/
Integrating AWS GuardDuty

Integrating AWS GuardDuty

Jun 19, 2026

To set up AWS GuardDuty

  1. Log into AWS GuardDuty.

  2. Copy your Account ID and save it in a secure place to use in step 6 and the To enable the AWS GuardDuty integration procedure below.

  3. Under Settings, copy your detector ID and save it in a secure place to use in step 6 and the To enable the AWS GuardDuty integration procedure below.

    DetectorID.png

  4. To create the encryption key for GuardDuty to write findings to AWS S3, do the following:

    1. Navigate to AWS KMS service.

    2. Under Customer Managed Key, create a new key named "guardduty-findings".
      Key type: Symmetric
      Alias: "guardduty-findings"

    3. Select "AWSServiceRoleForAmazonGuardDuty" for key administrator and key usage permissions.
      NOTE Do not attach a key policy during the initial setup.

    4. Copy your KMS Key ID and save it in a secure place to use in step 6 and the To enable the AWS GuardDuty integration procedure below.

  5. Copy and paste the following code to a text file:
    {
    "Sid":
    "AllowGuardDutyKey", "Effect": "Allow", "Principal": {
    "Service": "guardduty.us-east-1.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey",
    "Resource": "arn:aws:kms:us-east-1:<ACCOUNT_NUMBER>:key/<KEY_ID>", "Condition": {
    "StringEquals": {
    "aws:SourceAccount": "<ACCOUNT_NUMBER>", "aws:SourceArn": "arn:aws:guardduty:us-east-
    1:<ACCOUNT_NUMBER>:detector/<GUARDDUTY_DETECTOR_ID>"
    }
    }
    }

  6. In the code you just pasted, change the following to the information you just selected:

    1. <ACCOUNT_NUMBER> to your Account ID

    2. <KEY_ID> to your KMS Key ID

    3. <GUARDDUTY_DETECTOR_ID> to your detector ID

  7. Navigate to the KMS key created in the previous step.

  8. Add the edited policy from step 6 to the array.

    For more information, see Exporting generated GuardDuty findings to Amazon S3 buckets.

  9. Next, create a new S3 bucket. Set the encryption to use the KMS key generated in step 4.

    DefaultEncryption.png

  10. Once the S3 bucket is created, navigate back to AWS GuardDuty.

  11. Select Settings and configure the S3 bucket you created as the export for findings.

    FindingExportOptions.png

  12. Paste in the ARN of the S3 bucket and KMS you created previously.

    FindingExportOptions.png

  13. Select View Policy for S3 Bucket copy and paste this policy. In a new tab, open the S3 bucket you created in step 9. Select the permissions tab and click Edit next to Bucket Policy. Copy and paste the policy and save your changes.

  14. Click the GuardDuty tab, then click Save.
    NOTE If the setting does not save, that indicates that your KMS or S3 policy is incorrectly setup.

  15. Navigate to AWS SQS service.

  16. Create a new queue of named guardduty-findings.

  17. Leave the default configurations and click Save.

  18. Make sure the access policy (permissions has S3 in it) is like below
    {
    "Version": "2008-10-17",
    "Id": " default_policy_ID", "Statement": [
    {
    "Sid": " owner_statement", "Effect": "Allow", "Principal": {
    "Service": "s3.amazonaws.com"
    },
    "Action": "SQS:*",
    "Resource": "arn:aws:sqs:us-east-1:<AWS_ACCOUNT_NUMBER>:guardduty-findings"
    }
    ]
    }

  19. Navigate to AWS S3 and click the bucket that was just created from GuardDuty.

  20. Click the Properties tab.

  21. Create a new event notification and name the event notification guardduty-findings.

  22. Enable the All object create events checkbox. Ensure all others are cleared.

  23. In the Destinations section, select SQS.

  24. Select the SQS you created in previous steps called guardduty-findings and click Save Changes.
    From this point, all GuardDuty events created in the S3 bucket are also notified in SQS queue.

  25. Navigate to IAM.

    1. Create a new user with the policy that can read the SQS queue and receive messages.
      NOTE The policy should also allow the user to Get objects from the S3 bucket created previously.

The following is a sample policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0", "Effect": "Allow", "Action": [
"s3:GetObject", "sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues", "sqs:ListMessageMoveTasks", "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:ListQueueTags"
],

"Resource": [

"arn:aws:s3:::test-guardduty-cuda/*",

"arn:aws:sqs:us-east-1:521187741917:jlevineguardduty2"

]

},

{

"Sid": "VisualEditor1", "Effect": "Allow",
"Action": "sqs:ListQueues", "Resource": "*"
}

To enable the AWS GuardDuty integration

Before doing this procedure, collect the following information (See steps 2, 3, and step 4 in To set up AWS GuardDuty above.):

  • SQS Queue URL

  • AWS Access Key

  • AWS Secret Access Key

  1. In the Barracuda XDR Dashboard, navigate to Integrations Integrations.png.

  2. On the AWS GuardDuty card, click Setup.

    GuardDuty Card.png

  3. Select the Enable check box.

  4. Enter the following:

    • SQS Queue URL

    • AWS Access Key

    • AWS Secret Access Key

      GuardDutyEnabled.png

  5. Optionally, click Test to verify the credentials.

  6. Click Save.

 

We value your feedback.
If you have questions, suggestions, or feedback on our documentation, contact the Campus Product Documentation team.
For general product inquiries or technical support, please contact the global Barracuda Support team.