Amazon GuardDuty new machine learning capabilities that more accurately detect potentially malicious access to data stored in S3 buckets are now available in the Amazon Web Services China Regions

The new Amazon GuardDuty machine learning techniques that are highly effective at detecting anomalous access to data stored in Amazon Simple Storage Service (Amazon S3) buckets are now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. This new capability continuously models S3 data plane API invocations (e.g. GET, PUT, and DELETE) within an account, incorporating probabilistic predictions to more accurately alert on highly suspicious user access to data stored in S3 buckets, such as requests coming from an unusual geo-location, or unusually high volumes of API calls consistent with attempts to exfiltrate data. The new machine learning approach can more accurately identify malicious activity associated with known attack tactics, including data discovery, tampering, and exfiltration. The new threat detections are available for all existing Amazon GuardDuty customers in the Amazon Web Services China Regions that have GuardDuty S3 Protection enabled, with no action required and at no additional costs. If you are not using GuardDuty yet, S3 protection will be on by default when you enable the service. If you are using GuardDuty, and are yet to enable S3 Protection, you can enable this capability organization-wide with one-click in the GuardDuty console or through the API.

This latest enhancement upgrades GuardDuty’s existing CloudTrail S3 data plane-based anomaly threat detections to improve accuracy, and provide contextual data to assist in incident investigation and response. The contextual data produced in these new threat detections are viewable in the GuardDuty console and the finding JSON file pushed out through Amazon EventBridge. With this contextual data, you can more quickly answer questions such as, what was anomalous about the activity? From which locations is the S3 bucket usually accessed? And what is the normal number of API calls the user makes to retrieve objects from the accessed S3 bucket? The five new threat detections added are:

1.     Discovery:S3/AnomalousBehavior

2.     Impact:S3/AnomalousBehavior.Write

3.     Impact:S3/AnomalousBehavior.Delete

4.     Exfiltration:S3/AnomalousBehavior

5.     Impact:S3/AnomalousBehavior.Permission

You can begin your 30-day free trial of Amazon GuardDuty with a single-click in the Amazon Web Services Management Console. To receive programmatic updates on new GuardDuty features and threat detections, subscribe to the Amazon GuardDuty SNS topic.