Kinetic Gain · AWS GuardDuty Triage Board
synthetic guardduty detectors · response packets
aws · guardduty · threat triage · cloud security
Wave 12 · Multi-Cloud Security & Cost Operations · AWS / GuardDuty / threat triage proof · Synthetic detector + finding exports

AWS GuardDuty detectors, threat findings, and response posture that stay operator-readable.

This control plane turns raw GuardDuty exports into one buyer-readable threat-operations surface: detector coverage, credential abuse, runtime compromise, exfiltration signals, stale findings, and the response packets needed before incidents, audits, or release windows drift.

Finding Risks

severity · owner · principal

Risk: high · credential-exfiltration
Owner: Cloud Security Engineering
Subject: i-0f014c9e11appapi (us-east-1)
Principal: arn:aws:iam::111122223333:role/app-prod-ec2
Message: Instance or IAM credentials tied to "i-0f014c9e11appapi" show exfiltration posture and need immediate containment.

Risk: high · anomalous-api-call
Owner: Cloud Security Engineering
Subject: i-0f014c9e11appapi (us-east-1)
Principal: arn:aws:iam::111122223333:role/app-prod-ec2
Message: Anomalous API behavior on "i-0f014c9e11appapi" should be triaged before trust or blast radius expands.

Risk: high · data-exfiltration-s3
Owner: Data Security
Subject: s3://kg-finance-exports-prod (us-east-1)
Message: S3 exfiltration signal is active on "s3://kg-finance-exports-prod" and should be contained before more data leaves the perimeter.

Risk: medium · s3-protection-missing
Owner: Cloud Security Engineering
Subject: 111122223333 (us-east-1)
Message: GuardDuty detector in us-east-1 is missing S3 data-event protection for exfiltration visibility.

Risk: medium · detector-disabled
Owner: Cloud Security Engineering
Subject: 444455556666 (eu-west-1)
Message: GuardDuty detector in eu-west-1 is disabled and will not surface new compromise or exfiltration signals.

Risk: medium · stale-active-finding
Owner: Cloud Security Engineering
Subject: i-0f014c9e11appapi (us-east-1)
Message: Finding "EC2 instance credentials used outside AWS" has remained active since 2026-05-26T13:42Z.

Risk: medium · crypto-mining-runtime
Owner: Platform SRE
Subject: i-0a91b2mediaworker (us-east-1)
Message: Runtime compromise signal on "i-0a91b2mediaworker" suggests crypto-mining or malware behavior that should be isolated fast.

Risk: medium · stale-active-finding
Owner: Platform SRE
Subject: i-0a91b2mediaworker (us-east-1)
Message: Finding "Crypto-mining signal on media worker" has remained active since 2026-05-26T00:40Z.

Risk: medium · stale-active-finding
Owner: Cluster Security
Subject: eks/prod-growth-cluster (us-east-1)
Message: Finding "Anonymous access succeeded against EKS control plane" has remained active since 2026-05-24T18:55Z.

Risk: medium · stale-active-finding
Owner: Data Security
Subject: s3://kg-finance-exports-prod (us-east-1)
Message: Finding "Unusual object read from finance bucket" has remained active since 2026-05-24T09:15Z.
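As an added illustration (not code from the board or its vendor) of how detector and finding exports can be folded into the risk labels above: the sample records, the finding-type prefixes, the 24-hour staleness threshold and the fixed "now" are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample exports, loosely shaped like GuardDuty GetDetector and
# GetFindings output (field names simplified, values invented for this example).
DETECTORS = [
    {"account": "111122223333", "region": "us-east-1", "status": "ENABLED", "s3_logs": "DISABLED"},
    {"account": "444455556666", "region": "eu-west-1", "status": "DISABLED", "s3_logs": "ENABLED"},
]
FINDINGS = [
    {"type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "resource": "i-0f014c9e11appapi", "region": "us-east-1", "severity": 8.0,
     "updated_at": "2026-05-26T13:42:00Z", "archived": False},
    {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "resource": "i-0a91b2mediaworker",
     "region": "us-east-1", "severity": 5.0, "updated_at": "2026-05-26T00:40:00Z", "archived": False},
    {"type": "Discovery:Kubernetes/SuccessfulAnonymousAccess", "resource": "eks/prod-growth-cluster",
     "region": "us-east-1", "severity": 5.0, "updated_at": "2026-05-24T18:55:00Z", "archived": False},
    {"type": "Exfiltration:S3/ObjectRead.Unusual", "resource": "s3://kg-finance-exports-prod",
     "region": "us-east-1", "severity": 8.0, "updated_at": "2026-05-24T09:15:00Z", "archived": False},
]
# Finding-type prefixes mapped to the board's risk labels (assumed mapping).
TYPE_LABELS = [
    ("UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration", "credential-exfiltration"),
    ("CryptoCurrency:", "crypto-mining-runtime"),
    ("Exfiltration:S3/", "data-exfiltration-s3"),
]
# Fixed "now" so the example is reproducible (assumption, not wall-clock time).
NOW = datetime(2026, 5, 27, 15, 0, tzinfo=timezone.utc)

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(detectors, findings, now, stale_after=timedelta(hours=24)):
    """Return (severity, risk, region, subject) rows, high severity first."""
    rows = []
    for d in detectors:
        if d["status"] != "ENABLED":        # a disabled detector surfaces no new findings
            rows.append(("medium", "detector-disabled", d["region"], d["account"]))
        elif d["s3_logs"] != "ENABLED":     # enabled, but blind to S3 data events
            rows.append(("medium", "s3-protection-missing", d["region"], d["account"]))
    for f in findings:
        if f["archived"]:
            continue
        sev = "high" if f["severity"] >= 7.0 else "medium"
        for prefix, label in TYPE_LABELS:
            if f["type"].startswith(prefix):
                rows.append((sev, label, f["region"], f["resource"]))
                break
        if now - parse_ts(f["updated_at"]) > stale_after:   # still active past the threshold
            rows.append(("medium", "stale-active-finding", f["region"], f["resource"]))
    return sorted(rows, key=lambda r: (r[0] != "high", r[1]))
```

Run as `triage(DETECTORS, FINDINGS, NOW)`; an unmapped finding type (the EKS sample here) still produces a stale-active-finding row once it ages past the threshold, so coverage gaps in the label map do not hide lingering findings.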