Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, and Amazon EBS volume data. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.
GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.
GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the AmazonGuardDuty User Guide .
guardduty(
config = list(),
credentials = list(),
endpoint = NULL,
region = NULL
)A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
Optional configuration of credentials, endpoint, and/or region.
credentials:
creds:
access_key_id: AWS access key ID
secret_access_key: AWS secret access key
session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.
endpoint: The complete URL to use for the constructed client.
region: The AWS Region used in instantiating the client.
close_connection: Immediately close all HTTP connections.
timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.
s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. http://s3.amazonaws.com/BUCKET/KEY.
sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
Optional credentials shorthand for the config parameter
creds:
access_key_id: AWS access key ID
secret_access_key: AWS secret access key
session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.
Optional shorthand for complete URL to use for the constructed client.
Optional shorthand for AWS Region used in instantiating the client.
svc <- guardduty(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_administrator_invitation | Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation |
| accept_invitation | Accepts the invitation to be monitored by a GuardDuty administrator account |
| archive_findings | Archives GuardDuty findings that are specified by the list of finding IDs |
| create_detector | Creates a single Amazon GuardDuty detector |
| create_filter | Creates a filter using the specified finding criteria |
| create_ip_set | Creates a new IPSet, which is called a trusted IP list in the console user interface |
| create_members | Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs |
| create_publishing_destination | Creates a publishing destination to export findings to |
| create_sample_findings | Generates sample findings of types specified by the list of finding types |
| create_threat_intel_set | Creates a new ThreatIntelSet |
| decline_invitations | Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs |
| delete_detector | Deletes an Amazon GuardDuty detector that is specified by the detector ID |
| delete_filter | Deletes the filter specified by the filter name |
| delete_invitations | Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs |
| delete_ip_set | Deletes the IPSet specified by the ipSetId |
| delete_members | Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs |
| delete_publishing_destination | Deletes the publishing definition with the specified destinationId |
| delete_threat_intel_set | Deletes the ThreatIntelSet specified by the ThreatIntelSet ID |
| describe_malware_scans | Returns a list of malware scans |
| describe_organization_configuration | Returns information about the account selected as the delegated administrator for GuardDuty |
| describe_publishing_destination | Returns information about the publishing destination specified by the provided destinationId |
| disable_organization_admin_account | Disables an Amazon Web Services account within the Organization as the GuardDuty delegated administrator |
| disassociate_from_administrator_account | Disassociates the current GuardDuty member account from its administrator account |
| disassociate_from_master_account | Disassociates the current GuardDuty member account from its administrator account |
| disassociate_members | Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs |
| enable_organization_admin_account | Enables an Amazon Web Services account within the organization as the GuardDuty delegated administrator |
| get_administrator_account | Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account |
| get_coverage_statistics | Retrieves aggregated statistics for your account |
| get_detector | Retrieves an Amazon GuardDuty detector specified by the detectorId |
| get_filter | Returns the details of the filter specified by the filter name |
| get_findings | Describes Amazon GuardDuty findings specified by finding IDs |
| get_findings_statistics | Lists Amazon GuardDuty findings statistics for the specified detector ID |
| get_invitations_count | Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation |
| get_ip_set | Retrieves the IPSet specified by the ipSetId |
| get_malware_scan_settings | Returns the details of the malware scan settings |
| get_master_account | Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account |
| get_member_detectors | Describes which data sources are enabled for the member account's detector |
| get_members | Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs |
| get_remaining_free_trial_days | Provides the number of days left for each data source used in the free trial period |
| get_threat_intel_set | Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID |
| get_usage_statistics | Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID |
| invite_members | Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API |
| list_coverage | Lists coverage details for your GuardDuty account |
| list_detectors | Lists detectorIds of all the existing Amazon GuardDuty detector resources |
| list_filters | Returns a paginated list of the current filters |
| list_findings | Lists Amazon GuardDuty findings for the specified detector ID |
| list_invitations | Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account |
| list_ip_sets | Lists the IPSets of the GuardDuty service specified by the detector ID |
| list_members | Lists details about all member accounts for the current GuardDuty administrator account |
| list_organization_admin_accounts | Lists the accounts configured as GuardDuty delegated administrators |
| list_publishing_destinations | Returns a list of publishing destinations associated with the specified detectorId |
| list_tags_for_resource | Lists tags for a resource |
| list_threat_intel_sets | Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID |
| start_malware_scan | Initiates the malware scan |
| start_monitoring_members | Turns on GuardDuty monitoring of the specified member accounts |
| stop_monitoring_members | Stops GuardDuty monitoring for the specified member accounts |
| tag_resource | Adds tags to a resource |
| unarchive_findings | Unarchives GuardDuty findings specified by the findingIds |
| untag_resource | Removes tags from a resource |
| update_detector | Updates the Amazon GuardDuty detector specified by the detectorId |
| update_filter | Updates the filter specified by the filter name |
| update_findings_feedback | Marks the specified GuardDuty findings as useful or not useful |
| update_ip_set | Updates the IPSet specified by the IPSet ID |
| update_malware_scan_settings | Updates the malware scan settings |
| update_member_detectors | Contains information on member accounts to be updated |
| update_organization_configuration | Configures the delegated administrator account with the provided values |
| update_publishing_destination | Updates information about the publishing destination specified by the destinationId |
| update_threat_intel_set | Updates the ThreatIntelSet specified by the ThreatIntelSet ID |
if (FALSE) {
svc <- guardduty()
svc$accept_administrator_invitation(
Foo = 123
)
}
Run the code above in your browser using DataLab