This section explains how Malware Protection for EC2, including both GuardDuty-initiated malware scan and On-demand malware scan, scans the Amazon EBS volumes associated with your Amazon EC2 instances and container workloads. Before proceeding, consider the following customizations:
- Scan options – Malware Protection for EC2 lets you specify tags to either include or exclude Amazon EC2 instances and Amazon EBS volumes from the scanning process. Only GuardDuty-initiated malware scan supports scan options with user-defined tags. Both GuardDuty-initiated malware scan and On-demand malware scan support the global GuardDutyExcluded tag. For more information, see Scan options with user-defined tags.
- Snapshots retention – Malware Protection for EC2 provides an option to retain the snapshots of your Amazon EBS volumes in your AWS account. By default, this setting is turned off. You can opt in to snapshots retention for both GuardDuty-initiated and on-demand malware scans. For more information, see Snapshots retention.
When GuardDuty generates one or more findings that invoke GuardDuty-initiated malware scan, that activity is the trigger for the scan. If your scan options do not exclude the affected instance, GuardDuty initiates the scan.
To initiate an On-demand malware scan on the Amazon EBS volumes associated with an Amazon EC2 instance, provide the Amazon Resource Name (ARN) of the Amazon EC2 instance.
When you start an on-demand malware scan, or GuardDuty initiates one automatically, GuardDuty creates snapshots of the relevant EBS volumes attached to the potentially impacted resource and shares them with the GuardDuty service account. When GuardDuty creates a snapshot of your EBS volumes, it adds a default tag called GuardDutyScanId. This tag lets GuardDuty access the snapshot; make sure that you don't remove it. From these snapshots, GuardDuty creates an encrypted replica EBS volume in the service account.
After the scan completes, GuardDuty deletes the encrypted replica EBS volumes and the snapshots of your EBS volumes. By default, the snapshots retention setting is turned off. However, snapshots are retained if Amazon EBS snapshot locking is enabled for them, regardless of the scan results and settings, because GuardDuty can't modify the Amazon EBS snapshot lock settings.
The following list describes snapshots retention behavior, including the effect of EBS snapshot locking:
- Snapshots retention is turned on:
  - When malware is found, GuardDuty retains the snapshots in your AWS account.
  - When no malware is found, GuardDuty doesn't retain the snapshots unless they are locked.
- Snapshots retention is turned off (default setting):
  - Whether or not malware is found, the snapshots are not retained.
  - GuardDuty can't delete locked Amazon EBS snapshots, so locked snapshots remain in your account.
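The scoping rules (user-defined include/exclude tags for GuardDuty-initiated scans, the global GuardDutyExcluded tag for both scan types) and the snapshot retention rules above, simulated locally so you can check a proposed policy against your fleet before applying it. This is an added example, not AWS or GuardDuty code. The fleet, tags and detector ID are constructed. Two behaviours are assumptions rather than statements from this page: an instance matching both the include and the exclude criteria is treated as excluded, and a criterion with no value matches any value of that key. The `apply_and_scan` function uses the real boto3 `update_malware_scan_settings` and `start_malware_scan` calls and needs credentials, so its import is deferred and it is not run by the offline part.

```python
"""Offline simulator for Malware Protection for EC2 scan scoping and snapshot
retention, plus the boto3 request that would apply the same settings."""
from __future__ import annotations

from dataclasses import dataclass, field

GUARDDUTY_INITIATED = "GUARDDUTY_INITIATED"
ON_DEMAND = "ON_DEMAND"
GLOBAL_EXCLUDE_TAG = "GuardDutyExcluded"  # honoured by both scan types


@dataclass
class Volume:
    volume_id: str
    tags: dict[str, str] = field(default_factory=dict)


@dataclass
class Instance:
    arn: str  # the instance ARN is what StartMalwareScan takes
    tags: dict[str, str] = field(default_factory=dict)
    volumes: list[Volume] = field(default_factory=list)


@dataclass
class ScanSettings:
    """Mirrors the GuardDuty MalwareScanSettings shape: ScanResourceCriteria
    (Include/Exclude on EC2_INSTANCE_TAG) and EbsSnapshotPreservation."""
    include_tags: dict[str, str] = field(default_factory=dict)
    exclude_tags: dict[str, str] = field(default_factory=dict)
    ebs_snapshot_preservation: str = "NO_RETENTION"  # or "RETENTION_WITH_FINDING"


def _globally_excluded(tags: dict[str, str]) -> bool:
    # The documented opt-out is GuardDutyExcluded=true on the instance or volume.
    return tags.get(GLOBAL_EXCLUDE_TAG, "").strip().lower() == "true"


def _matches(tags: dict[str, str], criteria: dict[str, str]) -> bool:
    # Assumption: an empty criterion value matches any value of that key
    # (the API's ScanConditionPair has an optional Value).
    return any(k in tags and (v == "" or tags[k] == v) for k, v in criteria.items())


def volumes_in_scope(instance: Instance, settings: ScanSettings, scan_type: str) -> list[str]:
    """IDs of the volumes GuardDuty would snapshot and scan on this instance.
    GuardDuty-initiated scans honour user-defined include/exclude tags;
    on-demand scans honour only the global GuardDutyExcluded tag."""
    if scan_type not in (GUARDDUTY_INITIATED, ON_DEMAND):
        raise ValueError(f"unknown scan type: {scan_type}")
    if _globally_excluded(instance.tags):
        return []
    if scan_type == GUARDDUTY_INITIATED:
        # Assumption: exclusion wins when an instance matches both criteria lists.
        if settings.exclude_tags and _matches(instance.tags, settings.exclude_tags):
            return []
        if settings.include_tags and not _matches(instance.tags, settings.include_tags):
            return []
    return [v.volume_id for v in instance.volumes if not _globally_excluded(v.tags)]


def snapshot_retained(settings: ScanSettings, malware_found: bool, locked: bool) -> bool:
    """Retention rules from this section: a locked snapshot always stays
    (GuardDuty can't delete it); otherwise it stays only when retention is on
    and malware was found."""
    if locked:
        return True
    return settings.ebs_snapshot_preservation == "RETENTION_WITH_FINDING" and malware_found


def build_update_request(detector_id: str, settings: ScanSettings) -> dict:
    """kwargs for guardduty.update_malware_scan_settings()."""
    def pairs(criteria):
        return [{"Key": k, **({"Value": v} if v else {})} for k, v in criteria.items()]
    criteria = {}
    if settings.include_tags:
        criteria["Include"] = {"EC2_INSTANCE_TAG": pairs(settings.include_tags)}
    if settings.exclude_tags:
        criteria["Exclude"] = {"EC2_INSTANCE_TAG": pairs(settings.exclude_tags)}
    return {"DetectorId": detector_id, "ScanResourceCriteria": criteria,
            "EbsSnapshotPreservation": settings.ebs_snapshot_preservation}


def apply_and_scan(detector_id: str, settings: ScanSettings, instance: Instance) -> str:
    """Push the settings and start an on-demand scan by instance ARN (needs
    boto3 and AWS credentials, hence the deferred import). Returns the ScanId."""
    import boto3
    gd = boto3.client("guardduty")
    gd.update_malware_scan_settings(**build_update_request(detector_id, settings))
    return gd.start_malware_scan(ResourceArn=instance.arn)["ScanId"]


# Constructed sample fleet and policy (not real resources).
SETTINGS = ScanSettings(include_tags={"env": "prod"}, exclude_tags={"gd-skip": ""},
                        ebs_snapshot_preservation="RETENTION_WITH_FINDING")
_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/"
FLEET = [
    Instance(_ARN + "i-0aaa", {"env": "prod"},
             [Volume("vol-root"), Volume("vol-scratch", {GLOBAL_EXCLUDE_TAG: "true"})]),
    Instance(_ARN + "i-0bbb", {"env": "dev"}, [Volume("vol-dev")]),
    Instance(_ARN + "i-0ccc", {"env": "prod", "gd-skip": "yes"}, [Volume("vol-skip")]),
    Instance(_ARN + "i-0ddd", {GLOBAL_EXCLUDE_TAG: "true"}, [Volume("vol-optout")]),
]


def scope_report(fleet=FLEET, settings=SETTINGS) -> dict[str, dict[str, list[str]]]:
    """Per instance ID: which volumes each scan type would cover."""
    return {inst.arn.rsplit("/", 1)[1]: {st: volumes_in_scope(inst, settings, st)
                                         for st in (GUARDDUTY_INITIATED, ON_DEMAND)}
            for inst in fleet}


if __name__ == "__main__":
    for iid, cover in scope_report().items():
        print(iid, cover)
    print(build_update_request("12abc34d567e8fa901bc2d34e56789f0", SETTINGS))
```

Run it before touching the detector: the report shows that i-0bbb is invisible to GuardDuty-initiated scans (no include tag) but still reachable by an on-demand scan, while i-0ddd is opted out of both, which is exactly the asymmetry the scan-options bullet above describes. Note that retention is evaluated per snapshot, so a locked snapshot of a scanned volume survives even with `NO_RETENTION`.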
GuardDuty will retain each replica EBS volume in the service account for up to 55 hours. If there is a service outage, or failure with a replica EBS volume and its malware scan, GuardDuty will retain such an EBS volume for no more than seven days. The extended volume retention period is to triage and address the outage or failure. GuardDuty Malware Protection for EC2 will delete the replica EBS volumes from the service account after the outage or failure is addressed, or once the extended retention period lapses.
For information about GuardDuty malware detection methodology and the scan engines that it uses, see GuardDuty malware detection scan engine.