Confirm that Amazon GuardDuty is enabled for threat detection
Why this matters
Amazon GuardDuty is a key AWS service that monitors your environment for suspicious activity and signs of compromise, such as unusual API calls or potentially unauthorized deployments.
By integrating GuardDuty with AWS Security Hub, you gain a centralized view to:
Detect, prioritize, and respond to security threats faster
Combine findings from other AWS services like Inspector and Macie
Ensure visibility into security issues across accounts and regions
Without GuardDuty enabled, your ability to identify real-time threats in your AWS environment is severely limited.
Best practice: Enable GuardDuty across all accounts and regions and use Security Hub to consolidate and triage findings.
What this check does
This Auto Check confirms whether:
Amazon GuardDuty is activated in the AWS account
Findings are integrated into AWS Security Hub for centralized threat monitoring
The check passes if GuardDuty is enabled and producing findings.
How to fix it
You can enable GuardDuty and Security Hub via the AWS Console or CLI.
From the AWS Console
Go to the AWS Security Hub Console
Click Go to Security Hub
In the Security Standards section, select and enable relevant standards (e.g. AWS Foundational Security Best Practices)
Click Enable Security Hub
GuardDuty will be automatically integrated if it’s already enabled in your account.
If GuardDuty is not yet enabled, you can activate it via the GuardDuty Console.
Using AWS CLI
# Enable Security Hub with default standards
aws securityhub enable-security-hub --enable-default-standards

# Enable GuardDuty (if not already enabled)
aws guardduty create-detector --enable
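Both services are enabled per region, so the commands above only affect the region the CLI is currently configured for. The script below is an added example (not part of the original check) that reports GuardDuty and Security Hub status region by region; the function names are hypothetical and it assumes credentials allowed to call ec2:DescribeRegions, guardduty:ListDetectors, guardduty:GetDetector and securityhub:DescribeHub.

```bash
#!/usr/bin/env bash
# Added example: audit GuardDuty and Security Hub status per region.
# Function names are hypothetical; only standard AWS CLI calls are used.

# Prints "<region> guardduty=<ENABLED|DISABLED|MISSING|ERROR> securityhub=<ENABLED|DISABLED>"
# and returns 0 only when both services are enabled in that region.
guardduty_region_status() {
  local region="$1" detector gd hub
  if ! detector=$(aws guardduty list-detectors --region "$region" \
        --query 'DetectorIds[0]' --output text 2>/dev/null); then
    gd=ERROR              # API call failed (permissions, opt-in region, network)
  elif [ -z "$detector" ] || [ "$detector" = "None" ]; then
    gd=MISSING            # no detector exists in this region
  else
    # A detector can exist but be suspended, so read its Status field.
    gd=$(aws guardduty get-detector --region "$region" \
          --detector-id "$detector" --query 'Status' --output text 2>/dev/null) || gd=ERROR
  fi
  # describe-hub fails when Security Hub is not enabled in the region
  # (or when the caller lacks permission, which is reported the same way here).
  if aws securityhub describe-hub --region "$region" >/dev/null 2>&1; then
    hub=ENABLED
  else
    hub=DISABLED
  fi
  echo "$region guardduty=$gd securityhub=$hub"
  [ "$gd" = "ENABLED" ] && [ "$hub" = "ENABLED" ]
}

# Audits the regions given as arguments, or every region enabled for the
# account when none are given. Returns non-zero if any region has a gap.
guardduty_audit() {
  local region rc=0
  [ "$#" -gt 0 ] || set -- $(aws ec2 describe-regions \
        --query 'Regions[].RegionName' --output text)
  for region in "$@"; do
    guardduty_region_status "$region" || rc=1
  done
  return "$rc"
}

# Usage: guardduty_audit                      (all enabled regions)
#        guardduty_audit us-east-1 eu-west-1  (selected regions)
```

The non-zero exit status from `guardduty_audit` makes it usable as a gate in a scheduled job or pipeline step.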
Exceptions
If your organization uses centralized logging or a delegated administrator model, make sure GuardDuty and Security Hub are enabled at the management account level and findings are aggregated across member accounts.