


# Amazon GuardDuty
<a name="AWS_GuardDuty"></a>

**Resource types**
+ [AWS::GuardDuty::Detector](aws-resource-guardduty-detector.md)
+ [AWS::GuardDuty::Filter](aws-resource-guardduty-filter.md)
+ [AWS::GuardDuty::IPSet](aws-resource-guardduty-ipset.md)
+ [AWS::GuardDuty::MalwareProtectionPlan](aws-resource-guardduty-malwareprotectionplan.md)
+ [AWS::GuardDuty::Master](aws-resource-guardduty-master.md)
+ [AWS::GuardDuty::Member](aws-resource-guardduty-member.md)
+ [AWS::GuardDuty::PublishingDestination](aws-resource-guardduty-publishingdestination.md)
+ [AWS::GuardDuty::ThreatEntitySet](aws-resource-guardduty-threatentityset.md)
+ [AWS::GuardDuty::ThreatIntelSet](aws-resource-guardduty-threatintelset.md)
+ [AWS::GuardDuty::TrustedEntitySet](aws-resource-guardduty-trustedentityset.md)

# AWS::GuardDuty::Detector
<a name="aws-resource-guardduty-detector"></a>

The `AWS::GuardDuty::Detector` resource specifies a new GuardDuty detector. A detector is an object that represents the GuardDuty service. A detector is required for GuardDuty to become operational.

Make sure you use either `DataSources` or `Features` in one request, and not both.

## Syntax
<a name="aws-resource-guardduty-detector-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-detector-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::Detector",
  "Properties" : {
      "[DataSources](#cfn-guardduty-detector-datasources)" : CFNDataSourceConfigurations,
      "[Enable](#cfn-guardduty-detector-enable)" : Boolean,
      "[Features](#cfn-guardduty-detector-features)" : [ CFNFeatureConfiguration, ... ],
      "[FindingPublishingFrequency](#cfn-guardduty-detector-findingpublishingfrequency)" : String,
      "[Tags](#cfn-guardduty-detector-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-detector-syntax.yaml"></a>

```
Type: AWS::GuardDuty::Detector
Properties:
  [DataSources](#cfn-guardduty-detector-datasources): 
    CFNDataSourceConfigurations
  [Enable](#cfn-guardduty-detector-enable): Boolean
  [Features](#cfn-guardduty-detector-features): 
    - CFNFeatureConfiguration
  [FindingPublishingFrequency](#cfn-guardduty-detector-findingpublishingfrequency): String
  [Tags](#cfn-guardduty-detector-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-detector-properties"></a>

`DataSources`  <a name="cfn-guardduty-detector-datasources"></a>
Describes which data sources will be enabled for the detector.  
*Required*: No  
*Type*: [CFNDataSourceConfigurations](aws-properties-guardduty-detector-cfndatasourceconfigurations.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Enable`  <a name="cfn-guardduty-detector-enable"></a>
Specifies whether the detector is to be enabled on creation.  
*Required*: Yes  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Features`  <a name="cfn-guardduty-detector-features"></a>
A list of features that will be configured for the detector.  
*Required*: No  
*Type*: Array of [CFNFeatureConfiguration](aws-properties-guardduty-detector-cfnfeatureconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`FindingPublishingFrequency`  <a name="cfn-guardduty-detector-findingpublishingfrequency"></a>
Specifies how frequently updated findings are exported.  
*Required*: No  
*Type*: String  
*Allowed values*: `FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-guardduty-detector-tags"></a>
Specifies tags added to a new detector resource. Each tag consists of a key and an optional value, both of which you define.  
Currently, support is available only for creating and deleting a tag. No support exists for updating the tags.  
For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).   
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-detector-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-detector-return-values"></a>

### Ref
<a name="aws-resource-guardduty-detector-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the detector.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-guardduty-detector-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).


`Id`  <a name="Id-fn::getatt"></a>
The unique ID of the detector.

## Examples
<a name="aws-resource-guardduty-detector--examples"></a>



### Declare a Detector Resource
<a name="aws-resource-guardduty-detector--examples--Declare_a_Detector_Resource"></a>

The following example shows how to declare a GuardDuty `Detector` resource:

#### JSON
<a name="aws-resource-guardduty-detector--examples--Declare_a_Detector_Resource--json"></a>

```
"mydetector": {
    "Type" : "AWS::GuardDuty::Detector",
    "Properties" : {
        "Enable" : true,
        "FindingPublishingFrequency" : "FIFTEEN_MINUTES"
    }
}
```

#### YAML
<a name="aws-resource-guardduty-detector--examples--Declare_a_Detector_Resource--yaml"></a>

```
mydetector:
    Type: AWS::GuardDuty::Detector
    Properties:
        Enable: True
        FindingPublishingFrequency: FIFTEEN_MINUTES
```

# AWS::GuardDuty::Detector CFNDataSourceConfigurations
<a name="aws-properties-guardduty-detector-cfndatasourceconfigurations"></a>

Describes whether S3 data event logs, Kubernetes audit logs, or Malware Protection will be enabled as a data source when the detector is created.

## Syntax
<a name="aws-properties-guardduty-detector-cfndatasourceconfigurations-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfndatasourceconfigurations-syntax.json"></a>

```
{
  "[Kubernetes](#cfn-guardduty-detector-cfndatasourceconfigurations-kubernetes)" : CFNKubernetesConfiguration,
  "[MalwareProtection](#cfn-guardduty-detector-cfndatasourceconfigurations-malwareprotection)" : CFNMalwareProtectionConfiguration,
  "[S3Logs](#cfn-guardduty-detector-cfndatasourceconfigurations-s3logs)" : CFNS3LogsConfiguration
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfndatasourceconfigurations-syntax.yaml"></a>

```
  [Kubernetes](#cfn-guardduty-detector-cfndatasourceconfigurations-kubernetes): 
    CFNKubernetesConfiguration
  [MalwareProtection](#cfn-guardduty-detector-cfndatasourceconfigurations-malwareprotection): 
    CFNMalwareProtectionConfiguration
  [S3Logs](#cfn-guardduty-detector-cfndatasourceconfigurations-s3logs): 
    CFNS3LogsConfiguration
```

## Properties
<a name="aws-properties-guardduty-detector-cfndatasourceconfigurations-properties"></a>

`Kubernetes`  <a name="cfn-guardduty-detector-cfndatasourceconfigurations-kubernetes"></a>
Describes which Kubernetes data sources are enabled for a detector.  
*Required*: No  
*Type*: [CFNKubernetesConfiguration](aws-properties-guardduty-detector-cfnkubernetesconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MalwareProtection`  <a name="cfn-guardduty-detector-cfndatasourceconfigurations-malwareprotection"></a>
Describes whether Malware Protection will be enabled as a data source.  
*Required*: No  
*Type*: [CFNMalwareProtectionConfiguration](aws-properties-guardduty-detector-cfnmalwareprotectionconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`S3Logs`  <a name="cfn-guardduty-detector-cfndatasourceconfigurations-s3logs"></a>
Describes whether S3 data event logs are enabled as a data source.  
*Required*: No  
*Type*: [CFNS3LogsConfiguration](aws-properties-guardduty-detector-cfns3logsconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector CFNFeatureAdditionalConfiguration
<a name="aws-properties-guardduty-detector-cfnfeatureadditionalconfiguration"></a>

Information about the additional configuration of a feature in your account.

## Syntax
<a name="aws-properties-guardduty-detector-cfnfeatureadditionalconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfnfeatureadditionalconfiguration-syntax.json"></a>

```
{
  "[Name](#cfn-guardduty-detector-cfnfeatureadditionalconfiguration-name)" : String,
  "[Status](#cfn-guardduty-detector-cfnfeatureadditionalconfiguration-status)" : String
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfnfeatureadditionalconfiguration-syntax.yaml"></a>

```
  [Name](#cfn-guardduty-detector-cfnfeatureadditionalconfiguration-name): String
  [Status](#cfn-guardduty-detector-cfnfeatureadditionalconfiguration-status): String
```

## Properties
<a name="aws-properties-guardduty-detector-cfnfeatureadditionalconfiguration-properties"></a>

`Name`  <a name="cfn-guardduty-detector-cfnfeatureadditionalconfiguration-name"></a>
Name of the additional configuration.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Status`  <a name="cfn-guardduty-detector-cfnfeatureadditionalconfiguration-status"></a>
Status of the additional configuration.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector CFNFeatureConfiguration
<a name="aws-properties-guardduty-detector-cfnfeatureconfiguration"></a>

Information about the configuration of a feature in your account.

## Syntax
<a name="aws-properties-guardduty-detector-cfnfeatureconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfnfeatureconfiguration-syntax.json"></a>

```
{
  "[AdditionalConfiguration](#cfn-guardduty-detector-cfnfeatureconfiguration-additionalconfiguration)" : [ CFNFeatureAdditionalConfiguration, ... ],
  "[Name](#cfn-guardduty-detector-cfnfeatureconfiguration-name)" : String,
  "[Status](#cfn-guardduty-detector-cfnfeatureconfiguration-status)" : String
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfnfeatureconfiguration-syntax.yaml"></a>

```
  [AdditionalConfiguration](#cfn-guardduty-detector-cfnfeatureconfiguration-additionalconfiguration): 
    - CFNFeatureAdditionalConfiguration
  [Name](#cfn-guardduty-detector-cfnfeatureconfiguration-name): String
  [Status](#cfn-guardduty-detector-cfnfeatureconfiguration-status): String
```

## Properties
<a name="aws-properties-guardduty-detector-cfnfeatureconfiguration-properties"></a>

`AdditionalConfiguration`  <a name="cfn-guardduty-detector-cfnfeatureconfiguration-additionalconfiguration"></a>
Information about the additional configuration of a feature in your account.  
*Required*: No  
*Type*: Array of [CFNFeatureAdditionalConfiguration](aws-properties-guardduty-detector-cfnfeatureadditionalconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-guardduty-detector-cfnfeatureconfiguration-name"></a>
Name of the feature. For a list of allowed values, see [DetectorFeatureConfiguration](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DetectorFeatureConfiguration.html#guardduty-Type-DetectorFeatureConfiguration-name) in the *GuardDuty API Reference*.  
*Required*: Yes  
*Type*: String  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Status`  <a name="cfn-guardduty-detector-cfnfeatureconfiguration-status"></a>
Status of the feature configuration.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `ENABLED | DISABLED`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector CFNKubernetesAuditLogsConfiguration
<a name="aws-properties-guardduty-detector-cfnkubernetesauditlogsconfiguration"></a>

Describes which optional data sources are enabled for a detector.

## Syntax
<a name="aws-properties-guardduty-detector-cfnkubernetesauditlogsconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfnkubernetesauditlogsconfiguration-syntax.json"></a>

```
{
  "[Enable](#cfn-guardduty-detector-cfnkubernetesauditlogsconfiguration-enable)" : Boolean
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfnkubernetesauditlogsconfiguration-syntax.yaml"></a>

```
  [Enable](#cfn-guardduty-detector-cfnkubernetesauditlogsconfiguration-enable): Boolean
```

## Properties
<a name="aws-properties-guardduty-detector-cfnkubernetesauditlogsconfiguration-properties"></a>

`Enable`  <a name="cfn-guardduty-detector-cfnkubernetesauditlogsconfiguration-enable"></a>
Describes whether Kubernetes audit logs are enabled as a data source for the detector.  
*Required*: Yes  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector CFNKubernetesConfiguration
<a name="aws-properties-guardduty-detector-cfnkubernetesconfiguration"></a>

Describes which Kubernetes protection data sources are enabled for the detector.

## Syntax
<a name="aws-properties-guardduty-detector-cfnkubernetesconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfnkubernetesconfiguration-syntax.json"></a>

```
{
  "[AuditLogs](#cfn-guardduty-detector-cfnkubernetesconfiguration-auditlogs)" : CFNKubernetesAuditLogsConfiguration
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfnkubernetesconfiguration-syntax.yaml"></a>

```
  [AuditLogs](#cfn-guardduty-detector-cfnkubernetesconfiguration-auditlogs): 
    CFNKubernetesAuditLogsConfiguration
```

## Properties
<a name="aws-properties-guardduty-detector-cfnkubernetesconfiguration-properties"></a>

`AuditLogs`  <a name="cfn-guardduty-detector-cfnkubernetesconfiguration-auditlogs"></a>
Describes whether Kubernetes audit logs are enabled as a data source for the detector.  
*Required*: Yes  
*Type*: [CFNKubernetesAuditLogsConfiguration](aws-properties-guardduty-detector-cfnkubernetesauditlogsconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector CFNMalwareProtectionConfiguration
<a name="aws-properties-guardduty-detector-cfnmalwareprotectionconfiguration"></a>

Describes whether Malware Protection will be enabled as a data source.

## Syntax
<a name="aws-properties-guardduty-detector-cfnmalwareprotectionconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfnmalwareprotectionconfiguration-syntax.json"></a>

```
{
  "[ScanEc2InstanceWithFindings](#cfn-guardduty-detector-cfnmalwareprotectionconfiguration-scanec2instancewithfindings)" : CFNScanEc2InstanceWithFindingsConfiguration
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfnmalwareprotectionconfiguration-syntax.yaml"></a>

```
  [ScanEc2InstanceWithFindings](#cfn-guardduty-detector-cfnmalwareprotectionconfiguration-scanec2instancewithfindings): 
    CFNScanEc2InstanceWithFindingsConfiguration
```

## Properties
<a name="aws-properties-guardduty-detector-cfnmalwareprotectionconfiguration-properties"></a>

`ScanEc2InstanceWithFindings`  <a name="cfn-guardduty-detector-cfnmalwareprotectionconfiguration-scanec2instancewithfindings"></a>
Describes the configuration of Malware Protection for EC2 instances with findings.  
*Required*: No  
*Type*: [CFNScanEc2InstanceWithFindingsConfiguration](aws-properties-guardduty-detector-cfnscanec2instancewithfindingsconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector CFNS3LogsConfiguration
<a name="aws-properties-guardduty-detector-cfns3logsconfiguration"></a>

Describes whether S3 data event logs will be enabled as a data source when the detector is created.

## Syntax
<a name="aws-properties-guardduty-detector-cfns3logsconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfns3logsconfiguration-syntax.json"></a>

```
{
  "[Enable](#cfn-guardduty-detector-cfns3logsconfiguration-enable)" : Boolean
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfns3logsconfiguration-syntax.yaml"></a>

```
  [Enable](#cfn-guardduty-detector-cfns3logsconfiguration-enable): Boolean
```

## Properties
<a name="aws-properties-guardduty-detector-cfns3logsconfiguration-properties"></a>

`Enable`  <a name="cfn-guardduty-detector-cfns3logsconfiguration-enable"></a>
The status of S3 data event logs as a data source.  
*Required*: Yes  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector CFNScanEc2InstanceWithFindingsConfiguration
<a name="aws-properties-guardduty-detector-cfnscanec2instancewithfindingsconfiguration"></a>

Describes whether Malware Protection for EC2 instances with findings will be enabled as a data source.

## Syntax
<a name="aws-properties-guardduty-detector-cfnscanec2instancewithfindingsconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-cfnscanec2instancewithfindingsconfiguration-syntax.json"></a>

```
{
  "[EbsVolumes](#cfn-guardduty-detector-cfnscanec2instancewithfindingsconfiguration-ebsvolumes)" : Boolean
}
```

### YAML
<a name="aws-properties-guardduty-detector-cfnscanec2instancewithfindingsconfiguration-syntax.yaml"></a>

```
  [EbsVolumes](#cfn-guardduty-detector-cfnscanec2instancewithfindingsconfiguration-ebsvolumes): Boolean
```

## Properties
<a name="aws-properties-guardduty-detector-cfnscanec2instancewithfindingsconfiguration-properties"></a>

`EbsVolumes`  <a name="cfn-guardduty-detector-cfnscanec2instancewithfindingsconfiguration-ebsvolumes"></a>
Describes the configuration for scanning EBS volumes as data source.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Detector TagItem
<a name="aws-properties-guardduty-detector-tagitem"></a>

Describes a tag.

## Syntax
<a name="aws-properties-guardduty-detector-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-detector-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-detector-tagitem-key)" : String,
  "[Value](#cfn-guardduty-detector-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-detector-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-detector-tagitem-key): String
  [Value](#cfn-guardduty-detector-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-detector-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-detector-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-detector-tagitem-value"></a>
The tag value.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Filter
<a name="aws-resource-guardduty-filter"></a>

The `AWS::GuardDuty::Filter` resource specifies a new filter defined by the provided `findingCriteria`.

## Syntax
<a name="aws-resource-guardduty-filter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-filter-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::Filter",
  "Properties" : {
      "[Action](#cfn-guardduty-filter-action)" : String,
      "[Description](#cfn-guardduty-filter-description)" : String,
      "[DetectorId](#cfn-guardduty-filter-detectorid)" : String,
      "[FindingCriteria](#cfn-guardduty-filter-findingcriteria)" : FindingCriteria,
      "[Name](#cfn-guardduty-filter-name)" : String,
      "[Rank](#cfn-guardduty-filter-rank)" : Integer,
      "[Tags](#cfn-guardduty-filter-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-filter-syntax.yaml"></a>

```
Type: AWS::GuardDuty::Filter
Properties:
  [Action](#cfn-guardduty-filter-action): String
  [Description](#cfn-guardduty-filter-description): String
  [DetectorId](#cfn-guardduty-filter-detectorid): String
  [FindingCriteria](#cfn-guardduty-filter-findingcriteria): 
    FindingCriteria
  [Name](#cfn-guardduty-filter-name): String
  [Rank](#cfn-guardduty-filter-rank): Integer
  [Tags](#cfn-guardduty-filter-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-filter-properties"></a>

`Action`  <a name="cfn-guardduty-filter-action"></a>
Specifies the action that is to be applied to the findings that match the filter.  
*Required*: No  
*Type*: String  
*Allowed values*: `NOOP | ARCHIVE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-guardduty-filter-description"></a>
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (`{ }`, `[ ]`, and `( )`), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DetectorId`  <a name="cfn-guardduty-filter-detectorid"></a>
The detector ID associated with the GuardDuty account for which you want to create a filter.  
To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`FindingCriteria`  <a name="cfn-guardduty-filter-findingcriteria"></a>
Represents the criteria to be used in the filter for querying findings.  
*Required*: Yes  
*Type*: [FindingCriteria](aws-properties-guardduty-filter-findingcriteria.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-guardduty-filter-name"></a>
The name of the filter. Valid characters include period (.), underscore (\_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Rank`  <a name="cfn-guardduty-filter-rank"></a>
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings. The minimum value for this property is 1 and the maximum is 100.  
By default, filters may not be created in the same order as they are ranked. To ensure that the filters are created in the expected order, you can use an optional attribute, [DependsOn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html), with the following syntax: `"DependsOn":[ "ObjectName" ]`.   
*Required*: No  
*Type*: Integer  
*Minimum*: `1`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-guardduty-filter-tags"></a>
The tags to be added to a new filter resource. Each tag consists of a key and an optional value, both of which you define.  
For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).  
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-filter-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-filter-return-values"></a>

### Ref
<a name="aws-resource-guardduty-filter-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the name of the filter, such as `SampleFilter`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-guardduty-filter--examples"></a>



### Declare a Filter Resource
<a name="aws-resource-guardduty-filter--examples--Declare_a_Filter_Resource"></a>

The following example shows how to declare a GuardDuty `Filter` resource:

#### JSON
<a name="aws-resource-guardduty-filter--examples--Declare_a_Filter_Resource--json"></a>

```
{
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
        "Action": "ARCHIVE",
        "Description": "SampleFilter",
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
        "FindingCriteria": {
            "Criterion": {
                "updatedAt": {
                    "Gte": 0
                },
                "severity": {
                    "Gte": 0
                }
            }
        },
        "Rank": 1,
        "Name": "SampleFilter"
    }
}
```

#### YAML
<a name="aws-resource-guardduty-filter--examples--Declare_a_Filter_Resource--yaml"></a>

```
Type: "AWS::GuardDuty::Filter"
Properties:
    Action: "ARCHIVE"
    Description: "SampleFilter"
    DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
    FindingCriteria:
        Criterion:
            "updatedAt":
                Gte: 0
            "severity":
                Gte: 0
    Rank: 1
    Name: "SampleFilter"
```
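
An added example, not part of the AWS reference: a small Python linter over a parsed JSON template that checks the constraints stated on this page (`DataSources` and `Features` not both set on a detector, filter `Name` characters, `Rank` range, `DependsOn` ordering between ranked filters) and flags an `ARCHIVE` filter whose criteria are only lower bounds at or below zero, as in the sample above, because such a filter archives every finding. The template, logical IDs and rule names are constructed for illustration, and the catch-all test assumes the filtered fields are never negative.

```python
import json
import re

# Constructed sample template (not from the reference page): the detector sets
# both DataSources and Features, the first filter archives every finding, and
# the second filter has a space in its name and no DependsOn on the first.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "Detector": {
    "Type": "AWS::GuardDuty::Detector",
    "Properties": {
      "Enable": true,
      "DataSources": {"S3Logs": {"Enable": true}},
      "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]}},
  "ArchiveEverything": {
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
      "Action": "ARCHIVE", "Name": "SampleFilter", "Rank": 1,
      "DetectorId": {"Ref": "Detector"},
      "FindingCriteria": {"Criterion": {
        "updatedAt": {"Gte": 0}, "severity": {"Gte": 0}}}}},
  "ArchiveLowSeverity": {
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
      "Action": "ARCHIVE", "Name": "low severity", "Rank": 2,
      "DetectorId": {"Ref": "Detector"},
      "FindingCriteria": {"Criterion": {"severity": {"Lt": 4}}}}}
}}
""")

# Filter names: period, underscore, dash and alphanumerics, 1 to 64 characters.
FILTER_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Largest operand for which a lower-bound operator still matches every
# non-negative value (assumption: filtered fields are never negative).
LOWER_BOUNDS = {"Gte": 0, "GreaterThanOrEqual": 0, "Gt": -1, "GreaterThan": -1}


def matches_everything(criterion):
    """True when no condition in the criterion can exclude a finding."""
    for condition in criterion.values():
        for operator, value in condition.items():
            limit = LOWER_BOUNDS.get(operator)
            if limit is None or not isinstance(value, int) or value > limit:
                return False
    return True


def lint_guardduty(template):
    """Return sorted (logical_id, rule) pairs for GuardDuty resources."""
    findings = []
    ranked = {}  # detector reference -> [(rank, logical_id, resource)]
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") == "AWS::GuardDuty::Detector":
            if props.get("Enable") is not True:
                findings.append((logical_id, "detector-not-enabled"))
            if "DataSources" in props and "Features" in props:
                findings.append((logical_id, "datasources-and-features"))
        elif resource.get("Type") == "AWS::GuardDuty::Filter":
            name = props.get("Name")
            # Only literal names are checked; intrinsic functions are skipped.
            if isinstance(name, str) and not FILTER_NAME_RE.fullmatch(name):
                findings.append((logical_id, "invalid-filter-name"))
            rank = props.get("Rank")
            if isinstance(rank, int):
                if not 1 <= rank <= 100:
                    findings.append((logical_id, "rank-out-of-range"))
                key = json.dumps(props.get("DetectorId"), sort_keys=True)
                ranked.setdefault(key, []).append((rank, logical_id, resource))
            criterion = props.get("FindingCriteria", {}).get("Criterion", {})
            if props.get("Action") == "ARCHIVE" and matches_everything(criterion):
                findings.append((logical_id, "archive-matches-all-findings"))
    # Filters on one detector should be created in rank order: each filter
    # is expected to name its immediate predecessor in DependsOn.
    for filters in ranked.values():
        filters.sort(key=lambda item: (item[0], item[1]))
        for (_, previous_id, _), (_, logical_id, resource) in zip(filters, filters[1:]):
            depends_on = resource.get("DependsOn", [])
            if isinstance(depends_on, str):
                depends_on = [depends_on]
            if previous_id not in depends_on:
                findings.append((logical_id, "rank-order-without-dependson"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, rule in lint_guardduty(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {rule}")
```
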

# AWS::GuardDuty::Filter Condition
<a name="aws-properties-guardduty-filter-condition"></a>

Specifies the condition to apply to a single field when filtering through GuardDuty findings.

## Syntax
<a name="aws-properties-guardduty-filter-condition-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-filter-condition-syntax.json"></a>

```
{
  "[Eq](#cfn-guardduty-filter-condition-eq)" : [ String, ... ],
  "[Equals](#cfn-guardduty-filter-condition-equals)" : [ String, ... ],
  "[GreaterThan](#cfn-guardduty-filter-condition-greaterthan)" : Integer,
  "[GreaterThanOrEqual](#cfn-guardduty-filter-condition-greaterthanorequal)" : Integer,
  "[Gt](#cfn-guardduty-filter-condition-gt)" : Integer,
  "[Gte](#cfn-guardduty-filter-condition-gte)" : Integer,
  "[LessThan](#cfn-guardduty-filter-condition-lessthan)" : Integer,
  "[LessThanOrEqual](#cfn-guardduty-filter-condition-lessthanorequal)" : Integer,
  "[Lt](#cfn-guardduty-filter-condition-lt)" : Integer,
  "[Lte](#cfn-guardduty-filter-condition-lte)" : Integer,
  "[Neq](#cfn-guardduty-filter-condition-neq)" : [ String, ... ],
  "[NotEquals](#cfn-guardduty-filter-condition-notequals)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-guardduty-filter-condition-syntax.yaml"></a>

```
  [Eq](#cfn-guardduty-filter-condition-eq): 
    - String
  [Equals](#cfn-guardduty-filter-condition-equals): 
    - String
  [GreaterThan](#cfn-guardduty-filter-condition-greaterthan): Integer
  [GreaterThanOrEqual](#cfn-guardduty-filter-condition-greaterthanorequal): Integer
  [Gt](#cfn-guardduty-filter-condition-gt): Integer
  [Gte](#cfn-guardduty-filter-condition-gte): Integer
  [LessThan](#cfn-guardduty-filter-condition-lessthan): Integer
  [LessThanOrEqual](#cfn-guardduty-filter-condition-lessthanorequal): Integer
  [Lt](#cfn-guardduty-filter-condition-lt): Integer
  [Lte](#cfn-guardduty-filter-condition-lte): Integer
  [Neq](#cfn-guardduty-filter-condition-neq): 
    - String
  [NotEquals](#cfn-guardduty-filter-condition-notequals): 
    - String
```

## Properties
<a name="aws-properties-guardduty-filter-condition-properties"></a>

`Eq`  <a name="cfn-guardduty-filter-condition-eq"></a>
Represents the equal condition to apply to a single field when querying for findings.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Equals`  <a name="cfn-guardduty-filter-condition-equals"></a>
Represents an *equal* condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GreaterThan`  <a name="cfn-guardduty-filter-condition-greaterthan"></a>
Represents a *greater than* condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GreaterThanOrEqual`  <a name="cfn-guardduty-filter-condition-greaterthanorequal"></a>
Represents a *greater than or equal* condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Gt`  <a name="cfn-guardduty-filter-condition-gt"></a>
Represents a *greater than* condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Gte`  <a name="cfn-guardduty-filter-condition-gte"></a>
Represents the greater than or equal condition to apply to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LessThan`  <a name="cfn-guardduty-filter-condition-lessthan"></a>
Represents a *less than* condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LessThanOrEqual`  <a name="cfn-guardduty-filter-condition-lessthanorequal"></a>
Represents a *less than or equal* condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Lt`  <a name="cfn-guardduty-filter-condition-lt"></a>
Represents the less than condition to apply to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Lte`  <a name="cfn-guardduty-filter-condition-lte"></a>
Represents the less than or equal condition to apply to a single field when querying for findings.  
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Neq`  <a name="cfn-guardduty-filter-condition-neq"></a>
Represents the not equal condition to apply to a single field when querying for findings.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NotEquals`  <a name="cfn-guardduty-filter-condition-notequals"></a>
Represents a *not equal* condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Filter FindingCriteria
<a name="aws-properties-guardduty-filter-findingcriteria"></a>

Represents a map of finding properties that match specified conditions and values when querying findings.

## Syntax
<a name="aws-properties-guardduty-filter-findingcriteria-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-filter-findingcriteria-syntax.json"></a>

```
{
  "[Criterion](#cfn-guardduty-filter-findingcriteria-criterion)" : {Key: Value, ...}
}
```

### YAML
<a name="aws-properties-guardduty-filter-findingcriteria-syntax.yaml"></a>

```
  [Criterion](#cfn-guardduty-filter-findingcriteria-criterion): 
    Key: Value
```

## Properties
<a name="aws-properties-guardduty-filter-findingcriteria-properties"></a>

`Criterion`  <a name="cfn-guardduty-filter-findingcriteria-criterion"></a>
Represents a map of finding properties that match specified conditions and values when querying findings.  
For information about how each JSON criterion maps to its console equivalent, see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria). The following criteria are available:  
+ accountId
+ id
+ region
+ severity

  To filter on the basis of severity, the API and AWS CLI use the following input list for the `FindingCriteria` condition:
  + **Low**: `["1", "2", "3"]`
  + **Medium**: `["4", "5", "6"]`
  + **High**: `["7", "8", "9"]`

  For more information, see [Severity levels for GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity) in the *Amazon GuardDuty User Guide*.
+ type
+ updatedAt

  Type: ISO 8601 string format: `YYYY-MM-DDTHH:MM:SS.SSSZ` or `YYYY-MM-DDTHH:MM:SSZ` depending on whether the value contains milliseconds.
+ resource.accessKeyDetails.accessKeyId
+ resource.accessKeyDetails.principalId
+ resource.accessKeyDetails.userName
+ resource.accessKeyDetails.userType
+ resource.instanceDetails.iamInstanceProfile.id
+ resource.instanceDetails.imageId
+ resource.instanceDetails.instanceId
+ resource.instanceDetails.tags.key
+ resource.instanceDetails.tags.value
+ resource.instanceDetails.networkInterfaces.ipv6Addresses
+ resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
+ resource.instanceDetails.networkInterfaces.publicDnsName
+ resource.instanceDetails.networkInterfaces.publicIp
+ resource.instanceDetails.networkInterfaces.securityGroups.groupId
+ resource.instanceDetails.networkInterfaces.securityGroups.groupName
+ resource.instanceDetails.networkInterfaces.subnetId
+ resource.instanceDetails.networkInterfaces.vpcId
+ resource.instanceDetails.outpostArn
+ resource.resourceType
+ resource.s3BucketDetails.publicAccess.effectivePermissions
+ resource.s3BucketDetails.name
+ resource.s3BucketDetails.tags.key
+ resource.s3BucketDetails.tags.value
+ resource.s3BucketDetails.type
+ service.action.actionType
+ service.action.awsApiCallAction.api
+ service.action.awsApiCallAction.callerType
+ service.action.awsApiCallAction.errorCode
+ service.action.awsApiCallAction.remoteIpDetails.city.cityName
+ service.action.awsApiCallAction.remoteIpDetails.country.countryName
+ service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
+ service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
+ service.action.awsApiCallAction.remoteIpDetails.organization.asn
+ service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
+ service.action.awsApiCallAction.serviceName
+ service.action.dnsRequestAction.domain
+ service.action.dnsRequestAction.domainWithSuffix
+ service.action.networkConnectionAction.blocked
+ service.action.networkConnectionAction.connectionDirection
+ service.action.networkConnectionAction.localPortDetails.port
+ service.action.networkConnectionAction.protocol
+ service.action.networkConnectionAction.remoteIpDetails.city.cityName
+ service.action.networkConnectionAction.remoteIpDetails.country.countryName
+ service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
+ service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
+ service.action.networkConnectionAction.remoteIpDetails.organization.asn
+ service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
+ service.action.networkConnectionAction.remotePortDetails.port
+ service.action.awsApiCallAction.remoteAccountDetails.affiliated
+ service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
+ service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
+ service.action.kubernetesApiCallAction.namespace
+ service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
+ service.action.kubernetesApiCallAction.requestUri
+ service.action.kubernetesApiCallAction.statusCode
+ service.action.networkConnectionAction.localIpDetails.ipAddressV4
+ service.action.networkConnectionAction.localIpDetails.ipAddressV6
+ service.action.awsApiCallAction.remoteAccountDetails.accountId
+ service.additionalInfo.threatListName
+ service.resourceRole
+ resource.eksClusterDetails.name
+ resource.kubernetesDetails.kubernetesWorkloadDetails.name
+ resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
+ resource.kubernetesDetails.kubernetesUserDetails.username
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
+ service.ebsVolumeScanDetails.scanId
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
+ service.malwareScanDetails.threats.name
+ resource.ecsClusterDetails.name
+ resource.ecsClusterDetails.taskDetails.containers.image
+ resource.ecsClusterDetails.taskDetails.definitionArn
+ resource.containerDetails.image
+ resource.rdsDbInstanceDetails.dbInstanceIdentifier
+ resource.rdsDbInstanceDetails.dbClusterIdentifier
+ resource.rdsDbInstanceDetails.engine
+ resource.rdsDbUserDetails.user
+ resource.rdsDbInstanceDetails.tags.key
+ resource.rdsDbInstanceDetails.tags.value
+ service.runtimeDetails.process.executableSha256
+ service.runtimeDetails.process.name
+ resource.lambdaDetails.functionName
+ resource.lambdaDetails.functionArn
+ resource.lambdaDetails.tags.key
+ resource.lambdaDetails.tags.value

*Required*: No  
*Type*: Object of [Condition](aws-properties-guardduty-filter-condition.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
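
The following added example (not part of the AWS reference) audits `AWS::GuardDuty::Filter` resources in a parsed template: it type-checks each `Condition` operator against the property list above and reports filters whose `Action` is `ARCHIVE` while their `severity` condition still matches the High input list. The template, resource names and VPC ID are constructed, and evaluating the operators by the plain meaning of their names over levels 1 to 9 is an assumption of the example.

```python
import json

# Operator names and value types, taken from the Condition properties above.
LIST_OPS = {"Eq", "Equals", "Neq", "NotEquals"}              # Array of String
INT_OPS = {"Gt", "GreaterThan", "Gte", "GreaterThanOrEqual",
           "Lt", "LessThan", "Lte", "LessThanOrEqual"}       # Integer
# Severity input lists, taken from the FindingCriteria section above.
SEVERITY = {"Low": ["1", "2", "3"], "Medium": ["4", "5", "6"], "High": ["7", "8", "9"]}

# Constructed sample template; resource names and the VPC ID are made up.
TEMPLATE = json.loads("""
{"Resources": {
  "ArchivePortProbes": {
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
      "Name": "archive-port-probes", "Action": "ARCHIVE", "Rank": 1,
      "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
      "FindingCriteria": {"Criterion": {
        "severity": {"Equals": ["1", "2", "3"]},
        "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]}}}}},
  "ArchiveDevVpc": {
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
      "Name": "archive-dev-vpc", "Action": "ARCHIVE", "Rank": 2,
      "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
      "FindingCriteria": {"Criterion": {
        "severity": {"Gte": 4},
        "resource.instanceDetails.networkInterfaces.vpcId": {"Equals": ["vpc-0example"]}}}}},
  "TagMediumFindings": {
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
      "Name": "tag-medium", "Action": "NOOP", "Rank": 3,
      "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
      "FindingCriteria": {"Criterion": {"severity": {"Gte": "4"}}}}}
}}
""")


def check_condition(field, condition):
    """Return type errors for one Condition object."""
    issues = []
    for op, value in condition.items():
        if op in LIST_OPS:
            if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
                issues.append(f"{field}.{op}: expected array of strings")
        elif op in INT_OPS:
            # bool is a subclass of int in Python, so reject it explicitly.
            if isinstance(value, bool) or not isinstance(value, int):
                issues.append(f"{field}.{op}: expected integer")
        else:
            issues.append(f"{field}.{op}: unknown operator")
    return issues


def matches(condition, level):
    """Evaluate a type-checked Condition against an integer severity level."""
    text = str(level)
    tests = {
        "Eq": lambda v: text in v,          "Equals": lambda v: text in v,
        "Neq": lambda v: text not in v,     "NotEquals": lambda v: text not in v,
        "Gt": lambda v: level > v,          "GreaterThan": lambda v: level > v,
        "Gte": lambda v: level >= v,        "GreaterThanOrEqual": lambda v: level >= v,
        "Lt": lambda v: level < v,          "LessThan": lambda v: level < v,
        "Lte": lambda v: level <= v,        "LessThanOrEqual": lambda v: level <= v,
    }
    # An empty condition (no severity criterion at all) matches every level.
    return all(tests[op](value) for op, value in condition.items())


def audit_filter(name, resource):
    """Return issues for one AWS::GuardDuty::Filter resource."""
    props = resource.get("Properties", {})
    criterion = props.get("FindingCriteria", {}).get("Criterion", {})
    issues = []
    for field, condition in criterion.items():
        issues += check_condition(field, condition)
    # Only evaluate severity once the operator types are known to be valid.
    if props.get("Action") == "ARCHIVE" and not issues:
        severity = criterion.get("severity", {})
        hidden = [lvl for lvl in SEVERITY["High"] if matches(severity, int(lvl))]
        if hidden:
            issues.append(f"ARCHIVE filter also matches High severity levels {hidden}")
    return [f"{name}: {issue}" for issue in issues]


def audit_template(template):
    """Audit every GuardDuty filter in a parsed CloudFormation template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::GuardDuty::Filter":
            findings += audit_filter(name, resource)
    return findings


if __name__ == "__main__":
    for line in audit_template(TEMPLATE):
        print(line)
```
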

# AWS::GuardDuty::Filter TagItem
<a name="aws-properties-guardduty-filter-tagitem"></a>

Describes a tag.

## Syntax
<a name="aws-properties-guardduty-filter-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-filter-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-filter-tagitem-key)" : String,
  "[Value](#cfn-guardduty-filter-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-filter-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-filter-tagitem-key): String
  [Value](#cfn-guardduty-filter-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-filter-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-filter-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-filter-tagitem-value"></a>
The tag value.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::IPSet
<a name="aws-resource-guardduty-ipset"></a>

The `AWS::GuardDuty::IPSet` resource helps you create a list of trusted IP addresses that you can use for secure communication with AWS infrastructure and applications. Once you activate this list, GuardDuty will not generate findings when there is an activity associated with these safe IP addresses.

Only the users of the GuardDuty administrator account can manage this list. These settings are also applied to the member accounts.

## Syntax
<a name="aws-resource-guardduty-ipset-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-ipset-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::IPSet",
  "Properties" : {
      "[Activate](#cfn-guardduty-ipset-activate)" : Boolean,
      "[DetectorId](#cfn-guardduty-ipset-detectorid)" : String,
      "[ExpectedBucketOwner](#cfn-guardduty-ipset-expectedbucketowner)" : String,
      "[Format](#cfn-guardduty-ipset-format)" : String,
      "[Location](#cfn-guardduty-ipset-location)" : String,
      "[Name](#cfn-guardduty-ipset-name)" : String,
      "[Tags](#cfn-guardduty-ipset-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-ipset-syntax.yaml"></a>

```
Type: AWS::GuardDuty::IPSet
Properties:
  [Activate](#cfn-guardduty-ipset-activate): Boolean
  [DetectorId](#cfn-guardduty-ipset-detectorid): String
  [ExpectedBucketOwner](#cfn-guardduty-ipset-expectedbucketowner): String
  [Format](#cfn-guardduty-ipset-format): String
  [Location](#cfn-guardduty-ipset-location): String
  [Name](#cfn-guardduty-ipset-name): String
  [Tags](#cfn-guardduty-ipset-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-ipset-properties"></a>

`Activate`  <a name="cfn-guardduty-ipset-activate"></a>
A boolean value that determines if GuardDuty can start using this list for custom threat detection. For GuardDuty to prevent generating findings based on an activity associated with these entries, this list must be active.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DetectorId`  <a name="cfn-guardduty-ipset-detectorid"></a>
The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.  
To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ExpectedBucketOwner`  <a name="cfn-guardduty-ipset-expectedbucketowner"></a>
The AWS account ID that owns the Amazon S3 bucket specified in the *Location* field.   
When you provide this account ID, GuardDuty will validate that the S3 bucket belongs to this account. If you don't specify an account ID owner, GuardDuty doesn't perform any validation.  
*Required*: No  
*Type*: String  
*Minimum*: `12`  
*Maximum*: `12`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Format`  <a name="cfn-guardduty-ipset-format"></a>
The format of the file that contains the IPSet. For information about supported formats, see [List formats](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#prepare_list) in the *Amazon GuardDuty User Guide*.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `TXT | STIX | OTX_CSV | ALIEN_VAULT | PROOF_POINT | FIRE_EYE`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Location`  <a name="cfn-guardduty-ipset-location"></a>
The URI of the file that contains the IPSet.   
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-guardduty-ipset-name"></a>
The user-friendly name to identify the IPSet.  
The name of your list must be unique within an AWS account and Region. Valid characters are alphanumeric, whitespace, dash (-), and underscores (_).  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-guardduty-ipset-tags"></a>
The tags to be added to a new threat entity set resource. Each tag consists of a key and an optional value, both of which you define.  
For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).   
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-ipset-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-ipset-return-values"></a>

### Ref
<a name="aws-resource-guardduty-ipset-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the `IPSet`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-guardduty-ipset-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

## Examples
<a name="aws-resource-guardduty-ipset--examples"></a>



### Declare an IPSet Resource
<a name="aws-resource-guardduty-ipset--examples--Declare_an_IPSet_Resource"></a>

The following example shows how to declare a GuardDuty `IPSet` resource:

#### JSON
<a name="aws-resource-guardduty-ipset--examples--Declare_an_IPSet_Resource--json"></a>

```
"myipset": {
    "Type" : "AWS::GuardDuty::IPSet",
    "Properties" : {
        "Activate" : true,
        "DetectorId" : "12abc34d567e8f4912ab3d45e67891f2",
        "ExpectedBucketOwner" : "111122223333",
        "Format" : "TXT",
        "Location" : "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket/myipset.txt",
        "Name" : "MyIPSet"
    }
}
```

#### YAML
<a name="aws-resource-guardduty-ipset--examples--Declare_an_IPSet_Resource--yaml"></a>

```
myipset:
    Type: AWS::GuardDuty::IPSet
    Properties:
        Activate: True
        DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
        ExpectedBucketOwner: "111122223333"
        Format: "TXT"
        Location: "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket/myipset.txt"
        Name: "MyIPSet"
```
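
The following added example (not part of the AWS reference) lints `AWS::GuardDuty::IPSet` resources against the property constraints listed above, and in particular reports an active list that omits `ExpectedBucketOwner`, the case in which GuardDuty performs no bucket-ownership validation. The `partneripset` and `legacyipset` resources are constructed; treating the 12-character account ID as 12 digits and accepting an intrinsic function as a valid owner are assumptions of the example.

```python
import json
import re

# Allowed values for Format, from the property list above.
ALLOWED_FORMATS = {"TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"}
# Name: alphanumeric, whitespace, dash and underscore, 1 to 300 characters.
NAME_RE = re.compile(r"[\w\s-]{1,300}", re.ASCII)

# "myipset" uses the values of the example above; the other two are constructed.
TEMPLATE = json.loads("""
{"Resources": {
  "myipset": {"Type": "AWS::GuardDuty::IPSet", "Properties": {
    "Activate": true, "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
    "ExpectedBucketOwner": "111122223333", "Format": "TXT",
    "Location": "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket/myipset.txt",
    "Name": "MyIPSet"}},
  "partneripset": {"Type": "AWS::GuardDuty::IPSet", "Properties": {
    "Activate": true, "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
    "Format": "TXT",
    "Location": "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket/partner.txt",
    "Name": "Partner ranges"}},
  "legacyipset": {"Type": "AWS::GuardDuty::IPSet", "Properties": {
    "Activate": false, "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
    "ExpectedBucketOwner": 111122223333, "Format": "CSV",
    "Location": "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket/legacy.txt",
    "Name": "legacy/list"}}
}}
""")


def check_owner(props):
    """Check ExpectedBucketOwner, the only property that triggers ownership validation."""
    owner = props.get("ExpectedBucketOwner")
    if owner is None:
        if props.get("Activate") is True:
            return ["Activate is true but ExpectedBucketOwner is unset, "
                    "so bucket ownership is not validated"]
        return ["ExpectedBucketOwner is unset"]
    if isinstance(owner, dict):
        # An intrinsic such as {"Ref": "AWS::AccountId"} is resolved at deploy time.
        return []
    if not isinstance(owner, str):
        # An unquoted account ID in YAML or JSON is parsed as a number.
        return ["ExpectedBucketOwner must be a string (quote it in YAML)"]
    if not re.fullmatch(r"[0-9]{12}", owner):
        return ["ExpectedBucketOwner must be exactly 12 digits"]
    return []


def audit_ipset(props):
    """Return issues for the Properties of one AWS::GuardDuty::IPSet."""
    issues = [f"missing required property {p}"
              for p in ("Format", "Location") if p not in props]
    fmt = props.get("Format")
    if fmt is not None and fmt not in ALLOWED_FORMATS:
        issues.append(f"Format {fmt!r} is not an allowed value")
    location = props.get("Location")
    if isinstance(location, str) and not 1 <= len(location) <= 300:
        issues.append("Location must be 1 to 300 characters")
    name = props.get("Name")
    if isinstance(name, str) and not NAME_RE.fullmatch(name):
        issues.append("Name allows only alphanumerics, whitespace, dash and underscore")
    return issues + check_owner(props)


def audit_template(template):
    """Audit every GuardDuty IPSet in a parsed CloudFormation template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::GuardDuty::IPSet":
            findings += [f"{name}: {issue}"
                         for issue in audit_ipset(resource.get("Properties", {}))]
    return findings


if __name__ == "__main__":
    for line in audit_template(TEMPLATE):
        print(line)
```
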

# AWS::GuardDuty::IPSet TagItem
<a name="aws-properties-guardduty-ipset-tagitem"></a>

Describes a tag.

## Syntax
<a name="aws-properties-guardduty-ipset-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-ipset-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-ipset-tagitem-key)" : String,
  "[Value](#cfn-guardduty-ipset-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-ipset-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-ipset-tagitem-key): String
  [Value](#cfn-guardduty-ipset-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-ipset-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-ipset-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-ipset-tagitem-value"></a>
The tag value.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::MalwareProtectionPlan
<a name="aws-resource-guardduty-malwareprotectionplan"></a>

Creates a new Malware Protection plan for the protected resource.

When you create a Malware Protection plan, the [AWS service terms for GuardDuty Malware Protection](https://aws.amazon.com/service-terms/#87._Amazon_GuardDuty) will apply.

## Syntax
<a name="aws-resource-guardduty-malwareprotectionplan-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-malwareprotectionplan-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::MalwareProtectionPlan",
  "Properties" : {
      "[Actions](#cfn-guardduty-malwareprotectionplan-actions)" : CFNActions,
      "[ProtectedResource](#cfn-guardduty-malwareprotectionplan-protectedresource)" : CFNProtectedResource,
      "[Role](#cfn-guardduty-malwareprotectionplan-role)" : String,
      "[Tags](#cfn-guardduty-malwareprotectionplan-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-malwareprotectionplan-syntax.yaml"></a>

```
Type: AWS::GuardDuty::MalwareProtectionPlan
Properties:
  [Actions](#cfn-guardduty-malwareprotectionplan-actions): 
    CFNActions
  [ProtectedResource](#cfn-guardduty-malwareprotectionplan-protectedresource): 
    CFNProtectedResource
  [Role](#cfn-guardduty-malwareprotectionplan-role): String
  [Tags](#cfn-guardduty-malwareprotectionplan-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-malwareprotectionplan-properties"></a>

`Actions`  <a name="cfn-guardduty-malwareprotectionplan-actions"></a>
Specifies the action that is to be applied to the Malware Protection plan resource.  
*Required*: No  
*Type*: [CFNActions](aws-properties-guardduty-malwareprotectionplan-cfnactions.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ProtectedResource`  <a name="cfn-guardduty-malwareprotectionplan-protectedresource"></a>
Information about the protected resource. Presently, `S3Bucket` is the only supported protected resource.  
*Required*: Yes  
*Type*: [CFNProtectedResource](aws-properties-guardduty-malwareprotectionplan-cfnprotectedresource.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Role`  <a name="cfn-guardduty-malwareprotectionplan-role"></a>
Amazon Resource Name (ARN) of the IAM role that includes the permissions required to scan and (optionally) add tags to the associated protected resource.  
To find the ARN of your IAM role, go to the IAM console, and select the role name for details.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-guardduty-malwareprotectionplan-tags"></a>
The tags to be added to the created Malware Protection plan resource. Each tag consists of a key and an optional value, both of which you need to specify.  
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-malwareprotectionplan-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-malwareprotectionplan-return-values"></a>

### Ref
<a name="aws-resource-guardduty-malwareprotectionplan-return-values-ref"></a>

 When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns 

### Fn::GetAtt
<a name="aws-resource-guardduty-malwareprotectionplan-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

#### 
<a name="aws-resource-guardduty-malwareprotectionplan-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Amazon Resource Name (ARN) associated with this Malware Protection plan.

`CreatedAt`  <a name="CreatedAt-fn::getatt"></a>
The timestamp when the Malware Protection plan resource was created.

`MalwareProtectionPlanId`  <a name="MalwareProtectionPlanId-fn::getatt"></a>
A unique identifier associated with the Malware Protection plan.

`Status`  <a name="Status-fn::getatt"></a>
Status of the Malware Protection plan resource.

`StatusReasons`  <a name="StatusReasons-fn::getatt"></a>
Status details associated with the Malware Protection plan resource status.

# AWS::GuardDuty::MalwareProtectionPlan CFNActions
<a name="aws-properties-guardduty-malwareprotectionplan-cfnactions"></a>

Specifies the action that is to be applied to the Malware Protection plan resource.

## Syntax
<a name="aws-properties-guardduty-malwareprotectionplan-cfnactions-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-malwareprotectionplan-cfnactions-syntax.json"></a>

```
{
  "[Tagging](#cfn-guardduty-malwareprotectionplan-cfnactions-tagging)" : CFNTagging
}
```

### YAML
<a name="aws-properties-guardduty-malwareprotectionplan-cfnactions-syntax.yaml"></a>

```
  [Tagging](#cfn-guardduty-malwareprotectionplan-cfnactions-tagging): 
    CFNTagging
```

## Properties
<a name="aws-properties-guardduty-malwareprotectionplan-cfnactions-properties"></a>

`Tagging`  <a name="cfn-guardduty-malwareprotectionplan-cfnactions-tagging"></a>
Contains information about tagging status of the Malware Protection plan resource.  
*Required*: No  
*Type*: [CFNTagging](aws-properties-guardduty-malwareprotectionplan-cfntagging.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::MalwareProtectionPlan CFNProtectedResource
<a name="aws-properties-guardduty-malwareprotectionplan-cfnprotectedresource"></a>

Information about the protected resource. Presently, `S3Bucket` is the only supported protected resource.

## Syntax
<a name="aws-properties-guardduty-malwareprotectionplan-cfnprotectedresource-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-malwareprotectionplan-cfnprotectedresource-syntax.json"></a>

```
{
  "[S3Bucket](#cfn-guardduty-malwareprotectionplan-cfnprotectedresource-s3bucket)" : S3Bucket
}
```

### YAML
<a name="aws-properties-guardduty-malwareprotectionplan-cfnprotectedresource-syntax.yaml"></a>

```
  [S3Bucket](#cfn-guardduty-malwareprotectionplan-cfnprotectedresource-s3bucket): 
    S3Bucket
```

## Properties
<a name="aws-properties-guardduty-malwareprotectionplan-cfnprotectedresource-properties"></a>

`S3Bucket`  <a name="cfn-guardduty-malwareprotectionplan-cfnprotectedresource-s3bucket"></a>
Information about the protected S3 bucket resource.  
*Required*: Yes  
*Type*: [S3Bucket](aws-properties-guardduty-malwareprotectionplan-s3bucket.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::MalwareProtectionPlan CFNStatusReasons
<a name="aws-properties-guardduty-malwareprotectionplan-cfnstatusreasons"></a>

Information about the status code and status details associated with the status of the Malware Protection plan.

## Syntax
<a name="aws-properties-guardduty-malwareprotectionplan-cfnstatusreasons-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-malwareprotectionplan-cfnstatusreasons-syntax.json"></a>

```
{
  "[Code](#cfn-guardduty-malwareprotectionplan-cfnstatusreasons-code)" : String,
  "[Message](#cfn-guardduty-malwareprotectionplan-cfnstatusreasons-message)" : String
}
```

### YAML
<a name="aws-properties-guardduty-malwareprotectionplan-cfnstatusreasons-syntax.yaml"></a>

```
  [Code](#cfn-guardduty-malwareprotectionplan-cfnstatusreasons-code): String
  [Message](#cfn-guardduty-malwareprotectionplan-cfnstatusreasons-message): String
```

## Properties
<a name="aws-properties-guardduty-malwareprotectionplan-cfnstatusreasons-properties"></a>

`Code`  <a name="cfn-guardduty-malwareprotectionplan-cfnstatusreasons-code"></a>
The status code of the Malware Protection plan. For more information, see [Malware Protection plan resource status](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-bucket-status-gdu.html) in the *GuardDuty User Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Message`  <a name="cfn-guardduty-malwareprotectionplan-cfnstatusreasons-message"></a>
Issue message that specifies the reason. For information about potential troubleshooting steps, see [Troubleshooting Malware Protection for S3 status issues](https://docs.aws.amazon.com/guardduty/latest/ug/troubleshoot-s3-malware-protection-status-errors.html) in the *Amazon GuardDuty User Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::MalwareProtectionPlan CFNTagging
<a name="aws-properties-guardduty-malwareprotectionplan-cfntagging"></a>

Contains information about tagging status of the Malware Protection plan resource.

## Syntax
<a name="aws-properties-guardduty-malwareprotectionplan-cfntagging-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-malwareprotectionplan-cfntagging-syntax.json"></a>

```
{
  "[Status](#cfn-guardduty-malwareprotectionplan-cfntagging-status)" : String
}
```

### YAML
<a name="aws-properties-guardduty-malwareprotectionplan-cfntagging-syntax.yaml"></a>

```
  [Status](#cfn-guardduty-malwareprotectionplan-cfntagging-status): String
```

## Properties
<a name="aws-properties-guardduty-malwareprotectionplan-cfntagging-properties"></a>

`Status`  <a name="cfn-guardduty-malwareprotectionplan-cfntagging-status"></a>
Indicates whether you chose to have GuardDuty add a predefined tag to the scanned S3 object.  
Potential values include `ENABLED` and `DISABLED`. These values are case-sensitive.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::MalwareProtectionPlan S3Bucket
<a name="aws-properties-guardduty-malwareprotectionplan-s3bucket"></a>

Information about the protected S3 bucket resource.

## Syntax
<a name="aws-properties-guardduty-malwareprotectionplan-s3bucket-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-malwareprotectionplan-s3bucket-syntax.json"></a>

```
{
  "[BucketName](#cfn-guardduty-malwareprotectionplan-s3bucket-bucketname)" : String,
  "[ObjectPrefixes](#cfn-guardduty-malwareprotectionplan-s3bucket-objectprefixes)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-guardduty-malwareprotectionplan-s3bucket-syntax.yaml"></a>

```
  [BucketName](#cfn-guardduty-malwareprotectionplan-s3bucket-bucketname): String
  [ObjectPrefixes](#cfn-guardduty-malwareprotectionplan-s3bucket-objectprefixes): 
    - String
```

## Properties
<a name="aws-properties-guardduty-malwareprotectionplan-s3bucket-properties"></a>

`BucketName`  <a name="cfn-guardduty-malwareprotectionplan-s3bucket-bucketname"></a>
Name of the S3 bucket.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ObjectPrefixes`  <a name="cfn-guardduty-malwareprotectionplan-s3bucket-objectprefixes"></a>
Information about the specified object prefixes. An S3 object will be scanned only if it belongs to any of the specified object prefixes.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::MalwareProtectionPlan TagItem
<a name="aws-properties-guardduty-malwareprotectionplan-tagitem"></a>

Describes a tag.

## Syntax
<a name="aws-properties-guardduty-malwareprotectionplan-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-malwareprotectionplan-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-malwareprotectionplan-tagitem-key)" : String,
  "[Value](#cfn-guardduty-malwareprotectionplan-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-malwareprotectionplan-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-malwareprotectionplan-tagitem-key): String
  [Value](#cfn-guardduty-malwareprotectionplan-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-malwareprotectionplan-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-malwareprotectionplan-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-malwareprotectionplan-tagitem-value"></a>
The tag value.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::Master
<a name="aws-resource-guardduty-master"></a>

You can use the `AWS::GuardDuty::Master` resource in a GuardDuty member account to accept an invitation from a GuardDuty administrator account. The invitation to the member account must be sent prior to using the `AWS::GuardDuty::Master` resource to accept the administrator account's invitation. You can invite a member account by using the `InviteMembers` operation of the GuardDuty API, or by creating an `AWS::GuardDuty::Member` resource.

## Syntax
<a name="aws-resource-guardduty-master-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-master-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::Master",
  "Properties" : {
      "[DetectorId](#cfn-guardduty-master-detectorid)" : String,
      "[InvitationId](#cfn-guardduty-master-invitationid)" : String,
      "[MasterId](#cfn-guardduty-master-masterid)" : String
    }
}
```

### YAML
<a name="aws-resource-guardduty-master-syntax.yaml"></a>

```
Type: AWS::GuardDuty::Master
Properties:
  [DetectorId](#cfn-guardduty-master-detectorid): String
  [InvitationId](#cfn-guardduty-master-invitationid): String
  [MasterId](#cfn-guardduty-master-masterid): String
```

## Properties
<a name="aws-resource-guardduty-master-properties"></a>

`DetectorId`  <a name="cfn-guardduty-master-detectorid"></a>
The unique ID of the detector of the GuardDuty member account.  
To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`InvitationId`  <a name="cfn-guardduty-master-invitationid"></a>
The ID of the invitation that is sent to the account designated as a member account. You can find the invitation ID by running the [ListInvitations](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListInvitations.html) operation, described in the *GuardDuty API Reference*.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`MasterId`  <a name="cfn-guardduty-master-masterid"></a>
The AWS account ID of the account designated as the GuardDuty administrator account.  
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-guardduty-master-return-values"></a>

### Ref
<a name="aws-resource-guardduty-master-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the GuardDuty administrator account, such as `111122223333`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-guardduty-master--examples"></a>



### Declare a Master Resource
<a name="aws-resource-guardduty-master--examples--Declare_a_Master_Resource"></a>

To declare a GuardDuty `Master` resource:

#### JSON
<a name="aws-resource-guardduty-master--examples--Declare_a_Master_Resource--json"></a>

```
"GDMaster": {
    "Type" : "AWS::GuardDuty::Master",
    "Properties" : {
        "DetectorId" : "a12abc34d567e8fa901bc2d34e56789f0",
        "MasterId" : "111122223333",
        "InvitationId" : "84b097800250d17d1872b34c4daadcf5"
    }
}
```

#### YAML
<a name="aws-resource-guardduty-master--examples--Declare_a_Master_Resource--yaml"></a>

```
GDMaster:
    Type: AWS::GuardDuty::Master
    Properties:
        DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
        MasterId: "111122223333"
        InvitationId: "84b097800250d17d1872b34c4daadcf5"
```

# AWS::GuardDuty::Member
<a name="aws-resource-guardduty-member"></a>

You can use the `AWS::GuardDuty::Member` resource to add an AWS account as a GuardDuty member account to the current GuardDuty administrator account. If the value of the `Status` property is not provided or is set to `Created`, a member account is created but not invited. If the value of the `Status` property is set to `Invited`, a member account is created and invited. An `AWS::GuardDuty::Member` resource must be created with the `Status` property set to `Invited` before the `AWS::GuardDuty::Master` resource can be created in a GuardDuty member account.

## Syntax
<a name="aws-resource-guardduty-member-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-member-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::Member",
  "Properties" : {
      "[DetectorId](#cfn-guardduty-member-detectorid)" : String,
      "[DisableEmailNotification](#cfn-guardduty-member-disableemailnotification)" : Boolean,
      "[Email](#cfn-guardduty-member-email)" : String,
      "[MemberId](#cfn-guardduty-member-memberid)" : String,
      "[Message](#cfn-guardduty-member-message)" : String,
      "[Status](#cfn-guardduty-member-status)" : String
    }
}
```

### YAML
<a name="aws-resource-guardduty-member-syntax.yaml"></a>

```
Type: AWS::GuardDuty::Member
Properties:
  [DetectorId](#cfn-guardduty-member-detectorid): String
  [DisableEmailNotification](#cfn-guardduty-member-disableemailnotification): Boolean
  [Email](#cfn-guardduty-member-email): String
  [MemberId](#cfn-guardduty-member-memberid): String
  [Message](#cfn-guardduty-member-message): String
  [Status](#cfn-guardduty-member-status): String
```

## Properties
<a name="aws-resource-guardduty-member-properties"></a>

`DetectorId`  <a name="cfn-guardduty-member-detectorid"></a>
The ID of the detector associated with the GuardDuty service to add the member to.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`DisableEmailNotification`  <a name="cfn-guardduty-member-disableemailnotification"></a>
Specifies whether or not to disable email notification for the member account that you invite.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Email`  <a name="cfn-guardduty-member-email"></a>
The email address associated with the member account.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MemberId`  <a name="cfn-guardduty-member-memberid"></a>
The AWS account ID of the account to designate as a member.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Message`  <a name="cfn-guardduty-member-message"></a>
The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Status`  <a name="cfn-guardduty-member-status"></a>
You can use the `Status` property to update the status of the relationship between the member account and its administrator account. Valid values are `Created` and `Invited` when using an `AWS::GuardDuty::Member` resource. If the value for this property is not provided or set to `Created`, a member account is created but not invited. If the value of this property is set to `Invited`, a member account is created and invited.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-member-return-values"></a>

### Ref
<a name="aws-resource-guardduty-member-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the GuardDuty member account, such as `111122223333`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-guardduty-member--examples"></a>



### Declare a Member Resource
<a name="aws-resource-guardduty-member--examples--Declare_a_Member_Resource"></a>

The following example shows how to declare a GuardDuty `Member` resource:

#### JSON
<a name="aws-resource-guardduty-member--examples--Declare_a_Member_Resource--json"></a>

```
"GDmaster": {
    "Type": "AWS::GuardDuty::Member",
    "Properties": {
        "Status": "Invited",
        "MemberId": "555555555555",
        "Email": "guardduty-member@amazon.com",
        "Message": "You are invited to enable Amazon GuardDuty.",
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
        "DisableEmailNotification": true
    }
}
```

#### YAML
<a name="aws-resource-guardduty-member--examples--Declare_a_Member_Resource--yaml"></a>

```
GDmaster:
    Type: AWS::GuardDuty::Member
    Properties:
        Status: Invited
        # Quoted so the account ID stays a string (leading zeros are preserved)
        MemberId: "555555555555"
        Email: guardduty-member@amazon.com
        Message: You are invited to enable Amazon GuardDuty.
        DetectorId: a12abc34d567e8fa901bc2d34e56789f0
        DisableEmailNotification: true
```

# AWS::GuardDuty::PublishingDestination
<a name="aws-resource-guardduty-publishingdestination"></a>

Creates a publishing destination where you can export your GuardDuty findings. Before you start exporting the findings, the destination resource must exist.

For more information about considerations and permissions, see [Exporting GuardDuty findings to Amazon S3 buckets](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html) in the *Amazon GuardDuty User Guide*.

## Syntax
<a name="aws-resource-guardduty-publishingdestination-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-publishingdestination-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::PublishingDestination",
  "Properties" : {
      "[DestinationProperties](#cfn-guardduty-publishingdestination-destinationproperties)" : CFNDestinationProperties,
      "[DestinationType](#cfn-guardduty-publishingdestination-destinationtype)" : String,
      "[DetectorId](#cfn-guardduty-publishingdestination-detectorid)" : String,
      "[Tags](#cfn-guardduty-publishingdestination-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-publishingdestination-syntax.yaml"></a>

```
Type: AWS::GuardDuty::PublishingDestination
Properties:
  [DestinationProperties](#cfn-guardduty-publishingdestination-destinationproperties): 
    CFNDestinationProperties
  [DestinationType](#cfn-guardduty-publishingdestination-destinationtype): String
  [DetectorId](#cfn-guardduty-publishingdestination-detectorid): String
  [Tags](#cfn-guardduty-publishingdestination-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-publishingdestination-properties"></a>

`DestinationProperties`  <a name="cfn-guardduty-publishingdestination-destinationproperties"></a>
Contains the Amazon Resource Name (ARN) of the resource to publish to, such as an S3 bucket, and the ARN of the KMS key to use to encrypt published findings.  
*Required*: Yes  
*Type*: [CFNDestinationProperties](aws-properties-guardduty-publishingdestination-cfndestinationproperties.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DestinationType`  <a name="cfn-guardduty-publishingdestination-destinationtype"></a>
The type of publishing destination. GuardDuty supports Amazon S3 buckets as a publishing destination.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DetectorId`  <a name="cfn-guardduty-publishingdestination-detectorid"></a>
The ID of the GuardDuty detector where the publishing destination exists.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-guardduty-publishingdestination-tags"></a>
Describes a tag.  
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-publishingdestination-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-publishingdestination-return-values"></a>

### Ref
<a name="aws-resource-guardduty-publishingdestination-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the resource publishing destination ID.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-guardduty-publishingdestination-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-guardduty-publishingdestination-return-values-fn--getatt-fn--getatt"></a>

`Id`  <a name="Id-fn::getatt"></a>
The ID of the publishing destination.

`PublishingFailureStartTimestamp`  <a name="PublishingFailureStartTimestamp-fn::getatt"></a>
The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.

`Status`  <a name="Status-fn::getatt"></a>
The status of the publishing destination.
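
The following template is an added example, not part of the original reference. It wires an `AWS::GuardDuty::PublishingDestination` to an S3 bucket and KMS key created in the same stack. The `DetectorId` parameter, the logical IDs, and the key and bucket policy statements are assumptions of this example; check the policies against the user guide linked above before use.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - export GuardDuty findings to a KMS-encrypted S3 bucket

Parameters:
  DetectorId:            # assumption: a detector already exists in this Region
    Type: String
    Description: ID of the existing GuardDuty detector

Resources:
  FindingsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts exported GuardDuty findings
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # GuardDuty only needs to generate data keys, and only when acting
          # for this account's detector (guards against confused-deputy use).
          - Sid: AllowGuardDutyGenerateDataKey
            Effect: Allow
            Principal:
              Service: guardduty.amazonaws.com
            Action: "kms:GenerateDataKey"
            Resource: "*"
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:guardduty:${AWS::Region}:${AWS::AccountId}:detector/${DetectorId}"

  FindingsBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  FindingsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FindingsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowGuardDutyGetBucketLocation
            Effect: Allow
            Principal:
              Service: guardduty.amazonaws.com
            Action: "s3:GetBucketLocation"
            Resource: !GetAtt FindingsBucket.Arn
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:guardduty:${AWS::Region}:${AWS::AccountId}:detector/${DetectorId}"
          - Sid: AllowGuardDutyPutObject
            Effect: Allow
            Principal:
              Service: guardduty.amazonaws.com
            Action: "s3:PutObject"
            Resource: !Sub "${FindingsBucket.Arn}/*"
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:guardduty:${AWS::Region}:${AWS::AccountId}:detector/${DetectorId}"
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt FindingsBucket.Arn
              - !Sub "${FindingsBucket.Arn}/*"
            Condition:
              Bool:
                "aws:SecureTransport": "false"

  FindingsDestination:
    Type: AWS::GuardDuty::PublishingDestination
    # The destination resource and its permissions must exist before export starts.
    DependsOn: FindingsBucketPolicy
    Properties:
      DetectorId: !Ref DetectorId
      DestinationType: S3
      DestinationProperties:
        DestinationArn: !GetAtt FindingsBucket.Arn
        KmsKeyArn: !GetAtt FindingsKey.Arn

Outputs:
  DestinationStatus:
    Description: Status attribute of the publishing destination
    Value: !GetAtt FindingsDestination.Status
```

The `DestinationStatus` output surfaces the `Status` attribute after deployment, so a destination that GuardDuty cannot publish to is visible from the stack itself.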

# AWS::GuardDuty::PublishingDestination CFNDestinationProperties
<a name="aws-properties-guardduty-publishingdestination-cfndestinationproperties"></a>

Contains the Amazon Resource Name (ARN) of the resource that receives the published findings, such as an S3 bucket, and the ARN of the KMS key that is used to encrypt these published findings.

## Syntax
<a name="aws-properties-guardduty-publishingdestination-cfndestinationproperties-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-publishingdestination-cfndestinationproperties-syntax.json"></a>

```
{
  "[DestinationArn](#cfn-guardduty-publishingdestination-cfndestinationproperties-destinationarn)" : String,
  "[KmsKeyArn](#cfn-guardduty-publishingdestination-cfndestinationproperties-kmskeyarn)" : String
}
```

### YAML
<a name="aws-properties-guardduty-publishingdestination-cfndestinationproperties-syntax.yaml"></a>

```
  [DestinationArn](#cfn-guardduty-publishingdestination-cfndestinationproperties-destinationarn): String
  [KmsKeyArn](#cfn-guardduty-publishingdestination-cfndestinationproperties-kmskeyarn): String
```

## Properties
<a name="aws-properties-guardduty-publishingdestination-cfndestinationproperties-properties"></a>

`DestinationArn`  <a name="cfn-guardduty-publishingdestination-cfndestinationproperties-destinationarn"></a>
The ARN of the resource where the findings are published.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KmsKeyArn`  <a name="cfn-guardduty-publishingdestination-cfndestinationproperties-kmskeyarn"></a>
The ARN of the KMS key to use for encryption.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::PublishingDestination TagItem
<a name="aws-properties-guardduty-publishingdestination-tagitem"></a>

Describes a tag.

## Syntax
<a name="aws-properties-guardduty-publishingdestination-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-publishingdestination-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-publishingdestination-tagitem-key)" : String,
  "[Value](#cfn-guardduty-publishingdestination-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-publishingdestination-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-publishingdestination-tagitem-key): String
  [Value](#cfn-guardduty-publishingdestination-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-publishingdestination-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-publishingdestination-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-publishingdestination-tagitem-value"></a>
The tag value.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::ThreatEntitySet
<a name="aws-resource-guardduty-threatentityset"></a>

The `AWS::GuardDuty::ThreatEntitySet` resource helps you create a list of known malicious IP addresses and domain names in your AWS environment. Once you activate this list, GuardDuty will use the entries in this list as an additional source of threat detection and generate findings when there is an activity associated with these known malicious IP addresses and domain names. GuardDuty continues to monitor independently of this custom threat entity set.

Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts.

## Syntax
<a name="aws-resource-guardduty-threatentityset-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-threatentityset-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::ThreatEntitySet",
  "Properties" : {
      "[Activate](#cfn-guardduty-threatentityset-activate)" : Boolean,
      "[DetectorId](#cfn-guardduty-threatentityset-detectorid)" : String,
      "[ExpectedBucketOwner](#cfn-guardduty-threatentityset-expectedbucketowner)" : String,
      "[Format](#cfn-guardduty-threatentityset-format)" : String,
      "[Location](#cfn-guardduty-threatentityset-location)" : String,
      "[Name](#cfn-guardduty-threatentityset-name)" : String,
      "[Tags](#cfn-guardduty-threatentityset-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-threatentityset-syntax.yaml"></a>

```
Type: AWS::GuardDuty::ThreatEntitySet
Properties:
  [Activate](#cfn-guardduty-threatentityset-activate): Boolean
  [DetectorId](#cfn-guardduty-threatentityset-detectorid): String
  [ExpectedBucketOwner](#cfn-guardduty-threatentityset-expectedbucketowner): String
  [Format](#cfn-guardduty-threatentityset-format): String
  [Location](#cfn-guardduty-threatentityset-location): String
  [Name](#cfn-guardduty-threatentityset-name): String
  [Tags](#cfn-guardduty-threatentityset-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-threatentityset-properties"></a>

`Activate`  <a name="cfn-guardduty-threatentityset-activate"></a>
A boolean value that determines if GuardDuty can start using this list for custom threat detection. For GuardDuty to consider the entries in this list and generate findings based on associated activity, this list must be active.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DetectorId`  <a name="cfn-guardduty-threatentityset-detectorid"></a>
The unique regional detector ID of the GuardDuty account for which you want to create a threat entity set.  
To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `32`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ExpectedBucketOwner`  <a name="cfn-guardduty-threatentityset-expectedbucketowner"></a>
The AWS account ID that owns the Amazon S3 bucket specified in the *Location* field.   
Whether or not you provide the account ID for this optional field, GuardDuty validates that the account ID associated with the `DetectorId` owns the S3 bucket in the `Location` field. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Format`  <a name="cfn-guardduty-threatentityset-format"></a>
The format of the file that contains the threat entity set. For information about supported formats, see [List formats](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#prepare_list) in the *Amazon GuardDuty User Guide*.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Location`  <a name="cfn-guardduty-threatentityset-location"></a>
The URI of the file that contains the threat entity set.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-guardduty-threatentityset-name"></a>
The user-friendly name to identify the threat entity set. Valid characters are alphanumeric, whitespace, dash (-), and underscore (\_).  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-guardduty-threatentityset-tags"></a>
The tags to be added to a new threat entity set resource. Each tag consists of a key and an optional value, both of which you define.  
For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).   
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-threatentityset-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-threatentityset-return-values"></a>

### Ref
<a name="aws-resource-guardduty-threatentityset-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID associated with the newly created threat entity set. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-guardduty-threatentityset-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-guardduty-threatentityset-return-values-fn--getatt-fn--getatt"></a>

`CreatedAt`  <a name="CreatedAt-fn::getatt"></a>
The timestamp when the threat entity set was created.

`ErrorDetails`  <a name="ErrorDetails-fn::getatt"></a>
The details associated with the **Error** status of your threat entity list.

`Id`  <a name="Id-fn::getatt"></a>
Returns the unique ID associated with the newly created threat entity set.

`Status`  <a name="Status-fn::getatt"></a>
The status of your `ThreatEntitySet`. For information about valid status values, see [Understanding list statuses](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#guardduty-entity-list-statuses) in the *Amazon GuardDuty User Guide*.

`UpdatedAt`  <a name="UpdatedAt-fn::getatt"></a>
The timestamp when the threat entity set was updated.

# AWS::GuardDuty::ThreatEntitySet TagItem
<a name="aws-properties-guardduty-threatentityset-tagitem"></a>

Describes a tag. For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).

## Syntax
<a name="aws-properties-guardduty-threatentityset-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-threatentityset-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-threatentityset-tagitem-key)" : String,
  "[Value](#cfn-guardduty-threatentityset-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-threatentityset-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-threatentityset-tagitem-key): String
  [Value](#cfn-guardduty-threatentityset-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-threatentityset-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-threatentityset-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-threatentityset-tagitem-value"></a>
The tag value. This is optional.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::ThreatIntelSet
<a name="aws-resource-guardduty-threatintelset"></a>

The `AWS::GuardDuty::ThreatIntelSet` resource helps you create a list of known malicious IP addresses in your AWS environment. Once you activate this list, GuardDuty will use the entries in this list as an additional source for threat detection and generate findings when there is activity associated with these known malicious IP addresses. GuardDuty continues to monitor independently of this custom threat intelligence set.

Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts.

## Syntax
<a name="aws-resource-guardduty-threatintelset-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-threatintelset-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::ThreatIntelSet",
  "Properties" : {
      "[Activate](#cfn-guardduty-threatintelset-activate)" : Boolean,
      "[DetectorId](#cfn-guardduty-threatintelset-detectorid)" : String,
      "[ExpectedBucketOwner](#cfn-guardduty-threatintelset-expectedbucketowner)" : String,
      "[Format](#cfn-guardduty-threatintelset-format)" : String,
      "[Location](#cfn-guardduty-threatintelset-location)" : String,
      "[Name](#cfn-guardduty-threatintelset-name)" : String,
      "[Tags](#cfn-guardduty-threatintelset-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-threatintelset-syntax.yaml"></a>

```
Type: AWS::GuardDuty::ThreatIntelSet
Properties:
  [Activate](#cfn-guardduty-threatintelset-activate): Boolean
  [DetectorId](#cfn-guardduty-threatintelset-detectorid): String
  [ExpectedBucketOwner](#cfn-guardduty-threatintelset-expectedbucketowner): String
  [Format](#cfn-guardduty-threatintelset-format): String
  [Location](#cfn-guardduty-threatintelset-location): String
  [Name](#cfn-guardduty-threatintelset-name): String
  [Tags](#cfn-guardduty-threatintelset-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-threatintelset-properties"></a>

`Activate`  <a name="cfn-guardduty-threatintelset-activate"></a>
A boolean value that determines if GuardDuty can start using this list for custom threat detection. For GuardDuty to be able to generate findings based on an activity associated with these entries, this list must be active.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DetectorId`  <a name="cfn-guardduty-threatintelset-detectorid"></a>
The unique ID of the detector of the GuardDuty account for which you want to create a `threatIntelSet`.  
To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `32`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ExpectedBucketOwner`  <a name="cfn-guardduty-threatintelset-expectedbucketowner"></a>
The AWS account ID that owns the Amazon S3 bucket specified in the *Location* field.   
When you provide this account ID, GuardDuty will validate that the S3 bucket belongs to this account. If you don't specify an account ID owner, GuardDuty doesn't perform any validation.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Format`  <a name="cfn-guardduty-threatintelset-format"></a>
The format of the file that contains the `ThreatIntelSet`. For information about supported formats, see [List formats](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#prepare_list) in the *Amazon GuardDuty User Guide*.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Location`  <a name="cfn-guardduty-threatintelset-location"></a>
The URI of the file that contains the ThreatIntelSet.   
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-guardduty-threatintelset-name"></a>
The user-friendly name to identify the ThreatIntelSet.  
The name of your list must be unique within an AWS account and Region. Valid characters are alphanumeric, whitespace, dash (-), and underscore (_).  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-guardduty-threatintelset-tags"></a>
The tags to be added to a new `ThreatIntelSet` resource. Each tag consists of a key and an optional value, both of which you define.  
For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).   
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-threatintelset-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-guardduty-threatintelset-return-values"></a>

### Ref
<a name="aws-resource-guardduty-threatintelset-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the `ThreatIntelSet`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-guardduty-threatintelset-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-guardduty-threatintelset-return-values-fn--getatt-fn--getatt"></a>

`Id`  <a name="Id-fn::getatt"></a>
The unique ID of the `threatIntelSet`.

## Examples
<a name="aws-resource-guardduty-threatintelset--examples"></a>



### Declare a ThreatIntelSet Resource
<a name="aws-resource-guardduty-threatintelset--examples--Declare_a_ThreatIntelSet_Resource"></a>

The following example shows how to declare a GuardDuty `ThreatIntelSet` resource:

#### JSON
<a name="aws-resource-guardduty-threatintelset--examples--Declare_a_ThreatIntelSet_Resource--json"></a>

```
"mythreatintelset": {
    "Type": "AWS::GuardDuty::ThreatIntelSet",
    "Properties": {
        "Activate": true,
        "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
        "ExpectedBucketOwner": "111122223333",
        "Format": "TXT",
        "Location": "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket1/mythreatintelset.txt",
        "Name": "MyThreatIntelSet"
    }
}
```

#### YAML
<a name="aws-resource-guardduty-threatintelset--examples--Declare_a_ThreatIntelSet_Resource--yaml"></a>

```
mythreatintelset:
    Type: AWS::GuardDuty::ThreatIntelSet
    Properties:
        Activate: true
        DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
        ExpectedBucketOwner: "111122223333"
        Format: "TXT"
        Location: "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket1/mythreatintelset.txt"
        Name: "MyThreatIntelSet"
```

# AWS::GuardDuty::ThreatIntelSet TagItem
<a name="aws-properties-guardduty-threatintelset-tagitem"></a>

Describes a tag.

## Syntax
<a name="aws-properties-guardduty-threatintelset-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-threatintelset-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-threatintelset-tagitem-key)" : String,
  "[Value](#cfn-guardduty-threatintelset-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-threatintelset-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-threatintelset-tagitem-key): String
  [Value](#cfn-guardduty-threatintelset-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-threatintelset-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-threatintelset-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-threatintelset-tagitem-value"></a>
The tag value.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::GuardDuty::TrustedEntitySet
<a name="aws-resource-guardduty-trustedentityset"></a>

Creates a new trusted entity set. In the trusted entity set, you can provide IP addresses and domains that you believe are secure for communication in your AWS environment. GuardDuty will not generate findings for the entries that are specified in a trusted entity set. At any given time, you can have only one trusted entity set. 

Only users of the administrator account can manage the entity sets, which automatically apply to member accounts.

## Syntax
<a name="aws-resource-guardduty-trustedentityset-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-guardduty-trustedentityset-syntax.json"></a>

```
{
  "Type" : "AWS::GuardDuty::TrustedEntitySet",
  "Properties" : {
      "[Activate](#cfn-guardduty-trustedentityset-activate)" : Boolean,
      "[DetectorId](#cfn-guardduty-trustedentityset-detectorid)" : String,
      "[ExpectedBucketOwner](#cfn-guardduty-trustedentityset-expectedbucketowner)" : String,
      "[Format](#cfn-guardduty-trustedentityset-format)" : String,
      "[Location](#cfn-guardduty-trustedentityset-location)" : String,
      "[Name](#cfn-guardduty-trustedentityset-name)" : String,
      "[Tags](#cfn-guardduty-trustedentityset-tags)" : [ TagItem, ... ]
    }
}
```

### YAML
<a name="aws-resource-guardduty-trustedentityset-syntax.yaml"></a>

```
Type: AWS::GuardDuty::TrustedEntitySet
Properties:
  [Activate](#cfn-guardduty-trustedentityset-activate): Boolean
  [DetectorId](#cfn-guardduty-trustedentityset-detectorid): String
  [ExpectedBucketOwner](#cfn-guardduty-trustedentityset-expectedbucketowner): String
  [Format](#cfn-guardduty-trustedentityset-format): String
  [Location](#cfn-guardduty-trustedentityset-location): String
  [Name](#cfn-guardduty-trustedentityset-name): String
  [Tags](#cfn-guardduty-trustedentityset-tags): 
    - TagItem
```

## Properties
<a name="aws-resource-guardduty-trustedentityset-properties"></a>

`Activate`  <a name="cfn-guardduty-trustedentityset-activate"></a>
A boolean value that determines if GuardDuty can start using this list for custom threat detection. For GuardDuty to prevent generating findings based on an activity associated with these entries, this list must be active.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DetectorId`  <a name="cfn-guardduty-trustedentityset-detectorid"></a>
The unique regional detector ID of the GuardDuty account for which you want to create a trusted entity set.  
To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `32`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ExpectedBucketOwner`  <a name="cfn-guardduty-trustedentityset-expectedbucketowner"></a>
The AWS account ID that owns the Amazon S3 bucket specified in the *Location* field.   
Whether or not you provide the account ID for this optional field, GuardDuty validates that the account ID associated with the `DetectorId` value owns the S3 bucket in the `Location` field. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Format`  <a name="cfn-guardduty-trustedentityset-format"></a>
The format of the file that contains the trusted entity set. For information about supported formats, see [List formats](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#prepare_list) in the *Amazon GuardDuty User Guide*.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Location`  <a name="cfn-guardduty-trustedentityset-location"></a>
The URI of the file that contains the trusted entity set.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `300`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-guardduty-trustedentityset-name"></a>
A user-friendly name to identify the trusted entity set. Valid characters include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-guardduty-trustedentityset-tags"></a>
The tags to be added to a new trusted entity set resource. Each tag consists of a key and an optional value, both of which you define.  
For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).  
*Required*: No  
*Type*: Array of [TagItem](aws-properties-guardduty-trustedentityset-tagitem.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
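
The property constraints documented for `AWS::GuardDuty::ThreatIntelSet` and `AWS::GuardDuty::TrustedEntitySet` can be checked on a parsed template before deployment. The following Python check is an added example, not part of the AWS reference: `lint_guardduty_lists`, `check_len`, the finding messages and the sample template are this example's own names and constructed data.

```python
import re

TI = "AWS::GuardDuty::ThreatIntelSet"
TE = "AWS::GuardDuty::TrustedEntitySet"
# Name character sets as described under each resource's Name property.
NAME_RE = {TI: re.compile(r"[A-Za-z0-9\s_-]{1,300}"),
           TE: re.compile(r"[A-Za-z0-9_-]+")}
# (property, required, min length, max length) from the Properties sections.
LIMITS = [("DetectorId", False, 1, 32), ("Format", True, 1, 300),
          ("Location", True, 1, 300)]


def check_len(findings, where, key, value, lo, hi):
    # Only literal strings are measured; intrinsics such as {"Ref": ...} are skipped.
    if isinstance(value, str) and not lo <= len(value) <= hi:
        findings.append(f"{where}: {key} length must be {lo}-{hi}")


def lint_guardduty_lists(template):
    """Return 'LogicalId: message' findings for a parsed template (dict)."""
    findings, trusted = [], []
    for rid, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        if rtype not in (TI, TE):
            continue
        props = res.get("Properties", {})
        for key, required, lo, hi in LIMITS:
            if required and key not in props:
                findings.append(f"{rid}: {key} is required")
            check_len(findings, rid, key, props.get(key), lo, hi)
        name = props.get("Name")
        if isinstance(name, str) and not NAME_RE[rtype].fullmatch(name):
            findings.append(f"{rid}: Name is outside the documented character set")
        for tag in props.get("Tags", []):
            check_len(findings, rid, "tag Key", tag.get("Key"), 1, 128)
            check_len(findings, rid, "tag Value", tag.get("Value"), 0, 256)
        if rtype == TI and "ExpectedBucketOwner" not in props:
            # ThreatIntelSet: no bucket-owner validation unless this is supplied.
            findings.append(f"{rid}: ExpectedBucketOwner unset, bucket owner not validated")
        if rtype == TE:
            trusted.append(rid)
            if props.get("Activate") is True:
                findings.append(f"{rid}: active trusted list suppresses findings, review its entries")
    if len(trusted) > 1:
        findings.append("template: only one trusted entity set is allowed, found "
                        + ", ".join(trusted))
    return findings


# Constructed sample template (not from the page); the bucket is a placeholder.
SAMPLE_TEMPLATE = {"Resources": {
    "Intel": {"Type": TI, "Properties": {
        "DetectorId": {"Ref": "Detector"}, "Format": "TXT", "Name": "Bad IPs (prod)",
        "Location": "https://s3.amazonaws.com/amzn-s3-demo-bucket1/intel.txt"}},
    "TrustedA": {"Type": TE, "Properties": {
        "Activate": True, "Format": "TXT", "Name": "corp_egress",
        "Location": "https://s3.amazonaws.com/amzn-s3-demo-bucket1/trusted.txt",
        "Tags": [{"Key": "", "Value": "x"}]}},
    "TrustedB": {"Type": TE, "Properties": {"Format": "TXT"}},
}}

if __name__ == "__main__":
    for finding in lint_guardduty_lists(SAMPLE_TEMPLATE):
        print(finding)
```

The function expects the template already parsed into a dict, for example with `json.load`; YAML templates that use short-form intrinsics such as `!Ref` need a CloudFormation-aware loader first.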

## Return values
<a name="aws-resource-guardduty-trustedentityset-return-values"></a>

### Ref
<a name="aws-resource-guardduty-trustedentityset-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the `TrustedEntitySet`. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-guardduty-trustedentityset-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-guardduty-trustedentityset-return-values-fn--getatt-fn--getatt"></a>

`CreatedAt`  <a name="CreatedAt-fn::getatt"></a>
The timestamp when the trusted entity set was created.

`ErrorDetails`  <a name="ErrorDetails-fn::getatt"></a>
Specifies the error details when the status of the trusted entity set shows as **Error**.

`Status`  <a name="Status-fn::getatt"></a>
The status of your `TrustedEntitySet`. For information about valid status values, see [Understanding list statuses](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#guardduty-entity-list-statuses) in the *Amazon GuardDuty User Guide*.

`UpdatedAt`  <a name="UpdatedAt-fn::getatt"></a>
The timestamp when the trusted entity set was updated.

# AWS::GuardDuty::TrustedEntitySet TagItem
<a name="aws-properties-guardduty-trustedentityset-tagitem"></a>

Describes a tag. For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).

## Syntax
<a name="aws-properties-guardduty-trustedentityset-tagitem-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-guardduty-trustedentityset-tagitem-syntax.json"></a>

```
{
  "[Key](#cfn-guardduty-trustedentityset-tagitem-key)" : String,
  "[Value](#cfn-guardduty-trustedentityset-tagitem-value)" : String
}
```

### YAML
<a name="aws-properties-guardduty-trustedentityset-tagitem-syntax.yaml"></a>

```
  [Key](#cfn-guardduty-trustedentityset-tagitem-key): String
  [Value](#cfn-guardduty-trustedentityset-tagitem-value): String
```

## Properties
<a name="aws-properties-guardduty-trustedentityset-tagitem-properties"></a>

`Key`  <a name="cfn-guardduty-trustedentityset-tagitem-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-guardduty-trustedentityset-tagitem-value"></a>
The tag value. This is optional.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)