Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Configuring GuardDuty-initiated malware scan
For accounts associated with Amazon Organizations, you can automate this process through console settings, as described in the next section.
To enable or disable GuardDuty-initiated malware scan
Choose your preferred access method to configure GuardDuty-initiated malware scan for a standalone account.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  - In the navigation pane, under Protection plans, choose Malware Protection.
  - The Malware Protection pane lists the current status of GuardDuty-initiated malware scan for your account. You can enable or disable it at any time by choosing Enable or Disable respectively.
  - Choose Save.
- API/CLI
  - Run the updateDetector API operation using your own regional detector ID and passing the dataSources object with EbsVolumes set to true or false.
  - You can also enable or disable GuardDuty-initiated malware scan using the Amazon command line tools by running the following Amazon CLI command. Make sure to use your own valid detector ID. The following example enables GuardDuty-initiated malware scan; to disable it, replace ENABLED with DISABLED.
    To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
In a multi-account environment, only GuardDuty administrator accounts can configure GuardDuty-initiated malware scan. GuardDuty administrator accounts can enable or disable the use of GuardDuty-initiated malware scan for their member accounts. Once the administrator account configures GuardDuty-initiated malware scan for a member account, the member account follows the administrator account's settings and cannot modify them through the console. GuardDuty administrator accounts that manage their member accounts with Amazon Organizations support can choose to have GuardDuty-initiated malware scan enabled automatically on all existing and new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.
Establishing trusted access to enable GuardDuty-initiated malware scan
If the GuardDuty delegated administrator account is not the same as the management account in your organization, the management account must enable GuardDuty-initiated malware scan for the organization. This way, the delegated administrator account can create the Service-linked role permissions for Malware Protection in member accounts that are managed through Amazon Organizations.
Choose your preferred access method to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in the organization.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/. To log in, use the management account for your Amazon Organizations organization.
  - If you have not designated a delegated GuardDuty administrator account, then: On the Settings page, under Delegated GuardDuty administrator account, enter the 12-digit account ID that you want to designate to administer the GuardDuty policy in your organization. Choose Delegate.
  - If you've already designated a delegated GuardDuty administrator account that is different from the management account, then: On the Settings page, under Delegated Administrator, turn on the Permissions setting. This action allows the delegated GuardDuty administrator account to attach the relevant permissions to the member accounts and enable GuardDuty-initiated malware scan in those member accounts.
  - If you've already designated a delegated GuardDuty administrator account that is the same as the management account, then you can directly enable GuardDuty-initiated malware scan for the member accounts. For more information, see Auto-enable GuardDuty-initiated malware scan for all member accounts.
    If the delegated GuardDuty administrator account is different from your management account, you must grant permissions to the delegated GuardDuty administrator account so that it can enable GuardDuty-initiated malware scan for member accounts.
  - If you want to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in other Regions, change your Amazon Web Services Region and repeat the steps above.
- API/CLI
  - Using your management account credentials, run the following command:
    aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com
  - (Optional) To enable GuardDuty-initiated malware scan for a management account that is not a delegated administrator account, the management account must first create the Service-linked role permissions for Malware Protection explicitly in its own account, and then enable GuardDuty-initiated malware scan from the delegated administrator account, similar to any other member account.
    aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com
  - You have now designated the delegated GuardDuty administrator account in the currently selected Amazon Web Services Region. If you have designated an account as the delegated GuardDuty administrator account in one Region, that account must be your delegated GuardDuty administrator account in all other Regions. Repeat the step above for all other Regions.
Choose your preferred access method to enable or disable GuardDuty-initiated malware scan for a delegated GuardDuty administrator account.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Make sure to use the management account credentials.
  - In the navigation pane, choose Malware Protection.
  - On the Malware Protection page, choose Edit next to GuardDuty-initiated malware scan. Do one of the following:
    - Using Enable for all accounts
    - Using Configure accounts manually: To enable the protection plan only for the delegated GuardDuty administrator account, choose Configure accounts manually, then choose Enable under the Delegated GuardDuty administrator account (this account) section.
  - Choose Save.
- API/CLI
  - Run the updateDetector API operation using your own regional detector ID and passing the features object with name set to EBS_MALWARE_PROTECTION and status set to ENABLED or DISABLED.
  - You can enable or disable GuardDuty-initiated malware scan by running the following Amazon CLI command. Make sure to use the delegated GuardDuty administrator account's valid detector ID. The following example enables GuardDuty-initiated malware scan; to disable it, replace ENABLED with DISABLED.
    To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
Choose your preferred access method to enable the GuardDuty-initiated malware scan feature for all member accounts. This includes existing member accounts and the new accounts that join the organization.
- Console
  - Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  - Do one of the following:
    Using the Malware Protection page
    - In the navigation pane, choose Malware Protection.
    - On the Malware Protection page, choose Edit in the GuardDuty-initiated malware scan section.
    - Choose Enable for all accounts. This action automatically enables GuardDuty-initiated malware scan for both existing and new accounts in the organization.
    - Choose Save. It may take up to 24 hours to update the configuration for the member accounts.
    Using the Accounts page
    - In the navigation pane, choose Accounts.
    - On the Accounts page, choose Auto-enable preferences before Add accounts by invitation.
    - In the Manage auto-enable preferences window, choose Enable for all accounts under GuardDuty-initiated malware scan.
    - Choose Save.
  If you can't use the Enable for all accounts option, see Selectively enable or disable GuardDuty-initiated malware scan for member accounts.
- API/CLI
  - To selectively enable or disable GuardDuty-initiated malware scan for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.
  - The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable it for a member account, replace ENABLED with DISABLED.
    To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
    You can also pass a list of account IDs separated by a space.
  - When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
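As an added example (not part of the GuardDuty documentation), the following Python function wraps the UpdateMemberDetectors call described above: it splits a long list of member account IDs into batches, sets the EBS_MALWARE_PROTECTION feature for each batch, and collects every UnprocessedAccounts entry so that a member whose detector could not be updated is never silently skipped. The client parameter is any object exposing boto3's update_member_detectors() method; FakeGuardDutyClient, the account IDs and the failure message are constructed so the example runs offline.

```python
"""Enable or disable GuardDuty-initiated malware scan for member accounts in
batches and report the accounts GuardDuty could not update."""
from typing import Dict, Iterable, List

FEATURE = "EBS_MALWARE_PROTECTION"
BATCH = 50  # UpdateMemberDetectors accepts at most 50 account IDs per request


def chunks(items: List[str], size: int) -> Iterable[List[str]]:
    """Yield consecutive slices of at most `size` items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def set_member_malware_scan(client, detector_id: str, account_ids: List[str],
                            enabled: bool = True) -> Dict[str, str]:
    """Call UpdateMemberDetectors once per batch and merge the failures.
    Returns {account_id: reason}; an empty dict means every account was
    processed, matching the empty UnprocessedAccounts list the CLI prints."""
    status = "ENABLED" if enabled else "DISABLED"
    failed: Dict[str, str] = {}
    for batch in chunks(account_ids, BATCH):
        resp = client.update_member_detectors(
            DetectorId=detector_id,
            AccountIds=batch,
            Features=[{"Name": FEATURE, "Status": status}],
        )
        for item in resp.get("UnprocessedAccounts", []):
            failed[item["AccountId"]] = item["Result"]
    return failed


class FakeGuardDutyClient:
    """Constructed stand-in for boto3.client('guardduty') so the example runs
    offline. Accounts listed in `reject` are echoed back as unprocessed, the way
    GuardDuty reports a member it could not configure; the Result text is
    constructed, not a real service message."""

    def __init__(self, reject=()):
        self.reject = set(reject)
        self.calls = []  # every request, so batching can be inspected

    def update_member_detectors(self, **kwargs):
        self.calls.append(kwargs)
        return {"UnprocessedAccounts": [
            {"AccountId": a, "Result": "member has not enabled GuardDuty"}
            for a in kwargs["AccountIds"] if a in self.reject]}


if __name__ == "__main__":
    ids = [f"{i:012d}" for i in range(1, 121)]  # 120 constructed account IDs
    fake = FakeGuardDutyClient(reject={"000000000007"})
    failed = set_member_malware_scan(fake, "12abc34d567e8fa901bc2d34e56789f0", ids)
    print(f"{len(fake.calls)} API calls; unprocessed: {failed}")
```

With a real session, pass boto3.client("guardduty") as the client and the delegated GuardDuty administrator account's detector ID; the returned dict is what to alert on.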
Choose your preferred access method to enable GuardDuty-initiated malware scan for all the existing active member accounts in the organization.
To configure GuardDuty-initiated malware scan for all existing active member accounts
- Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Sign in using the delegated GuardDuty administrator account credentials.
- In the navigation pane, choose Malware Protection.
- On the Malware Protection page, you can view the current status of the GuardDuty-initiated malware scan configuration. Under the Active member accounts section, choose Actions.
- From the Actions dropdown menu, choose Enable for all existing active member accounts.
- Choose Save.
Newly added member accounts must enable GuardDuty before configuring GuardDuty-initiated malware scan. Member accounts managed by invitation can configure GuardDuty-initiated malware scan manually for their accounts. For more information, see Step 3 - Accept an invitation.
Choose your preferred access method to enable GuardDuty-initiated malware scan for new accounts that join your organization.
- Console
  - The delegated GuardDuty administrator account can enable GuardDuty-initiated malware scan for new member accounts in an organization, using either the Malware Protection or the Accounts page.
    To auto-enable GuardDuty-initiated malware scan for new member accounts
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  - Do one of the following:
- API/CLI
  - To enable or disable GuardDuty-initiated malware scan for new member accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.
  - The following example shows how you can enable GuardDuty-initiated malware scan for new member accounts that join the organization. To disable it for specific accounts, see Selectively enable or disable GuardDuty-initiated malware scan for member accounts. If you don't want to enable it for all the new accounts joining the organization, set AutoEnable to NONE.
    To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.
    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name": "EBS_MALWARE_PROTECTION", "AutoEnable": "NEW"}]'
Choose your preferred access method to configure GuardDuty-initiated malware scan for member accounts selectively.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  - In the navigation pane, choose Accounts.
  - On the Accounts page, review the GuardDuty-initiated malware scan column for the status of your member account.
  - Select the account for which you want to configure GuardDuty-initiated malware scan. You can select multiple accounts at a time.
  - From the Edit protection plans menu, choose the appropriate option for GuardDuty-initiated malware scan.
- API/CLI
  - To selectively enable or disable GuardDuty-initiated malware scan for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.
  - The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable it, replace ENABLED with DISABLED.
    To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
    You can also pass a list of account IDs separated by a space.
  - When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Alternatively, the same operation can be expressed with the dataSources object: run the updateMemberDetectors API operation using your own detector ID and pass EbsVolumes set to true or false. The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable it, replace true with false.
To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
You can also pass a list of account IDs separated by a space.
When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
The GuardDuty Malware Protection service-linked role (SLR) must be created in member accounts. The administrator account can't enable the GuardDuty-initiated malware scan feature in member accounts that are not managed by Amazon Organizations.
Presently, you can perform the following steps through the GuardDuty console at https://console.amazonaws.cn/guardduty/ to enable GuardDuty-initiated malware scan for the existing member accounts.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Sign in using your administrator account credentials.
  - In the navigation pane, choose Accounts.
  - Select the member account for which you want to enable GuardDuty-initiated malware scan. You can select multiple accounts at a time.
  - Choose Actions.
  - Choose Disassociate member.
  - In your member account, choose Malware Protection under Protection plans in the navigation pane.
  - Choose Enable GuardDuty-initiated malware scan. GuardDuty will create an SLR for the member account. For more information on the SLR, see Service-linked role permissions for Malware Protection.
  - In your administrator account, choose Accounts in the navigation pane.
  - Choose the member account that needs to be added back to the organization.
  - Choose Actions and then choose Add member.
- API/CLI
  - Use the administrator account to run the DisassociateMembers API on the member accounts that want to enable GuardDuty-initiated malware scan.
  - Use your member account to invoke UpdateDetector to enable GuardDuty-initiated malware scan.
    To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
  - Use the administrator account to run the CreateMembers API to add the member back to the organization.