Cloud Threat Detection Integration
AWS GuardDuty findings on iOS and Android — triage from anywhere.
PocketSOC connects to AWS GuardDuty using an IAM user with scoped read access. Responders can view GuardDuty findings, inspect resource and actor context, and archive or unarchive findings from mobile. Authentication uses AWS SigV4 request signing with credentials that you create and control in IAM.
Supported actions for AWS GuardDuty
- View GuardDuty findings across your detectors and regions
- Inspect finding type, severity, affected resource, and actor details
- Archive findings once a determination is made
- Unarchive findings if new context warrants reopening
- Push notifications for new high-severity findings
- Filter findings by region, severity, and finding type
Authentication and credentials
PocketSOC authenticates to AWS GuardDuty with IAM access keys, and each API request is signed with AWS Signature Version 4 (SigV4). PocketSOC recommends creating a dedicated IAM user (e.g., PocketSOC) and attaching the AmazonGuardDutyReadOnlyAccess managed policy if you only need view access, or a narrower custom policy that includes the GuardDuty archive/unarchive actions you want to permit. Access keys are stored in iOS Keychain or Android Keystore on device.
Quick setup for AWS GuardDuty
- In the AWS Console, go to IAM → Users → Create user (e.g., PocketSOC)
- Attach AmazonGuardDutyReadOnlyAccess (or a custom least-privilege policy)
- Create an access key under Security credentials
- Copy Access Key ID and Secret Access Key
- In PocketSOC, enter Access Key ID, Secret Access Key, and the AWS region where GuardDuty is enabled
See the full Quick Start guide for Organization-mode setup with the PocketSOC Portal.
AWS GuardDuty integration FAQ
Does PocketSOC support multiple AWS regions?
Yes. Configure one PocketSOC vendor connection per region where GuardDuty is enabled. Each connection uses the same IAM credentials but a different region binding. PocketSOC will display findings from all configured regions in a single mobile feed.
Can PocketSOC use IAM roles instead of access keys?
Not in the current version. PocketSOC uses IAM access keys with SigV4 signing. Role assumption from a mobile device introduces additional complexity that we have not yet shipped. Use a dedicated, narrowly scoped IAM user with rotation policies enforced through your IAM lifecycle.
What's the least-privilege policy for PocketSOC?
For read-only triage, attach AmazonGuardDutyReadOnlyAccess. To also permit archive and unarchive actions, create a custom policy that allows guardduty:ListFindings, guardduty:GetFindings, guardduty:ListDetectors, guardduty:GetDetector, and guardduty:ArchiveFindings / guardduty:UnarchiveFindings. Scope the policy to specific detector ARNs if you want to limit visibility to a subset of accounts.
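A custom policy along these lines, as an added example rather than a policy published by PocketSOC. The region, the account ID 111122223333 and EXAMPLE_DETECTOR_ID are placeholders to replace with your own values. guardduty:ListDetectors is granted on "*" because that action does not accept a detector ARN as its resource; the other actions are scoped to one detector.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnumerateDetectors",
      "Effect": "Allow",
      "Action": "guardduty:ListDetectors",
      "Resource": "*"
    },
    {
      "Sid": "ReadFindingsOnOneDetector",
      "Effect": "Allow",
      "Action": [
        "guardduty:GetDetector",
        "guardduty:ListFindings",
        "guardduty:GetFindings"
      ],
      "Resource": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE_DETECTOR_ID"
    },
    {
      "Sid": "ArchiveAndUnarchiveFindings",
      "Effect": "Allow",
      "Action": [
        "guardduty:ArchiveFindings",
        "guardduty:UnarchiveFindings"
      ],
      "Resource": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE_DETECTOR_ID"
    }
  ]
}
```

For view-only triage, drop the third statement. Because a detector ARN is tied to one region, add one ARN per region in which you configure a connection.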
Is PocketSOC affiliated with AWS?
No. PocketSOC is an independent application from WeaveHub Technologies LLC. Amazon Web Services® and Amazon GuardDuty® are trademarks of Amazon.com, Inc. or its affiliates. See the affiliation FAQ.
See the full PocketSOC FAQ covering all vendors and security topics.