Compliance · High severity

AWS Security Hub · GuardDuty

GuardDuty.13: GuardDuty runtime monitoring is off for EC2

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub GuardDuty.13 check?

GuardDuty.13 fails when EC2 Runtime Monitoring is not enabled. Classic GuardDuty analyses only external signals — VPC Flow Logs, DNS, and CloudTrail; runtime monitoring adds a lightweight eBPF agent (deployed via SSM Distributor) that observes process executions, file accesses, and DNS resolutions on the instance itself.

Why does GuardDuty.13 matter?

Without runtime telemetry GuardDuty has a blind spot for an entire class of attacks: cryptominers running from /tmp, fileless malware injected into a long-running process, and reverse shells riding an existing outbound connection — none of which generate distinctive network flows. Runtime Monitoring surfaces these in-host signals within minutes of the malicious process starting, cutting attacker dwell time from weeks.

How do I fix GuardDuty.13?

  1. Enable Runtime Monitoring on the GuardDuty detector (the parent control, GuardDuty.11).
  2. Turn on EC2 Runtime Monitoring and allow GuardDuty to deploy the agent via SSM Distributor.
  3. Ensure target instances are SSM-managed and can reach the GuardDuty endpoints.
  4. Confirm the runtime coverage status shows the instances as covered.

Remediation script · bash

```bash
# Note: this block enables the base GuardDuty detector plus Inspector and Macie.
# The Runtime Monitoring feature that GuardDuty.13 checks is a separate detector
# setting (steps 1-2 above) and is not switched on by these commands.

# Enable the GuardDuty base detector in every Region (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  # --output text prints "None" when the account has no detector in this Region.
  existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
  if [ "$existing" = "None" ]; then
    aws guardduty create-detector --enable \
      --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
    echo "$region: GuardDuty detector created"
  fi
done

# Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA

# Enable Macie (free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES
```

Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.

Is GuardDuty.13 a false positive?

The agent depends on the instance being SSM-managed with a network path to GuardDuty — instances that aren't enrolled in Systems Manager won't gain coverage even with the feature enabled.
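A check for fix steps 1, 2 and 4 above and for the not-SSM-managed case just described, as an added example that is not part of this page or Emnode's remediation script: it evaluates the JSON returned by `aws guardduty get-detector` and `aws guardduty list-coverage` (field names follow those API responses; the two documents embedded below are constructed samples, not captured output).

```python
import json

# Constructed sample of `aws guardduty get-detector` output (GetDetector field names; values made up).
DETECTOR_JSON = json.dumps({
    "Status": "ENABLED",
    "Features": [
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"}]},
    ],
})

# Constructed sample of `aws guardduty list-coverage` output (ListCoverage field names).
COVERAGE_JSON = json.dumps({
    "Resources": [
        {"ResourceId": "i-0aaa", "CoverageStatus": "HEALTHY",
         "ResourceDetails": {"ResourceType": "EC2"}},
        {"ResourceId": "i-0bbb", "CoverageStatus": "UNHEALTHY", "Issue": "Instance is not SSM managed",
         "ResourceDetails": {"ResourceType": "EC2"}},
        {"ResourceId": "demo-eks-cluster", "CoverageStatus": "HEALTHY",
         "ResourceDetails": {"ResourceType": "EKS"}},
    ],
})

def runtime_monitoring_state(detector: dict) -> dict:
    """Which parts of EC2 Runtime Monitoring are switched on for one detector."""
    feature = next((f for f in detector.get("Features", [])
                    if f.get("Name") == "RUNTIME_MONITORING"), {})
    agent = next((a for a in feature.get("AdditionalConfiguration", [])
                  if a.get("Name") == "EC2_AGENT_MANAGEMENT"), {})
    return {
        "detector_enabled": detector.get("Status") == "ENABLED",
        "runtime_monitoring": feature.get("Status") == "ENABLED",
        "ec2_agent_management": agent.get("Status") == "ENABLED",
    }

def uncovered_ec2(coverage: dict) -> list:
    """EC2 instances not HEALTHY, with GuardDuty's stated reason; EKS/ECS entries are ignored."""
    return [(r["ResourceId"], r.get("Issue", "unknown"))
            for r in coverage.get("Resources", [])
            if r.get("ResourceDetails", {}).get("ResourceType") == "EC2"
            and r.get("CoverageStatus") != "HEALTHY"]

def evaluate(detector_json: str, coverage_json: str) -> dict:
    """GuardDuty.13 verdict (steps 1-2: all three switches on) plus the step-4 coverage check."""
    state = runtime_monitoring_state(json.loads(detector_json))
    state["guardduty13_passes"] = all(state.values())
    state["uncovered_ec2"] = uncovered_ec2(json.loads(coverage_json))
    return state
```

With the sample above the control fails because automated agent management is off, and i-0bbb is reported as uncovered with the SSM reason even though the feature itself is enabled.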
