
Starting On-demand malware scan in GuardDuty


This section provides a list of prerequisites before initiating an on-demand malware scan and steps to start the scan on a resource for the first time.

As a GuardDuty administrator account, you can start an on-demand malware scan on behalf of your active member accounts that have the following prerequisites set up in their accounts. Standalone accounts and active member accounts in GuardDuty can also start an on-demand malware scan for their own Amazon EC2 instances.

Prerequisites

Before you start an On-demand malware scan, your account must meet the following prerequisites:

  • GuardDuty must be enabled in the AWS Regions where you want to start the on-demand malware scan.

  • Ensure that the AWS managed policy AmazonGuardDutyFullAccess is attached to the IAM user or IAM role that will start the scan. You will need the access key and secret key associated with that IAM user or IAM role.

  • As a delegated GuardDuty administrator account, you have the option to start an on-demand malware scan on behalf of an active member account.

  • Before you start an on-demand malware scan, make sure that no scan was started on the same resource in the past 1 hour; otherwise, the new request is de-duplicated against the earlier scan and no new scan is started. For more information, see Re-scanning previously scanned Amazon EC2 instance.

  • If you're a member account that doesn't have the service-linked role (SLR) permissions for Malware Protection for EC2, initiating an on-demand malware scan for an Amazon EC2 instance that belongs to your account automatically creates the SLR for Malware Protection for EC2.

Important

Ensure that no one deletes the SLR permissions for Malware Protection for EC2 while a malware scan is still in progress, whether the scan was started by GuardDuty or started on demand. Deleting the SLR prevents the scan from completing successfully and from providing a definitive scan result.

Start On-demand malware scan

You can start an on-demand malware scan in your account through the GuardDuty console or by using the AWS CLI. You will need to provide the Amazon Resource Name (ARN) of the Amazon EC2 instance for which you want to start the scan. Detailed steps for both the console and the API/AWS CLI are provided in the following section.

Choose your preferred access method to start an on-demand malware scan.

Console
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. Start the scan using one of the following options:

    1. Using the Malware Protection for EC2 page:

      1. In the navigation pane, under Protection plans, choose Malware Protection for EC2.

      2. On the Malware Protection for EC2 page, provide the Amazon EC2 instance ARN¹ for which you want to start the scan.

    2. Using the Malware Scans page:

      1. In the navigation pane, choose Malware Scans.

      2. Choose Start on-demand scan and provide the Amazon EC2 instance ARN¹ for which you want to start the scan.

      3. If this is a re-scan, select an Amazon EC2 instance ID on the Malware Scans page.

        Expand the Start on-demand scan dropdown and choose Re-scan selected instance.

  3. After you successfully start a scan using either method, a scan ID gets generated. You can use this scan ID to track the progress of the scan. For more information, see Monitoring malware scan statuses and results.

API/CLI

Invoke StartMalwareScan, which accepts the resourceArn of the Amazon EC2 instance¹ for which you want to start an on-demand malware scan.

aws guardduty start-malware-scan --resource-arn "arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f"

After you successfully start a scan, StartMalwareScan returns a scanId. Invoke DescribeMalwareScans to monitor the progress of the started scan.
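As an added example (not AWS documentation code) of the StartMalwareScan and DescribeMalwareScans sequence described above, the following Python script first checks whether a scan of the same instance was started within the last hour (a new request would be de-duplicated against it), starts a scan only if none was, and then polls the scan by its scanId until the status leaves RUNNING. It assumes a boto3 guardduty client with those two operations; DETECTOR_ID is a placeholder, and FakeGuardDuty is a constructed stand-in so the code runs offline.

```python
import time
from datetime import datetime, timedelta, timezone

# Added example, not AWS code. DETECTOR_ID is a constructed placeholder; fetch yours with ListDetectors.
DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"
DEDUP_WINDOW = timedelta(hours=1)   # a second scan of the same resource within 1 h is de-duped
TERMINAL = {"COMPLETED", "FAILED", "SKIPPED"}

def describe(client, criterion_key, value):
    """DescribeMalwareScans filtered on one CriterionKey (EC2_INSTANCE_ARN or SCAN_ID)."""
    crit = {"CriterionKey": criterion_key, "FilterCondition": {"EqualsValue": value}}
    return client.describe_malware_scans(DetectorId=DETECTOR_ID,
                                         FilterCriteria={"FilterCriterion": [crit]})["Scans"]

def start_or_reuse(client, resource_arn, now=None):
    """Reuse a scan started on resource_arn within the last hour (a new request would be
    de-duped against it); otherwise call StartMalwareScan. Returns (scan_id, started)."""
    now = now or datetime.now(timezone.utc)
    for scan in describe(client, "EC2_INSTANCE_ARN", resource_arn):
        if now - scan["ScanStartTime"] < DEDUP_WINDOW:
            return scan["ScanId"], False
    return client.start_malware_scan(ResourceArn=resource_arn)["ScanId"], True

def wait_for_scan(client, scan_id, poll_seconds=30, max_polls=120):
    """Poll DescribeMalwareScans by SCAN_ID until the status leaves RUNNING."""
    for _ in range(max_polls):
        scan = describe(client, "SCAN_ID", scan_id)[0]
        if scan["ScanStatus"] in TERMINAL:
            return scan["ScanStatus"], scan.get("ScanResultDetails", {}).get("ScanResult")
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still RUNNING after {max_polls} polls")

class FakeGuardDuty:
    """Constructed offline stand-in for boto3.client('guardduty'); real use passes the boto3 client."""
    def __init__(self, scans=None):
        self.scans = scans or []
    def start_malware_scan(self, ResourceArn):   # the stand-in finishes instantly with a CLEAN result
        self.scans.append({"ScanId": f"scan-{len(self.scans) + 1}", "ScanStatus": "COMPLETED",
                           "ScanStartTime": datetime.now(timezone.utc),
                           "ScanResultDetails": {"ScanResult": "CLEAN"},
                           "ResourceDetails": {"InstanceArn": ResourceArn}})
        return {"ScanId": self.scans[-1]["ScanId"]}
    def describe_malware_scans(self, DetectorId, FilterCriteria):
        crit = FilterCriteria["FilterCriterion"][0]
        field = {"EC2_INSTANCE_ARN": lambda s: s["ResourceDetails"]["InstanceArn"],
                 "SCAN_ID": lambda s: s["ScanId"]}[crit["CriterionKey"]]
        return {"Scans": [s for s in self.scans if field(s) == crit["FilterCondition"]["EqualsValue"]]}
```

Against a real account, replace FakeGuardDuty() with boto3.client("guardduty") and set DETECTOR_ID to your detector; the SCAN_ID poll returns FAILED rather than COMPLETED if the SLR is removed mid-scan, so check the status as well as the result.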


¹For information about the format of your Amazon EC2 instance ARN, see Amazon Resource Name (ARN). For Amazon EC2 instances, you can use the following example ARN format by replacing the values for the partition, Region, AWS account ID, and Amazon EC2 instance ID. For information about the length of your instance ID, see Resource IDs.

arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f

AWS Organizations service control policy – Denied access

Using service control policies (SCPs) in AWS Organizations, the delegated GuardDuty administrator account can restrict permissions and deny actions such as initiating an on-demand malware scan for Amazon EC2 instances owned by your accounts.

As a GuardDuty member account, when you start an on-demand malware scan for your Amazon EC2 instances, you may receive an error. You can connect with the management account to understand why an SCP was set up for your member account. For more information, see SCP effects on permissions.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.