Supported Amazon EBS volumes for malware scan - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Supported Amazon EBS volumes for malware scan

In all of the Amazon Web Services Regions where GuardDuty supports the Malware Protection for EC2 feature, you can scan Amazon EBS volumes that are either unencrypted or encrypted. Encrypted Amazon EBS volumes can use either an Amazon managed key or a customer managed key. Presently, some Amazon Web Services Regions support scanning volumes encrypted with either kind of key, while others support only volumes encrypted with a customer managed key.

For information about the Regions where this capability is not yet supported, see China Regions.

The following list describes the key that GuardDuty uses to encrypt the replica Amazon EBS volume it scans, depending on whether and how your Amazon EBS volume is encrypted:

  • Amazon EBS volumes that are either unencrypted or encrypted with an Amazon managed key – GuardDuty uses its own key to encrypt the replica Amazon EBS volume.

    If your account is in an Amazon Web Services Region that doesn't support scanning Amazon EBS volumes encrypted with the default Amazon managed key for EBS, see Modifying default Amazon KMS key ID of an Amazon EBS volume.

  • Amazon EBS volumes that are encrypted with a customer managed key – GuardDuty uses that same customer managed key to encrypt the replica Amazon EBS volume.

Malware Protection for EC2 doesn't support scanning Amazon EC2 instances whose productCode type is marketplace. If a malware scan is initiated for such an Amazon EC2 instance, the scan is skipped. For more information, see UNSUPPORTED_PRODUCT_CODE_TYPE in Reasons for skipping resource during malware scan.
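The rules above decide, per volume, which key GuardDuty uses for the replica and whether a scan can run at all in a Region that accepts only customer managed keys; the marketplace rule adds a per-instance skip. The following audit script is an added example and is not GuardDuty or Amazon Web Services code. It works offline on constructed dictionaries that mimic the trimmed output shapes of `aws ec2 describe-volumes`, `aws kms describe-key` (whose `KeyManager` field is `AWS` for an Amazon managed key and `CUSTOMER` for a customer managed key) and `aws ec2 describe-instances`; all volume IDs, instance IDs, key ARNs and the `region_supports_aws_managed` flag are placeholders or assumptions, and the "unencrypted volumes are scannable everywhere" behaviour follows the text of this page.

```python
"""Audit EBS volumes and EC2 instances against the GuardDuty Malware Protection
for EC2 key rules described on this page.

Added example, not Amazon Web Services code. All IDs and ARNs are placeholders;
the input dictionaries are constructed to mimic trimmed CLI output.
"""
import json

# Constructed: what `aws kms describe-key` reports for two placeholder keys.
AWS_MANAGED_KEY = "arn:aws-cn:kms:cn-north-1:444455556666:key/11111111-1111-1111-1111-111111111111"
CUSTOMER_KEY = "arn:aws-cn:kms:cn-north-1:444455556666:key/22222222-2222-2222-2222-222222222222"
DESCRIBE_KEY = {
    AWS_MANAGED_KEY: {"KeyMetadata": {"Arn": AWS_MANAGED_KEY, "KeyManager": "AWS"}},
    CUSTOMER_KEY: {"KeyMetadata": {"Arn": CUSTOMER_KEY, "KeyManager": "CUSTOMER"}},
}

# Constructed: trimmed `aws ec2 describe-volumes` output.
DESCRIBE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": False},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": True, "KmsKeyId": AWS_MANAGED_KEY},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": True, "KmsKeyId": CUSTOMER_KEY},
]}

# Constructed: trimmed `aws ec2 describe-instances` output with Reservations flattened.
INSTANCES = [
    {"InstanceId": "i-0123456789abcdef0", "ProductCodes": []},
    {"InstanceId": "i-0123456789abcdef1",
     "ProductCodes": [{"ProductCodeId": "abcdefghijklmnopqrstuvwxy",
                       "ProductCodeType": "marketplace"}]},
]


def volume_key_type(volume, describe_key):
    """Return 'unencrypted', 'aws-managed' or 'customer-managed' for one volume."""
    if not volume.get("Encrypted"):
        return "unencrypted"
    manager = describe_key[volume["KmsKeyId"]]["KeyMetadata"]["KeyManager"]
    return "aws-managed" if manager == "AWS" else "customer-managed"


def scan_plan(volume, describe_key, region_supports_aws_managed):
    """Describe how GuardDuty handles the replica of this volume.

    region_supports_aws_managed=False models a Region that scans only volumes
    encrypted with a customer managed key (assumption: flag supplied by caller).
    """
    kind = volume_key_type(volume, describe_key)
    plan = {"VolumeId": volume["VolumeId"], "key": kind, "scannable": True, "action": None}
    if kind == "customer-managed":
        plan["replica_key"] = volume["KmsKeyId"]   # replica reuses the same CMK
    else:
        plan["replica_key"] = "guardduty-owned"    # unencrypted or AWS managed: GuardDuty's key
    if kind == "aws-managed" and not region_supports_aws_managed:
        plan["scannable"] = False
        # Changing the EBS default key only affects NEW volumes, so an existing
        # volume must itself be re-encrypted with a customer managed key.
        plan["action"] = ("re-encrypt with a customer managed key; call "
                          "ModifyEbsDefaultKmsKeyId so new volumes default to a CMK")
    return plan


def instance_skip_reason(instance):
    """Return the skip reason GuardDuty reports for a marketplace instance, else None."""
    for code in instance.get("ProductCodes", []):
        if code.get("ProductCodeType") == "marketplace":
            return "UNSUPPORTED_PRODUCT_CODE_TYPE"
    return None


def audit(describe_volumes, describe_key, instances, region_supports_aws_managed):
    """Combine the per-volume plans and the per-instance skip reasons."""
    skipped = {}
    for inst in instances:
        reason = instance_skip_reason(inst)
        if reason:
            skipped[inst["InstanceId"]] = reason
    return {
        "volumes": [scan_plan(v, describe_key, region_supports_aws_managed)
                    for v in describe_volumes["Volumes"]],
        "skipped_instances": skipped,
    }


if __name__ == "__main__":
    print(json.dumps(audit(DESCRIBE_VOLUMES, DESCRIBE_KEY, INSTANCES, False), indent=2))
```

Run it against real data by replacing the constructed dictionaries with the parsed JSON of the three CLI commands; the `KeyManager` lookup is what tells an Amazon managed key apart from a customer managed key, since `describe-volumes` alone only returns the key ARN.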

Modifying default Amazon KMS key ID of an Amazon EBS volume

By default, invoking the CreateVolume API with encryption set to true and without specifying a KMS key ID creates an Amazon EBS volume that is encrypted with the default Amazon KMS key for EBS encryption. You can change which key is used in that case by invoking the ModifyEbsDefaultKmsKeyId API or by using the corresponding Amazon CLI command.

To modify the EBS default key ID, add the necessary permission to your IAM policy – ec2:ModifyEbsDefaultKmsKeyId (IAM action names are matched case-insensitively). Any newly created Amazon EBS volume that you choose to encrypt without specifying a KMS key ID will use the new default key ID; existing volumes keep the key they were created with. Use one of the following methods to update the EBS default key ID:

To modify the default KMS key ID of an Amazon EBS volume

Do one of the following:

  • Using an API – Call the ModifyEbsDefaultKmsKeyId API. For information about how to view the encryption status of your volume, see Create Amazon EBS volume.

  • Using Amazon CLI command – The following example modifies the default KMS key ID that will encrypt Amazon EBS volumes when you don't provide a KMS key ID. Make sure to replace the Region with the Amazon Web Services Region of your KMS key, and the placeholder key ID with the ID of your customer managed key; the key must be in the same Region as the volumes it will encrypt.

    aws ec2 modify-ebs-default-kms-key-id --region cn-north-1 --kms-key-id 1234abcd-12ab-34cd-56ef-1234567890ab

    The above command will generate an output similar to the following:

    { "KmsKeyId": "arn:aws-cn:kms:cn-north-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab" }
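Before running the command above, a practitioner usually wants to confirm that the calling principal's policy actually grants ec2:ModifyEbsDefaultKmsKeyId. The checker below is an added example, not Amazon Web Services code: it evaluates a policy document the way the action part of IAM matching works (case-insensitive names, `*` wildcards, explicit Deny beating Allow) and returns None for statements it does not model (NotAction or Condition) so they get manual review. The policy documents are constructed; real IAM evaluation also involves resources, conditions, SCPs and permissions boundaries, which this check deliberately leaves out.

```python
"""Check whether an IAM policy document grants ec2:ModifyEbsDefaultKmsKeyId.

Added example, not Amazon Web Services code. Models only the Action/Effect part
of IAM evaluation; NotAction and Condition statements return None ("review by hand").
"""
import fnmatch

REQUIRED_ACTION = "ec2:ModifyEbsDefaultKmsKeyId"

# Constructed: the minimal policy the page's procedure needs.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:ModifyEbsDefaultKmsKeyId", "Resource": "*"}
    ],
}

# Constructed: a broad Allow cancelled by an explicit (lower-cased) Deny.
DENIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:modifyebsdefaultkmskeyid", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Statement and Action."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(policy, action=REQUIRED_ACTION):
    """True if allowed and not explicitly denied; False otherwise; None if unmodelled."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt or "Condition" in stmt:
            return None  # outside what this checker models; inspect manually
        patterns = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, action) for p in patterns):
            continue
        effect = stmt.get("Effect")
        if effect == "Allow":
            allowed = True
        elif effect == "Deny":
            denied = True
    return allowed and not denied


if __name__ == "__main__":
    for name, policy in [("MINIMAL_POLICY", MINIMAL_POLICY), ("DENIED_POLICY", DENIED_POLICY)]:
        print(name, "->", grants_action(policy))
```

Feed it the `Document` field of `aws iam get-policy-version` output to check a managed policy; a `False` result means the modify-ebs-default-kms-key-id call will fail with an access denied error before any key change happens.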