In a multiple-account environment, only the GuardDuty administrator account can enable GuardDuty-initiated malware scan on behalf of its member accounts. Additionally, an administrator account that manages the member accounts with AWS Organizations support can choose to have GuardDuty-initiated malware scan enabled automatically on all the existing and new accounts in the organization. For more information, see Managing GuardDuty accounts with AWS Organizations.
Establishing trusted access to enable GuardDuty-initiated malware scan
If the delegated GuardDuty administrator account is not the same as the management account in your organization, the management account must enable GuardDuty-initiated malware scan for the organization. This way, the delegated administrator account can create the service-linked role (see Service-linked role permissions for Malware Protection for EC2) in member accounts that are managed through AWS Organizations.
Choose your preferred access method to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in the organization.
Console
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/. To log in, use the management account for your AWS Organizations organization.
- If you have not designated a delegated GuardDuty administrator account, then: On the Settings page, under Delegated GuardDuty administrator account, enter the 12-digit account ID that you want to designate to administer the GuardDuty policy in your organization. Choose Delegate.
- If you've already designated a delegated GuardDuty administrator account that is different from the management account, then: On the Settings page, under Delegated Administrator, turn on the Permissions setting. This action allows the delegated GuardDuty administrator account to attach the relevant permissions to the member accounts and enable GuardDuty-initiated malware scan in these member accounts.
  If you've already designated a delegated GuardDuty administrator account that is the same as the management account, then you can directly enable GuardDuty-initiated malware scan for the member accounts. For more information, see Auto-enable GuardDuty-initiated malware scan for all member accounts.
  If the delegated GuardDuty administrator account is different from your management account, you must grant permissions to the delegated GuardDuty administrator account so that it can enable GuardDuty-initiated malware scan for member accounts.
- If you want to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in other Regions, change your AWS Region and repeat the steps above.
API/CLI
- Using your management account credentials, run the following command:
  aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com
- (Optional) To enable GuardDuty-initiated malware scan for a management account that is not the delegated administrator account, the management account must first create the service-linked role for Malware Protection for EC2 explicitly in its own account (see Service-linked role permissions for Malware Protection for EC2), and then enable GuardDuty-initiated malware scan from the delegated administrator account, as for any other member account.
  aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com
- You have now designated the delegated GuardDuty administrator account in the currently selected AWS Region. If you have designated an account as the delegated GuardDuty administrator account in one Region, that account must be your delegated GuardDuty administrator account in all other Regions. Repeat the step above for all other Regions.
Choose your preferred access method to enable or disable GuardDuty-initiated malware scan for a delegated GuardDuty administrator account.
Console
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Malware Protection for EC2.
- On the Malware Protection for EC2 page, choose Edit next to GuardDuty-initiated malware scan.
- Do one of the following:
  Using Enable for all accounts
  Using Configure accounts manually: To enable the protection plan only for the delegated GuardDuty administrator account, choose Configure accounts manually. Then choose Enable under the Delegated GuardDuty administrator account (this account) section.
- Choose Save.
API/CLI
- Run the UpdateDetector API operation using your own regional detector ID, passing the features object with Name set to EBS_MALWARE_PROTECTION and Status set to ENABLED.
  You can enable GuardDuty-initiated malware scan by running the following AWS CLI command. Make sure to use the delegated GuardDuty administrator account's valid detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.
  aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
Choose your preferred access method to enable the GuardDuty-initiated malware scan feature for all member accounts. This includes existing member accounts and the new accounts that join the organization.
Console
- Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
- Do one of the following:
  Using the Malware Protection for EC2 page
  - In the navigation pane, choose Malware Protection for EC2.
  - On the Malware Protection for EC2 page, choose Edit in the GuardDuty-initiated malware scan section.
  - Choose Enable for all accounts. This action automatically enables GuardDuty-initiated malware scan for both existing and new accounts in the organization.
  - Choose Save.
  It may take up to 24 hours to update the configuration for the member accounts.
  Using the Accounts page
  - In the navigation pane, choose Accounts.
  - On the Accounts page, choose Auto-enable preferences before Add accounts by invitation.
  - In the Manage auto-enable preferences window, choose Enable for all accounts under GuardDuty-initiated malware scan.
  - Choose Save.
If you can't use the Enable for all accounts option, see Selectively enable GuardDuty-initiated malware scan for member accounts.
API/CLI
- To selectively enable GuardDuty-initiated malware scan for your member accounts, invoke the UpdateMemberDetectors API operation using your own detector ID.
- The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable it for a member account, replace ENABLED with DISABLED. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
  You can also pass a list of account IDs separated by a space.
- When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Choose your preferred access method to enable GuardDuty-initiated malware scan for all the existing active member accounts in the organization.
To configure GuardDuty-initiated malware scan for all existing active member accounts
- Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Sign in using the delegated GuardDuty administrator account credentials.
- In the navigation pane, choose Malware Protection for EC2.
- On the Malware Protection for EC2 page, you can view the current status of the GuardDuty-initiated malware scan configuration. Under the Active member accounts section, choose Actions.
- From the Actions dropdown menu, choose Enable for all existing active member accounts.
- Choose Save.
Newly added member accounts must enable GuardDuty before you can configure GuardDuty-initiated malware scan for them. Member accounts managed by invitation can configure GuardDuty-initiated malware scan manually for their own accounts. For more information, see Step 3 - Accept an invitation.
Choose your preferred access method to enable GuardDuty-initiated malware scan for new accounts that join your organization.
Console
- The delegated GuardDuty administrator account can enable GuardDuty-initiated malware scan for new member accounts in an organization, using either the Malware Protection for EC2 page or the Accounts page.
API/CLI
- To enable or disable GuardDuty-initiated malware scan for new member accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.
- The following example shows how you can enable GuardDuty-initiated malware scan for new member accounts. To disable it, see Selectively enable GuardDuty-initiated malware scan for member accounts. If you don't want to enable it for all the new accounts joining the organization, set AutoEnable to NONE. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.
  aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members NEW --features '[{"Name": "EBS_MALWARE_PROTECTION", "AutoEnable": "NEW"}]'
Choose your preferred access method to configure GuardDuty-initiated malware scan for member accounts selectively.
Console
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Accounts.
- On the Accounts page, review the GuardDuty-initiated malware scan column for the status of your member accounts.
- Select the account for which you want to configure GuardDuty-initiated malware scan. You can select multiple accounts at a time.
- From the Edit protection plans menu, choose the appropriate option for GuardDuty-initiated malware scan.
API/CLI
- To selectively enable or disable GuardDuty-initiated malware scan for your member accounts, invoke the UpdateMemberDetectors API operation using your own detector ID. The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
  You can also pass a list of account IDs separated by a space.
  When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
To selectively enable GuardDuty-initiated malware scan for your member accounts, you can also run the UpdateMemberDetectors API operation with the data-sources object instead of the features object, using your own detector ID. The following example shows how you can enable GuardDuty-initiated malware scan for a single member account this way. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
  You can also pass a list of account IDs separated by a space.
  When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
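The UpdateMemberDetectors calls above, and the organization-level AutoEnable setting described earlier on this page, are easier to operate at scale with a small wrapper that builds the features payload, reads UnprocessedAccounts, and audits which members still lack the feature. This is an added example, not AWS's own code: it assumes boto3 is available for the one live call and uses the documented response shapes of UpdateMemberDetectors, GetMemberDetectors and DescribeOrganizationConfiguration; the sample responses are constructed.

```python
# Added example (not AWS code): helpers for rolling out and auditing
# GuardDuty-initiated malware scan (feature EBS_MALWARE_PROTECTION).
FEATURE = "EBS_MALWARE_PROTECTION"

def feature_request(status):
    """Value for --features in update-detector / update-member-detectors."""
    if status not in ("ENABLED", "DISABLED"):
        raise ValueError("status must be ENABLED or DISABLED")
    return [{"Name": FEATURE, "Status": status}]

def unprocessed(response):
    """Account ID -> reason for each UnprocessedAccounts entry; {} means all updated."""
    return {u["AccountId"]: u["Result"]
            for u in response.get("UnprocessedAccounts", [])}

def members_without_scan(get_member_detectors_response):
    """Member IDs whose EBS_MALWARE_PROTECTION is not ENABLED (GetMemberDetectors output);
    run after the propagation window to confirm coverage."""
    missing = []
    for member in get_member_detectors_response.get("MemberDataSourceConfigurations", []):
        statuses = {f["Name"]: f.get("Status") for f in member.get("Features", [])}
        if statuses.get(FEATURE) != "ENABLED":
            missing.append(member["AccountId"])
    return missing

def auto_enable_mode(describe_org_config_response):
    """Organization-level AutoEnable (NEW, ALL or NONE) for the feature."""
    for f in describe_org_config_response.get("Features", []):
        if f["Name"] == FEATURE:
            return f.get("AutoEnable", "NONE")
    return "NONE"

def enable_for_members(detector_id, account_ids, region):
    """UpdateMemberDetectors from the delegated administrator account; returns the
    accounts that were NOT updated. Needs boto3 and credentials (imported lazily)."""
    import boto3
    client = boto3.client("guardduty", region_name=region)
    resp = client.update_member_detectors(DetectorId=detector_id,
                                          AccountIds=list(account_ids),
                                          Features=feature_request("ENABLED"))
    return unprocessed(resp)

# Constructed sample responses (not real API output) so the helpers can be checked offline.
SAMPLE_UPDATE = {"UnprocessedAccounts": [
    {"AccountId": "444455556666", "Result": "member account is not enabled"}]}
SAMPLE_MEMBERS = {"MemberDataSourceConfigurations": [
    {"AccountId": "111122223333", "Features": [{"Name": FEATURE, "Status": "ENABLED"}]},
    {"AccountId": "444455556666", "Features": [{"Name": FEATURE, "Status": "DISABLED"}]},
    {"AccountId": "777788889999", "Features": []}]}
SAMPLE_ORG = {"AutoEnableOrganizationMembers": "NEW",
              "Features": [{"Name": FEATURE, "AutoEnable": "NEW"}]}
```

A non-empty result from unprocessed() or members_without_scan() is the signal to investigate (for example a member that has not yet enabled GuardDuty, as noted above) rather than assume the organization is covered.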
The GuardDuty Malware Protection for EC2 service-linked role (SLR) must be created in member accounts. The administrator account can't enable the GuardDuty-initiated malware scan feature in member accounts that are not managed by AWS Organizations.
Presently, you can perform the following steps through the GuardDuty console at https://console.aws.amazon.com/guardduty/ to enable GuardDuty-initiated malware scan for the existing member accounts.
Console
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Sign in using your administrator account credentials.
- In the navigation pane, choose Accounts.
- Select the member account for which you want to enable GuardDuty-initiated malware scan. You can select multiple accounts at a time.
- Choose Actions.
- Choose Disassociate member.
- In your member account, choose Malware Protection under Protection plans in the navigation pane.
- Choose Enable GuardDuty-initiated malware scan. GuardDuty will create an SLR for the member account. For more information on the SLR, see Service-linked role permissions for Malware Protection for EC2.
- In your administrator account, choose Accounts in the navigation pane.
- Choose the member account that needs to be added back to the organization.
- Choose Actions and then choose Add member.
API/CLI
- Use your administrator account to run the DisassociateMembers API on the member accounts that want to enable GuardDuty-initiated malware scan.
- Use your member account to invoke UpdateDetector to enable GuardDuty-initiated malware scan. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.
  aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
- Use your administrator account to run the CreateMembers API to add the member back to the organization.