Monitoring scan statuses and results in
Malware Protection for EC2
You can monitor the scan status of each GuardDuty Malware Protection for EC2 scan. The possible values for scan
Status are Completed, Running,
Skipped, and Failed.
After the scan completes, the Scan result is populated for scans that
have the Status as Completed. Possible values for
Scan result are Clean and Infected. Using
Scan type, you can identify if the malware scan was GuardDuty
initiated or On demand.
Scan results for each malware scan has a retention period of 90 days. Choose your
preferred access method to track the status of your malware scan.
- Console
-
- API/CLI
-
-
After the malware scan has a scan result, you can filter the malware
scans on the basis of EC2_INSTANCE_ARN,
SCAN_ID, ACCOUNT_ID,
SCAN_TYPE
GUARDDUTY_FINDING_ID, SCAN_STATUS, and
SCAN_START_TIME.
The GUARDDUTY_FINDING_ID filter criteria is available
when the SCAN_TYPE is GuardDuty initiated. For information
about any filter criteria, see Finding details.
-
You can change the example filter-criteria
in the command below. Presently, you can filter on the basis of one
CriterionKey at a time. The options for
CriterionKey are EC2_INSTANCE_ARN,
SCAN_ID, ACCOUNT_ID,
SCAN_TYPE
GUARDDUTY_FINDING_ID, SCAN_STATUS, and
SCAN_START_TIME.
If you use the same CriterionKey as below, ensure to
replace the example EqualsValue with your own valid AWS
scan-id.
Replace the example detector-id with your own valid
detector-idmax-results (up to 50) and the
sort-criteria. The
AttributeName is mandatory and must be
scanStartTime.
aws guardduty describe-malware-scans --detector-id 60b8777933648562554d637e0e4bb3b2 --max-results 1 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }'
-
The response of this command displays a maximum of one result with
details about the affected resource and malware findings (if
Infected).
