amazon-guardduty — quality + safety report

---
name: amazon-guardduty
description: "Amazon GuardDuty API skill. Use when working with Amazon GuardDuty for detector, malware-protection-plan, invitation. Covers 74 endpoints."
version: 1.0.0
generator: lapsh
---

# Amazon GuardDuty
API version: 2017-11-28

## Auth
AWS SigV4

## Base URL
Not specified.

## Setup
1. Configure auth: AWS SigV4
2. GET /invitation/count -- verify access
3. POST /detector/{detectorId}/administrator -- create first administrator

## Endpoints

74 endpoints across 7 groups. See references/api-spec.lap for full details.

### detector
| Method | Path | Description |
|--------|------|-------------|
| POST | /detector/{detectorId}/administrator | Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation. |
| POST | /detector/{detectorId}/master | Accepts the invitation to be monitored by a GuardDuty administrator account. |
| POST | /detector/{detectorId}/findings/archive | Archives GuardDuty findings that are specified by the list of finding IDs.  Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts. |
| POST | /detector | Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.   When you don't specify any features, with an exception to RUNTIME_MONITORING, all the optional features are enabled by default.   When you specify some of the features, any feature that is not specified in the API call gets enabled by default, with an exception to RUNTIME_MONITORING.    Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. |
| POST | /detector/{detectorId}/filter | Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty. |
| POST | /detector/{detectorId}/ipset | Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation. |
| POST | /detector/{detectorId}/member | Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization. As a delegated administrator, using CreateMembers will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account. A delegated administrator must enable GuardDuty prior to being added as a member. When you use CreateMembers as an Organizations delegated administrator, GuardDuty applies your organization's auto-enable settings to the member accounts in this request, irrespective of the accounts being new or existing members. For more information about the existing auto-enable settings for your organization, see DescribeOrganizationConfiguration. If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.  When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API. |
| POST | /detector/{detectorId}/publishingDestination | Creates a publishing destination to export findings to. The resource to export findings to must exist before you use this operation. |
| POST | /detector/{detectorId}/findings/create | Generates sample findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates sample findings of all supported finding types. |
| POST | /detector/{detectorId}/threatintelset | Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation. |
| DELETE | /detector/{detectorId} | Deletes an Amazon GuardDuty detector that is specified by the detector ID. |
| DELETE | /detector/{detectorId}/filter/{filterName} | Deletes the filter specified by the filter name. |
| DELETE | /detector/{detectorId}/ipset/{ipSetId} | Deletes the IPSet specified by the ipSetId. IPSets are called trusted IP lists in the console user interface. |
| POST | /detector/{detectorId}/member/delete | Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs. With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty for a member account in your organization. |
| DELETE | /detector/{detectorId}/publishingDestination/{destinationId} | Deletes the publishing definition with the specified destinationId. |
| DELETE | /detector/{detectorId}/threatintelset/{threatIntelSetId} | Deletes the ThreatIntelSet specified by the ThreatIntelSet ID. |
| POST | /detector/{detectorId}/malware-scans | Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. |
| GET | /detector/{detectorId}/admin | Returns information about the account selected as the delegated administrator for GuardDuty. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. |
| GET | /detector/{detectorId}/publishingDestination/{destinationId} | Returns information about the publishing destination specified by the provided destinationId. |
| POST | /detector/{detectorId}/administrator/disassociate | Disassociates the current GuardDuty member account from its administrator account. When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.  With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty in a member account. |
| POST | /detector/{detectorId}/master/disassociate | Disassociates the current GuardDuty member account from its administrator account. When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API. |
| POST | /detector/{detectorId}/member/disassociate | Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs. When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.  With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disassociate a member account before removing them from your organization. If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.  When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API. |
| GET | /detector/{detectorId}/administrator | Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.  If the organization's management account or a delegated administrator runs this API, it will return success (HTTP 200) but no content. |
| POST | /detector/{detectorId}/coverage/statistics | Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization who have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources. |
| GET | /detector/{detectorId} | Retrieves an Amazon GuardDuty detector specified by the detectorId. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. |
| GET | /detector/{detectorId}/filter/{filterName} | Returns the details of the filter specified by the filter name. |
| POST | /detector/{detectorId}/findings/get | Describes Amazon GuardDuty findings specified by finding IDs. |
| POST | /detector/{detectorId}/findings/statistics | Lists Amazon GuardDuty findings statistics for the specified detector ID. There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints. |
| GET | /detector/{detectorId}/ipset/{ipSetId} | Retrieves the IPSet specified by the ipSetId. |
| GET | /detector/{detectorId}/malware-scan-settings | Returns the details of the malware scan settings. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more

… (truncated)