GuardDuty.11: GuardDuty Runtime Monitoring is off
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub GuardDuty.11 check?
GuardDuty.11 checks whether Runtime Monitoring is enabled on the GuardDuty detector at all. It is the umbrella feature toggle that sits above the per-resource agent controls for EKS (GuardDuty.7), ECS-Fargate (GuardDuty.12), and EC2 (GuardDuty.13).
Why does GuardDuty.11 matter?
With Runtime Monitoring off, GuardDuty sees only the control plane — API calls, network flows, DNS — and nothing inside the workload, so a compromised instance running a cryptominer or a container spawning a reverse shell goes unseen. Because this is the parent switch, leaving it off cascades: the EKS, ECS, and EC2 runtime controls cannot pass while it is disabled, so one off switch becomes several failing findings.
How do I fix GuardDuty.11?
- Enable Runtime Monitoring on the GuardDuty detector.
- Turn on the per-resource agents you need (EC2, ECS-Fargate, EKS).
- Manage it from the delegated administrator so coverage applies org-wide.
- Verify the runtime coverage dashboard shows resources as monitored.
Remediation script · bash
# Enable the GuardDuty base detector in every Region (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
    if [ "$existing" = "None" ]; then
        aws guardduty create-detector --enable \
            --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
        echo "$region: GuardDuty detector created"
    fi
done
# Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA
# Enable Macie (free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES
Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.
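The script above creates the base detector but does not itself flip the Runtime Monitoring feature that GuardDuty.11 checks. The following added example (not Emnode's remediation code) does that step with the AWS CLI and re-reads the detector to verify it. It assumes AWS CLI v2, an existing detector in the Region and permissions for update-detector and get-detector; the DISABLED sample value and the PASS/FAIL labels are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the page's remediation script: flip the parent Runtime Monitoring
# switch on an existing GuardDuty detector and verify it afterwards (GuardDuty.11).
# Assumes AWS CLI v2 and guardduty:UpdateDetector/GetDetector permissions; no jq needed.
set -eu

# JSON for `update-detector --features`: RUNTIME_MONITORING is the umbrella switch;
# the AdditionalConfiguration entries are the per-resource agent managers that
# GuardDuty.7 (EKS), GuardDuty.12 (ECS Fargate) and GuardDuty.13 (EC2) look at.
runtime_monitoring_features() {
  cat <<'EOF'
[{"Name":"RUNTIME_MONITORING","Status":"ENABLED","AdditionalConfiguration":[
  {"Name":"EKS_ADDON_MANAGEMENT","Status":"ENABLED"},
  {"Name":"ECS_FARGATE_AGENT_MANAGEMENT","Status":"ENABLED"},
  {"Name":"EC2_AGENT_MANAGEMENT","Status":"ENABLED"}]}]
EOF
}

# Map the feature status string from get-detector to the control outcome.
# Anything other than ENABLED (DISABLED, an empty value, or "None" when the
# feature entry is absent on an older detector) is a FAIL for GuardDuty.11.
evaluate_runtime_status() {
  case "${1:-}" in
    ENABLED) echo PASS ;;
    *)       echo FAIL ;;
  esac
}

# Enable the feature on the Region's detector, then re-read it so the
# result is verified from the API rather than assumed from a successful call.
enable_runtime_monitoring() {
  local region="$1" detector_id status
  detector_id=$(aws guardduty list-detectors --region "$region" \
                  --query 'DetectorIds[0]' --output text)
  [ "$detector_id" != "None" ] || { echo "$region: no detector, create one first" >&2; return 1; }
  aws guardduty update-detector --region "$region" --detector-id "$detector_id" \
      --features "$(runtime_monitoring_features)"
  status=$(aws guardduty get-detector --region "$region" --detector-id "$detector_id" \
             --query 'Features[?Name==`RUNTIME_MONITORING`].Status | [0]' --output text)
  echo "$region: RUNTIME_MONITORING=$status -> $(evaluate_runtime_status "$status")"
}

# Without --apply, only run the evaluator on a constructed "before" value.
if [ "${1:-}" = "--apply" ]; then
  enable_runtime_monitoring "${2:-us-east-1}"
else
  echo "constructed sample DISABLED -> $(evaluate_runtime_status DISABLED)"
fi
```

Run with `--apply <region>` from the delegated administrator account to change a real detector; the EKS agent still needs the add-on deployed on each cluster before the runtime coverage dashboard shows it as monitored.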
More GuardDuty controls
- GuardDuty.1 GuardDuty threat detection is not enabled
- GuardDuty.5 GuardDuty EKS audit log monitoring is off
- GuardDuty.10 GuardDuty S3 Protection is off
- GuardDuty.13 GuardDuty runtime monitoring is off for EC2