Amazon GuardDuty Malware Protection for Amazon S3 is a feature that automatically scans newly uploaded objects in S3 buckets for potential malware. This service provides a seamless, scalable solution to enhance security within AWS environments, particularly focusing on preventing the ingress of malicious files.
Key Features
Automated Malware Detection:
GuardDuty Malware Protection for S3 scans new objects or new versions of existing objects as they are uploaded to your S3 buckets. This automated process ensures that any potential malware is detected in real-time, mitigating risks before the files are accessed or processed downstream.Event-Driven Architecture:
The service uses an event-driven approach, which means that every time an object is uploaded to a bucket or a new version is added, a malware scan is automatically initiated. This timely detection mechanism is crucial for maintaining security without manual intervention.Scanning Scope:
GuardDuty Malware Protection for S3 focuses on newly uploaded objects. It does not retroactively scan existing objects in a bucket prior to the feature being enabled. If there is a need to scan existing objects, they must be re-uploaded to trigger the scan process.Operational Simplicity and Scalability:
By being fully managed by AWS, this feature alleviates the need for customers to maintain their own scanning infrastructure. This reduces operational complexity and ensures that scanning operations do not impact the performance and scalability of S3 operations.Integration with AWS Services:
Results from the malware scans can be integrated with Amazon EventBridge and Amazon CloudWatch. This enables automated workflows such as tagging, quarantine, or notification setups based on scan results. However, currently, the Malware Protection for S3 finding type does not integrate with AWS Security Hub and Amazon Detective.
Getting Started and Usage
To enable GuardDuty Malware Protection for S3:
- Configure the feature through the GuardDuty console.
- Select the specific S3 buckets to protect and set up necessary permissions through AWS Identity and Access Management (IAM).
- Choose whether to scan all objects in a bucket or only those with a specific prefix.
- Configure post-scan actions like tagging objects based on their scan status.
Organizational-Level Controls
Currently, there are no direct organizational-level controls to enable malware protection for all buckets simultaneously. Each bucket must be enabled individually. Furthermore, delegated GuardDuty administrators cannot enable this feature on buckets belonging to member accounts.
Security Findings and Notifications
Detailed security findings are generated for each scanned object, categorizing them based on the presence of threats. These findings are visible in the GuardDuty console and can trigger automated responses through EventBridge, ensuring timely handling of detected threats.
Pricing
The pricing for GuardDuty Malware Protection for S3 is based on the volume of data scanned and the number of objects evaluated. AWS offers a limited free tier that includes 1,000 requests and 1 GB of scanned data per month for the first year or until June 11, 2025, for existing accounts.