped-down policy named `AmazonGuardDutyFullAccess_v2`. For more information, see [AWS managed policy: AmazonGuardDutyFullAccess\$1v2](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2). | March 13, 2026 | | [New finding type - CredentialAccess:IAMUser/CompromisedCredentials](#doc-history) | GuardDuty Introduces a new finding type that detects when an IAM access key observed to be potentially compromised is used to invoke API operations in AWS. For more information, see [CredentialAccess:IAMUser/CompromisedCredentials](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-compromisedcredentials). | March 6, 2026 | | [New finding type - UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS](#doc-history) | GuardDuty introduces a new finding type that detects when a host outside of AWS attempts to run AWS API operations using temporary AWS credentials that were created on an AWS Lambda resource in your AWS environment. For more information, see [UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws). | December 16, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.9.1 for Amazon EC2 resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | December 2, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases the new security agent version 1.12.1 for Amazon EKS resources. For more information about the new agent version and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | December 2, 2025 | | [Updated functionality - Extended Threat Detection](#doc-history) | GuardDuty Extended Threat Detection introduces two new attack sequence finding types, [AttackSequence:EC2/CompromisedInstanceGroup](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html) and [AttackSequence:ECS/CompromisedCluster](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html), that help detect multi-stage attacks involving compromised Amazon EC2 instances and Amazon ECS clusters. Enable Runtime Monitoring to [maximize threat detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html#extended-threat-detection-related-gdu-protection-plans). For more information, see [Attack sequence finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html). | December 2, 2025 | | [New feature - Wildcards in Suppression Rules](#doc-history) | GuardDuty has enhanced its suppression capabilities with the introduction of Matches and NotMatches Conditions that support wildcards. Customers can now use \$1 (to match any number of characters) and ? (to match at most 1 character) as wildcards when creating suppression rules. [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html). | December 2, 2025 | | [New feature - Amazon CloudWatch Usage Metrics Support](#doc-history) | GuardDuty introduces publishing usage metrics in Amazon CloudWatch for all protection plans, enabling customers to monitor usage. For more information, see [Monitoring GuardDuty Usage and Estimating Costs](https://docs.aws.amazon.com/guardduty/latest/ug/monitoring_costs.html) | November 25, 2025 | | [New finding type - DefenseEvasion:IAMUser/BedrockLoggingDisabled](#doc-history) | GuardDuty introduces a new finding type that detects when Amazon Bedrock model invocation logging is disabled, which may indicate attempts to evade detection of AI workload activity. For more information, see [DefenseEvasion:IAMUser/BedrockLoggingDisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-bedrockloggingdisabled). | November 21, 2025 | | [New feature - Malware Protection for Backup](#doc-history) | GuardDuty Malware Protection for Backup is now available in all commercial Regions where GuardDuty is available. This feature helps you detect the potential presence of malware in your backup resources through full and incremental scans of Amazon EBS snapshots, EC2 AMIs, and Recovery Points. For more information on this feature see [Malware Protection for Backup](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-backup.html) | November 19, 2025 | | [Change to AmazonGuardDutyFullAccess and AmazonGuardDutyFullAccess\$1V2](#doc-history) | Added permission that allows you to pass an IAM role to GuardDuty when you enable Malware Protection for Backup. | November 19, 2025 | | [New feature - Malware Protection for S3 on-demand scanning.](#doc-history) | GuardDuty announces Scan on Demand for Malware Protection for S3. Using this feature you can use the new SendObjectMalwareScan API to trigger scans on any already existing objects stored in your S3 buckets. For information, see [on-demand S3 malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-on-demand.html). | November 17, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.9.0 for Amazon ECS-AWS Fargate resources. For information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | October 28, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.9.0 for Amazon EC2 resources. For information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | October 23, 2025 | | [New Runtime Monitoring finding type - DefenseEvasion:Runtime/KernelModuleLoaded](#doc-history) | GuardDuty Runtime Monitoring introduces a new finding type that helps you identify defense evasion techniques where threat actors use kernel modules to bypass security controls, modify system operations, and gain persistent system access. For more information, see [DefenseEvasion:Runtime/KernelModuleLoaded](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-kernelmoduleloaded). | October 15, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | Added support for Kubernetes version 1.34 for the OS distributions and security agent version for GuardDuty SageMaker Role Manager for Amazon EKS resources. For more information, see [Validate architectural requirements for Amazon EKS](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-eks-support.html#validating-architecture-req-eks). | October 3, 2025 | | [Added troubleshooting guidance for Amazon RDS database issues](#doc-history) | Added guidance for resolving RDS database issues that can impact GuardDuty RDS Protection monitoring capabilities, including `storage-full` status and RDS for PostgreSQL read replica requirements. For more information, see [Troubleshooting RDS Protection monitoring issues](https://docs.aws.amazon.com/guardduty/latest/ug/troubleshooting-rds-protection-guardduty.html). | September 15, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | Added Ubuntu Noble OS distribution with support for kernel versions 6.13 and 6.14 for GuardDuty Runtime Monitoring for Amazon EC2. For information about EC2 agent version supported for this OS distribution, see [Validate architectural requirements for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#validating-architecture-req-ec2). | September 13, 2025 | | [Updated functionality - RDS Protection](#doc-history) | Added PostgreSQL 17 support for RDS for PostgreSQL databases monitored by GuardDuty RDS Protection. For more information, see [Supported databases](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html#rds-pro-supported-db) in RDS Protection. | September 13, 2025 | | [Updated functionality - Malware Protection for S3](#doc-history) | GuardDuty Malware Protection for S3 increases the **Extracted archive files** default quota from 1,000 to 10,000 files. For more information, see [Quotas in Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-quotas-guardduty.html). | September 3, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases the new security agent version 1.11 for Amazon EKS resources. For more information about the new agent version and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | August 29, 2025 | | [Updated functionality - Working with lists](#doc-history) | GuardDuty introduces custom trusted and threat entity lists that support both IP addresses and domain names. GuardDuty continues supporting IP address list and recommends using the entity list for custom threat detection. For more information, see [Customizing threat detection with entity lists and IP address lists](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html). | August 15, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases the new security agent version 1.8.0 for both Amazon EC2 and Amazon ECS-AWS Fargate resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | August 12, 2025 | | [Support for Asia Pacific (Taipei) Region](#doc-history) | Amazon GuardDuty is now available in the Asia Pacific (Taipei) (`ap-east-2`) Region. To enable GuardDuty in this Region, see [Getting started](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). You can receive notifications about updates to the GuardDuty features and threat detections by [Subscribing to Amazon SNS GuardDuty announcements](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html) in this Region. | July 31, 2025 | | [Updated functionality - Malware Protection for S3](#doc-history) | Malware Protection for S3 now supports scanning objects up to 100 GB, increased from 5 GB. This includes both individual objects and extracted archive files. For more information, see [Malware Protection for S3 quotas](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-quotas-guardduty.html). | July 23, 2025 | | [Updated functionality - Added expected bucket owner in trust IP and threat lists](#doc-history) | GuardDuty added the **Expected bucket owner** field for trusted IP and threat IP lists. In this optional field, you can specify an AWS account ID that GuardDuty will use to verify Amazon S3 bucket ownership. For more information, see [Working with trusted IP lists and threat lists](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html). | July 16, 2025 | | [Updated functionality - Extended Threat Detection](#doc-history) | GuardDuty Extended Threat Detection now expands support for Amazon EKS clusters by correlating multiple security signals across EKS audit logs, runtime behavior of processes, and AWS API activity. Enable EKS Protection, Runtime Monitoring (with EKS add-on), or both to [maximize threat detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html#extended-threat-detection-related-gdu-protection-plans). To identify potential threats, GuardDuty introduces a new finding type – [AttackSequence:EKS/CompromisedCluster](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html). For more information, see [Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html). | June 17, 2025 | | [Updated functionality - Malware Protection for S3](#doc-history) | Malware Protection for S3 doesn't support scanning archives with extremely high compression ratio. These files will be skipped during scanning and marked with a scan result of `UNSUPPORTED`. For more information, see [S3 object potential scan status and result status](https://docs.aws.amazon.com/guardduty/latest/ug/monitoring-malware-protection-s3-scans-gdu.html#s3-object-scan-result-value-malware-protection). | June 13, 2025 | | [Updated functionality - Malware Protection for EC2](#doc-history) | Malware Protection for EC2 has added support for scanning majority of instances with `productCode` as `marketplace`. This applies to both GuardDuty-initiated malware scan and On-demand malware scans. For more information, see [Reasons for skipping resource during malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-auditing-scan-logs.html). | June 13, 2025 | | [New AmazonGuardDutyFullAccess\$1v2 policy](#doc-history) | Added a new AmazonGuardDutyFullAccess\$1v2 policy