Remediating a potentially malicious S3 object
When GuardDuty generates Malware Protection for S3 finding type, it indicates that a newly uploaded object in your Amazon S3 bucket contains malware. The resource type is an S3Object.
Use the following recommended steps to potentially remediate the generated finding:
-
Identify the potentially malicious S3 object by checking the S3ObjectDetails associated with the finding.
-
Isolate the impacted S3 object. If you had enabled tagging at the time of enabling Malware Protection for S3 for the associated Amazon S3 bucket, GuardDuty must have assigned a Malicious tag to this object. Use tag-based access control (TBAC) to restrict access to this S3 object. For more information, see Using tag-based access control (TBAC).
Alternatively, if you do not need this object any longer, you can also choose to delete it or move it to an isolated S3 bucket. For information about considerations for deleting an S3 object, see Deleting objects in the Amazon S3 User Guide.