Configuring GuardDuty-initiated malware scan - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring GuardDuty-initiated malware scan

Configuring GuardDuty-initiated malware scan for a standalone account

For accounts associated with Amazon Organizations, you can automate this process through console settings, as described in the next section.

To enable or disable GuardDuty-initiated malware scan

Choose your preferred access method to configure GuardDuty-initiated malware scan for a standalone account.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Protection plans, choose Malware Protection.

  3. The Malware Protection pane lists the current status of GuardDuty-initiated malware scan for your account. You may enable or disable it at any time by selecting Enable or Disable respectively.

  4. Choose Save.

API/CLI
  • Run the updateDetector API operation using your own regional detector ID and passing the features object with Name set to EBS_MALWARE_PROTECTION and Status set to ENABLED or DISABLED.

    You can also enable or disable GuardDuty-initiated malware scan using Amazon command line tools by running the following Amazon CLI command. Make sure to use your own valid detector ID.

    Note

    The following example code enables GuardDuty-initiated malware scan. To disable it, replace ENABLED with DISABLED.

    To find the detectorId for your account and current Region, see Settings page in the https://console.amazonaws.cn/guardduty/ console.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'

Configuring GuardDuty-initiated malware scan in multiple-account environments

In a multi-account environment, only GuardDuty administrator accounts can configure GuardDuty-initiated malware scan. GuardDuty administrator accounts can enable or disable the use of GuardDuty-initiated malware scan for their member accounts. Once the administrator account configures GuardDuty-initiated malware scan for a member account, the member account will follow the administrator account's settings and be unable to modify these settings through the console. GuardDuty administrator accounts that manage their member accounts with Amazon Organizations support can choose to have GuardDuty-initiated malware scan enabled automatically on all the existing and new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.

Establishing trusted access to enable GuardDuty-initiated malware scan

If the GuardDuty delegated administrator account is not the same as the management account in your organization, the management account must enable GuardDuty-initiated malware scan for their organization. This way, the delegated administrator account can create the Service-linked role permissions for Malware Protection in member accounts that are managed through Amazon Organizations.

Note

Before you designate a delegated GuardDuty administrator account, see Considerations and recommendations.

Choose your preferred access method to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in the organization.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    To log in, use the management account for your Amazon Organizations organization.

    Then do one of the following:

    • If you have not designated a delegated GuardDuty administrator account: on the Settings page, under Delegated GuardDuty administrator account, enter the 12-digit account ID that you want to designate to administer the GuardDuty policy in your organization. Choose Delegate.

    • If you've already designated a delegated GuardDuty administrator account that is different from the management account: on the Settings page, under Delegated Administrator, turn on the Permissions setting. This action will allow the delegated GuardDuty administrator account to attach relevant permissions to the member accounts and enable GuardDuty-initiated malware scan in these member accounts.

    • If you've already designated a delegated GuardDuty administrator account that is the same as the management account: you can directly enable GuardDuty-initiated malware scan for the member accounts. For more information, see Auto-enable GuardDuty-initiated malware scan for all member accounts.

    Tip

    If the delegated GuardDuty administrator account is different from your management account, you must provide permissions to the delegated GuardDuty administrator account to allow enabling GuardDuty-initiated malware scan for member accounts.

  2. If you want to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in other Regions, change your Amazon Web Services Region, and repeat the steps above.

API/CLI
  1. Using your management account credentials, run the following command:

    aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com
  2. (Optional) To enable GuardDuty-initiated malware scan for a management account that is not the delegated administrator account, the management account must first create the Service-linked role permissions for Malware Protection explicitly in its own account, and then enable GuardDuty-initiated malware scan from the delegated administrator account, like any other member account.

    aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com
  3. You have designated the delegated GuardDuty administrator account in the currently selected Amazon Web Services Region. If you have designated an account as a delegated GuardDuty administrator account in one Region, that account must be your delegated GuardDuty administrator account in all other Regions. Repeat the step above for all other Regions.

Choose your preferred access method to enable or disable GuardDuty-initiated malware scan for a delegated GuardDuty administrator account.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Make sure to use the management account credentials.

  2. In the navigation pane, choose Malware Protection.

  3. On the Malware Protection page, choose Edit next to GuardDuty-initiated malware scan.

  4. Do one of the following:

    Using Enable for all accounts
    • Choose Enable for all accounts. This will enable the protection plan for all the active GuardDuty accounts in your Amazon organization, including the new accounts that join the organization.

    • Choose Save.

    Using Configure accounts manually
    • To enable the protection plan only for the delegated GuardDuty administrator account, choose Configure accounts manually.

    • Choose Enable under the delegated GuardDuty administrator account (this account) section.

    • Choose Save.

API/CLI

Run the updateDetector API operation using your own regional detector ID and passing the features object with Name set to EBS_MALWARE_PROTECTION and Status set to ENABLED or DISABLED.

You can enable or disable GuardDuty-initiated malware scan by running the following Amazon CLI command. Make sure to use the delegated GuardDuty administrator account's valid detector ID.

Note

The following example code enables GuardDuty-initiated malware scan. To disable it, replace ENABLED with DISABLED.

To find the detectorId for your account and current Region, see Settings page in the https://console.amazonaws.cn/guardduty/ console.

aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'

Choose your preferred access method to enable the GuardDuty-initiated malware scan feature for all member accounts. This includes existing member accounts and the new accounts that join the organization.

Console
  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Make sure to use the delegated GuardDuty administrator account credentials.

  2. Do one of the following:

    Using the Malware Protection page
    1. In the navigation pane, choose Malware Protection.

    2. On the Malware Protection page, choose Edit in the GuardDuty-initiated malware scan section.

    3. Choose Enable for all accounts. This action automatically enables GuardDuty-initiated malware scan for both existing and new accounts in the organization.

    4. Choose Save.

      Note

      It may take up to 24 hours to update the configuration for the member accounts.

    Using the Accounts page
    1. In the navigation pane, choose Accounts.

    2. On the Accounts page, choose Auto-enable preferences before Add accounts by invitation.

    3. In the Manage auto-enable preferences window, choose Enable for all accounts under GuardDuty-initiated malware scan.

    4. Choose Save.

    If you can't use the Enable for all accounts option, see Selectively enable or disable GuardDuty-initiated malware scan for member accounts.

API/CLI
  • To selectively enable or disable GuardDuty-initiated malware scan for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

  • The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable a member account, replace ENABLED with DISABLED.

    To find the detectorId for your account and current Region, see Settings page in the https://console.amazonaws.cn/guardduty/ console.

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to enable GuardDuty-initiated malware scan for all the existing active member accounts in the organization.

To configure GuardDuty-initiated malware scan for all existing active member accounts
  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Sign in using the delegated GuardDuty administrator account credentials.

  2. In the navigation pane, choose Malware Protection.

  3. On the Malware Protection page, you can view the current status of the GuardDuty-initiated malware scan configuration. Under the Active member accounts section, choose Actions.

  4. From the Actions dropdown menu, choose Enable for all existing active member accounts.

  5. Choose Save.

The newly added member accounts must enable GuardDuty before configuring GuardDuty-initiated malware scan. The member accounts managed by invitation can configure GuardDuty-initiated malware scan manually for their accounts. For more information, see Step 3 - Accept an invitation.

Choose your preferred access method to enable GuardDuty-initiated malware scan for new accounts that join your organization.

Console

The delegated GuardDuty administrator account can enable GuardDuty-initiated malware scan for new member accounts in an organization, using either the Malware Protection or Accounts page.

To auto-enable GuardDuty-initiated malware scan for new member accounts
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Make sure to use the delegated GuardDuty administrator account credentials.

  2. Do one of the following:

    • Using the Malware Protection page:

      1. In the navigation pane, choose Malware Protection.

      2. On the Malware Protection page, choose Edit in the GuardDuty-initiated malware scan section.

      3. Choose Configure accounts manually.

      4. Select Automatically enable for new member accounts. This step ensures that whenever a new account joins your organization, GuardDuty-initiated malware scan will be automatically enabled for their account. Only the organization delegated GuardDuty administrator account can modify this configuration.

      5. Choose Save.

    • Using the Accounts page:

      1. In the navigation pane, choose Accounts.

      2. On the Accounts page, choose Auto-enable preferences.

      3. In the Manage auto-enable preferences window, select Enable for new accounts under GuardDuty-initiated malware scan.

      4. Choose Save.

API/CLI
  • To enable or disable GuardDuty-initiated malware scan for new member accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

  • The following example enables GuardDuty-initiated malware scan automatically for new accounts that join the organization. To disable it for existing member accounts, see Selectively enable or disable GuardDuty-initiated malware scan for member accounts. If you don't want to enable it for all the new accounts joining the organization, set AutoEnable to NONE.

    To find the detectorId for your account and current Region, see Settings page in the https://console.amazonaws.cn/guardduty/ console.

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members NEW --features '[{"Name": "EBS_MALWARE_PROTECTION", "AutoEnable": "NEW"}]'

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to configure GuardDuty-initiated malware scan for member accounts selectively.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose Accounts.

  3. On the Accounts page, review the GuardDuty-initiated malware scan column for the status of your member account.

  4. Select the account for which you want to configure GuardDuty-initiated malware scan. You can select multiple accounts at a time.

  5. From the Edit protection plans menu, choose the appropriate option for GuardDuty-initiated malware scan.

API/CLI

To selectively enable or disable GuardDuty-initiated malware scan for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable it, replace ENABLED with DISABLED.

To find the detectorId for your account and current Region, see Settings page in the https://console.amazonaws.cn/guardduty/ console.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'

Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

To selectively enable or disable GuardDuty-initiated malware scan for your member accounts, run the updateMemberDetectors API operation using your own detector ID. The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable it, replace true with false.

To find the detectorId for your account and current Region, see Settings page in the https://console.amazonaws.cn/guardduty/ console.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'

Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
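The following script is an added example, not from the GuardDuty documentation. It wraps the updateMemberDetectors call shown above (and in the earlier API/CLI section for member accounts): it sets the EBS_MALWARE_PROTECTION feature for a list of member accounts in batches, keeps whatever GuardDuty returns under UnprocessedAccounts instead of assuming success, and then reads the status back per member with GetMemberDetectors. It assumes boto3 and delegated-administrator credentials for the live run, and a 50-account-per-call limit; the client is passed in so the functions can be exercised without calling the service.

```python
import sys
from typing import Any, Dict, Iterable, List

FEATURE = "EBS_MALWARE_PROTECTION"
BATCH = 50  # assumption: member APIs take at most 50 account IDs per call


def _batches(ids: List[str], size: int = BATCH) -> Iterable[List[str]]:
    """Split the account list so no single API call exceeds the limit."""
    for i in range(0, len(ids), size):
        yield ids[i:i + size]


def set_member_malware_scan(client: Any, detector_id: str,
                            account_ids: List[str], enabled: bool = True) -> Dict[str, str]:
    """Call UpdateMemberDetectors in batches and return {account_id: reason}
    for every account GuardDuty lists under UnprocessedAccounts (empty = success)."""
    status = "ENABLED" if enabled else "DISABLED"
    failed: Dict[str, str] = {}
    for batch in _batches(account_ids):
        resp = client.update_member_detectors(
            DetectorId=detector_id,
            AccountIds=batch,
            Features=[{"Name": FEATURE, "Status": status}],
        )
        for item in resp.get("UnprocessedAccounts", []):
            failed[item["AccountId"]] = item.get("Result", "unknown")
    return failed


def verify_member_malware_scan(client: Any, detector_id: str,
                               account_ids: List[str]) -> Dict[str, str]:
    """Read the feature status back per member; accounts GuardDuty could not
    process are reported with an UNPROCESSED: prefix instead of a status."""
    seen: Dict[str, str] = {}
    for batch in _batches(account_ids):
        resp = client.get_member_detectors(DetectorId=detector_id, AccountIds=batch)
        for member in resp.get("MemberDataSourceConfigurations", []):
            feats = {f["Name"]: f["Status"] for f in member.get("Features", [])}
            seen[member["AccountId"]] = feats.get(FEATURE, "NOT_REPORTED")
        for item in resp.get("UnprocessedAccounts", []):
            seen[item["AccountId"]] = "UNPROCESSED: " + item.get("Result", "")
    return seen


def main() -> None:
    """Usage: python enable_ebs_scan.py <detector-id> <account-id> [<account-id> ...]"""
    import boto3  # imported here so the functions above run without boto3 installed
    if len(sys.argv) < 3:
        sys.exit(main.__doc__)
    detector_id, *accounts = sys.argv[1:]
    gd = boto3.client("guardduty")  # assumes delegated administrator credentials
    for acct, why in set_member_malware_scan(gd, detector_id, accounts).items():
        print(f"unprocessed {acct}: {why}")
    for acct, state in verify_member_malware_scan(gd, detector_id, accounts).items():
        print(f"{acct}: {FEATURE} {state}")


if __name__ == "__main__":
    main()
```

Any account that comes back in the returned dictionary from set_member_malware_scan was not updated, so treat a non-empty result as a failed rollout even though the CLI exit code is zero.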

The GuardDuty Malware Protection service-linked role (SLR) must be created in member accounts. The administrator account can't enable the GuardDuty-initiated malware scan feature in member accounts that are not managed by Amazon Organizations.

Presently, you can perform the following steps through the GuardDuty console at https://console.amazonaws.cn/guardduty/ to enable GuardDuty-initiated malware scan for the existing member accounts.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Sign in using your administrator account credentials.

  2. In the navigation pane, choose Accounts.

  3. Select the member account for which you want to enable GuardDuty-initiated malware scan. You can select multiple accounts at a time.

  4. Choose Actions.

  5. Choose Disassociate member.

  6. In your member account, choose Malware Protection under Protection plans on the navigation pane.

  7. Choose Enable GuardDuty-initiated malware scan. GuardDuty will create an SLR for the member account. For more information on SLR, see Service-linked role permissions for Malware Protection.

  8. In your administrator account, choose Accounts on the navigation pane.

  9. Choose the member account that needs to be added back to the organization.

  10. Choose Actions and then, choose Add member.

API/CLI
  1. Use the administrator account to run the DisassociateMembers API on the member accounts that want to enable GuardDuty-initiated malware scan.

  2. Use your member account to invoke UpdateDetector to enable GuardDuty-initiated malware scan.

    To find the detectorId for your account and current Region, see Settings page in the https://console.amazonaws.cn/guardduty/ console.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
  3. Use the administrator account to run the CreateMembers API to add the member back to the organization.