with permissions to enhance security by restricting administrative actions to GuardDuty service principals. For information about this recommended policy, see [AWS managed policy: AmazonGuardDutyFullAccess\$1v2](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2). | June 4, 2025 | | [Expanded Region support for RDS Protection](#doc-history) | GuardDuty RDS Protection is now available in Mexico (Central), Asia Pacific (Thailand), and Asia Pacific (Malaysia) Regions. RDS Protection helps you detect potentially suspicious login behavior in supported Aurora MySQL, Aurora PostgreSQL (including Limitless Database), and RDS for PostgreSQL. In the event of threat detection, GuardDuty generates an RDS Protection finding. For more information about supported databases and enabling this protection plan in the newly supported Regions, see [RDS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html). | June 4, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.7.1 for Amazon EC2 resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | June 3, 2025 | | [Support for Extended Threat Detection](#doc-history) | GuardDuty Extended Threat Detection is now available in Asia Pacific (Thailand) (ap-southeast-7). With no activation needed, it detects multi-stage attacks that span data sources, multiple types of AWS resources, and time, within an AWS account. When potential threats are detected, it generates an attack sequence finding. For more information, see [Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html). | May 12, 2025 | | [Support for Mexico (Central) Region](#doc-history) | Amazon GuardDuty is now available in the Mexico (Central) (`mx-central-1`) Region. To enable GuardDuty in this Region, see [Getting started](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). You can receive notifications about updates to the GuardDuty features and threat detections by [Subscribing to Amazon SNS GuardDuty announcements](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html) in this Region. | May 7, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.10.0 for Amazon EKS resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | April 4, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.7.0 for Amazon ECS-Fargate resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | April 4, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.7.0 for Amazon EC2 resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | April 3, 2025 | | [Support for Asia Pacific (Thailand) Region](#doc-history) | Amazon GuardDuty is now available in the Asia Pacific (Thailand) Region. For information about which features are supported in this Region, see [Region-specific feature availability](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html#gd-regional-feature-availability). To enable GuardDuty in this Region, see [Getting started](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). You can receive notifications about updates to the GuardDuty features and threat detections by [Subscribing to Amazon SNS GuardDuty announcements](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html). | April 1, 2025 | | [Updated functionality](#doc-history) | The Summary dashboard now shows insights based on all the generated security findings, removing the previous 5,000 findings constraint. For information about these insights, see [GuardDuty Summary dashboard](https://docs.aws.amazon.com/guardduty/latest/ug/mguardduty-summary.html). | March 17, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agent version 1.9.0 for Amazon EKS resources. For more information about new agent versions and a list of additional resources to update your security agent, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | March 2, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring has added a new coverage issue type (Agent Not Provisioned) for Amazon EC2 resources. For information about troubleshooting this issue, see [Troubleshooting Amazon EC2 runtime coverage issues](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-assess-coverage-ec2.html#ec2-runtime-monitoring-coverage-issues-troubleshoot). | February 21, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring releases new security agents for Amazon EC2 and Amazon ECS-Fargate resources. For more information about new agent versions and a list of additional resources to update your security agents, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | February 6, 2025 | | [GuardDuty support in existing Asia Pacific (Malaysia) Region](#doc-history) | GuardDuty Extended Threat Detection is now available in the Asia Pacific (Malaysia) Region. For more information, see [Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html). | January 28, 2025 | | [Support for Asia Pacific (Malaysia) Region](#doc-history) | Amazon GuardDuty is now available in the Asia Pacific (Malaysia) Region. For information about which features are supported in this Region, see [Region-specific feature availability](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html#gd-regional-feature-availability). To enable GuardDuty in this Region, see [Getting started](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). You can receive notifications about updates to the GuardDuty features and threat detections by [Subscribing to Amazon SNS GuardDuty announcements](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html). | January 16, 2025 | | [Updated functionality - Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring has updated extra information and troubleshooting steps for Amazon ECS-Fargate coverage issues associated with *Agent not provisioned*. For more information about *Agent not provisioned* issue type, see [Troubleshooting Amazon ECS-Fargate runtime coverage issues](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-assess-coverage-ecs.html#ecs-runtime-monitoring-coverage-issues-troubleshoot). | January 8, 2025 | | [New finding type - Policy:IAMUser/ShortTermRootCredentialUsage](#doc-history) | GuardDuty introduces a new finding type that alerts you when restricted user credentials, created for the listed AWS accounts in your environment, are being used to make requests to AWS services. For more information, see [Policy:IAMUser/ShortTermRootCredentialUsage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-user-short-term-root-credential-usage). | January 8, 2025 | | [New feature - GuardDuty Extended Threat Detection](#doc-history) | GuardDuty announces Extended Threat Detection to detects multi-stage attack sequences that span GuardDuty foundational data sources and AWS resources in your AWS account, over a specific time period. At no additional cost, this capability is automatically enabled for all accounts that have enabled GuardDuty. This feature announces two new GuardDuty finding types, called [Attack sequence finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html). For more information, see [Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html). | December 1, 2024 | | [Enhanced cross-service functionality - Runtime Monitoring and Malware Protection for EC2](#doc-history) | Impact of new Amazon Elastic Kubernetes Service (Amazon EKS) features on Amazon GuardDuty features: Amazon EKS Auto Mode – Both Runtime Monitoring for Amazon EKS and Malware Protection for EC2 support this. Amazon EKS Hybrid Nodes – Both Runtime Monitoring for Amazon EKS and Malware Protection for EC2 don't support this. For more information, see [How Runtime Monitoring works with Amazon EKS clusters](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-eks.html) and [Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html). | December 1, 2024 | | [Updated functionality in Runtime Monitoring - Amazon EKS](#doc-history) | Runtime Monitoring released a new agent version 1.8.1 (*v1.8.1-eks-build.2*) for Amazon EKS resources. With this new agent version, GuardDuty extends Runtime Monitoring support for Amazon EKS resources that run on RedHat, CentOS, and Fedora. For more information, see [Validating architectural requirements](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-eks-support.html#eksrunmon-supported-platform-concepts). For information about release notes, see [GuardDuty security agent for Amazon EKS resources](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | November 23, 2024 | | [Updated functionality in Runtime Monitoring - Amazon EC2](#doc-history) | Runtime Monitoring released a new agent version 1.5.0 for Amazon EC2 resources. With this new agent version, GuardDuty extends Runtime Monitoring support for Amazon EC2 resources that run on RedHat, CentOS, and Fedora. For more information, see [Validating architectural requirements](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#runtime-monitoring-ec2-fedora-agent-support). For information about release notes, see [GuardDuty security agent for Amazon EC2 resources](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | November 20, 2024 | | [Updated functionality in Runtime Monitoring - Amazon ECS-Fargate](#doc-history) | Runtime Monitoring released a new agent version 1.5.0 for Amazon ECS-Fargate resources. For more information about release notes, see [GuardDuty security agent for AWS Fargate (Amazon ECS only)](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | November 14, 2024 | | [Updated functionality in Malware Protection for EC2](#doc-history) | GuardDuty Malware Protection for EC2 has added three Runtime Monitoring finding types to the list of [Findings that invoke GuardDuty-initiated malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/gd-findings-initiate-malware-protection-scan.html) on Amazon EC2 instances. Accounts that have enabled Malware Protection for EC2 will observe GuardDuty-initiated malware scan when GuardDuty generates any of the following findings: [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-malicious-file-executed](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-malicious-file-executed) [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created) [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilegeesc-runtime-elevation-to-root](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilegeesc-runtime-elevation-to-root) | November 7, 2024 | | [Updated functionality in RDS Protection](#doc-history) | GuardDuty RDS Protection adds the newly released [Aurora PostgreSQL Limitless Database](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/limitless.html) engine version `16.4-limitless` to the list of supported databases. For AWS accounts that have already enabled RDS Protection, GuardDuty will automatically start monitoring the login behavior for the Limitless Database. Accounts that have already consumed the 30-day free trial for RDS Protection will incur usage cost associated with Limitless Database, along with other supported databases that are monitored. For more information, see [RDS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html). | November 6, 2024 | | [Region expansion ‐ GuardDuty and AWS PrivateLink integration](#doc-history) | GuardDuty now extends Region support for [Amazon GuardDuty and interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/guardduty/latest/ug/security-vpc-endpoints.html). Earlier, the Region support was available for US East (N. Virginia), Europe (Ireland), and Israel (Tel Aviv). This support is now extended to all the AWS Regions where GuardDuty