Why did GuardDuty send me alert findings for a trusted IP list address?

2 minute read

I followed the instructions to set up a trusted IP address list for Amazon GuardDuty. Why is GuardDuty sending me alert findings for my trusted IP address?


Use the following best practices to verify the trusted IP list settings:

  • Be sure that the trusted IP lists uploaded in the same AWS Region as your GuardDuty findings.
  • Verify that the trusted IP lists are activated. For instructions, see To activate or deactivate trusted IP lists and threat lists.
  • If you changed the trusted IP list, you must reactivate it in GuardDuty. For instructions, see To update trusted IP lists and threat lists.
  • Be sure that IP addresses added in the trusted IP list are publicly routable IPv4 addresses. Support for IPv6 addresses isn't available.
  • Adding a domain name, private IP address, or IPv6 address in a trusted IP list doesn't prevent GuardDuty from generating findings.
  • In member accounts, GuardDuty generates findings for malicious IP addresses from the threat lists uploaded in the GuardDuty administrator account, not the trusted IP lists. For more information, see Managing GuardDuty accounts with AWS Organizations.

Related information

Working with trusted IP lists and threat lists

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

AWS OFFICIALUpdated 2 years ago