Features activation in GuardDuty

When you enable Amazon GuardDuty for the first time or enable a protection type within GuardDuty, GuardDuty starts processing the corresponding Foundational data sources within your AWS environment. GuardDuty uses these data sources to process a stream of events, such as VPC flow logs, DNS logs, and AWS CloudTrail event and management logs. It then analyzes these events to identify potential security threats and generates findings in your account.

In addition to log data sources, GuardDuty can use additional data from other AWS services in your AWS environment to monitor and analyze for potential security threats.

Feature activation

When you add additional GuardDuty protections, for example, S3 Protection, Runtime Monitoring, or EKS Protection, you can configure the GuardDuty feature corresponding to the protection type. Historically, GuardDuty protections were called dataSources in the APIs. However, after March 2023, new GuardDuty protection types are now configured as features and not dataSources. GuardDuty still supports configuring protection types launched before March 2023, as dataSources through the API, but new protection types are only available as features.

If you manage GuardDuty configuration and protection types through the console, you are not directly impacted by this change and don't need to take any action. Feature activation affects the behavior of the APIs that are invoked to enable GuardDuty or protection types within GuardDuty. For more information, see GuardDuty API changes.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Concepts and terminology

GuardDuty API changes