is available. For more information on regional differences, see [Region-specific feature availability](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html#gd-regional-feature-availability). | November 6, 2024 | | [Updated functionality in Runtime Monitoring - Amazon ECS-Fargate](#doc-history) | Runtime Monitoring released a new agent version 1.4.1 for Amazon ECS-Fargate resources. For more information about release notes, see [GuardDuty security agent for AWS Fargate (Amazon ECS only)](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | October 24, 2024 | | [Added support for GuardDuty CloudFormation tag operations](#doc-history) | GuardDuty now supports updating tag key and value, and stack-level tags. To do this, add `guardduty:tagResource` permission to the IAM role. For information about GuardDuty CloudFormation, see [Amazon GuardDuty resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_GuardDuty.html) in the *AWS CloudFormation User Guide*. | October 24, 2024 | | [Updated functionality in GuardDuty Malware Protection for S3](#doc-history) | When enabling malware protection for S3, you can choose a service role that has the necessary permissions to perform malware scan actions on your behalf. For more information about enabling Malware Protection for S3, see [Configuring Malware Protection for S3 for your S3 bucket](https://docs.aws.amazon.com/guardduty/latest/ug/configuring-malware-protection-for-s3-guardduty). | October 22, 2024 | | [Updated functionality](#doc-history) | GuardDuty enhances the [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) finding type to detect the use of Amazon EC2 instance AWS credentials from VPC endpoints (AWS PrivateLink) in AWS accounts that are not associated with the Amazon EC2 instance role. This new GuardDuty capability detects potential Amazon EC2 instance credential misuse and provides context of the remote AWS account using the exfiltrating session credentials. For more information about AWS service endpoints supported by this new detection, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide*. | October 21, 2024 | | [Updated functionality - GuardDuty Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring added the following three finding types that notify you when suspicious commands are executed on an Amazon EC2 instance or container workload within your AWS environment: [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#discovery-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#discovery-runtime-suspicious-command) [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#persistence-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#persistence-runtime-suspicious-command) [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilege-escalation-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilege-escalation-runtime-suspicious-command) | October 10, 2024 | | [New feature ‐ Added support for VPC endpoints](#doc-history) | GuardDuty is now integrated with AWS PrivateLink and supports VPC endpoints. For more information about the AWS PrivateLink integration, see [Amazon GuardDuty and interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/guardduty/latest/ug/security-vpc-endpoints.html). | September 17, 2024 | | [Updated functionality in Runtime Monitoring - Amazon EKS](#doc-history) | Runtime Monitoring released a new agent version 1.7.1 for Amazon EKS resources. For more information about release notes, see [GuardDuty security agent for Amazon EKS](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | September 13, 2024 | | [Updated functionality in Malware Protection for S3](#doc-history) | Malware Protection for S3 added a new field, `s3Throttled`, to the S3 object scan result Amazon EventBridge (EventBridge) schema. The `s3Throttled` field indicates whether or not there was a delay in uploading or retrieving storage from Amazon Simple Storage Service (Amazon S3) buckets. For more information, see [Monitoring S3 object scans with Amazon EventBridge](https://docs.aws.amazon.com/guardduty/latest/ug/monitor-with-eventbridge-s3-malware-protection.html). | September 13, 2024 | | [Updated functionality in Runtime Monitoring - Amazon EC2](#doc-history) | Runtime Monitoring released a new agent version 1.3.1 for Amazon EC2 resources. For more information about release notes, see [GuardDuty security agent for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | September 12, 2024 | | [Updated functionality in Runtime Monitoring - Amazon ECS-Fargate](#doc-history) | Runtime Monitoring released a new agent version 1.3.1 for Amazon ECS-Fargate resources. For more information about release notes, see [GuardDuty security agent for AWS Fargate (Amazon ECS only)](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | September 11, 2024 | | [Updated GuardDuty service-linked role (SLR)](#doc-history) | GuardDuty has updated the SLR to include the `ec2:Describe:Vpcs` permission in the Amazon EC2 actions. For more information, see [Service-linked role permissions for GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html). | August 22, 2024 | | [Significant content addition](#doc-history) | GuardDuty added significant content updates to the Malware Protection for S3 feature. Added new examples of sample notification schema to set up Amazon EventBridge rules to receive notification related to **Malware Protection plan resource status** and **S3 object scan result**. For more information, see [Monitoring S3 object scans with Amazon EventBridge](https://docs.aws.amazon.com/guardduty/latest/ug/monitor-with-eventbridge-s3-malware-protection.html). Added information about [Troubleshooting S3 object post-scan tag failures](https://docs.aws.amazon.com/guardduty/latest/ug/troubleshoot-s3-post-scan-tag-failures.html). | August 20, 2024 | | [Updated functionality in GuardDuty Runtime Monitoring - Amazon EC2](#doc-history) | Runtime Monitoring released a new agent version 1.3.0 for Amazon EC2 resources. For more information about release notes, see [GuardDuty security agent for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | August 19, 2024 | | [Updated functionality in GuardDuty Runtime Monitoring - Amazon EKS](#doc-history) | Runtime Monitoring released a new agent version 1.7.0 for Amazon EKS resources. For more information about release notes, see [GuardDuty security agent for Amazon EKS clusters](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html). | August 17, 2024 | | [Significant content addition](#doc-history) | GuardDuty added new information about malware detection methodology and scan engines that it uses for the Malware Protection for S3 and Malware Protection for EC2 features. For more information, see [GuardDuty malware detection scan engine](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-malware-detection-scan-engine.html). | August 15, 2024 | | [New feature ‐ Protecting AI workloads](#doc-history) | GuardDuty foundational threat detection and Lambda Protection helps you to better secure and detect threats to AI workloads built on AWS. For more information, see [Protecting AI workloads with GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/ai-protection.html). | August 14, 2024 | | [Updated functionality in GuardDuty Runtime Monitoring - Fargate (Amazon ECS only)](#doc-history) | Runtime Monitoring released a new agent version 1.3.0 for AWS Fargate (Amazon ECS only) resources. For more information about release notes, see [GuardDuty security agent for Fargate-ECS](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#ecs-gdu-agent-release-history). | August 9, 2024 | | [Updated functionality - Malware Protection for S3](#doc-history) | GuardDuty Malware Protection for S3 increases the maximum number of S3 buckets quota from 10 to 25 buckets. This quota applies to an AWS account per each AWS Region. For more information, see [Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html). | August 8, 2024 | | [Updated - New finding types in Runtime Monitoring](#doc-history) | GuardDuty has added two new Runtime Monitoring finding types that will help you detect threats involving suspicious shell creation on the monitored resource, and privilege escalation where a process suspiciously elevates its privileges to root. [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created) [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilegeesc-runtime-elevation-to-root](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilegeesc-runtime-elevation-to-root) | August 6, 2024 | | [Updated - Integrating with AWS Security Hub CSPM](#doc-history) | AWS Security Hub CSPM provides a list of GuardDuty security controls to evaluate your resources, and check your compliance against security industry standards and best practices. For more information, see [Using GuardDuty controls in Security Hub CSPM](https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration-using-guardduty-controls.html). | July 11, 2024 | | [Updated GuardDuty tester script for findings](#doc-history) | GuardDuty now supports over 100 findings with different AWS resources in a dedicated account. For more information, see [Test GuardDuty findings in dedicated accounts](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-scripts.html). | June 28, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring released a new security agent version 1.2.0 for the Amazon EC2 resource. For information about release notes, see [GuardDuty security agent for Amazon EC2 instance](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#ec2-gdu-agent-release-history). For information about updating the security agent to this release version manually, see [Managing security agent manually for Amazon EC2 instance](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ec2-manually.html). | June 13, 2024 | | [New feature - Malware Protection for S3 Region availability](#doc-history) | GuardDuty Malware Protection for S3 is now available in all the commercial Regions where GuardDuty is available. This feature helps you scan newly uploaded objects to Amazon S3 buckets for potential malware and suspicious uploads, and take action to isolate them before they are ingested into downstream processes. For information about enabling Malware Protection for S3, see [GuardDuty Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html). | June 12, 2024 | | [New feature - Malware Protection for S3](#doc-history) | GuardDuty announces general availability of Malware Protection for S3 that helps you scan newly uploaded objects to Amazon S3 buckets for potential malware and suspicious uploads, and take action to isolate them before they are ingested into downstream processes. This feature is fully managed by AWS. GuardDuty publishes the S3 object scan result to your EventBridge default event bus. You can allow GuardDuty to add tags to your scanned S3 objects. You can build downstream workflows, such as isolation to a quarantine bucket, or define bucket policies using tags that prevent users or applications from accessing certain objects. For more information, see [GuardDuty Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html). Presently, it is available in the following Regions: US East (N. Virginia) US East (Ohio) US West (Oregon) Europe (Ireland) Europe (Frankfurt) Europe (Stockholm) Asia Pacific (Sydney) Asia Pacific (Tokyo) Asia Pacific (Singapore) | June 11, 2024 | | [Updated AmazonGuardDutyFullAccess