GuardDuty Malware Protection for S3
Malware Protection for S3 helps you detect potential presence of malware by scanning newly uploaded objects to your selected Amazon Simple Storage Service (Amazon S3) bucket. When an S3 object or a new version of an existing S3 object gets uploaded to your selected bucket, GuardDuty automatically starts a malware scan.
- Two approaches to enable Malware Protection for S3
-
You can enable Malware Protection for S3 when your AWS account enables the GuardDuty service and you use Malware Protection for S3 as a part of the overall GuardDuty experience, or when you want to use the Malware Protection for S3 feature by itself without enabling the GuardDuty service. When you enable Malware Protection for S3 by itself, the GuardDuty documentation refers to it as using Malware Protection for S3 as an independent feature.
Considerations for using Malware Protection for S3 independently
-
GuardDuty security findings – Detector ID is a unique identifier that is associated with your account in a Region. When you enable GuardDuty in one or more Regions in an account, a detector ID gets created automatically for this account in each Region where you enable GuardDuty. For more information, see Detector in the Concepts and terminology document.
When you enable Malware Protection for S3 independently in an account, that account will not have an associated detector ID. This impacts what GuardDuty features may be available to you. For example, when an S3 malware scan detects the presence of malware, no GuardDuty finding will get generated in your AWS account because all GuardDuty findings are associated with a detector ID.
-
Checking if the scanned object is malicious – By default, GuardDuty publishes the malware scan results to your default Amazon EventBridge event bus and an Amazon CloudWatch namespace. When you enable tagging at the time of enabling Malware Protection for S3 for a bucket, the scanned S3 object gets a tag that mentions the scan result. For more information about tagging, see Optional tagging of objects based on scan result.
-
- General considerations for enabling Malware Protection for S3
-
The following general consideration apply whether you use Malware Protection for S3 independently or as a part of the GuardDuty experience:
-
You can enable Malware Protection for S3 for an Amazon S3 bucket that belongs to your own account. As a delegated GuardDuty administrator account you can't enable this feature in an Amazon S3 bucket that belongs to a member account.
-
As a delegated GuardDuty administrator account, you will receive an Amazon EventBridge notification each time a member account enables this feature for their Amazon S3 bucket.
-
Currently, Malware Protection for S3 finding type doesn't support integration with AWS Security Hub and Amazon Detective. This applies to the Malware Protection for S3 finding type only.
-
Contents
- How does Malware Protection for S3 work?
- Pricing for Malware Protection for S3
- (Optional) Get started with GuardDuty Malware Protection for S3 independently (console only)
- Configuring Malware Protection for S3 for your bucket
- Malware Protection plan resource status
- Troubleshooting Malware Protection plan status details
- Monitoring S3 object scan status
- Using tag-based access control (TBAC) with Malware Protection for S3
- Editing Malware Protection for S3 for a protected bucket
- Viewing usage and cost for Malware Protection for S3
- Disable Malware Protection for S3 for a protected bucket
- Quotas in Malware Protection for S3
