How does Malware Protection for S3 work?
This section describes components of Malware Protection for S3, how it works after you enable it for an S3 bucket, and how you can review the malware scan status and result.
Overview
You can enable Malware Protection for S3 for an Amazon S3 bucket that belongs to your own AWS account. GuardDuty provides you flexibility to enable this feature for your entire bucket, or limit the scope of the malware scan to specific object prefixes where GuardDuty scans each uploaded object that starts with one of the selected prefixes. You can add up to 5 prefixes. When you enable the feature for an S3 bucket, then that bucket is called a protected bucket.
IAM role permissions
Malware Protection for S3 uses an IAM role that permits GuardDuty to perform the malware scan actions on your behalf. These actions include being notified of the newly uploaded objects in your selected bucket, scanning those objects, and optionally adding tags to your scanned objects. This is a prerequisite to configuring your S3 bucket with this feature.
You have the option to either update an existing IAM role, or create a new role for this purpose. When you enable Malware Protection for S3 for more than one bucket, you can update the existing IAM role to include the other bucket name, as needed. For more information, see Create or update IAM role policy.
Optional tagging of objects based on scan result
At the time of enabling Malware Protection for S3 for your bucket, there is an optional step to enable tagging for scanned S3 objects. The IAM role already includes the permission to add tags to your object after the scan. However, GuardDuty will add tags only when you enable this option at the time of setup.
You must enable this option before an object gets uploaded. After the scan ends, GuardDuty adds a predefined tag to the scanned S3 object with the following key:value pair:
GuardDutyMalwareScanStatus
:Potential scan
result
The potential scan result tag values include NO_THREATS_FOUND
,
THREATS_FOUND
, UNSUPPORTED
, ACCESS_DENIED
, and
FAILED
. For more information about these values, see S3 object potential
scan status and result status.
Enabling tagging is one of the ways to know about the S3 object scan result. You can further use these tags to add a tag-based access control (TBAC) S3 resource policy so that you can take actions on the potentially malicious objects. For more information, see Adding TBAC on S3 bucket resource.
We recommend you to enable tagging at the time of configuring Malware Protection for S3 for your bucket. If you enable tagging after an object gets uploaded and potentially the scan initiates, GuardDuty will not be able to add tags to the scanned object. For information about associated S3 Object Tagging cost, see Pricing and usage cost for Malware Protection for S3.
Process after you enable Malware Protection for S3 for a bucket
After you enable Malware Protection for S3, a Malware Protection plan resource gets
created exclusively for the selected S3 bucket. This resource is associated with a Malware Protection plan ID, a
unique identifier for your protected resource. By using one of the IAM permissions, GuardDuty then
creates and manages an EventBridge managed rule by the name of
DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*
.
How GuardDuty handles your data - guardrails for data protection
Malware Protection for S3 listens to the Amazon EventBridge notifications. When an object gets uploaded to the selected bucket or one of the prefixes, GuardDuty downloads that object from S3 bucket by using an AWS PrivateLink and then reads, decrypts, and scans it in an isolated environment in the same Region. The scanning environment runs in a locked down virtual private cloud (VPC) with no internet access. The VPC is attached to a DNS Firewall rule group that allows communication only to the allowslisted domains that AWS owns. For the duration of the scan, GuardDuty temporarily stores the downloaded S3 object within the scanning environment that is encrypted with AWS Key Management Service (AWS KMS) keys.
Note
By default, all the Amazon S3 APIs listed under the Object Created Event type in the Amazon S3 User Guide, will initiate the Malware Protection for S3 scan.
These Event types include PutObject, POST Object, CopyObject, and CompleteMultipartUpload.
For information about GuardDuty malware detection methodology and the scan engines that it uses, see GuardDuty malware detection scan engine.
After the malware scan completes, GuardDuty processes the scan metadata with the scan status and then deletes the downloaded copy of the object.
GuardDuty cleans the scanning environment each time before a new scan begins. GuardDuty uses contingent authorization for operator access to the scanning environment, and every access request is reviewed, approved, and audited.
Reviewing S3 object scan status and result
GuardDuty publishes the S3 object scan result event to Amazon EventBridge default event bus. GuardDuty also
sends the scan metrics such as number of objects scanned and bytes scanned to Amazon CloudWatch. If you
enabled tagging, then GuardDuty will add the predefined tag GuardDutyMalwareScanStatus
and
a potential scan result as the tag value.
For more information, see Monitoring S3 object scans in Malware Protection for S3.
Reviewing generated findings
Reviewing the findings depends on whether or not you are using Malware Protection for S3 with GuardDuty. Consider the following scenarios:
- Using Malware Protection for S3 when you have GuardDuty service enabled (detector ID)
-
If the malware scan detects a potentially malicious file in an S3 object, GuardDuty will generate an associated finding. You can view the finding details and use the recommended steps to potentially remediate the finding. Based on your Export findings frequency, the generated finding gets exported to an S3 bucket and EventBridge event bus.
For information about the finding type that would get generated, see Malware Protection for S3 finding type.
- Using Malware Protection for S3 as an independent feature (no detector ID)
-
GuardDuty will not be able to generate findings because there is no associated detector ID. To know the S3 object malware scan status, you can view the scan result that GuardDuty automatically publishes to your default event bus. You can also view the CloudWatch metrics to assess the number of objects and bytes that GuardDuty attempted to scan. You can set up CloudWatch alarms to get notified about the scan results. If you have enabled S3 Object Tagging, you can also view the malware scan status by checking the S3 object for the
GuardDutyMalwareScanStatus
tag key and the scan result tag value.For information about the S3 object scan status and result, see Monitoring S3 object scans in Malware Protection for S3.