policy](#doc-history) | Added permission that allows you to pass an IAM role to GuardDuty when you enable Malware Protection for S3. For more information about this policy update, see [AWS managed policy: AmazonGuardDutyFullAccess](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2). | June 10, 2024 | | [Updated functionality in GuardDuty RDS Protection](#doc-history) | RDS Protection extends support to monitor the login activity on your RDS for PostgreSQL databases. As part of this expansion, GuardDuty will automatically begin monitoring login data from RDS for PostgreSQL databases for accounts that have already enabled GuardDuty RDS Protection. For more information, see [RDS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html). | June 6, 2024 | | [Updated functionality in GuardDuty Runtime Monitoring - Fargate (Amazon ECS only)](#doc-history) | Runtime Monitoring released a new agent version 1.2.0 for AWS Fargate (Amazon ECS only) resources. For more information about release notes, see [GuardDuty security agent for Fargate-ECS](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#ecs-gdu-agent-release-history). | May 31, 2024 | | [Updated functionality in GuardDuty Malware Protection for EC2](#doc-history) | For each Amazon EBS volume that is attached to your Amazon EC2 instances and container workloads, GuardDuty Malware Protection for EC2 has increased the size of the EBS volume that it scans to up to 2048 GB. For information about scanning Amazon EBS volumes attached to your instances, see [GuardDuty Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html). | May 29, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring for Amazon ECS-Fargate resources now supports detecting potential threats on your tasks launched by AWS Batch and AWS CodePipeline. For more information, see [How Runtime Monitoring works with Fargate (Amazon ECS only)](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-ecs-fargate.html). | May 28, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring released a new agent version 1.6.1 for Amazon EKS resources. For information about release notes, see [EKS add-on agent release history](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#eks-runtime-monitoring-agent-release-history). | May 14, 2024 | | [Expanded Region support for Runtime Monitoring](#doc-history) | GuardDuty expands the support for Runtime Monitoring to the Canada West (Calgary) Region. For information about getting started with Runtime Monitoring, see [Enabling Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html). | May 7, 2024 | | [Expanded Region support for RDS Protection](#doc-history) | GuardDuty expands RDS Protection support to the following AWS Regions: Canada West (Calgary) Asia Pacific (Hyderabad) Europe (Spain) Europe (Zurich) Middle East (UAE) Israel (Tel Aviv) Asia Pacific (Melbourne) For information about enabling this feature, see [RDS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html). | May 3, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring released a new agent version 1.1.0 for AWS Fargate (Amazon ECS only) resources. For more information about release notes, see [GuardDuty security agent for Fargate-ECS](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#ecs-gdu-agent-release-history). | May 1, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring released a new agent version 1.6.0 for Amazon EKS resources. For information about release notes, see [EKS add-on agent release history](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#eks-runtime-monitoring-agent-release-history). | April 29, 2024 | | [Support for IPAddressv6](#doc-history) | GuardDuty has added IPAddressv6 support for both local and remote IP details. You can use the associated [Filter attributes](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html) to filter GuardDuty findings or [create suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html). | April 18, 2024 | | [Updated console experience to configure exporting findings](#doc-history) | GuardDuty has updated the console experience to export the findings generated in your AWS accounts, to an Amazon S3 bucket. For more information, see [Exporting GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings). | April 1, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring released a new security agent version 1.1.0 for the Amazon EC2 resource. This version supports GuardDuty automated agent configuration in Runtime Monitoring for Amazon EC2 instances. For information about release notes, see [GuardDuty security agent for Amazon EC2 instance](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#ec2-gdu-agent-release-history). | March 28, 2024 | | [General availability of Runtime Monitoring for Amazon EC2 instances](#doc-history) | GuardDuty announces general availability(GA) of Runtime Monitoring for Amazon EC2 instances. Now, you have an option to [enable automated agent configuration](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ec2-automated.html) that permits GuardDuty to install and manage the security agent for your Amazon EC2 instances on your behalf. With GuardDuty automated agent, you can also use inclusion or exclusion tags to inform GuardDuty to install and manage the security agent on selected Amazon EC2 instances only. For more information, see [How Runtime Monitoring works with Amazon EC2 instances](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-ec2.html). List of new finding types released along with this GA [Execution:Runtime/SuspiciousTool](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicioustool) [Execution:Runtime/SuspiciousCommand](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspiciouscommand) [DefenseEvasion:Runtime/SuspiciousCommand](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-suspicious-command) [DefenseEvasion:Runtime/PtraceAntiDebugging](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-ptrace-anti-debug) [Execution:Runtime/MaliciousFileExecuted](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-malicious-file-executed) | March 28, 2024 | | [Amazon GuardDuty has updated the Service-linked role (SLR)](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) | Use AWS Systems Manager actions to manage SSM associations on Amazon EC2 instances when you enable GuardDuty Runtime Monitoring with automated agent for Amazon EC2. When GuardDuty automated agent configuration is disabled, GuardDuty considers only those EC2 instances that have an inclusion tag (`GuardDutyManaged`:`true`). The following list shows the new permissions: 
"ssm:DescribeAssociation",
"ssm:DeleteAssociation",
"ssm:UpdateAssociation",
"ssm:CreateAssociation",
"ssm:StartAssociationsOnce",
"ssm:AddTagsToResource",
"ssm:CreateAssociation",
"ssm:UpdateAssociation",
"ssm:SendCommand",
"ssm:GetCommandInvocation"
| March 26, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | With the latest GuardDuty security agent (add-on) v1.5.0 release for Amazon EKS, Runtime Monitoring now supports configuring specific parameters of your GuardDuty security agent, such as CPU and memory settings, `PriorityClass` settings, and DNS policy settings. For more information, see [Configuring GuardDuty security agent (EKS add-on) parameters](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-configure-security-agent-eks-addon.html). | March 7, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring released a new agent version 1.5.0 for Amazon EKS resources. For information about release notes, see [EKS add-on agent release history](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#eks-runtime-monitoring-agent-release-history). | March 7, 2024 | | [Support for Canada West (Calgary)](#doc-history) | Amazon GuardDuty is now available in the Canada West (Calgary) Region. Some of the protection plans within GuardDuty might not be available in this Region. For the latest information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | March 6, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | The GuardDuty security agent versions 1.0.0 and 1.1.0 for Amazon EKS clusters will no longer be supported starting May 14, 2024. For information about what steps you can take before the end of standard support, see [GuardDuty security agent for Amazon EKS clusters](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#eks-runtime-monitoring-agent-release-history). | February 16, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring supports the latest [Kubernetes version 1.29](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions-standard.html) with the existing security agent version 1.4.1. The support has been available since the launch of this Kubernetes version. For information about supported Kubernetes versions, see [Kubernetes versions supported by GuardDuty security agent](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-eks-support.html#gdu-agent-supported-k8-version). | February 16, 2024 | | [Updated functionality in Runtime Monitoring - Regional availability](#doc-history) | GuardDuty Runtime Monitoring now supports shared Amazon VPC within the same AWS Organizations. [GuardDuty service-linked role (SLR)](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) has a new permission – `organizations:DescribeOrganization` that helps retrieving the organization ID for the shared Amazon VPC account to set the endpoint policy. For information about prerequisites to using a shared Amazon VPC endpoint in Runtime Monitoring, see [Support for shared Amazon VPC](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-shared-vpc.html). This capability is available in all the Regions where GuardDuty supports Runtime Monitoring. | February 12, 2024 | | [Updated functionality in Runtime Monitoring - Regional availability](#doc-history) | GuardDuty Runtime Monitoring now supports shared Amazon VPC within the same AWS Organizations. [GuardDuty service-linked role (SLR)](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) has a new permission – `organizations:DescribeOrganization` that helps retrieving the organization ID for the shared Amazon VPC account to set the endpoint policy. For information about prerequisites to using a shared Amazon VPC endpoint in Runtime Monitoring, see [Support for shared Amazon VPC](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-shared-vpc.html). Presently, this capability is available in some of the AWS Regions. