Capabilities of Malware Protection for S3 - Amazon GuardDuty

Capabilities of Malware Protection for S3

The following list provides an overview of what you can expect or do after enabling Malware Protection for S3 for your bucket:

  • Choose what to scan – Scan files as they get uploaded to all or specific prefixes (up to 5) associated with your selected S3 bucket.

  • Automatic scans on uploaded objects – Once you enable Malware Protection for S3 for a bucket, GuardDuty automatically scans each newly uploaded object for potential malware.

  • Enable through the console, the API/AWS CLI, or AWS CloudFormation – Choose your preferred method to enable Malware Protection for S3.

    You can enable Malware Protection for S3 by using Infrastructure as code (IaC) platforms such as Terraform. For more information, see Resource: aws_guardduty_malware_protection_plan.

  • Supported file formats, Malware Protection for S3 quotas, and Amazon S3 features – Malware Protection for S3 supports all file formats that you can upload to S3 buckets. If the uploaded file is password-protected, GuardDuty skips scanning it. For information about the quotas related to object size, maximum archive depth level, and other details, see Quotas in Malware Protection for S3.

    For information about whether or not an Amazon S3 feature is supported, see Supportability of Amazon S3 features.

  • Supports tagging scanned S3 objects – When you enable Optional tagging of objects based on scan result, GuardDuty adds a tag indicating the scan status to each object after its malware scan completes. You can use this tag to set up tag-based access control (TBAC) for the S3 objects. For example, you can restrict access to objects that are indicated as malicious, that is, objects whose tag value is THREATS_FOUND.
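    The following is an added example (not part of the GuardDuty documentation) of the tag-based access control described above. It builds a bucket policy that denies s3:GetObject on objects tagged THREATS_FOUND and, as a second statement, on objects that carry no scan tag yet, because an object is readable between upload and the end of its scan unless you deny that case explicitly. The tag key GuardDutyMalwareScanStatus, the scanner role ARN, and the bucket name are assumptions or placeholders, and the small evaluator only implements the three IAM condition operators the policy uses, so you can check the deny/allow outcome offline before deploying the policy.

```python
import json

# Tag written by GuardDuty after each scan (assumed key/value names; verify
# against the GuardDuty documentation for your account before relying on them).
SCAN_TAG_KEY = "GuardDutyMalwareScanStatus"
THREATS_FOUND = "THREATS_FOUND"
# Placeholder for the IAM role GuardDuty assumes to read and tag objects; it
# must stay able to read objects that have not been tagged yet.
SCANNER_ROLE_ARN = "arn:aws:iam::111122223333:role/PLACEHOLDER-GuardDutyScanRole"
TAG_PREFIX = "s3:ExistingObjectTag/"


def build_bucket_policy(bucket: str) -> dict:
    """Bucket policy: deny reads of malicious objects and of unscanned objects."""
    tag_key = TAG_PREFIX + SCAN_TAG_KEY
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # objects GuardDuty reported as malicious
                "Sid": "DenyReadOfMaliciousObjects",
                "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
                "Resource": resource,
                "Condition": {"StringEquals": {tag_key: THREATS_FOUND}},
            },
            {   # objects not yet scanned (no tag); the scanner role is exempt
                "Sid": "DenyReadOfUnscannedObjects",
                "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
                "Resource": resource,
                "Condition": {
                    "Null": {tag_key: "true"},
                    "ArnNotEquals": {"aws:PrincipalArn": SCANNER_ROLE_ARN},
                },
            },
        ],
    }


def _condition_matches(condition: dict, object_tags: dict, principal_arn: str) -> bool:
    """Subset of IAM condition evaluation: every clause in the block must hold."""
    for operator, clauses in condition.items():
        for cond_key, expected in clauses.items():
            if operator == "StringEquals" and cond_key.startswith(TAG_PREFIX):
                if object_tags.get(cond_key[len(TAG_PREFIX):]) != expected:
                    return False
            elif operator == "Null" and cond_key.startswith(TAG_PREFIX):
                # "true" means the tag must be absent for the clause to match
                absent = cond_key[len(TAG_PREFIX):] not in object_tags
                if absent != (expected == "true"):
                    return False
            elif operator == "ArnNotEquals" and cond_key == "aws:PrincipalArn":
                if principal_arn == expected:
                    return False
            else:
                raise ValueError(f"unsupported condition: {operator} {cond_key}")
    return True


def get_object_allowed(policy: dict, object_tags: dict, principal_arn: str) -> bool:
    """Simplified decision: a matching explicit Deny wins; otherwise we assume
    the caller's identity policy already allows s3:GetObject."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and "s3:GetObject" in actions:
            if _condition_matches(stmt.get("Condition", {}), object_tags, principal_arn):
                return False
    return True


if __name__ == "__main__":
    policy = build_bucket_policy("example-uploads-bucket")  # placeholder name
    print(json.dumps(policy, indent=2))
    app_role = "arn:aws:iam::111122223333:role/app"  # constructed caller
    for tags in ({SCAN_TAG_KEY: "NO_THREATS_FOUND"}, {SCAN_TAG_KEY: THREATS_FOUND}, {}):
        verdict = "allow" if get_object_allowed(policy, tags, app_role) else "deny"
        print(f"{tags or '<no tag>'} -> {verdict}")
```

The Null statement is what closes the gap for objects that were uploaded but not yet scanned; without the ArnNotEquals exception it would also block the GuardDuty scanner role from reading those objects, so the scan itself would fail.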

  • Amazon EventBridge notifications – GuardDuty sends events to Amazon EventBridge when the status of the Malware Protection plan resource changes or when a malware scan of an S3 object completes. These events are sent to the default event bus. You can write EventBridge rules that act on these events, for example to monitor when they occur. For more information, see Monitoring S3 object scans with Amazon EventBridge.
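    As an added example that is not part of the GuardDuty documentation, the block below shows an EventBridge rule pattern that selects only scan-result events reporting THREATS_FOUND, together with a small matcher that applies EventBridge's pattern semantics (each pattern key must exist in the event; a list means "value is one of") to constructed sample events. The detail-type string and the detail field names (scanStatus, s3ObjectDetails, scanResultDetails) are assumptions about the event schema; check them against a real event from your event bus before deploying the rule.

```python
import json

# Rule pattern: route only completed scans whose result is THREATS_FOUND.
# Field names are assumed; verify against a real event from your event bus.
THREATS_FOUND_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
    "detail": {
        "scanStatus": ["COMPLETED"],
        "scanResultDetails": {"scanResultStatus": ["THREATS_FOUND"]},
    },
}


def pattern_matches(pattern: dict, event: dict) -> bool:
    """EventBridge-style matching for the subset used above: nested dicts
    recurse, lists are sets of allowed exact values, and a key missing from
    the event never matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}")
    return True


def flagged_objects(events: list) -> list:
    """Return (bucket, key) pairs for events the rule would forward to a target."""
    hits = []
    for event in events:
        if pattern_matches(THREATS_FOUND_RULE, event):
            obj = event["detail"]["s3ObjectDetails"]
            hits.append((obj["bucketName"], obj["objectKey"]))
    return hits


def _scan_event(bucket: str, key: str, result: str, scan_status: str = "COMPLETED") -> dict:
    """Build a constructed scan-result event in the assumed schema."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Malware Protection Object Scan Result",
        "detail": {
            "scanStatus": scan_status,
            "s3ObjectDetails": {"bucketName": bucket, "objectKey": key},
            "scanResultDetails": {"scanResultStatus": result},
        },
    }


# Constructed sample events: one clean scan, one flagged scan, one scan that
# did not complete, and one plan status change (different detail-type).
SAMPLE_EVENTS = [
    _scan_event("example-uploads-bucket", "invoices/2024-01.pdf", "NO_THREATS_FOUND"),
    _scan_event("example-uploads-bucket", "uploads/setup.zip", "THREATS_FOUND"),
    _scan_event("example-uploads-bucket", "uploads/big.iso", "THREATS_FOUND", "FAILED"),
    {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Malware Protection Plan Status Change",  # assumed name
        "detail": {"status": "ACTIVE"},
    },
]

if __name__ == "__main__":
    print(json.dumps(THREATS_FOUND_RULE, indent=2))
    for bucket, key in flagged_objects(SAMPLE_EVENTS):
        print(f"threat reported for s3://{bucket}/{key}")
```

Keeping scanStatus in the pattern matters: a scan that ends in a non-COMPLETED state should be routed to a separate rule for operational follow-up rather than being treated as a confirmed detection.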

  • CloudWatch metrics – View CloudWatch metrics to set alarms on specific malware scan statuses. For more information, see S3 object scan status metrics in CloudWatch.