GuardDuty

The Data Landing Zone enables Amazon GuardDuty at the organization level and delegates administration to the security audit account. The audit account becomes the single pane of glass for findings across the entire organization.

When guardDuty is set on DataLandingZoneProps, DLZ:

  • delegates GuardDuty administration from the management account to the audit account
  • creates the GuardDuty detector in the audit account
  • configures organization-wide auto-enable behavior
  • enrols member accounts according to autoEnableOrgMembers and per-account guardDutyEnabled flags

Findings flow through the standard DLZ notification path: GuardDuty → Security Hub → EventBridge → SNS → Slack/Email. No additional notification plumbing is required — see the Security Hub page for filtering by severity and workflow status.

Enabling GuardDuty at the organization level

The following configuration delegates administration to the audit account, creates the detector there, auto-enrols every existing and new member account, and turns on all protection plans for the whole organization:

import { App } from 'aws-cdk-lib';
import { DataLandingZone } from 'aws-data-landing-zone';

const app = new App();
const dlz = new DataLandingZone(app, {
  guardDuty: {
    autoEnableOrgMembers: 'ALL',
    features: {
      s3DataEvents: true,
      eksAuditLogs: true,
      ebsMalwareProtection: true,
      rdsLoginEvents: true,
      lambdaNetworkLogs: true,
      runtimeMonitoring: true,
    },
  },
  ...
});

Auto-enable behavior

autoEnableOrgMembers controls which member accounts AWS auto-enrols into the delegated administrator’s GuardDuty:

Value     Behavior
'ALL'     All existing and new member accounts are auto-enrolled. Per-account flags are not needed.
'NEW'     Only new accounts joining the org are auto-enrolled. Existing accounts must opt in.
'NONE'    No auto-enrolment. Each account opts in via guardDutyEnabled: true.

When autoEnableOrgMembers is 'NEW' or 'NONE', set guardDutyEnabled: true on the relevant DLzAccount entries to enrol existing accounts. An existing account without that flag stays outside the delegated administrator's GuardDuty and produces no findings in the audit account, so review the account list for gaps before choosing anything other than 'ALL'.

Per-account feature overrides

The org-level features set the mandatory floor applied across the organization. Individual accounts can opt in to additional features via DLzAccount.guardDutyFeatures. The merge is OR-only — accounts cannot disable an org-level feature.

import { App } from 'aws-cdk-lib';
import { DataLandingZone, DlzAccountType } from 'aws-data-landing-zone';

const app = new App();
const dlz = new DataLandingZone(app, {
  guardDuty: {
    autoEnableOrgMembers: 'NEW',
    features: {
      s3DataEvents: true,
    },
  },
  organization: {
    ous: {
      workloads: {
        accounts: [
          {
            name: 'data-prod',
            type: DlzAccountType.PRODUCTION,
            // Existing account: must opt in explicitly under 'NEW'.
            guardDutyEnabled: true,
            // Added on top of the org-level floor (s3DataEvents stays on).
            guardDutyFeatures: {
              eksAuditLogs: true,
              runtimeMonitoring: true,
            },
            ...
          },
        ],
      },
      ...
    },
    ...
  },
  ...
});
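The enrolment rules in the auto-enable table and the OR-only feature merge above determine what each account actually ends up with, and a misread of either leaves an account unmonitored or a team believing it turned a plan off. The following is an added example, not code from aws-data-landing-zone: it models both rules locally and reports the effective posture per account, including accounts that end up with no detector. The types mirror the documented prop names but are hypothetical local definitions, and the `existing` marker on each account is an assumption used to distinguish pre-existing accounts from ones that join the org later.

```typescript
// Added example, not part of aws-data-landing-zone. Resolves the GuardDuty
// posture each account ends up with under the rules documented on this page.
// The interfaces below are hypothetical local stand-ins for the library props.

type AutoEnableOrgMembers = 'ALL' | 'NEW' | 'NONE';

interface GuardDutyFeatures {
  s3DataEvents?: boolean;
  eksAuditLogs?: boolean;
  ebsMalwareProtection?: boolean;
  rdsLoginEvents?: boolean;
  lambdaNetworkLogs?: boolean;
  runtimeMonitoring?: boolean;
}

const ALL_FEATURES: (keyof GuardDutyFeatures)[] = [
  's3DataEvents', 'eksAuditLogs', 'ebsMalwareProtection',
  'rdsLoginEvents', 'lambdaNetworkLogs', 'runtimeMonitoring',
];

interface GuardDutyConfig {
  autoEnableOrgMembers: AutoEnableOrgMembers;
  features: GuardDutyFeatures;
}

interface AccountSpec {
  name: string;
  // Hypothetical marker (not a DLzAccount prop): true if the account exists
  // when administration is delegated, false if it joins the org afterwards.
  existing: boolean;
  guardDutyEnabled?: boolean;
  guardDutyFeatures?: GuardDutyFeatures;
}

// Enrolment rule from the auto-enable table: 'ALL' covers every account,
// 'NEW' covers only accounts that join after delegation, 'NONE' covers none
// automatically. guardDutyEnabled: true opts an account in under 'NEW'/'NONE'.
function isEnrolled(cfg: GuardDutyConfig, acct: AccountSpec): boolean {
  if (cfg.autoEnableOrgMembers === 'ALL') return true;
  if (cfg.autoEnableOrgMembers === 'NEW' && !acct.existing) return true;
  return acct.guardDutyEnabled === true;
}

// OR-only merge: the org floor can never be lowered by an account. An
// account's false or absent entry leaves an org-level true in place.
function mergeFeatures(
  org: GuardDutyFeatures,
  acct: GuardDutyFeatures = {},
): Required<GuardDutyFeatures> {
  const merged = {} as Required<GuardDutyFeatures>;
  for (const f of ALL_FEATURES) {
    merged[f] = (org[f] ?? false) || (acct[f] ?? false);
  }
  return merged;
}

function resolvePosture(cfg: GuardDutyConfig, accounts: AccountSpec[]) {
  return accounts.map((a) => ({
    name: a.name,
    enrolled: isEnrolled(cfg, a),
    features: mergeFeatures(cfg.features, a.guardDutyFeatures),
  }));
}

// Accounts that end up with no detector at all under this configuration.
function uncoveredAccounts(cfg: GuardDutyConfig, accounts: AccountSpec[]): string[] {
  return resolvePosture(cfg, accounts).filter((p) => !p.enrolled).map((p) => p.name);
}

// Constructed sample input: the 'NEW' configuration from the override example,
// one opted-in existing account, one existing account with no flag, one new account.
const SAMPLE_CONFIG: GuardDutyConfig = {
  autoEnableOrgMembers: 'NEW',
  features: { s3DataEvents: true },
};

const SAMPLE_ACCOUNTS: AccountSpec[] = [
  {
    name: 'data-prod',
    existing: true,
    guardDutyEnabled: true,
    // s3DataEvents: false is an attempt to switch off the org floor; it is ignored.
    guardDutyFeatures: { eksAuditLogs: true, runtimeMonitoring: true, s3DataEvents: false },
  },
  { name: 'data-dev', existing: true },
  { name: 'sandbox-new', existing: false },
];

for (const p of resolvePosture(SAMPLE_CONFIG, SAMPLE_ACCOUNTS)) {
  const on = ALL_FEATURES.filter((f) => p.features[f]).join(', ') || 'none';
  console.log(`${p.name}: enrolled=${p.enrolled} features=${on}`);
}
console.log('uncovered:', uncoveredAccounts(SAMPLE_CONFIG, SAMPLE_ACCOUNTS));
```

Running it shows data-dev as uncovered: under 'NEW' an existing account with no guardDutyEnabled flag is silently left out, which is exactly the case the per-account flag exists for. It also shows data-prod keeping s3DataEvents despite setting it to false, because the merge only adds.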

Available features

All features default to false. Enable explicitly per the protection plans you intend to operate. Runtime Monitoring additionally depends on the GuardDuty security agent being deployed to the workloads; turning the flag on here does not by itself produce runtime findings.

Feature                 Description
s3DataEvents            Monitor S3 data access events for threat detection.
eksAuditLogs            Monitor Kubernetes audit logs for EKS clusters.
ebsMalwareProtection    Scan EBS volumes for malware when GuardDuty detects suspicious behavior on EC2.
rdsLoginEvents          Monitor RDS login activity for anomalous access patterns.
lambdaNetworkLogs       Monitor Lambda function network activity for threats.
runtimeMonitoring       Runtime monitoring for EC2, ECS, and EKS workloads.

Defaults

Defaults.guardDutyFeatures() returns the conservative baseline: every additional feature disabled. Use it as a starting point and explicitly opt in to the features you want.

API References