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | February 9, 2024 | | [Updated functionality with support for new AWS Regions – Malware Protection for EC2](#doc-history) | Malware Protection for EC2 now supports scanning the EBS volumes encrypted with AWS managed keys in the US West (Oregon) Region. | February 6, 2024 | | [Updated functionality with support for new AWS Regions – Malware Protection for EC2](#doc-history) | Malware Protection for EC2 now supports scanning the EBS volumes encrypted with AWS managed keys in the [following AWS Regions:](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) Asia Pacific (Singapore) (`ap-southeast-1`) Europe (Frankfurt) (`eu-central-1`) Asia Pacific (Osaka) (`ap-northeast-3`) US East (Ohio) (`us-east-2`) Europe (Milan) (`eu-south-1`) Asia Pacific (Tokyo) (`ap-northeast-1`) Asia Pacific (Seoul) (`ap-northeast-2`) Canada (Central) (`ca-central-1`) Europe (Ireland) (`eu-west-1`) US East (N. Virginia) (`us-east-1`) | February 5, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring has released a new GuardDuty security agent version (v1.0.2) for Amazon EC2 instances. This agent version includes support for the latest Amazon ECS AMIs. For more information about agent release history, see [GuardDuty security agent for Amazon EC2 instances](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#ec2-gdu-agent-release-history). | February 2, 2024 | | [Updated functionality with support for new AWS Regions – Malware Protection for EC2](#doc-history) | Malware Protection for EC2 now supports scanning the Amazon EBS volumes encrypted with AWS managed keys in the [following AWS Regions:](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) Europe (London) (`eu-west-2`) Europe (Stockholm) (`eu-north-1`) Asia Pacific (Hong Kong) (`ap-east-1`) Africa (Cape Town) (`af-south-1`) Middle East (Bahrain) (`me-south-1`) Asia Pacific (Hyderabad) (`ap-south-2`) Europe (Spain) (`eu-south-2`) Asia Pacific (Melbourne) (`ap-southeast-4`) Asia Pacific (Sydney) (`ap-southeast-2`) Israel (Tel Aviv) (`il-central-1`) | January 31, 2024 | | [Updated Managing accounts with AWS Organizations](#doc-history) | Reorganized the content under [Managing accounts with AWS Organizations.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html), added steps to change the delegated GuardDuty administrator account, and updated [Understanding the relationship between GuardDuty administrator account and member accounts](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html#administrator_member_relationships). | January 30, 2024 | | [Updated functionality with support for new AWS Regions](#doc-history) | Malware Protection for EC2 now supports scanning the EBS volumes encrypted with AWS managed keys in the [following AWS Regions:](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) Asia Pacific (Jakarta) (`ap-southeast-3`) US West (N. California) (`us-west-1`) Middle East (UAE) (`me-central-1`) Europe (Zurich) (`eu-central-2`) Asia Pacific (Mumbai) (`ap-south-1`) South America (São Paulo) (`sa-east-1`) | January 29, 2024 | | [Updated functionality in Malware Protection for EC2](#doc-history) | Malware Protection for EC2 now supports scanning the EBS volumes encrypted using AWS managed keys. [Malware Protection for EC2 service-linked role (SLR)](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions-malware-protection.html) has two new permissions – `GetSnapshotBlock` and `ListSnapshotBlocks`. These permissions will help GuardDuty fetch the snapshot of an EBS volume (encrypted using AWS managed key) from your AWS account and copy it to the [GuardDuty service account](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-service-account-region-list.html) before starting the malware scan. Presently, this functionality is available in Europe (Paris) (`eu-west-3`) only. For more information, see [Supported volumes for malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malpro-supported-volumes.html). | January 25, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | GuardDuty Runtime Monitoring has released a new GuardDuty security agent version (v1.0.1) with general performance tuning and enhancements. For more information about agent release history, see [GuardDuty security agent for Amazon EC2 instances](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#ec2-gdu-agent-release-history). | January 23, 2024 | | [Updated functionality in Runtime Monitoring](#doc-history) | Runtime Monitoring released a new agent version 1.4.1 for Amazon EKS resources. For more information, see [EKS add-on agent release history](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#eks-runtime-monitoring-agent-release-history). | January 16, 2024 | | [Runtime Monitoring released new agent v1.4.0 for Amazon EKS resources](#doc-history) | Runtime Monitoring released a new agent version 1.4.0 for Amazon EKS resources. For more information, see [EKS add-on agent release history](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html#eks-runtime-monitoring-agent-release-history). | December 21, 2023 | | [Added S3 and AWS CloudTrail machine learning (ML)-based findings types to the Europe (Zurich) , Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), and Israel (Tel Aviv)](#doc-history) | The following S3 and CloudTrail findings that identify the anomalous behavior using the GuardDuty's anomaly detection machine learning (ML) model are now available in the Europe (Zurich) , Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), and Israel (Tel Aviv) Regions: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-s3-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior) | December 21, 2023 | | [GuardDuty supports 50,000 member accounts through AWS Organizations](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) | A delegated GuardDuty administrator can now manage a maximum of 50,000 member accounts through AWS Organizations. This also includes a maximum of 5000 member accounts that associated with the GuardDuty administrator account by invitation. | December 20, 2023 | | [[GuardDuty Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html) support expanded to 19 AWS Regions](#doc-history) | Runtime Monitoring is now available in Asia Pacific (Jakarta), Europe (Paris), Asia Pacific (Osaka), Asia Pacific (Seoul), Middle East (Bahrain), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), US West (N. California), Europe (London), Asia Pacific (Hong Kong), Europe (Milan), Middle East (UAE), South America (São Paulo), Asia Pacific (Mumbai), Canada (Central), Africa (Cape Town), Europe (Zurich). | December 6, 2023 | | [GuardDuty expands Runtime Monitoring capability](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html) | In addition to detecting threats to your Amazon EKS clusters, GuardDuty announces general availability of Runtime Monitoring to detect threats to your Amazon ECS workloads and a preview release to detect threats to your Amazon EC2 instances. For more information about which AWS Regions presently support Runtime Monitoring, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | November 26, 2023 | | [Amazon GuardDuty has updated the Service-linked role (SLR)](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) | GuardDuty has added new permissions to use Amazon ECS actions to manage and retrieve information about the Amazon ECS clusters, and manage the Amazon ECS account setting with `guarddutyActivate`. The actions pertaining to Amazon ECS also retrieve the information about the tags associated with GuardDuty. The following permissions have been added as a part of GuardDuty expanding the [Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html) capability: 
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:PutAccountSettingDefault"
| November 26, 2023 | | [Updated the AWS managed policies](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-updates) | GuardDuty added a new permission, `organizations:ListAccounts` to the [AWS managed policy: AmazonGuardDutyFullAccess](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) and [https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyReadOnlyAccess](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyReadOnlyAccess). | November 16, 2023 | | [GuardDuty released new finding types that use EKS Audit Log Monitoring.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html) | EKS Audit Log Monitoring now supports the following finding types in Asia Pacific (Melbourne)(`ap-southeast-4`). CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated Execution:Kubernetes/AnomalousBehavior.ExecInPod PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed\$1PrivilegedContainer PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed\$1ContainerWithSensitiveMount Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated Discovery:Kubernetes/AnomalousBehavior.PermissionChecked | November 11, 2023 | | [GuardDuty released new finding types that use EKS Audit Log Monitoring.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html) | EKS Audit Log Monitoring now supports the following finding types in Asia Pacific (Hyderabad) (`ap-south-2`), Europe (Zurich) (`eu-central-2`), and Europe (Spain) (`eu-south-2`) Regions. CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated Execution:Kubernetes/AnomalousBehavior.ExecInPod PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed\$1PrivilegedContainer PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed\$1ContainerWithSensitiveMount Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated Discovery:Kubernetes/AnomalousBehavior.PermissionChecked | November 10, 2023 | | [GuardDuty released new finding types that use EKS Audit Log Monitoring.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html) | EKS Audit Log Monitoring now supports the following finding types. These finding types are not yet available in Asia Pacific (Hyderabad) (`ap-south-2`), Europe (Zurich) (`eu-central-2`), Europe (Spain) (`eu-south-2`), and Asia Pacific (Melbourne) (`ap-southeast-4`) Regions. CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated Execution:Kubernetes/AnomalousBehavior.ExecInPod PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed\$1PrivilegedContainer PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed\$1ContainerWithSensitiveMount Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated Discovery:Kubernetes/AnomalousBehavior.PermissionChecked | November 8, 2023 | | [EKS Runtime Monitoring released new agent v1.3.1](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html) | EKS Runtime Monitoring released a new agent version 1.3.1 that includes important security patches and updates. | October 23, 2023 | | [New filter attribute for finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) | GuardDuty has added a new criteria to filter the generated findings. DNS request domain suffix provides the second- and top-level domain involved in the activity that prompted GuardDuty to generate the finding. | October 17, 2023 | | [EKS Runtime Monitoring released new agent v1.3.0 that supports Kubernetes version 1.28](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html) | EKS Runtime Monitoring released a new agent version 1.3.0 that supports Kubernetes version 1.28. Added support for Ubuntu. For more information, see [EKS add-on agent release history](https://docs.aws.amazon.com/guardduty/latest/ug/eks-runtime-monitoring-agent-release-history.html). | October 5, 2023 | | [Added S3 and AWS CloudTrail machine learning (ML)-based findings types to the Asia Pacific (Jakarta) and Middle East (UAE) Regions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) | The following S3 and CloudTrail findings that identify the anomalous behavior using the GuardDuty's anomaly detection machine learning (ML) model are now available in the Asia Pacific (Jakarta) and Middle East (UAE) Regions: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-s3-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior) | September 20, 2023 | | [GuardDuty EKS Runtime Monitoring introduces managing GuardDuty security agent at the cluster level](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html) | EKS Runtime Monitoring adds support to manage the GuardDuty security agent for individual EKS clusters to monitor the runtime events from only these selective clusters. EKS Runtime Monitoring