AWS GuardDuty disabled
Description
AlphaSOC detected that AWS GuardDuty was disabled. AWS GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads (CloudTrail management and data events, VPC Flow Logs, DNS logs and other sources) for malicious activity and delivers security findings. Disabling it is a defense-evasion step: an attacker who already holds credentials in the account may suspend or delete the detector so that their subsequent activity is not reported, typically as part of a broader attack.
Impact
Disabling AWS GuardDuty reduces the ability to detect and respond to security threats in the AWS environment, increasing the risk of unauthorized access, data exfiltration, and resource abuse.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS GuardDuty was disabled |
Investigation and Remediation
Review AWS CloudTrail logs for `guardduty.amazonaws.com` API calls to identify the user or IAM role responsible and verify whether the action was authorized. The console "Disable GuardDuty" action is recorded as `DeleteDetector` (which also deletes existing findings and configuration); a quieter `UpdateDetector` call with `enable` set to false suspends monitoring while leaving the detector in place, and in an organization setup calls such as `DisassociateFromAdministratorAccount`, `DisassociateMembers`, `DeleteMembers` or `StopMonitoringMembers` stop findings from reaching the delegated administrator. Record the principal ARN (for an assumed role, the role and the session name), source IP address and user agent of the call. Because GuardDuty is enabled per region, confirm that a detector is still active in every region you use. If the action was unauthorized, re-enable AWS GuardDuty, rotate the affected credentials, and analyze account activity around the time of the call to detect signs of compromise or additional malicious actions.
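The following script is an added example, not part of the original AlphaSOC page: it runs the triage described above over a small set of constructed CloudTrail records (account ID, detector IDs, IP addresses, role and session names are all made up) and reports who disabled, or tried to disable, GuardDuty. The event names are the real GuardDuty API operations; the assumption that `UpdateDetector` records its `enable` flag under `requestParameters.enable` reflects how CloudTrail mirrors API request bodies and should be checked against a record from your own trail.

```python
"""Triage CloudTrail records for GuardDuty-disabling API calls (added example)."""
import json

# GuardDuty API operations that stop findings from being produced or delivered.
# UpdateDetector counts only when the request carries enable=false (suspend).
DISABLING_EVENTS = {
    "DeleteDetector",
    "UpdateDetector",
    "DisassociateFromMasterAccount",
    "DisassociateFromAdministratorAccount",
    "DisassociateMembers",
    "DeleteMembers",
    "StopMonitoringMembers",
}


def classify(event: dict):
    """Return 'disabled', 'attempted' (call was denied/failed) or None."""
    if event.get("eventSource") != "guardduty.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in DISABLING_EVENTS:
        return None
    if name == "UpdateDetector":
        # Assumed record shape: requestParameters mirrors the API body.
        params = event.get("requestParameters") or {}
        if params.get("enable") is not False:
            return None  # e.g. only findingPublishingFrequency was changed
    # A denied call did not disable anything, but someone tried to.
    return "attempted" if event.get("errorCode") else "disabled"


def actor(identity: dict) -> str:
    """Resolve userIdentity to a principal a responder can chase down."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        session = identity.get("arn", "").rsplit("/", 1)[-1]
        return f"{issuer.get('arn', '?')} (session {session})"
    if kind == "Root":
        return f"ROOT of account {identity.get('accountId')}"
    return identity.get("arn") or identity.get("userName") or kind or "unknown"


def triage(records):
    """Return one finding dict per GuardDuty-disabling call in the records."""
    findings = []
    for ev in records:
        verdict = classify(ev)
        if verdict is None:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "verdict": verdict,
            "event": ev["eventName"],
            "account": ev.get("recipientAccountId"),
            "region": ev.get("awsRegion"),
            "actor": actor(ev.get("userIdentity", {})),
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
            "detector": (ev.get("requestParameters") or {}).get("detectorId"),
            "error": ev.get("errorCode"),
        })
    return findings


# Constructed sample in the shape of a CloudTrail log file: a read-only call,
# a benign UpdateDetector, a suspend via enable=false, and a denied delete.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-05-01T02:10:05Z", "eventSource": "guardduty.amazonaws.com", "eventName": "ListDetectors",
  "awsRegion": "us-east-1", "recipientAccountId": "123456789012", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2024-05-01T02:11:40Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
  "awsRegion": "us-east-1", "recipientAccountId": "123456789012", "sourceIPAddress": "203.0.113.10",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "findingPublishingFrequency": "FIFTEEN_MINUTES"},
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2024-05-01T02:15:12Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
  "awsRegion": "us-east-1", "recipientAccountId": "123456789012", "sourceIPAddress": "198.51.100.7",
  "userAgent": "aws-cli/2.15.0",
  "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": false},
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/CI-Deploy/build-7781",
   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/CI-Deploy"}}}},
 {"eventTime": "2024-05-01T02:16:00Z", "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
  "awsRegion": "eu-west-1", "recipientAccountId": "123456789012", "sourceIPAddress": "198.51.100.7",
  "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
  "requestParameters": {"detectorId": "98fe76d5c4b3a2109f8e7d6c5b4a3f21"},
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/CI-Deploy/build-7781",
   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/CI-Deploy"}}}}
]}"""
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['verdict']:9} {f['event']:<22} {f['region']} "
              f"by {f['actor']} from {f['source_ip']} ({f['user_agent']})")
```

Point `triage` at the `Records` array of your own CloudTrail log files, or at the `CloudTrailEvent` JSON returned by `aws cloudtrail lookup-events`, and pivot from the reported actor, source IP and time window into the rest of the account's activity. Denied attempts are kept as `attempted` findings on purpose: a principal probing for permission to disable GuardDuty is already a compromise indicator.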