Enabling Malware Protection for S3 for your bucket
This section provides detailed steps on how to enable Malware Protection for S3 for a bucket in your own account.
You can choose a preferred access method to enable Malware Protection for S3 for your buckets - GuardDuty console or API/AWS CLI.
The following sections provide a step-by-step walkthrough of the process as you will experience it in the GuardDuty console.
To enable Malware Protection for S3 by using GuardDuty console
Enter S3 bucket details
Use the following steps to provide the Amazon S3 bucket details:
- Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to enable Malware Protection for S3.
- In the navigation pane, choose Malware Protection for S3.
- In the Protected buckets section, choose Enable to enable Malware Protection for S3 for an S3 bucket that belongs to your own AWS account.
- Under Enter S3 bucket details, enter the Amazon S3 bucket name. Alternatively, choose Browse S3 to select an S3 bucket.
  The AWS Region of the S3 bucket and the AWS account where you enable Malware Protection for S3 must be the same. For example, if your account belongs to the us-east-1 Region, then your Amazon S3 bucket Region must also be us-east-1.
- Under Prefix, select either All the objects in the S3 bucket or Objects beginning with a specific prefix.
  - Select All the objects in the S3 bucket when you want GuardDuty to scan all the newly uploaded objects in the selected bucket.
  - Select Objects beginning with a specific prefix when you want to scan only the newly uploaded objects that belong to a specific prefix. This option helps you focus the scope of the malware scan on the selected object prefixes only. For more information about using prefixes, see Organizing objects in Amazon S3 console by using folders in the Amazon S3 User Guide.
    Choose Add prefix and enter the prefix. You can add up to five prefixes.
Enable tagging for scanned objects
This is an optional step. When you enable the tagging option before an object gets uploaded to your bucket, then after completing the scan, GuardDuty will add a predefined tag with the key GuardDutyMalwareScanStatus and the scan result as the value. To use Malware Protection for S3 optimally, we recommend enabling the option to add a tag to the S3 objects after the scan ends. Standard S3 Object Tagging cost applies. For more information, see Pricing and usage cost for Malware Protection for S3.
Why should you enable tagging?
- Enabling tagging is one of the ways to learn the malware scan result. For information about an S3 malware scan result, see Monitoring S3 object scans in Malware Protection for S3.
- You can set up a tag-based access control (TBAC) policy on the S3 bucket that contains the potentially malicious object. For information about considerations and how to implement tag-based access control (TBAC), see Using tag-based access control (TBAC) with Malware Protection for S3.
Considerations for GuardDuty to add a tag to your S3 object:
- By default, you can associate up to 10 tags with an object. For more information, see Categorizing your storage using tags in the Amazon S3 User Guide. If all 10 tags are already in use, GuardDuty can't add the predefined tag to the scanned object. GuardDuty also publishes the scan result to your default EventBridge event bus. For more information, see Monitoring S3 object scans with Amazon EventBridge.
- When the selected IAM role doesn't include the permission for GuardDuty to tag the S3 object, then even with tagging enabled for your protected bucket, GuardDuty will be unable to add a tag to the scanned S3 object. For more information about the required IAM role permission for tagging, see Create or update IAM role policy. GuardDuty also publishes the scan result to your default EventBridge event bus. For more information, see Monitoring S3 object scans with Amazon EventBridge.
To select an option under Tag scanned objects
- When you want GuardDuty to add tags to your scanned S3 objects, select Tag objects.
- When you don't want GuardDuty to add tags to your scanned S3 objects, select Do not tag objects.
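The tag-based access control (TBAC) policy referred to above, as an added example that is not part of this page and is not AWS's own sample policy: a Python function that generates an S3 bucket policy keyed on the GuardDutyMalwareScanStatus tag, plus a small local check of the first statement against sample object tags. The bucket name and service role ARN are placeholders, and the tag value THREATS_FOUND is an assumption about the scan result value; the condition keys s3:ExistingObjectTag and aws:PrincipalArn are standard S3 and IAM condition keys.

```python
"""Added example (not from the GuardDuty documentation): generate an S3 bucket
policy that enforces tag-based access control on the GuardDutyMalwareScanStatus tag."""
import json

SCAN_TAG = "GuardDutyMalwareScanStatus"   # tag key GuardDuty writes, as stated on the page
THREAT_VALUE = "THREATS_FOUND"            # assumed scan-result value for a positive detection


def build_tbac_bucket_policy(bucket_name: str, scan_role_arn: str) -> dict:
    """Return a bucket policy with two Deny statements:
    1. nobody can read an object whose scan tag says THREATS_FOUND;
    2. only the GuardDuty service role may write or delete object tags
       (otherwise any writer could re-tag a flagged object and bypass rule 1).
    bucket_name and scan_role_arn are caller-supplied placeholders."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyReadOfObjectsWithThreats",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringEquals": {f"s3:ExistingObjectTag/{SCAN_TAG}": THREAT_VALUE}
                },
            },
            {
                "Sid": "OnlyScanRoleMayChangeObjectTags",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:PutObjectTagging", "s3:DeleteObjectTagging"],
                "Resource": f"{bucket_arn}/*",
                # aws:PrincipalArn resolves to the IAM role ARN for assumed-role sessions
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": scan_role_arn}},
            },
        ],
    }


def would_deny_read(policy: dict, object_tags: dict) -> bool:
    """Local check: does the GetObject Deny statement match these object tags?
    This evaluates only the StringEquals-on-tag condition used above; it is not
    a general IAM policy evaluator."""
    for stmt in policy["Statement"]:
        if stmt["Action"] != "s3:GetObject":
            continue
        for cond_key, expected in stmt["Condition"]["StringEquals"].items():
            tag_key = cond_key.split("/", 1)[1]      # "s3:ExistingObjectTag/<key>" -> "<key>"
            if object_tags.get(tag_key) == expected:
                return True
    return False


if __name__ == "__main__":
    policy = build_tbac_bucket_policy(
        "amzn-s3-demo-bucket1",                                    # placeholder bucket
        "arn:aws:iam::111122223333:role/GuardDutyS3MalwareScanRole",  # placeholder role
    )
    print(json.dumps(policy, indent=2))
    # Constructed sample tag sets: a flagged object and a clean one.
    print(would_deny_read(policy, {SCAN_TAG: "THREATS_FOUND"}))     # True
    print(would_deny_read(policy, {SCAN_TAG: "NO_THREATS_FOUND"}))  # False
```

Two points to keep in mind when applying a policy like this: an object carries no GuardDutyMalwareScanStatus tag until the scan finishes, so the first statement does not block reads of not-yet-scanned objects (a separate control is needed if that matters), and the second statement also denies tags supplied at upload time, so it is only appropriate when uploaders do not need to set their own object tags.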
Service access
Use the following steps to choose an existing service role or create a new service role that has the necessary permissions to perform malware scan actions on your behalf. These actions may include scanning the newly uploaded S3 objects and (optionally) adding tags to those objects.
In the Service access section, you can do one of the following:
- Create and use a new service role — You can create a new service role that has the necessary permissions to perform the malware scan. Under Role name, you can use the name pre-populated by GuardDuty or enter a meaningful name of your choice to identify the role, for example GuardDutyS3MalwareScanRole. The Role name must be 1-64 characters. Valid characters are a-z, A-Z, 0-9, and the '+=,.@-_' characters.
- Use an existing service role — You can choose an existing service role from the Service role name list. Under Policy template, you can view the policy for your S3 bucket. Make sure that you entered or selected an S3 bucket in the Enter S3 bucket details section. Under Service role name, choose a service role from the list of service roles. You can make changes to the policy based on your requirements. For more details on how you can create or update an IAM role, see Create or update IAM role policy.
(Optional) Tag Malware Protection plan ID
This is an optional step that helps you add tags to the Malware Protection plan resource that will be created for your S3 bucket resource.
Each tag has two parts: a tag key and an optional tag value. For more information about tagging and its benefits, see Tagging AWS resources.
To add tags to your Malware Protection plan resource
- Enter a Key and an optional Value for the tag. Both the tag key and the tag value are case sensitive. For information about names of tag keys and tag values, see Tag naming limits and requirements.
- To add more tags to your Malware Protection plan resource, choose Add new tag and repeat the previous step. You can add up to 50 tags to each resource.
- Choose Enable.
This section includes the steps for when you want to enable Malware Protection for S3 programmatically in your AWS environment. This requires the Amazon Resource Name (ARN) of the IAM role that you created in Create or update IAM role policy.
To enable Malware Protection for S3 programmatically by using API/CLI
- By using the API
  Run CreateMalwareProtectionPlan to enable Malware Protection for S3 for a bucket that belongs to your own account.
- By using AWS CLI
  Depending on how you want to enable Malware Protection for S3, the following list provides AWS CLI example commands for specific use cases. When you run these commands, replace the placeholder values (the account ID 111122223333, role-name, amzn-s3-demo-bucket1, and the object prefixes Object1 and Object2) with the values that are appropriate for your account.
  AWS CLI example commands
  - Use the following AWS CLI command to enable Malware Protection for S3 for a bucket with no tagging for scanned S3 objects:
    ```shell
    aws guardduty create-malware-protection-plan --role "arn:aws:iam::111122223333:role/role-name" --protected-resource "S3Bucket"={"BucketName"="amzn-s3-demo-bucket1"}
    ```
  - Use the following AWS CLI command to enable Malware Protection for S3 for a bucket with specific object prefixes and no tagging for scanned S3 objects:
    ```shell
    aws guardduty create-malware-protection-plan --role "arn:aws:iam::111122223333:role/role-name" --protected-resource '{"S3Bucket":{"BucketName":"amzn-s3-demo-bucket1", "ObjectPrefixes": ["Object1","Object2"]}}'
    ```
  - Use the following AWS CLI command to enable Malware Protection for S3 for a bucket with scanned S3 object tagging enabled:
    ```shell
    aws guardduty create-malware-protection-plan --role "arn:aws:iam::111122223333:role/role-name" --protected-resource "S3Bucket"={"BucketName"="amzn-s3-demo-bucket1"} --actions "Tagging"={"Status"="ENABLED"}
    ```
  After you run these commands successfully, a unique Malware Protection plan ID is generated. To perform actions such as updating or disabling the protection plan for your bucket, you will need this Malware Protection plan ID.
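The same CreateMalwareProtectionPlan call from an SDK, as an added example that is not part of this page and not AWS's own sample code: a Python helper that assembles the boto3 request for `create_malware_protection_plan` from the inputs the walkthrough asks for (role ARN, bucket, optional prefixes, tagging choice, plan tags), enforces the limits quoted on this page (at most five prefixes, 1-64 character role names, at most 50 plan tags), and returns the plan ID from the response. The parameter names Role, ProtectedResource, Actions and Tags correspond to the CLI options --role, --protected-resource, --actions and --tags; the response key MalwareProtectionPlanId follows the API response shape. The fake client, the account ID, role name, bucket name, prefixes and plan ID are constructed placeholders so the example runs offline.

```python
"""Added example (not from the GuardDuty documentation): build and submit a
CreateMalwareProtectionPlan request with boto3, mirroring the CLI commands above."""
import re

MAX_PREFIXES = 5      # prefix limit stated in the console walkthrough
MAX_PLAN_TAGS = 50    # tag limit per Malware Protection plan resource, as stated on the page
# Role-name rule quoted on the page: 1-64 characters from a-z, A-Z, 0-9 and + = , . @ - _
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,64}$")


def build_plan_request(role_arn, bucket_name, object_prefixes=None,
                       tag_objects=False, plan_tags=None):
    """Return the keyword arguments for GuardDuty.Client.create_malware_protection_plan.

    Raises ValueError when an input violates a limit quoted on the page, so a
    bad request is caught before any API call is made."""
    role_name = role_arn.rsplit("/", 1)[-1]
    if not role_arn.startswith("arn:aws:iam::") or not ROLE_NAME_RE.match(role_name):
        raise ValueError(f"invalid service role ARN: {role_arn!r}")

    s3_bucket = {"BucketName": bucket_name}
    if object_prefixes:
        if len(object_prefixes) > MAX_PREFIXES:
            raise ValueError(f"at most {MAX_PREFIXES} object prefixes are allowed")
        s3_bucket["ObjectPrefixes"] = list(object_prefixes)

    request = {
        "Role": role_arn,
        "ProtectedResource": {"S3Bucket": s3_bucket},
        "Actions": {"Tagging": {"Status": "ENABLED" if tag_objects else "DISABLED"}},
    }
    if plan_tags:
        if len(plan_tags) > MAX_PLAN_TAGS:
            raise ValueError(f"at most {MAX_PLAN_TAGS} tags per Malware Protection plan")
        request["Tags"] = dict(plan_tags)
    return request


def enable_protection(client, **kwargs):
    """Submit the request and return the plan ID needed for later update/disable calls."""
    response = client.create_malware_protection_plan(**build_plan_request(**kwargs))
    return response["MalwareProtectionPlanId"]


class FakeGuardDutyClient:
    """Stand-in for boto3.client('guardduty') so the example runs offline.
    It records each request and returns a constructed plan ID."""

    def __init__(self):
        self.calls = []

    def create_malware_protection_plan(self, **kwargs):
        self.calls.append(kwargs)
        return {"MalwareProtectionPlanId": "plan-0000example"}  # constructed ID


if __name__ == "__main__":
    # Real use: import boto3; client = boto3.client("guardduty", region_name="us-east-1")
    client = FakeGuardDutyClient()
    plan_id = enable_protection(
        client,
        role_arn="arn:aws:iam::111122223333:role/GuardDutyS3MalwareScanRole",  # placeholder
        bucket_name="amzn-s3-demo-bucket1",                                  # placeholder
        object_prefixes=["uploads/", "imports/"],                            # constructed
        tag_objects=True,
        plan_tags={"Owner": "security-team"},                                # constructed
    )
    print("Malware Protection plan ID:", plan_id)
    print(client.calls[0])
```

Keep the returned plan ID with the bucket's configuration record; as the page notes, it is the handle you need later to update or disable the plan.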