Trusted IP List and Threat Lists

Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region.

Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per region. You can configure a trusted IP list as well as threat lists by selecting Guard Duty -> Trusted IP List (Threat Lists), where you can create lists, add addresses to it and activate/deactivate lists. You can also configure CDSB to automatically add threats of low, medium and high severity to a threat list you configure within the General tab of CDSB Settings.