

# GuardDuty S3 Protection
<a name="s3-protection"></a>

S3 Protection helps you detect potential security risks to data, such as data exfiltration and destruction, in your Amazon Simple Storage Service (Amazon S3) buckets. To identify these risks, GuardDuty monitors AWS CloudTrail data events for Amazon S3, which include object-level API operations, across all the Amazon S3 buckets in your account. 

When GuardDuty detects a potential threat based on S3 data event monitoring, it generates a security finding. For information about the finding types that GuardDuty may generate when you enable S3 Protection, see [GuardDuty S3 Protection finding types](guardduty_finding-types-s3.md). 

By default, foundational threat detection includes monitoring [AWS CloudTrail management events](guardduty_data-sources.md#guardduty_controlplane) to identify potential threats to your Amazon S3 resources. Management events (control-plane operations, such as bucket-level policy and configuration changes) and S3 data events (data-plane operations, such as object reads, writes, and deletes) are different data sources that cover different kinds of activity in your environment; management-event monitoring alone doesn't reveal who read, listed, or deleted objects. 

You can enable S3 Protection in an account in any Region where GuardDuty [supports this feature](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html). This will help you monitor CloudTrail data events for S3 in that account and Region. After you enable S3 Protection, GuardDuty will be able to fully monitor your Amazon S3 buckets and generate findings for suspicious access to the data stored in your S3 buckets. 

To use S3 Protection, you don't need to explicitly enable or configure S3 data event logging in AWS CloudTrail. GuardDuty receives these events through its own independent stream, so you don't need a trail that records S3 data events, and enabling S3 Protection doesn't change what your existing trails record.

**30-day free trial**  
The following list explains how the 30-day free trial works for your account:  
+ When you enable GuardDuty in an AWS account in a new Region for the first time, you get a 30-day free trial. In this case, GuardDuty will also enable S3 Protection, which is included in the free trial. 
+ When you are already using GuardDuty and decide to enable S3 Protection for the first time, your account in this Region will get a 30-day free trial for S3 Protection.
+ You can choose to disable S3 Protection in any Region at any time.
+ During the 30-day free trial, you can get an estimate of your usage costs in that account and Region. After the 30-day free trial ends, S3 Protection doesn't get disabled automatically. Your account in this Region will start incurring usage cost. For more information, see [Monitoring GuardDuty Usage and Estimating Costs](monitoring_costs.md).

## AWS CloudTrail data events for S3
<a name="guardduty_s3dataplane"></a>

Data events, also known as data plane operations, provide insight into the resource operations performed on or within a resource. They are often high-volume activities. 

The following are examples of CloudTrail data events for S3 that GuardDuty can monitor:  
+ `GetObject` API operations
+ `PutObject` API operations
+ `ListObjects` API operations
+ `DeleteObject` API operations
For more information about these APIs, see [Amazon Simple Storage Service API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html).

## How GuardDuty uses CloudTrail data events for S3
<a name="s3-data-source"></a>

When you enable S3 Protection, GuardDuty begins to analyze CloudTrail data events for S3 from all of your S3 buckets, and monitors them for malicious and suspicious activity. This is in addition to the [AWS CloudTrail management events](guardduty_data-sources.md#guardduty_controlplane) that foundational threat detection already monitors. 

GuardDuty processes only requests made to S3 objects with valid IAM (AWS Identity and Access Management) or AWS STS (AWS Security Token Service) credentials. When an unauthenticated request succeeds, the S3 object is publicly accessible, and GuardDuty doesn't process such requests. In practice this means S3 Protection won't tell you who is reading a public object; detecting that a bucket or object has been exposed through its policy or ACL is the job of the management-event monitoring that foundational threat detection provides.

**Note**  
After enabling S3 Protection, GuardDuty monitors data events only from those Amazon S3 buckets that reside in the same Region where you enabled GuardDuty and S3 Protection. Because buckets are regional, enable S3 Protection in every Region that holds buckets you need to monitor; a bucket in a Region with no detector is not covered.

If you disable S3 Protection in your account in a specific Region, GuardDuty stops S3 data event monitoring of the data stored in your S3 buckets. GuardDuty will no longer generate S3 Protection finding types for your account in that Region.
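Because S3 Protection is a per-Region setting, the practical check after enabling it is whether every Region that actually holds buckets has a detector with `S3_DATA_EVENTS` enabled. The following script is an added example, not code from the GuardDuty documentation: it audits that coverage. The pure functions work on dictionaries shaped like the `GetDetector` response and a bucket-to-Region map, so they run offline against the constructed sample data at the bottom; `collect_live()` gathers the real data with boto3 (assumed installed and credentialed) when you swap it in. The Region names, bucket names, and detector states in the sample are made up.

```python
"""Audit GuardDuty S3 Protection coverage Region by Region."""
from collections import defaultdict

FEATURE = "S3_DATA_EVENTS"  # feature name used by GetDetector/UpdateDetector


def s3_protection_status(detector):
    """Return the S3_DATA_EVENTS status from a GetDetector response.

    Returns 'ENABLED', 'DISABLED', or 'ABSENT' when the feature entry is
    missing from the Features list.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("Status", "ABSENT")
    return "ABSENT"


def coverage_gaps(region_detectors, bucket_regions):
    """List Regions that hold buckets but lack active S3 Protection.

    region_detectors: {region: GetDetector response dict, or None when the
                       Region has no GuardDuty detector}
    bucket_regions:   {bucket_name: region}
    Returns a sorted list of (region, reason, [bucket names]).
    """
    buckets_by_region = defaultdict(list)
    for bucket, region in bucket_regions.items():
        buckets_by_region[region].append(bucket)

    gaps = []
    for region in sorted(buckets_by_region):
        detector = region_detectors.get(region)
        if detector is None:
            reason = "no GuardDuty detector"
        else:
            status = s3_protection_status(detector)
            if status == "ENABLED":
                continue  # this Region is covered
            reason = f"{FEATURE} is {status}"
        gaps.append((region, reason, sorted(buckets_by_region[region])))
    return gaps


def collect_live():
    """Gather bucket locations and per-Region detector state with boto3."""
    import boto3  # imported here so the offline functions need no SDK

    s3 = boto3.client("s3")
    bucket_regions = {}
    for bucket in s3.list_buckets()["Buckets"]:
        loc = s3.get_bucket_location(Bucket=bucket["Name"])["LocationConstraint"]
        # GetBucketLocation reports None for us-east-1 (legacy buckets may
        # also report "EU"; map that to eu-west-1 if you have any).
        bucket_regions[bucket["Name"]] = loc or "us-east-1"

    region_detectors = {}
    for region in sorted(set(bucket_regions.values())):
        gd = boto3.client("guardduty", region_name=region)
        ids = gd.list_detectors()["DetectorIds"]
        region_detectors[region] = gd.get_detector(DetectorId=ids[0]) if ids else None
    return region_detectors, bucket_regions


# Constructed sample data (not real accounts): one Region fully covered,
# one with S3 Protection switched off, one with no detector at all.
SAMPLE_DETECTORS = {
    "us-east-1": {"Status": "ENABLED",
                  "Features": [{"Name": FEATURE, "Status": "ENABLED"}]},
    "eu-west-1": {"Status": "ENABLED",
                  "Features": [{"Name": FEATURE, "Status": "DISABLED"}]},
}
SAMPLE_BUCKETS = {
    "prod-logs": "us-east-1",
    "eu-backups": "eu-west-1",
    "apac-archive": "ap-southeast-2",
}

if __name__ == "__main__":
    # Replace the sample data with collect_live() to audit a real account.
    for region, reason, buckets in coverage_gaps(SAMPLE_DETECTORS, SAMPLE_BUCKETS):
        print(f"{region}: {reason}; unmonitored buckets: {', '.join(buckets)}")
```

Run it as-is to see the two gaps in the sample (a Region with the feature disabled and a Region with no detector), then replace the sample with the output of `collect_live()` from the account you want to audit. A standalone account runs this once; a delegated administrator would run it per member, or extend it with `GetMemberDetectors`.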

### GuardDuty using CloudTrail data events for S3 for attack sequences
<a name="s3-protection-attack-sequence"></a>

[GuardDuty Extended Threat Detection](guardduty-extended-threat-detection.md) detects multi-stage attack sequences in an account that span multiple foundational data sources, AWS resources, and time. When GuardDuty observes a sequence of events indicative of recent or in-progress suspicious activity in your account, it generates an associated attack sequence finding. 

By default, when you enable GuardDuty, Extended Threat Detection also gets enabled in your account. This capability covers the threat scenario associated with CloudTrail management events at no additional cost. However, to use Extended Threat Detection at its full potential, GuardDuty recommends enabling S3 Protection to cover threat scenarios associated with CloudTrail data events for S3.

After you enable S3 Protection, GuardDuty will automatically cover the attack sequence threat scenarios, such as compromise or destruction of data, where your Amazon S3 resources might be involved.

# Enabling S3 Protection in multiple-account environments
<a name="s3-multiaccount"></a>

In a multi-account environment, only the delegated GuardDuty administrator account has the option to configure (enable or disable) S3 Protection for the member accounts in their AWS organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages their member accounts using AWS Organizations. The delegated GuardDuty administrator account can choose to have S3 Protection automatically enabled on all accounts, only new accounts, or no accounts in the organization. For more information, see [Managing accounts with AWS Organizations](guardduty_organizations.md).

## Enabling S3 Protection for delegated GuardDuty administrator account
<a name="configure-s3-pro-delegatedadmin"></a>

Choose your preferred access method to enable S3 Protection for the delegated GuardDuty administrator account.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **S3 Protection**.

1. On the **S3 Protection** page, choose **Edit**.

1. Do one of the following:

**Using Enable for all accounts**
   + Choose **Enable for all accounts**. This will enable the protection plan for all the active GuardDuty accounts in your AWS organization, including the new accounts that join the organization.
   + Choose **Save**.

**Using Configure accounts manually**
   + To enable the protection plan only for the delegated GuardDuty administrator account, choose **Configure accounts manually**.
   + Choose **Enable** under the **delegated GuardDuty administrator account (this account)** section.
   + Choose **Save**.

------
#### [ API/CLI ]

Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html) by using the detector ID of the delegated GuardDuty administrator account for the current Region and passing the `features` object `name` as `S3_DATA_EVENTS` and `status` as `ENABLED`.

Alternatively, you can configure S3 Protection by using AWS Command Line Interface. Run the following command, and make sure to replace *12abc34d567e8fa901bc2d34e56789f0* with the detector ID of the delegated GuardDuty administrator account for the current Region.

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]'
```

------

## Auto-enable S3 Protection for all member accounts in the organization
<a name="s3-autoenable"></a>

Choose your preferred access method to automatically enable S3 Protection for all existing and new member accounts in your organization.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Sign in using the delegated GuardDuty administrator account.

1. Do one of the following:

**Using the S3 Protection page**

   1. In the navigation pane, choose **S3 Protection**.

   1. Choose **Enable for all accounts**. This action automatically enables S3 Protection for both existing and new accounts in the organization.

   1. Choose **Save**.
**Note**  
It may take up to 24 hours to update the configuration for the member accounts.

**Using the Accounts page**

   1. In the navigation pane, choose **Accounts**.

   1. On the **Accounts** page, choose **Auto-enable** preferences before **Add accounts by invitation**.

   1. In the **Manage auto-enable preferences** window, choose **Enable for all accounts** under **S3 Protection**.

   1. Choose **Save**.

   If you can't use the **Enable for all accounts** option, see [Selectively enable S3 Protection in member accounts](#s3-enable-members).

------
#### [ API/CLI ]
+ To enable S3 Protection for existing member accounts through the API, invoke the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID* and the account IDs of the members. To also cover accounts that join the organization later, set the organization preference with the UpdateOrganizationConfiguration API operation, as described under auto-enabling S3 Protection for new member accounts. 
+ The following example shows how you can enable S3 Protection for a single member account. Make sure to replace *12abc34d567e8fa901bc2d34e56789f0* with the `detector-id` of the delegated GuardDuty administrator account for the current Region, and *111122223333* with the member account ID.

  To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

  ```
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]'
  ```
**Note**  
You can also pass a list of account IDs separated by a space.
+ When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

------

## Enable S3 Protection for all existing active member accounts
<a name="enable-for-all-existing-members"></a>

Choose your preferred access method to enable S3 Protection for all the existing active member accounts in your organization.

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Sign in using the delegated GuardDuty administrator account credentials.

1. In the navigation pane, choose **S3 Protection**.

1. On the **S3 Protection** page, you can view the current status of the configuration. Under the **Active member accounts** section, choose **Actions**.

1. From the **Actions** dropdown menu, choose **Enable for all existing active member accounts**.

1. Choose **Confirm**.

------
#### [ API/CLI ]
+ To enable S3 Protection for your existing member accounts, invoke the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*. To cover every existing active member, pass all of their account IDs; you can retrieve them with the ListMembers API operation. 
+ The following example shows how you can enable S3 Protection for a single member account. Make sure to replace *12abc34d567e8fa901bc2d34e56789f0* with the `detector-id` of the delegated GuardDuty administrator account for the current Region, and *111122223333* with the member account ID.

  To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

  ```
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]'
  ```
**Note**  
You can also pass a list of account IDs separated by a space.
+ When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

------

## Auto-enable S3 Protection for new member accounts
<a name="auto-enable-s3-pro-new-members"></a>

Choose your preferred access method to enable S3 Protection for new accounts that join your organization.

------
#### [ Console ]

The delegated GuardDuty administrator account can enable for new member accounts in an organization through the console, using either the **S3 Protection** or **Accounts** page.

**To auto-enable S3 Protection for new member accounts**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Make sure to use the delegated GuardDuty administrator account credentials.

1. Do one of the following:
   + Using the **S3 Protection** page:

     1. In the navigation pane, choose **S3 Protection**.

     1. On the **S3 Protection** page, choose **Edit**.

     1. Choose **Configure accounts manually**.

     1. Select **Automatically enable for new member accounts**. This step ensures that whenever a new account joins your organization, S3 Protection will be automatically enabled for their account. Only the organization delegated GuardDuty administrator account can modify this configuration.

     1. Choose **Save**.
   + Using the **Accounts** page:

     1. In the navigation pane, choose **Accounts**.

     1. On the **Accounts** page, choose **Auto-enable** preferences.

     1. In the **Manage auto-enable preferences** window, select **Enable for new accounts** under **S3 Protection**.

     1. Choose **Save**.

------
#### [ API/CLI ]
+ To set the auto-enable preference for S3 Protection in your organization, invoke the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) API operation using your own *detector ID*. 
+ The following example sets the preference so that S3 Protection is automatically enabled in that Region for new accounts (`NEW`) that join the organization. You can instead apply it to all the accounts (`ALL`) or none of the accounts (`NONE`) in the organization. For more information, see [autoEnableOrganizationMembers](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html#guardduty-UpdateOrganizationConfiguration-request-autoEnableOrganizationMembers). Based on your preference, you may need to replace `NEW` with `ALL` or `NONE`.

  To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

  ```
  aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name": "S3_DATA_EVENTS", "AutoEnable": "NEW"}]'
  ```
+ When the command succeeds, it returns no output. To confirm the preference that was applied, run the DescribeOrganizationConfiguration API operation with the same detector ID and check the `AutoEnable` value for the `S3_DATA_EVENTS` feature. Note that this preference controls only accounts that GuardDuty configures automatically; it doesn't report on members whose detector settings couldn't be changed.

------
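The two procedures above (enabling S3 Protection for all existing active members, and setting the preference for new members) leave a gap a practitioner usually wants closed in one pass: members that silently land in `UnprocessedAccounts`, and drift between what the organization preference promises and what members actually have. The script below is an added example, not code from the GuardDuty documentation. It lists associated members with `ListMembers`, reads their feature state with `GetMemberDetectors`, enables `S3_DATA_EVENTS` in batches with `UpdateMemberDetectors`, and reads the new-account preference back with `DescribeOrganizationConfiguration`. It is written against the boto3 GuardDuty client's method names, so the constructed `FakeGuardDuty` class (made-up account IDs and a simulated failure) exercises it offline; the `BATCH` size of 50 is an assumption to check against the API reference, and the detector ID is the placeholder used elsewhere on this page.

```python
"""Enable S3 Protection on every existing member and report the
organization auto-enable preference for accounts that join later.
Run from the delegated GuardDuty administrator account, in one Region."""
FEATURE = "S3_DATA_EVENTS"
BATCH = 50  # assumed per-call account limit; confirm against the API reference


def members_missing_s3(member_configs):
    """Account IDs whose S3_DATA_EVENTS feature is not ENABLED, taken from the
    MemberDataSourceConfigurations list of a GetMemberDetectors response."""
    missing = []
    for member in member_configs:
        status = {f["Name"]: f.get("Status") for f in member.get("Features", [])}
        if status.get(FEATURE) != "ENABLED":
            missing.append(member["AccountId"])
    return missing


def enable_s3_for_members(gd, detector_id, account_ids):
    """Call UpdateMemberDetectors in batches; return {account_id: result}
    for entries reported back in UnprocessedAccounts (empty means all done)."""
    failures = {}
    for start in range(0, len(account_ids), BATCH):
        resp = gd.update_member_detectors(
            DetectorId=detector_id,
            AccountIds=account_ids[start:start + BATCH],
            Features=[{"Name": FEATURE, "Status": "ENABLED"}])
        for item in resp.get("UnprocessedAccounts", []):
            failures[item["AccountId"]] = item["Result"]
    return failures


def s3_auto_enable_preference(org_config):
    """NEW, ALL or NONE for S3_DATA_EVENTS from a DescribeOrganizationConfiguration
    response, or 'ABSENT' if no preference is set for the feature."""
    for feature in org_config.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("AutoEnable", "ABSENT")
    return "ABSENT"


def reconcile(gd, detector_id):
    """Enable S3 Protection where it is off and return what was enabled,
    what failed, and the preference that will apply to new accounts."""
    account_ids, kwargs = [], {"DetectorId": detector_id, "OnlyAssociated": "true"}
    while True:  # ListMembers is paginated; walk every page
        page = gd.list_members(**kwargs)
        account_ids += [m["AccountId"] for m in page.get("Members", [])]
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]

    configs = []
    for start in range(0, len(account_ids), BATCH):
        resp = gd.get_member_detectors(DetectorId=detector_id,
                                       AccountIds=account_ids[start:start + BATCH])
        configs += resp.get("MemberDataSourceConfigurations", [])

    to_enable = members_missing_s3(configs)
    failures = enable_s3_for_members(gd, detector_id, to_enable) if to_enable else {}
    org = gd.describe_organization_configuration(DetectorId=detector_id)
    return {"enabled": [a for a in to_enable if a not in failures],
            "failures": failures,
            "new_account_preference": s3_auto_enable_preference(org)}


class FakeGuardDuty:
    """Constructed stand-in for the boto3 GuardDuty client (not real accounts)."""

    def __init__(self):
        self.calls = []
        self.members = {"111122223333": "ENABLED",
                        "444455556666": "DISABLED",
                        "777788889999": "DISABLED"}

    def list_members(self, **kw):
        return {"Members": [{"AccountId": a} for a in self.members]}

    def get_member_detectors(self, **kw):
        return {"MemberDataSourceConfigurations": [
            {"AccountId": a, "Features": [{"Name": FEATURE, "Status": s}]}
            for a, s in self.members.items() if a in kw["AccountIds"]]}

    def update_member_detectors(self, **kw):
        self.calls.append(list(kw["AccountIds"]))
        unprocessed = []
        for a in kw["AccountIds"]:
            if a == "777788889999":  # simulate an account the service rejects
                unprocessed.append({"AccountId": a, "Result": "simulated failure"})
            else:
                self.members[a] = kw["Features"][0]["Status"]
        return {"UnprocessedAccounts": unprocessed}

    def describe_organization_configuration(self, **kw):
        return {"AutoEnableOrganizationMembers": "ALL",
                "Features": [{"Name": FEATURE, "AutoEnable": "NEW"}]}


if __name__ == "__main__":
    print(reconcile(FakeGuardDuty(), "12abc34d567e8fa901bc2d34e56789f0"))
    # Real run: reconcile(boto3.client("guardduty", region_name="us-east-1"), detector_id)
```

The result's `failures` map is the part to act on: an account listed there still has S3 Protection off even though the call as a whole succeeded, which is exactly what the console's "Enable for all existing active member accounts" action doesn't surface. Run it once per Region, since both member detectors and the organization preference are regional.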

## Selectively enable S3 Protection in member accounts
<a name="s3-enable-members"></a>

Choose your preferred access method to selectively enable S3 Protection for member accounts.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Make sure to use the delegated GuardDuty administrator account credentials.

1. In the navigation pane, choose **Accounts**.

   On the **Accounts** page, review the **S3 Protection** column for the status of your member account. 

1. Select the account for which you want to enable S3 Protection. You can select multiple accounts at a time. In the **Edit Protection Plans** dropdown menu, choose **S3Pro**, and then choose the appropriate option.

------
#### [ API/CLI ]

To selectively enable S3 Protection for your member accounts, run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own detector ID. The following example shows how you can enable S3 Protection for a single member account. To disable it, replace `ENABLED` with `DISABLED`. 

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "ENABLED"}]'
```

**Note**  
You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

**Note**  
If you use scripts to on-board new accounts and want to disable S3 Protection in your new accounts, you can pass the optional `features` object to the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateDetector.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateDetector.html) API operation with `name` as `S3_DATA_EVENTS` and `status` as `DISABLED`, as described in this topic.

------

# Enabling S3 Protection for a standalone account
<a name="data-source-configure"></a>

A standalone account owns the decision to enable or disable a protection plan in their AWS account in a specific AWS Region. 

If your account is associated with a GuardDuty administrator account through AWS Organizations, or by the method of invitation, this section doesn't apply to your account. For more information, see [Enabling S3 Protection in multiple-account environments](s3-multiaccount.md).

After you enable S3 Protection, GuardDuty will start monitoring AWS CloudTrail data events for the S3 buckets in your account.

Choose your preferred access method to configure S3 Protection for a standalone account.

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. From the **Region** selector in the upper-right corner, select a Region where you want to enable S3 Protection.

1. In the navigation pane, choose **S3 Protection**.

1. The **S3 Protection** page provides the current status of S3 Protection for your account. Choose **Enable** or **Disable** to enable or disable S3 Protection at any point in time.

1. Choose **Confirm** to confirm your selection.

------
#### [ API/CLI ]

Run [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html) by using your valid detector ID for the current Region and passing the `features` object with `name` as `S3_DATA_EVENTS` and `status` as `ENABLED` to enable S3 Protection, or `DISABLED` to disable it.

**Note**  
To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

Alternatively, you can use AWS Command Line Interface. To enable S3 Protection, run the following command, and replace *12abc34d567e8fa901bc2d34e56789f0* with your account's detector ID and *us-east-1* with the Region where you want to enable S3 Protection. 

```
aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --region us-east-1 --features '[{"Name" : "S3_DATA_EVENTS", "Status" : "ENABLED"}]'
```

------