extends this capability with the support of tags. | September 13, 2023 | | [GuardDuty Malware Protection for EC2 extends support to more AWS Regions](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html) | Malware Protection for EC2 is now available in Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Zurich), and Europe (Spain). | September 11, 2023 | | [GuardDuty is now available in Israel (Tel Aviv) Region](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty) | Added Israel (Tel Aviv) Region to the list of AWS Regions where GuardDuty is now available. The following protection plans are also available in the Israel (Tel Aviv) Region: [EKS Protection](kubernetes-protection.md) includes both EKS Audit Log Monitoring and EKS Runtime Monitoring. [Lambda Protection](lambda-protection.md). [Malware Protection for EC2](malware-protection.md). [S3 Protection](s3-protection.md). For more information about protection plan availability in the Israel (Tel Aviv) Region, see [Regions and endpoints](guardduty_regions.md). | August 24, 2023 | | [GuardDuty added auto-enable configuration for your organization at protection plan level](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html#step-2-configure-auto-enable-console) | Update organization configuration for the protection plans in your Region. Possible configuration options are either enable for all accounts, auto-enable for new accounts, or do not auto-enable for any account in your organization. | August 16, 2023 | | [S3 finding types which identify anomalous behavior using GuardDuty's anomaly detection machine learning (ML) model are now available in Asia Pacific (Osaka)](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html) | The following findings types are now available in the Asia Pacific (Osaka) Region: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior) | August 10, 2023 | | [EKS Runtime Monitoring is now available in Asia Pacific (Melbourne)](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html) | EKS Runtime Monitoring within GuardDuty EKS Protection provides runtime threat detection for your Amazon EKS clusters in AWS environment. It is now supported in the Asia Pacific (Melbourne) Region. | August 8, 2023 | | [Updated the list of GuardDuty findings that invoke GuardDuty-initiated malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/gd-findings-initiate-malware-protection-scan.html) | Certain EKS Runtime Monitoring finding types can now invoke GuardDuty-initiated malware scan in your AWS account. | July 19, 2023 | | [GuardDuty supports 10,000 member accounts through AWS Organizations](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) | A GuardDuty administrator account can now manage a maximum of 10,000 member accounts through AWS Organizations. This also includes a maximum of 5000 member accounts that associated with the GuardDuty administrator account by invitation. | June 29, 2023 | | [EKS Runtime Monitoring announces three new finding types.](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html) | EKS Runtime Monitoring supports three new finding types that are based on the process injection technique. The new finding types are DefenseEvasion:Runtime/ProcessInjection.Proc, DefenseEvasion:Runtime/ProcessInjection.Ptrace, and DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite. | June 22, 2023 | | [EKS Runtime Monitoring released new agent v1.2.0 that supports Kubernetes version 1.27](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html) | EKS Runtime Monitoring released a new agent version 1.2.0 that also supports ARM64-based instances. Added support for Bottlerocket. For more information, see [EKS add-on agent release history](https://docs.aws.amazon.com/guardduty/latest/ug/eks-runtime-monitoring-agent-release-history.html). | June 16, 2023 | | [GuardDuty console provides a summarized view of your findings.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-summary.html) | The summary dashboard in the GuardDuty console provides an aggregated view of the GuardDuty findings. Presently, the dashboard displays data through various widgets for the last 10,000 findings generated for your account (or member accounts if you're a GuardDuty administrator account) for the current Region. | June 12, 2023 | | [EKS Audit Log Monitoring is now available in Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Zurich), and Europe (Spain)](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html) | Enable EKS Audit Log Monitoring (in EKS Protection) for your accounts to monitor EKS audit logs from your Amazon EKS clusters and analyze them for potentially malicious and suspicious activity. | June 1, 2023 | | [EKS Audit Log Monitoring is now available in Middle East (UAE)](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html) | EKS Audit Log Monitoring is now available in Middle East (UAE). Enable EKS Audit Log Monitoring for your accounts to monitor EKS audit logs from your Amazon EKS clusters and analyze them for potentially malicious and suspicious activity. | May 3, 2023 | | [GuardDuty Malware Protection for EC2 announces On-demand malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html) | Malware Protection for EC2 helps you detect the potential presence of malware in the Amazon EBS volumes attached to your Amazon EC2 instances and container workloads. It now offers two types of scans – GuardDuty initiated and on-demand. GuardDuty-initiated malware scan initiates an agentless scan in the Amazon EBS volumes automatically only when GuardDuty generates one of the [Findings that invoke GuardDuty-initiated malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/gd-findings-initiate-malware-protection-scan.html). You can initiate an On-demand malware scan for Amazon EC2 instances in your account by providing the Amazon Resource Name (ARN) associated to that Amazon EC2 instance. For more information about how both the scan types differ, see [Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html). [GuardDuty-initiated malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan.html) [On-demand malware scan](https://docs.aws.amazon.com/guardduty/latest/ug/on-demand-malware-scan.html) | April 27, 2023 | | [GuardDuty announces Lambda Protection](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html) | Lambda Protection helps you identify potential security threats in your AWS Lambda functions. [Lambda Protection finding types](lambda-protection-finding-types.md) [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md) | April 20, 2023 | | [GuardDuty is now available in the Asia Pacific (Melbourne) Region](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Added Asia Pacific (Melbourne) to the list of AWS Regions where GuardDuty is available. For information about which features are available in this Region, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | April 19, 2023 | | [GuardDuty added 3 new EC2 findings types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html) | GuardDuty introduces new finding types to detect the use of external DNS resolvers and encrypted DNS technologies. For information about AWS Regions where these finding types are supported, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). [DefenseEvasion:EC2/UnusualDNSResolver](guardduty_finding-types-ec2.md#defenseevasion-ec2-unusualdnsresolver) [DefenseEvasion:EC2/UnusualDoHActivity](guardduty_finding-types-ec2.md#defenseevasion-ec2-unsualdohactivity) [DefenseEvasion:EC2/UnusualDoTActivity](guardduty_finding-types-ec2.md#defenseevasion-ec2-unusualdotactivity) | April 5, 2023 | | [GuardDuty announces EKS Runtime Monitoring in EKS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html) | EKS Runtime Monitoring within EKS Protection provides runtime threat detection for your Amazon EKS clusters in AWS environment. It uses an Amazon EKS add-on agent (`aws-guardduty-agent`) that collects [Runtime events](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-collected-events.html) from your EKS workloads. After GuardDuty receives these runtime events, it monitors and analyzes them to identify potential suspicious security threats. For more information, see [Finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html) and [EKS Runtime Monitoring finding types](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html). | March 30, 2023 | | [GuardDuty adds a new functionality – `autoEnableOrganizationMembers`](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-legacy-parameters.html) | Amazon GuardDuty adds a new organization configuration option that helps GuardDuty administrator accounts audit and enforce (if required) that GuardDuty is enabled for `ALL` the members of their organization. The best practice now is to use `autoEnableOrganizationMembers` instead of `autoEnable`. `autoEnable` is deprecated but still supported. The following APIs are impacted by this new functionality: [DescribeOrganizationConfiguration](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeOrganizationConfiguration.html) [UpdateOrganizationConfiguration](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) [DisassociateMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html) [DeleteMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html) [DisassociateFromAdministratorAccount](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateFromAdministratorAccount.html) [StopMonitoringMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html) | March 23, 2023 | | [The RDS Protection feature in Amazon GuardDuty is now generally available](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html) | GuardDuty RDS Protection monitors and profiles RDS login activity to identify suspicious login behavior on your Amazon Aurora database instances. For information about which AWS Regions support RDS Protection, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | March 16, 2023 | | [GuardDuty announces feature activation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-features-activation-model.html) | Historically, the GuardDuty API allowed configuration of both features and data sources, but now, all new GuardDuty protection types will be configured as features and not as data sources. GuardDuty still supports the data sources via API but will not add a new API. Features activation affects the behavior of the APIs used to enable GuardDuty or a protection type within GuardDuty. If you manage your GuardDuty accounts through API, SDK, or CFN template, see [GuardDuty API changes in March 2023](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-feature-object-api-changes-march2023.html). | March 16, 2023 | | [GuardDuty Malware Protection for EC2 is now available in Middle East (UAE) Region](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html) | The Malware Protection for EC2 feature in GuardDuty is supported in the Middle East (UAE) Region. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | March 13, 2023 | | [Amazon GuardDuty has updated the Service-linked role (SLR)](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) | GuardDuty added the following new permissions to support the upcoming GuardDuty EKS Runtime Monitoring feature. Use Amazon EKS actions to manage and retrieve information about the EKS clusters, and manage EKS add-ons on EKS clusters. The EKS actions also retrieve the information about the tags associated with GuardDuty. 
