Enable Malware Protection for S3 for your bucket - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable Malware Protection for S3 for your bucket

This section provides detailed steps on how to enable Malware Protection for S3 for a selected bucket in your own accounts.

Enter S3 bucket details

Use the following steps to provide the Amazon S3 bucket details:

  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. By using the Amazon Web Services Region selector in the upper-right corner of the page, select the Region where you want to enable Malware Protection for S3.

  3. In the navigation pane, choose Malware Protection for S3.

  4. In the Protected buckets section, choose Enable to enable Malware Protection for S3 for an S3 bucket that belongs to your own Amazon Web Services account.

  5. Under Enter S3 bucket details, enter the Amazon S3 bucket name. Alternatively, choose Browse S3 to select an S3 bucket.

    The Amazon S3 bucket must be in the same Amazon Web Services Region as the one you selected in step 2 to enable Malware Protection for S3. For example, if you are enabling Malware Protection for S3 in the us-east-1 Region, the Amazon S3 bucket must also be in us-east-1.

  6. Under Prefix, you can select either All the objects in the S3 bucket or Objects beginning with a specific prefix.

    • Select All the objects in the S3 bucket when you want GuardDuty to scan every newly uploaded object in the selected bucket.

    • Select Objects beginning with a specific prefix when you want GuardDuty to scan only the newly uploaded objects that belong to specific prefixes. This option narrows the scope of the malware scan to the selected object prefixes. For more information about using prefixes, see Organizing objects in Amazon S3 console by using folders in the Amazon S3 User Guide.

      Choose Add prefix and enter a prefix. You can add up to five prefixes.

(Optional) Tag scanned objects

This is an optional step. When you enable the tagging option before an object is uploaded to your bucket, GuardDuty adds a predefined tag to the object after the scan completes, with GuardDutyMalwareScanStatus as the key and the scan result as the value. To use Malware Protection for S3 optimally, we recommend enabling the option to tag S3 objects after the scan ends. Standard S3 Object Tagging costs apply. For more information, see Pricing for Malware Protection for S3.

Why should you enable tagging?

Considerations for GuardDuty to add a tag to your S3 object:

  • By default, you can associate up to 10 tags with an object. For more information, see Categorizing your storage using tags in the Amazon S3 User Guide.

    If all 10 tags are already in use, GuardDuty can't add the predefined tag to the scanned object. GuardDuty still publishes the scan result to your default EventBridge event bus. For more information, see Using Amazon EventBridge.

  • When the selected IAM role doesn't include the permission for GuardDuty to tag S3 objects, GuardDuty can't add the tag to the scanned object even though tagging is enabled for your protected bucket. For more information about the required IAM role permission for tagging, see Prerequisite - Create or update IAM PassRole policy.

    GuardDuty still publishes the scan result to your default EventBridge event bus. For more information, see Using Amazon EventBridge.

To select an option under Tag scanned objects

  • When you want GuardDuty to add tags to your scanned S3 objects, select Tag objects.

  • When you don't want GuardDuty to add tags to your scanned S3 objects, select Do not tag objects.

Permissions

Use the following steps to choose an IAM role that has the necessary permissions to perform malware scan actions on your behalf. These actions may include scanning the newly uploaded S3 objects and (optionally) adding tags to those objects.

To choose an IAM role name
  1. If you have already performed the steps under Prerequisite - Create or update IAM PassRole policy, then do the following:

    1. Under the Permissions section, for the IAM role name, choose an IAM role name that includes the necessary permissions.

  2. If you haven't already performed the steps under Prerequisite - Create or update IAM PassRole policy, then do the following:

    1. Choose View permissions.

    2. Under Permission details, choose the Policy tab. This shows a template of the required IAM permissions.

      Copy this template and then choose Close at the end of the Permission details window.

    3. Choose Attach policy that opens the IAM console in a new tab. You can choose to create a new IAM role or update an existing IAM role with the permissions from the copied template.

      This template includes placeholder values that you must replace with the appropriate values associated with your bucket and Amazon Web Services account.

    4. Go back to the browser tab with the GuardDuty console. Choose View permissions again.

    5. Under Permission details, choose the Trust relationship tab. This shows a template of the trust relationship policy for your IAM role.

      Copy this template and then choose Close at the end of the Permission details window.

    6. Go to the browser tab that has the IAM console open. To your preferred IAM role, add this trust relationship policy.

  3. To add tags to the Malware Protection plan resource that will be created for this protected bucket, continue with the next section; otherwise, choose Enable at the bottom of the page to add the S3 bucket as a protected resource.

(Optional) Tag Malware Protection plan ID

This is an optional step that lets you add tags to the Malware Protection plan resource that will be created for your S3 bucket.

Each tag has two parts: A tag key and an optional tag value. For more information about tagging and its benefits, see Tagging Amazon resources.

To add tags to your Malware Protection plan resource
  1. Enter Key and an optional Value for the tag. Both tag key and tag value are case sensitive. For information about names of tag key and tag value, see Tag naming limits and requirements.

  2. To add more tags to your Malware Protection plan resource, choose Add new tag and repeat the previous step. You can add up to 50 tags to each resource.

  3. Choose Enable.
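The console steps above correspond to a single API call, CreateMalwareProtectionPlan. The following Python is an added example, not code from this page or from AWS: it checks that the bucket's Region matches the Region you are enabling in, builds the request with the limits stated above enforced (five prefixes, 50 plan tags, object tagging on or off), creates the plan, and polls GetMalwareProtectionPlan until it reports ACTIVE. The fake clients, bucket name, role ARN and plan ID are constructed so the block runs offline; with boto3 installed you would pass boto3.client("guardduty", region_name=...) and boto3.client("s3") instead.

```python
"""Enable Malware Protection for S3 on one bucket through the GuardDuty API.

Added example, not code from the AWS documentation page. Clients are passed
in so the request-building logic can be exercised offline; the Fake* classes
below stand in for boto3 clients. Bucket, role and plan identifiers are
made-up placeholders (arn:aws-cn partition to match the China-Region console).
"""
import time

MAX_PREFIXES = 5      # console: "You can add up to five prefixes"
MAX_PLAN_TAGS = 50    # console: "You can add up to 50 tags to each resource"


def bucket_region(s3_client, bucket):
    """Return the bucket's Region. GetBucketLocation reports None for us-east-1."""
    location = s3_client.get_bucket_location(Bucket=bucket)["LocationConstraint"]
    return location or "us-east-1"


def build_plan_request(bucket, role_arn, prefixes=(), tag_objects=True, plan_tags=None):
    """Build CreateMalwareProtectionPlan parameters, enforcing the page's limits locally."""
    prefixes = list(prefixes)
    if len(prefixes) > MAX_PREFIXES:
        raise ValueError(f"at most {MAX_PREFIXES} prefixes allowed, got {len(prefixes)}")
    plan_tags = dict(plan_tags or {})
    if len(plan_tags) > MAX_PLAN_TAGS:
        raise ValueError(f"at most {MAX_PLAN_TAGS} plan tags allowed, got {len(plan_tags)}")
    s3_bucket = {"BucketName": bucket}
    if prefixes:                       # omit ObjectPrefixes to protect the whole bucket
        s3_bucket["ObjectPrefixes"] = prefixes
    request = {
        "Role": role_arn,              # the role GuardDuty assumes (PassRole prerequisite)
        "ProtectedResource": {"S3Bucket": s3_bucket},
        "Actions": {"Tagging": {"Status": "ENABLED" if tag_objects else "DISABLED"}},
    }
    if plan_tags:
        request["Tags"] = plan_tags    # tags on the plan resource, not on scanned objects
    return request


def enable_protection(guardduty, s3_client, region, **plan_kwargs):
    """Create the plan for a bucket that lives in `region`; return the new plan ID."""
    found = bucket_region(s3_client, plan_kwargs["bucket"])
    if found != region:
        raise ValueError(f"bucket is in {found}, but protection is being enabled in {region}")
    response = guardduty.create_malware_protection_plan(**build_plan_request(**plan_kwargs))
    return response["MalwareProtectionPlanId"]


def wait_for_plan(guardduty, plan_id, attempts=12, delay_seconds=5):
    """Poll GetMalwareProtectionPlan until ACTIVE; raise on ERROR, return last status otherwise.

    A plan stuck in WARNING or ERROR usually points at the IAM role or the
    bucket; StatusReasons carries the details.
    """
    status = None
    for _ in range(attempts):
        plan = guardduty.get_malware_protection_plan(MalwareProtectionPlanId=plan_id)
        status = plan["Status"]
        if status == "ACTIVE":
            return status
        if status == "ERROR":
            raise RuntimeError(f"plan {plan_id} failed: {plan.get('StatusReasons', [])}")
        time.sleep(delay_seconds)
    return status


class FakeGuardDuty:
    """Offline stand-in for the boto3 GuardDuty client (constructed for this example)."""
    def __init__(self, statuses=("ACTIVE",)):
        self.requests, self._statuses = [], list(statuses)

    def create_malware_protection_plan(self, **request):
        self.requests.append(request)
        return {"MalwareProtectionPlanId": "plan-0123456789abcdef"}

    def get_malware_protection_plan(self, MalwareProtectionPlanId):
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"MalwareProtectionPlanId": MalwareProtectionPlanId, "Status": status, "StatusReasons": []}


class FakeS3:
    """Offline stand-in for the boto3 S3 client; maps bucket name to LocationConstraint."""
    def __init__(self, regions):
        self._regions = regions

    def get_bucket_location(self, Bucket):
        return {"LocationConstraint": self._regions[Bucket]}


if __name__ == "__main__":
    gd = FakeGuardDuty(statuses=("WARNING", "ACTIVE"))
    s3 = FakeS3({"example-uploads": "cn-north-1"})
    plan_id = enable_protection(
        gd, s3, "cn-north-1",
        bucket="example-uploads",
        role_arn="arn:aws-cn:iam::111122223333:role/GuardDutyMalwareProtectionS3Role",
        prefixes=["incoming/", "vendor-drops/"], tag_objects=True,
        plan_tags={"Owner": "security", "DataClass": "untrusted-uploads"},
    )
    print(plan_id, wait_for_plan(gd, plan_id, delay_seconds=0))
```

The Region check matters because GetBucketLocation returns None for us-east-1 buckets, so a naive string comparison against the console Region would reject a valid bucket there; the helper normalises that case before comparing.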

Steps after enabling Malware Protection for S3

After you enable Malware Protection for S3 for a bucket (or specific object prefixes), perform the following steps in the listed order:

  1. Add tag-based access control (TBAC) resource policy – When you enable tagging, add the TBAC policy to your S3 bucket before any object is uploaded to the selected bucket. For more information, see Adding TBAC on S3 bucket resource.

  2. Monitor Malware Protection plan status – Monitor the Protection status column for each protected bucket. For information about potential statuses and what they mean, see Malware Protection plan resource status.

  3. Upload an object:

    1. Open the Amazon S3 console at https://console.amazonaws.cn/s3/.

    2. Upload a file to the S3 bucket or the object prefix for which you enabled this feature. For steps to upload a file, see Upload an object to your bucket in the Amazon S3 User Guide.

  4. Monitor S3 object scan status – This step includes information about how to check the malware scan status of the S3 object.

    If you have enabled both GuardDuty and Malware Protection for S3:

    • When GuardDuty is enabled, it may generate the Malware Protection for S3 finding type to indicate the presence of malware in the scanned S3 object.

    • You can check the S3 object scan result by using one or more of the options under Monitoring S3 object scan status: Amazon EventBridge, CloudWatch metrics for the Malware Protection plan, and tagging scanned objects.

    If you have enabled Malware Protection for S3 only:

    • You can check the S3 object scan result by using one or more of the options under Monitoring S3 object scan status: Amazon EventBridge, CloudWatch metrics for the Malware Protection plan, and tagging scanned objects.
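Two of the post-enable steps above (the TBAC bucket policy in step 1 and consuming scan results from EventBridge in step 4) are worth seeing together, because the tag and the event are two views of the same result. The following Python is an added example, not code from this page or from AWS: tbac_bucket_policy() renders a bucket policy that denies GetObject on any object whose GuardDutyMalwareScanStatus tag is not NO_THREATS_FOUND and lets only the GuardDuty scanning role write object tags; classify_scan_event() turns a "GuardDuty Malware Protection Object Scan Result" event into a responder action. The event layout and status values follow my reading of the GuardDuty EventBridge documentation, and the bucket, account, role names and sample events are constructed (arn:aws-cn partition, matching the China-Region console on this page).

```python
"""TBAC bucket policy and scan-result event handling after enabling protection.

Added example, not code from the AWS documentation page. The policy shape and
the EventBridge event shape are my rendering of the GuardDuty docs; all names,
ARNs and the sample events are constructed for this example.
"""
import json

TAG_KEY = "GuardDutyMalwareScanStatus"
CLEAN = "NO_THREATS_FOUND"
SCAN_RESULT_EVENT = "GuardDuty Malware Protection Object Scan Result"


def tbac_bucket_policy(bucket, scanner_role_arn, partition="aws-cn"):
    """Bucket policy that makes the GuardDuty scan tag the gate for reading objects.

    NotPrincipal is matched against the caller's exact ARN: if the scanner role
    is used through a named session, add that assumed-role session ARN as well.
    """
    objects = f"arn:{partition}:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Readers only see objects GuardDuty has tagged as clean. An object with
                # no tag (scan pending, 10-tag limit reached, role lacking
                # s3:PutObjectTagging) is therefore unreadable too; the event is then
                # the only signal that a scan happened.
                "Sid": "NoReadExceptForClean",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": [scanner_role_arn]},
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": objects,
                "Condition": {"StringNotEquals": {f"s3:ExistingObjectTag/{TAG_KEY}": CLEAN}},
            },
            {   # Only the scanner may set the tag; otherwise an uploader could mark
                # their own object clean.
                "Sid": "OnlyGuardDutyCanTag",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": [scanner_role_arn]},
                "Action": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
                "Resource": objects,
            },
        ],
    }


def classify_scan_event(event):
    """Turn one scan-result event into a responder decision (returned as a dict)."""
    if event.get("detail-type") != SCAN_RESULT_EVENT:
        raise ValueError("not a Malware Protection for S3 scan-result event")
    detail = event["detail"]
    obj = detail["s3ObjectDetails"]
    out = {"bucket": obj["bucketName"], "key": obj["objectKey"], "version_id": obj.get("versionId")}
    if detail.get("scanStatus") != "COMPLETED":
        # Scan never produced a verdict: no tag is written, so the object stays locked.
        return {**out, "result": detail.get("scanStatus"), "action": "alert", "threats": []}
    details = detail.get("scanResultDetails") or {}
    result = details.get("scanResultStatus")
    threats = [t["name"] for t in details.get("threats") or []]
    if result == CLEAN:
        action = "release"        # the tag already opens the object under TBAC
    elif result == "THREATS_FOUND":
        action = "quarantine"     # copy to a forensics bucket, then delete the version
    else:
        action = "alert"          # UNSUPPORTED / ACCESS_DENIED / FAILED: human review
    return {**out, "result": result, "action": action, "threats": threats}


def sample_event(result, threats=(), scan_status="COMPLETED"):
    """Constructed EventBridge event in the documented shape (not a real capture)."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": SCAN_RESULT_EVENT,
        "account": "111122223333",
        "region": "cn-north-1",
        "detail": {
            "schemaVersion": "1.0",
            "scanStatus": scan_status,
            "resourceType": "S3_OBJECT",
            "s3ObjectDetails": {
                "bucketName": "example-uploads", "objectKey": "incoming/report.pdf",
                "eTag": "d41d8cd98f00b204e9800998ecf8427e", "versionId": "3Hx1", "s3Throttled": False,
            },
            "scanResultDetails": {"scanResultStatus": result, "threats": [{"name": n} for n in threats]},
        },
    }


if __name__ == "__main__":
    role = "arn:aws-cn:iam::111122223333:role/GuardDutyMalwareProtectionS3Role"
    print(json.dumps(tbac_bucket_policy("example-uploads", role), indent=2))
    for ev in (sample_event(CLEAN),
               sample_event("THREATS_FOUND", ["EICAR-Test-File (not a virus)"]),
               sample_event(None, scan_status="SKIPPED")):
        print(classify_scan_event(ev))
```

Wire classify_scan_event() to an EventBridge rule matching source aws.guardduty and the detail-type above. Because the TBAC policy fails closed on a missing tag, the handler treats anything other than a completed scan as an alert rather than a release, which is the behaviour you want when the tag could not be written for the reasons listed under Why should you enable tagging.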