Understanding CloudWatch Logs and reasons for skipping resources during Malware Protection scan
GuardDuty Malware Protection publishes events to your Amazon CloudWatch log group /aws/guardduty/malware-scan-events. From these events you can monitor the status and scan result of each impacted resource. Certain Amazon EC2 instances and Amazon EBS volumes may have been skipped during the Malware Protection scan; the skip reasons are listed below.
Auditing CloudWatch Logs in GuardDuty Malware Protection
There are three types of scan events supported in the /aws/guardduty/malware-scan-events CloudWatch log group.
| Malware Protection scan event name | Explanation |
|---|---|
| | Created when GuardDuty Malware Protection initiates the malware scan process, for example when it prepares to take a snapshot of an EBS volume. |
| | Created when the GuardDuty Malware Protection scan completes for at least one of the EBS volumes of the impacted resource. This event also includes the |
| | Created when the GuardDuty Malware Protection scan skips all the EBS volumes of the impacted resource. To identify the skip reason, select the corresponding event and view its details. For more information on skip reasons, see Reasons for skipping resource during malware scan below. |
Note
If you're using Amazon Organizations, CloudWatch log events from member accounts are published to both the administrator account's log group and the member account's log group.
GuardDuty Malware Protection log retention
The default log retention period for the /aws/guardduty/malware-scan-events log group is 90 days, after which the log events are deleted automatically. To change the log retention policy for your CloudWatch log group, see Change log data retention in CloudWatch Logs or PutRetentionPolicy.
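A practical consequence of the 90-day default is that the scan event for a resource you investigate later may already have been deleted. The following is an added example, not AWS or GuardDuty code, that raises the log group's retention to a minimum without ever shortening a longer policy; a group with no retention policy (the API omits retentionInDays) is treated as "keep forever" and left alone. It assumes any client that exposes DescribeLogGroups and PutRetentionPolicy with boto3's method names and response keys; FakeLogsClient and the sibling "-archive" group are constructed stand-ins so the example runs offline.

```python
"""Raise the retention of /aws/guardduty/malware-scan-events to a minimum
number of days without shortening a longer policy already in place.

Added example, not AWS or GuardDuty code. It uses the CloudWatch Logs
DescribeLogGroups and PutRetentionPolicy operations through any client
that exposes them with boto3's method names (a real boto3 'logs' client,
or the constructed FakeLogsClient below so the example runs offline).
"""

LOG_GROUP = "/aws/guardduty/malware-scan-events"

# Values PutRetentionPolicy accepts for retentionInDays.
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                        545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}


def current_retention_days(logs, log_group=LOG_GROUP):
    """Return the group's retention in days, or None if events never expire.
    Raises LookupError if the group does not exist yet (no scan has run)."""
    resp = logs.describe_log_groups(logGroupNamePrefix=log_group)
    for group in resp.get("logGroups", []):
        # The prefix filter can also return sibling groups; match exactly.
        if group["logGroupName"] == log_group:
            return group.get("retentionInDays")  # key absent => never expire
    raise LookupError(f"log group {log_group} not found")


def ensure_min_retention(logs, min_days, log_group=LOG_GROUP):
    """Set retention to min_days only if the current policy would delete
    events sooner. Returns the retention in effect afterwards (None = never)."""
    if min_days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{min_days} is not a retention value the API accepts")
    current = current_retention_days(logs, log_group)
    if current is None or current >= min_days:
        return current  # never expires, or already kept at least as long
    logs.put_retention_policy(logGroupName=log_group, retentionInDays=min_days)
    return min_days


class FakeLogsClient:
    """Constructed in-memory stand-in for the boto3 CloudWatch Logs client."""

    def __init__(self, groups):
        self.groups = dict(groups)  # name -> retention days, None = never
        self.calls = []             # PutRetentionPolicy calls made

    def describe_log_groups(self, logGroupNamePrefix):
        found = []
        for name, days in self.groups.items():
            if name.startswith(logGroupNamePrefix):
                entry = {"logGroupName": name}
                if days is not None:
                    entry["retentionInDays"] = days
                found.append(entry)
        return {"logGroups": found}

    def put_retention_policy(self, logGroupName, retentionInDays):
        self.groups[logGroupName] = retentionInDays
        self.calls.append((logGroupName, retentionInDays))


def demo():
    """Default 90-day group plus a constructed sibling group that shares
    the prefix; returns (before, after, API calls made)."""
    logs = FakeLogsClient({LOG_GROUP: 90, LOG_GROUP + "-archive": None})
    before = current_retention_days(logs)
    after = ensure_min_retention(logs, 365)
    ensure_min_retention(logs, 180)  # no-op: 365 already exceeds 180
    return before, after, logs.calls


if __name__ == "__main__":
    print(demo())  # (90, 365, [('/aws/guardduty/malware-scan-events', 365)])
```

Against a real account, call `ensure_min_retention(boto3.client("logs"), 365)` with credentials that allow logs:DescribeLogGroups and logs:PutRetentionPolicy on the group; the exact-name comparison matters because DescribeLogGroups filters by prefix, so any other group whose name starts with the same string is returned too.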
Reasons for skipping resource during malware scan
In the events related to the malware scan, certain EC2 instances and EBS volumes may have been skipped during the scanning process. The following table lists the reasons why GuardDuty Malware Protection may not scan a resource. Where proposed steps are given, use them to resolve the issue so that the resource is scanned the next time GuardDuty Malware Protection initiates a malware scan. The remaining reasons are informational only and are not actionable.
| Reasons for skipping | Explanation | Proposed steps |
|---|---|---|
| | The | Validate the |
| | The Amazon account from which you tried to initiate an on-demand malware scan has not enabled GuardDuty. | Verify that GuardDuty is enabled for this Amazon account. When you enable GuardDuty in a new Amazon Web Services Region, it may take up to 20 minutes to sync. |
| | GuardDuty Malware Protection supports volumes that are either unencrypted or encrypted with a customer managed key. It doesn't support scanning EBS volumes encrypted with the Amazon managed key for EBS. There is presently a regional difference: in some Regions this skip reason does not apply. For more information about these Amazon Web Services Regions, see Region-specific feature availability. | Replace your encryption key with a customer managed key. For more information on the types of encryption that GuardDuty supports, see Supported Amazon EBS volumes for malware scan. |
| | The EC2 instance or EBS volume was excluded from the malware scan. This happens when a tag was added to the inclusion list but the resource isn't associated with that tag, when a tag was added to the exclusion list and the resource is associated with that tag, or when the | Update your scan options or the tags associated with your Amazon EC2 resource. For more information, see Scan options with user-defined tags. |
| | The volume is larger than 1024 GB. | Not actionable. |
| | GuardDuty Malware Protection found the instance in your account, but no EBS volume was attached to it, so there was nothing to scan. | Not actionable. |
| | An internal service error occurred. | Not actionable. |
| | The snapshots created from the EBS volumes and shared with the service account were not found, so GuardDuty Malware Protection couldn't proceed with the scan. | Check CloudTrail (DeleteSnapshot events) to make sure that the snapshots were not removed intentionally. |
| | You have reached the maximum number of snapshots allowed in the Region. This prevents not only retaining existing snapshots but also creating new ones. | Either remove old snapshots or request a quota increase. You can view the default limit for snapshots per Region and how to request a quota increase under Service quotas in the Amazon General Reference Guide. |
| | More than 11 EBS volumes were attached to the EC2 instance. GuardDuty Malware Protection scanned the first 11 EBS volumes, obtained by sorting the | Not actionable. |
| | GuardDuty doesn't support scanning of instances with For information on | Not actionable. |
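The volume-size, key-type, volume-count and no-volume rows above can be checked from the EC2 and KMS APIs before a scan ever runs, which is useful when a fleet is being onboarded. The following is an added example, not GuardDuty's own scan logic, that flags the volumes of an instance matching those documented skip conditions. It assumes the EC2 DescribeVolumes and KMS DescribeKey response shapes (DescribeKey reports KeyManager as AWS for Amazon managed keys and CUSTOMER for customer managed keys). The reason labels, the choice of attachment device name as the sort key for the first-11 rule (the page does not name the key), the evaluation order of the checks, and the FakeEC2/FakeKMS stand-ins with their sample volumes are this example's own assumptions and constructed data, not GuardDuty identifiers. Tag-based exclusion and the Region-specific exception for Amazon managed keys are not modelled.

```python
"""Flag the EBS volumes of an instance that match the documented skip
conditions (volume larger than 1024 GB, key not customer managed, more
than 11 volumes, no volume attached) before GuardDuty runs a scan.

Added example, not GuardDuty code. Works against any objects that expose
EC2 describe_volumes and KMS describe_key with boto3's method names and
response shapes; FakeEC2/FakeKMS below are constructed stand-ins.
"""

MAX_VOLUME_GB = 1024           # larger volumes are skipped (table above)
MAX_VOLUMES_PER_INSTANCE = 11  # only the first 11 volumes are scanned

# Labels are this example's own, not GuardDuty skip-reason identifiers.
REASON_TOO_LARGE = "VOLUME_LARGER_THAN_1024_GB"
REASON_KEY = "KEY_NOT_CUSTOMER_MANAGED"
REASON_TOO_MANY = "BEYOND_FIRST_11_VOLUMES"
REASON_NO_VOLUME = "NO_VOLUME_ATTACHED"


def key_is_customer_managed(kms, kms_key_id):
    """KMS DescribeKey: KeyManager is 'CUSTOMER' for customer managed keys
    and 'AWS' for Amazon managed keys such as the default EBS key."""
    meta = kms.describe_key(KeyId=kms_key_id)["KeyMetadata"]
    return meta["KeyManager"] == "CUSTOMER"


def check_instance(ec2, kms, instance_id):
    """Return (scanned, skipped): volume ids expected to be scanned, and a
    dict of volume id (or instance id) -> reason for those expected to be
    skipped. Check order is this example's assumption."""
    resp = ec2.describe_volumes(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
    )
    volumes = resp["Volumes"]
    if not volumes:
        return [], {instance_id: REASON_NO_VOLUME}
    # Assumption: the "first 11" are taken in attachment device-name order.
    volumes = sorted(volumes, key=lambda v: v["Attachments"][0]["Device"])
    scanned, skipped = [], {}
    for position, vol in enumerate(volumes):
        vid = vol["VolumeId"]
        if position >= MAX_VOLUMES_PER_INSTANCE:
            skipped[vid] = REASON_TOO_MANY
        elif vol["Size"] > MAX_VOLUME_GB:
            skipped[vid] = REASON_TOO_LARGE
        elif vol.get("Encrypted") and not key_is_customer_managed(kms, vol["KmsKeyId"]):
            skipped[vid] = REASON_KEY
        else:
            scanned.append(vid)
    return scanned, skipped


class FakeEC2:
    """Constructed stand-in returning DescribeVolumes-shaped responses."""
    def __init__(self, volumes):
        self._volumes = volumes

    def describe_volumes(self, Filters):
        wanted = Filters[0]["Values"][0]
        return {"Volumes": [v for v in self._volumes
                            if any(a["InstanceId"] == wanted for a in v["Attachments"])]}


class FakeKMS:
    """Constructed stand-in: key id -> KeyManager ('AWS' or 'CUSTOMER')."""
    def __init__(self, managers):
        self._managers = managers

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": self._managers[KeyId]}}


AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aws-managed-ebs"  # constructed
CMK = "arn:aws:kms:us-east-1:111122223333:key/customer-managed"     # constructed


def _vol(vid, instance_id, device, size_gb, kms_key=None):
    """Build one DescribeVolumes-shaped volume entry (constructed data)."""
    v = {"VolumeId": vid, "Size": size_gb, "Encrypted": kms_key is not None,
         "Attachments": [{"InstanceId": instance_id, "Device": device}]}
    if kms_key:
        v["KmsKeyId"] = kms_key
    return v


def sample_clients():
    """Constructed sample data: one mixed instance, one with 12 volumes."""
    volumes = [
        _vol("vol-0a", "i-0mixed", "/dev/xvda", 8),             # scanned
        _vol("vol-0b", "i-0mixed", "/dev/xvdb", 2048),          # too large
        _vol("vol-0c", "i-0mixed", "/dev/xvdc", 100, AWS_KEY),  # Amazon managed key
        _vol("vol-0d", "i-0mixed", "/dev/xvdd", 100, CMK),      # scanned
    ]
    for letter in "abcdefghijkl":                               # 12 volumes
        volumes.append(_vol(f"vol-1{letter}", "i-0many", f"/dev/xvd{letter}", 8))
    return FakeEC2(volumes), FakeKMS({AWS_KEY: "AWS", CMK: "CUSTOMER"})


if __name__ == "__main__":
    ec2, kms = sample_clients()
    for inst in ("i-0mixed", "i-0many", "i-0none"):
        print(inst, check_instance(ec2, kms, inst))
```

Against a real account, pass `boto3.client("ec2")` and `boto3.client("kms")` in place of the stand-ins; the caller needs ec2:DescribeVolumes and kms:DescribeKey. Volumes flagged KEY_NOT_CUSTOMER_MANAGED are the ones the table above says to re-encrypt with a customer managed key (subject to the Region-specific exception), while the size and volume-count findings are informational, matching the "Not actionable" rows.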