"eks:ListClusters",
"eks:DescribeCluster",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeSecurityGroups"
| March 8, 2023 | | [Amazon GuardDuty has updated the Service-linked role (SLR)](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) | The GuardDuty SLR has been updated to allow creation of Malware Protection for EC2 SLR after Malware Protection for EC2 has been enabled. | February 21, 2023 | | [GuardDuty requires TLS v1.2 or later](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | To communicate with AWS resources, GuardDuty requires and supports TLS v1.2 or later. For more information, see [Data protection](https://docs.aws.amazon.com/guardduty/latest/ug/data-protection.html) and [Infrastructure security](https://docs.aws.amazon.com/guardduty/latest/ug/infrastructure-security.html). | February 14, 2023 | | [GuardDuty is now available in Asia Pacific (Hyderabad) Region](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Added Asia Pacific (Hyderabad) Region to the list of AWS Regions where GuardDuty is available. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | February 14, 2023 | | [Amazon GuardDuty User Guide is aligned with IAM best practices](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Updated guide to align with the IAM best practices. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html). | February 10, 2023 | | [GuardDuty is now available in Europe (Spain) Region](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Added Europe (Spain) to the list of AWS Regions where GuardDuty is available. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | February 8, 2023 | | [GuardDuty is now available in Europe (Zurich) Region](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Added Europe (Zurich) to the list of AWS Regions where GuardDuty is available. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | December 12, 2022 | | [Preview release of a new feature – GuardDuty RDS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html) | GuardDuty RDS Protection monitors and profiles RDS login activity to identify suspicious login behavior on your Amazon Aurora database instances. Presently, it is available for a preview release in five AWS Regions. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | November 30, 2022 | | [GuardDuty is now available in Middle East (UAE) Region](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Added Middle East (UAE) to the list of AWS Regions where GuardDuty is available. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). | October 6, 2022 | | [Added content for a new feature – GuardDuty Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html) | GuardDuty Malware Protection for EC2 is an optional enhancement to Amazon GuardDuty. While GuardDuty identifies the resources at risk, Malware Protection for EC2 detects the malware that may be the source of the compromise. With Malware Protection for EC2 enabled, whenever GuardDuty detects suspicious behavior on an Amazon EC2 instance or a container workload indicative of malware, GuardDuty Malware Protection for EC2 initiates an agentless scan on the EBS volumes attached to impacted EC2 instance or container workloads to detect the presence of malware. For information about how Malware Protection for EC2 works and configuring this feature, see [GuardDuty Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html). For information about Malware Protection for EC2 findings, see [Finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html). For information about remediating the compromised EC2 instance and a standalone container, see [Remediating security issues discovered by GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html). For information about auditing CloudWatch logs for malware scans and reasons for skipping a resource during malware scan, see [Understanding CloudWatch Logs and skip reasons](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-auditing-scan-logs.html). For information about false positive threat detections, see [Reporting false positives in GuardDuty Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-false-positives.html). | July 26, 2022 | | [Retired one finding type](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html) | [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#exfiltration-s3-objectreadunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#exfiltration-s3-objectreadunusual) has been retired. | July 5, 2022 | | [Added new S3 finding types which identify anomalous behavior using GuardDuty's anomaly detection machine learning (ML) model.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html) | Added the following new S3 finding types. These finding types identify if an API request invoked an IAM entity in an anomalous way. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. To learn more about each of these new findings, see [S3 finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html). [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission) [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior) | July 5, 2022 | | [Added GuardDuty EKS Protection content for GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html) | GuardDuty can now generate findings for your Amazon EKS resources through the monitoring of EKS audit logs. To learn how to configure this feature, see [EKS Protection in Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html). For a list of findings GuardDuty can generate for Amazon EKS resources, see [Kubernetes findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html). New remediation guidance has been added to support remediating these findings in the [Kubernetes finding remediation guide](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-remediate-kubernetes.html). | January 25, 2022 | | [Added 1 new finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) | A new finding UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS has been added. This finding informs you when your instance credentials are accessed by an AWS account outside your AWS environment. | January 20, 2022 | | [Updated the finding types to help identify issues related to log4j](guardduty_finding-types-ec2.md) | Amazon GuardDuty has updated the following finding types to help identify and prioritize issues related to CVE-2021-44228 and CVE-2021-45046: Backdoor:EC2/C&CActivity.B; Backdoor:EC2/C&CActivity.B\$1DNS; Behavior:EC2/NetworkPortUnusual. | December 22, 2021 | | [Finding Changes](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html) | UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration has been changed to UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. This improved version of the finding learns the typical locations your credentials are used from to reduce findings from traffic routed through on premise networks. [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) | September 7, 2021 | | [Update to GuardDuty SLR](https://docs.aws.amazon.com/guardduty/latest/ug/security-iam-awsmanpol.html) | The GuardDuty SLR has been updated with new actions to improve finding accuracy. | August 3, 2021 | | [Added data source information for each finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html) | Finding descriptions now contain information about data sources that GuardDuty uses to generate that finding. | May 10, 2021 | | [Retired 13 finding types.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html) | 13 findings have been retired to be replaced with new AnomalousBehavoir findings. [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-networkpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-networkpermissions), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-resourcepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-resourcepermissions), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-userpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-userpermissions), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeescalation-iam-administrativepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeescalation-iam-administrativepermissions), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-networkpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-networkpermissions), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-resourcepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-resourcepermissions), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-userpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-userpermissions), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#resourceconsumption-iam-computeresources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#resourceconsumption-iam-computeresources), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#stealth-iam-loggingconfigurationmodified](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#stealth-iam-loggingconfigurationmodified), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#discovery-s3-bucketenumerationunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#discovery-s3-bucketenumerationunusual), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-objectdeleteunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-objectdeleteunusual), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-permissionsmodificationunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-permissionsmodificationunusual), and [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-iam-consolelogin](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-iam-consolelogin). | March 12, 2021 | | [Added 8 new finding types for anomalous behavior.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html) | Added 8 new IAMUser finding types based on anomalous behavior for IAM principals. [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior). | March 12, 2021 | | [Added EC2 findings based on domain reputation.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-acive.html) | Added 4 new Impact finding types based on domain reputation. [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-abuseddomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-abuseddomainrequestreputation), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#Impact:EC2/BitcoinDomainRequest.Reputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#Impact:EC2/BitcoinDomainRequest.Reputation), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-bitcoindomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-bitcoindomainrequestreputation). Also added a new EC2 finding for C&CActivity. [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-suspiciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-suspiciousdomainrequestreputation) | January 27, 2021 | | [Added 4 new finding types.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-acive.html) | Added 3 new S3 MaliciousIPCaller findings. [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcaller), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-maliciousipcaller), [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-maliciousipcaller). Also added a new EC2 finding for C&CActivity. [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivityb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivityb) | December 21, 2020 | | [Retired the UnauthorizedAccess:EC2/TorIPCaller finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-ec2-toripcaller) | The UnauthorizedAccess:EC2/TorIPCaller finding type is now retired from GuardDuty. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-ec2-toripcaller). | October 1, 2020 | | [Added the Impact:EC2/WinRmBruteForce finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-winrmbruteforce) | Added a new Impact finding, Impact:EC2/WinRmBruteForce. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-winrmbruteforce). | September 17, 2020 | | [Added the Impact:EC2/PortSweep finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-portsweep) | Added a new Impact finding, Impact:EC2/PortSweep. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-portsweep). | September 17, 2020 | | [GuardDuty is now available in the Africa (Cape Town) and Europe (Milan) Regions.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | Added Africa (Cape Town) and Europe (Milan) to the list of AWS Regions in which GuardDuty is available. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | July 31, 2020 | | [Added new usage details for monitoring GuardDuty costs.](https://docs.aws.amazon.com/guardduty/latest/ug/monitoring_costs.html) | You can now use new metrics to query GuardDuty usage cost data for your account and accounts you manage. A new overview of usage costs is available in the console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/). More detailed information can be accessed through the API. | July 31, 2020 | | [Added content covering S3 protection through S3 data event monitoring in GuardDuty.](https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html) | GuardDuty S3 Protection is now available through the monitoring of S3 data plane events as a new data source. New accounts will have this feature enabled automatically. If you are already using GuardDuty you can enable the new data source for yourself or your member accounts. | July 31, 2020 | | [Added 14 new S3 Findings.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html) | 14 new S3 finding types have been added for S3 control plane and data plane sources. | July 31, 2020 | | [Added additional support for S3 findings and changed 2 existing finding types names.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_working-with-findings) | GuardDuty findings now include more details for findings involving S3 buckets. Existing finding types that were related to S3 activity have been renamed: Policy:IAMUser/S3BlockPublicAccessDisabled has been changed to Policy:S3/BucketBlockPublicAccessDisabled. Stealth:IAMUser/S3ServerAccessLoggingDisabled has been changed to Stealth:S3/ServerAccessLoggingDisabled. | May 28, 2020 | | [Added content for AWS Organizations integration.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) | GuardDuty now integrates with AWS Organizations delegated administrators to allow you to manage GuardDuty accounts within your organization. When you set a delegated administrator as your GuardDuty administrator account you can automatically enable GuardDuty for any organization member to be managed by the delegated administrator account. You can also automatically enable GuardDuty in new AWS Organizations member accounts. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html). | April 20, 2020 | | [Added content for the export findings feature.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html) | Added content that describes the **Export Findings** feature of GuardDuty. | November 14, 2019 | | [Added the UnauthorizedAccess:EC2/MetadataDNSRebind finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind) | Added a new Unauthorized finding, UnauthorizedAccess:EC2/MetadataDNSRebind. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind). | October 10, 2019 | | [Added the Stealth:IAMUser/S3ServerAccessLoggingDisabled finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4) | Added a new Stealth finding, Stealth:IAMUser/S3ServerAccessLoggingDisabled. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4). | October 10, 2019 | | [Added the Policy:IAMUser/S3BlockPublicAccessDisabled finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2) | Added a new Policy finding, Policy:IAMUser/S3BlockPublicAccessDisabled. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2). | October 10, 2019 | | [Retired the Backdoor:EC2/XORDDOS finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#backdoor2) | The Backdoor:EC2/XORDDOS finding type is now retired from GuardDuty.[Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#backdoor2) | June 12, 2019 | | [Added the PrivilegeEscalation finding type.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html) | The PrivilegeEscalation finding type detects when users attempt to assign escalated, more permissive privileges to their accounts. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html) | May 14, 2019 | | [GuardDuty is now available in the Europe (Stockholm) Region.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | Added Europe (Stockholm) to the list of AWS Regions in which GuardDuty is available. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | May 9, 2019 | | [Added a new finding type, Recon:EC2/PortProbeEMRUnprotectedPort.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort) | This finding informs you that an EMR-related sensitive port on an EC2 Instance is not blocked and is being actively probed. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort) | May 8, 2019 | | [Added 5 new finding types that detect if your EC2 instances are potentially being used for denial of service (DoS) attacks.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html) | These findings inform you of EC2 instances in your environment that are behaving in a manner that may indicate they is being used to perform Denial of Service (DoS) attacks. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html) | March 8, 2019 | | [Added a new finding type: Policy:IAMUser/RootCredentialUsage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1) | Policy:IAMUser/RootCredentialUsage finding type informs you that the root user sign-in credentials of your AWS account are being used to make programmatic requests to AWS services. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1) | January 24, 2019 | | [UnauthorizedAccess:IAMUser/UnusualASNCaller finding type has been retired](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html) | The UnauthorizedAccess:IAMUser/UnusualASNCaller finding type has been retired. You will now be notified about activity invoked from unusual networks via other active GuardDuty finding types. The generated finding type will be based on the category of the API that was invoked from an unusual network. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html) | December 21, 2018 | | [Added two new finding types: PenTest:IAMUser/ParrotLinux and PenTest:IAMUser/PentooLinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html) | PenTest:IAMUser/ParrotLinux finding type informs you that a computer running Parrot Security Linux is making API calls using credentials that belong to your AWS account. PenTest:IAMUser/PentooLinux finding type informs you that a machine running Pentoo Linux is making API calls using credentials that belong to your AWS account. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html) | December 21, 2018 | | [Added support for the Amazon GuardDuty announcements SNS topic](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html) | You can now subscribe to the GuardDuty announcements SNS topic to receive notifications about newly released finding types, updates to the existing finding types, and other functionality changes. Notifications are available in all formats that Amazon SNS supports. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html) | November 21, 2018 | | [Added two new finding types: UnauthorizedAccess:EC2/TorClient and UnauthorizedAccess:EC2/TorRelay](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html) | UnauthorizedAccess:EC2/TorClient finding type informs you that an EC2 instance in your AWS environment is making connections to a Tor Guard or an Authority node. UnauthorizedAccess:EC2/TorRelay finding type informs you that an EC2 instance in your AWS environment is making connections to a Tor network in a manner that suggests that it's acting as a Tor relay. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html) | November 16, 2018 | | [Added a new finding type: CryptoCurrency:EC2/BitcoinTool.B](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html) | This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin, or other cryptocurrency-related activity. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html) | November 9, 2018 | | [Added support for updating the frequency of notifications sent to CloudWatch Events](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_eventbridge.html) | You can now update the frequency of notifications sent to CloudWatch Events for the subsequent occurrences of existing findings. Possible values are 15 minutes, 1 hour, or the default 6 hours. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_eventbridge.html) | October 9, 2018 | | [Added Region support](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | Added Region support for AWS GovCloud (US-West) [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | July 25, 2018 | | [Added support for CloudFormation StackSets in GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html) | You can use the Enable Amazon GuardDuty template to enable GuardDuty simultaneously in multiple accounts. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html) | June 25, 2018 | | [Added support for GuardDuty auto-archive rules](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_filter-findings) | Customers can now build granular auto-archive rules for suppression of findings. For findings that match an auto-archive rule, GuardDuty automatically marks them as archived. This enables customers to further tune GuardDuty to keep only relevant findings in the current findings table. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_filter-findings) | May 4, 2018 | | [GuardDuty is available in the Europe (Paris) Region](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | GuardDuty is now available in Europe (Paris), allowing you to extend continuous security monitoring and threat detection in this Region. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html) | March 29, 2018 | | [Creating GuardDuty administrator account and member accounts through CloudFormation is now supported.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-master.html) | For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-master.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-master.html) and [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-member.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-member.html). | March 6, 2018 | | [Added nine new CloudTrail-based anomaly detections.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html) | These new finding types are automatically enabled in GuardDuty in all supported Regions. [ Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html) | February 28, 2018 | | [Added three new threat intelligence detections (finding types).](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html) | These new finding types are automatically enabled in GuardDuty in all supported Regions. [Learn more ](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html) | February 5, 2018 | | [Limit increase for GuardDuty member accounts.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html) | With this release, you can have up to 1000 GuardDuty member accounts added per AWS account (GuardDuty administrator account account). [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html) | January 25, 2018 | | [Changes in upload and further management of trusted IP lists and threat lists for GuardDuty administrator account and member accounts.](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) | With this release, Users from administrator account GuardDuty accounts can upload and manage trusted IP lists and threat lists. Users from member GuardDuty accounts can't upload and manage lists. Trusted IP lists and threat lists that are uploaded by the administrator account account are imposed on GuardDuty functionality in its member accounts. [Learn more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) | January 25, 2018 | ## Earlier updates | Change | Description | Date | | --- | --- | --- | | Initial publication | Initial publication of the Amazon GuardDuty User Guide. | November 28, 2017 |