Monitoring S3 object scans with Amazon EventBridge - Amazon GuardDuty

Monitoring S3 object scans with Amazon EventBridge

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and AWS services and routes that data to targets such as Lambda. This enables you to monitor events that happen in services, and build event-driven architectures. For more information, see the Amazon EventBridge User Guide.

As the owner account of an S3 bucket that is protected with Malware Protection for S3, GuardDuty publishes EventBridge notifications to the default event bus in the following scenarios:

  • Malware Protection plan resource status changes for any of your protected buckets. For information about various statuses, see Malware Protection plan resource status.

    For setting up Amazon EventBridge (EventBridge) rule for the resource status, see Malware Protection plan resource status.

  • The S3 object scan result gets published to your default EventBridge event bus.

    The s3Throttled field indicates whether or not there was a delay in uploading or retrieving storage from Amazon S3. The value true indicates that there was a delay, and false indicates that there was no delay.

    If s3Throttled is true for your scan result, then Amazon S3 recommends setting up prefixes in a way that helps you reduce the transactions per second (TPS) for each prefix. For more information, see Best practices design patterns: optimizing Amazon S3 performance in the Amazon S3 User Guide.

    For setting up Amazon EventBridge (EventBridge) rule for the S3 object scan results, see S3 object scan result.

  • There is a post-scan tag failure event because of the following reasons:

    • Your IAM role is missing permissions to tag the object.

      The Adding IAM policy permissions template includes the permission for GuardDuty to tag an object.

    • The bucket resource or object specified in the IAM role no longer exists.

    • The associated S3 object has already reached the maximum tag limit. For more information about the tag limit, see Categorizing your storage using tags in the Amazon S3 User Guide.

    For setting up Amazon EventBridge (EventBridge) rule for the post-scan tag failure events, see Post-scan tag failure events.

Set up EventBridge rules

You can set up EventBridge rules in your account to send either resource status, post-scan tag failure events, or the S3 object scan result to another AWS service. As a delegated GuardDuty administrator account, you will receive the Malware Protection plan resource status notification when there is a change in the status.

Standard EventBridge pricing will apply. For more information, see Amazon EventBridge pricing.

All the values that show up in red are placeholders for the example. These values will change based on the values in your account, and whether or not malware is detected.

Malware Protection plan resource status

You can create an EventBridge event pattern based on the following scenarios:

Potential detail-type values
  • "GuardDuty Malware Protection Resource Status Active"

  • "GuardDuty Malware Protection Resource Status Warning"

  • "GuardDuty Malware Protection Resource Status Error"

Event pattern

{ "detail-type": ["potential detail-type"], "source": ["aws.guardduty"] }

Sample notification schema for GuardDuty Malware Protection Resource Status Active:

{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "GuardDuty Malware Protection Resource Status Active", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"], "detail": { "schemaVersion": "1.0", "eventTime": "2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "ACTIVE" } }

Sample notification schema for GuardDuty Malware Protection Resource Status Warning:

{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "GuardDuty Malware Protection Resource Status warning", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"], "detail": { "schemaVersion": "1.0", "eventTime": "2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "WARNING", "statusReasons": [ { "code": "INSUFFICIENT_TEST_OBJECT_PERMISSIONS" } ] } }

Sample notification schema for GuardDuty Malware Protection Resource Status Error:

{ "version": "0", "id": "fc7a35b7-83bd-3c1f-ecfa-1b8de9e7f7d2", "detail-type": "GuardDuty Malware Protection Resource Status Error", "source": "aws.guardduty", "account": "111122223333", "time": "2017-12-22T18:43:48Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"], "detail": { "schemaVersion": "1.0", "eventTime": "2024-02-28T01:01:01Z", "s3BucketDetails": { "bucketName": "amzn-s3-demo-bucket" }, "resourceStatus": "ERROR", "statusReasons": [ { "code": "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED" } ] } }

Based on the reason behind the resourceStatus ERROR, the statusReasons value will get populated.

For information about troubleshooting steps for the following warning and errors, see Troubleshooting Malware Protection plan status.

S3 object scan result

{ "detail-type": ["GuardDuty Malware Protection Object Scan Result"], "source": ["aws.guardduty"] }

Sample notification schema for NO_THREATS_FOUND:

{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0171419", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE], "detail": { "schemaVersion": "1.0", "scanStatus": "COMPLETED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": false }, "scanResultDetails": { "scanResultStatus": "NO_THREATS_FOUND", "threats": null } } }

Sample notification schema for THREATS_FOUND:

{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0171419", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE], "detail": { "schemaVersion": "1.0", "scanStatus": "COMPLETED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": false }, "scanResultDetails": { "scanResultStatus": "THREATS_FOUND", "threats": [ { "name": "EICAR-Test-File (not a virus)" } ] } } }
Note

The scanResultDetails.Threats field contains only one threat. By default, the Malware Protection for S3 scan reports the first detected threat. After this, the scanStatus is set to COMPLETED.

Sample notification schema for scan result status UNSUPPORTED (Skipped):

{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE], "detail": { "schemaVersion": "1.0", "scanStatus": "SKIPPED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": false }, "scanResultDetails": { "scanResultStatus": "UNSUPPORTED", "threats": null } } }

Sample notification schema for scan result status ACCESS_DENIED (Skipped):

{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE], "detail": { "schemaVersion": "1.0", "scanStatus": "SKIPPED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": false }, "scanResultDetails": { "scanResultStatus": "ACCESS_DENIED", "threats": null } } }

Sample notification schema for scan result status FAILED:

{ "version": "0", "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE", "detail-type": "GuardDuty Malware Protection Object Scan Result", "source": "aws.guardduty", "account": "111122223333", "time": "2024-02-28T01:01:01Z", "region": "us-east-1", "resources": [arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE], "detail": { "schemaVersion": "1.0", "scanStatus": "FAILED", "resourceType": "S3_OBJECT", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "APKAEIBAERJR2EXAMPLE", "eTag": "ASIAI44QH8DHBEXAMPLE", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": false }, "scanResultDetails": { "scanResultStatus": "FAILED", "threats": null } } }

Post-scan tag failure events

Event pattern:

{ "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty" }

Sample notification schema for ACCESS_DENIED:

{ "version": "0", "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7", "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty", "account": "111122223333", "time": "2024-06-10T16:16:08Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"], "detail": { "schemaVersion": "1.0", "eventTime": "2024-06-10T16:16:08Z", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0", "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": false }, "postScanActions": [{ "actionType": "TAGGING", "failureReason": "ACCESS_DENIED" }] } }

Sample notification schema for MAX_TAG_LIMIT_EXCEEDED:

{ "version": "0", "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7", "detail-type": "GuardDuty Malware Protection Post Scan Action Failed", "source": "aws.guardduty", "account": "111122223333", "time": "2024-06-10T16:16:08Z", "region": "us-east-1", "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"], "detail": { "schemaVersion": "1.0", "eventTime": "2024-06-10T16:16:08Z", "s3ObjectDetails": { "bucketName": "amzn-s3-demo-bucket", "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0", "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6", "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": false }, "postScanActions": [{ "actionType": "TAGGING", "failureReason": "MAX_TAG_LIMIT_EXCEEDED" }] } }

To troubleshoot these failure reasons, see Troubleshooting S3 object post-scan tag failures.