GuardDuty.10: GuardDuty S3 Protection is off
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub GuardDuty.10 check?
GuardDuty.10 fails when S3 Protection is not enabled on the GuardDuty detector. S3 Protection tells GuardDuty to analyse CloudTrail S3 data events — the object-level GetObject, PutObject, ListObjects, and DeleteObject calls that show who is actually reading and writing the bytes in your buckets.
Why does GuardDuty.10 matter?
With S3 Protection off, GuardDuty still catches compromised-credential and network signals, but it never inspects the object-level activity inside the buckets where the highest-value data lives, so object-level exfiltration from those buckets is invisible to it. Time-to-detection is the variable that most determines breach cost: incidents caught in days cost a fraction of those that run for months, and this feature is what lets GuardDuty see the exfiltration as it happens.
How do I fix GuardDuty.10?
- Enable S3 Protection on the GuardDuty detector in each region.
- Manage it centrally from the delegated GuardDuty administrator across the org.
- Confirm S3 data-event analysis appears as active in the coverage view.
- Wire the S3-related findings into your alerting and response runbooks.
Remediation script · bash
# Enable the GuardDuty detector in every Region and turn on S3 Protection
# (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    detector=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
    if [ "$detector" = "None" ] || [ -z "$detector" ]; then
        detector=$(aws guardduty create-detector --enable \
            --finding-publishing-frequency FIFTEEN_MINUTES \
            --region "$region" --query 'DetectorId' --output text)
        echo "$region: GuardDuty detector created"
    fi
    # GuardDuty.10: S3 Protection is the S3_DATA_EVENTS feature on the detector,
    # so an existing detector must be updated, not just left in place.
    aws guardduty update-detector --detector-id "$detector" --region "$region" \
        --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"}]'
    echo "$region: S3 Protection enabled"
done
# Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA
# Enable Macie (free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES
Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.
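A verification helper for the "confirm" step above, added here as an example and not part of the page's own script: it takes the JSON that `aws guardduty get-detector --detector-id <id>` returns for each Region and decides whether S3 Protection is actually on, reading the current `Features` list first and falling back to the older `DataSources.S3Logs` field that some tooling still emits. Field names follow the GuardDuty GetDetector response; the three Region responses are constructed samples, and the PASSED/FAILED mapping is this page's reading of the control, not AWS's implementation.

```python
"""Evaluate GuardDuty S3 Protection from GetDetector responses (added example)."""
import json

# Constructed samples shaped like `aws guardduty get-detector` output, one per Region.
SAMPLE_DETECTORS = {
    "eu-west-1": json.dumps({
        "Status": "ENABLED",
        "DataSources": {"S3Logs": {"Status": "ENABLED"}},
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"},
        ],
    }),
    "us-east-1": json.dumps({
        "Status": "ENABLED",
        # Legacy-shaped response: no Features list, S3 data events off.
        "DataSources": {"S3Logs": {"Status": "DISABLED"}},
    }),
    # Detector exists but is switched off entirely.
    "ap-south-1": json.dumps({"Status": "DISABLED"}),
}


def s3_protection_enabled(detector_json: str) -> bool:
    """True only if the detector is enabled AND S3 data events are analysed."""
    det = json.loads(detector_json)
    if det.get("Status") != "ENABLED":
        return False  # a disabled detector analyses nothing, whatever its features say
    # Current API surface: per-feature status list.
    for feature in det.get("Features", []):
        if feature.get("Name") == "S3_DATA_EVENTS":
            return feature.get("Status") == "ENABLED"
    # Older responses expose the same setting under DataSources.S3Logs.
    legacy = det.get("DataSources", {}).get("S3Logs", {})
    return legacy.get("Status") == "ENABLED"


def evaluate_guardduty_10(detectors: dict) -> dict:
    """Map each Region to PASSED/FAILED as this page reads the GuardDuty.10 control."""
    return {
        region: "PASSED" if s3_protection_enabled(body) else "FAILED"
        for region, body in detectors.items()
    }


if __name__ == "__main__":
    for region, verdict in evaluate_guardduty_10(SAMPLE_DETECTORS).items():
        print(f"{region}: GuardDuty.10 {verdict}")
```

In practice, feed it the output of `aws guardduty get-detector` collected per Region by the same loop the remediation script uses; a Region reporting FAILED after the fix usually means the detector was created but the feature update was skipped.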
More GuardDuty controls
- GuardDuty.1 GuardDuty threat detection is not enabled
- GuardDuty.5 GuardDuty EKS audit log monitoring is off
- GuardDuty.11 GuardDuty Runtime Monitoring is off
- GuardDuty.13 GuardDuty runtime monitoring is off for EC2