Amazon GuardDuty against AWS Backup requests

0

Hello, I want to ask regarding Guard Duty because it has caused the billing to increase in recent months, so the analyzed events exceeds 500Mil events. So after I checked the CloudTrail there are some requests to the S3 when the AWS Backup Job running, something like this:

273ab8768706e347a3fb4550fa8cc3012fb3f59a6b9e0f595f18a133f035ad00 <BUCKET_NAME> [07/Jul/2024:09:33:43 +0000] - arn:aws:sts::<ACCOUNT_ID>:assumed-role/AWSBackupDefaultServiceRole/<AWS_BACKUP_ROLE> DZ206W9WC7XG6APM REST.GET.OBJECT_TAGGING demo/A/2/2024/2/19/11/0_22_440.jpg "GET /demo/A/2/2024/2/19/11/0_22_440.jpg?tagging&versionId=DDmmqZSgLrVw42N5dW5BV60X1JPOraNa HTTP/1.1" 200 - 115 - 13 10 "-" "-" DDmmqZSgLrVw42N5dW5BV60X1JPOraNa fQCpSbnaPLPgCt8ckxWISxgdjcuo12Dxv8Ee4tRtTqYZqWsvKrjGgbR3hT/C/dSAwZO5Lr+86vO6FPtYiva3Yw== SigV4 TLS_AES_128_GCM_SHA256 AuthHeader <BUCKET_NAME>.s3.ap-southeast-1.amazonaws.com TLSv1.3 - -

273ab8768706e347a3fb4550fa8cc3012fb3f59a6b9e0f595f18a133f035ad00 <BUCKET_NAME> [07/Jul/2024:09:33:43 +0000] - arn:aws:sts::<ACCOUNT_ID>:assumed-role/AWSBackupDefaultServiceRole/<AWS_BACKUP_ROLE> DZ20MZY0BWR21HYP REST.GET.ACL demo/A/2/2024/2/19/11/0_22_542.jpg "GET /demo/A/2/2024/2/19/11/0_22_542.jpg?acl&versionId=at0YzlQ2uRgGuaZC4vmSRW4xvmZiuH6f HTTP/1.1" 200 - 542 - 12 - "-" "-" at0YzlQ2uRgGuaZC4vmSRW4xvmZiuH6f g6zN1R8dDbxkV5aCFmvERVdp6M0MxXwC57PGPO8Rr0p9F9CxNhfHqSA0QBwHbjctbW9POYOmzm5JGau212BMqw== SigV4 TLS_AES_128_GCM_SHA256 AuthHeader <BUCKET_NAME>.s3.ap-southeast-1.amazonaws.com TLSv1.3 - -

Are those requests/events also included in the AWS Guard Duty analyzing process?

1 Answer
2
Accepted Answer

Hi,

Yes, GuardDuty monitors S3 calls incl. backup: see https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html

But, you can disable S3 Protection in GuardDuty: see section called "To enable or disable S3 Protection" in page above.

Pls, think twice before disabling this protection: you'll lose the GuardDuty alerts in case of suspect activity on your buckets.

Best,

Didier

profile pictureAWS
EXPERT
answered 3 months ago
profile picture
EXPERT
reviewed 3 months ago
profile picture
EXPERT
reviewed 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions