
Understanding CloudWatch Logs and skip reasons in GuardDuty Malware Protection

GuardDuty Malware Protection publishes events to your Amazon CloudWatch log group /aws/guardduty/malware-scan-events. For each event related to a malware scan, you can monitor the status and scan result of your impacted resources. Certain Amazon EC2 resources and Amazon EBS volumes may have been skipped during the Malware Protection scan.

Auditing CloudWatch Logs in GuardDuty Malware Protection

There are three types of scan events supported in the /aws/guardduty/malware-scan-events CloudWatch log group.

Malware Protection scan event name and explanation:

EC2_SCAN_STARTED

Created when GuardDuty Malware Protection initiates the malware scan process, such as preparing to take a snapshot of an EBS volume.

EC2_SCAN_COMPLETED

Created when a GuardDuty Malware Protection scan completes for at least one of the EBS volumes of the impacted resource. After the scan completes, the scan result will be either Clean or Infected.

EC2_SCAN_SKIPPED

Created when a GuardDuty Malware Protection scan skips all the EBS volumes of the impacted resource. To identify the skip reason, select the corresponding event and view its details. For more information on skip reasons, see Reasons for skipping resource during malware scan below.

Note

If you're using Amazon Organizations, CloudWatch log events from member accounts in the organization are published to both the administrator account's and the member account's log group.

Console
  1. Log into the https://console.amazonaws.cn/cloudwatch/ console.

  2. In the navigation pane, under Logs, choose Log groups. Choose the /aws/guardduty/malware-scan-events log group to view the scan events for GuardDuty Malware Protection.

    To run a query, choose Logs Insights.

    For information on how to run a query, see Analyzing log data with CloudWatch Logs Insights in the Amazon CloudWatch User Guide.

  3. Choose Scan ID to monitor the details of the impacted resource and malware findings. For example, you can run the following query to filter the CloudWatch log events by using scanId. Make sure to use your own valid scan-id.

    fields @timestamp, @message, scanRequestDetails.scanId as scanId | filter scanId like "77a6f6115da4bd95f4e4ca398492bcc0" | sort @timestamp asc

API
  • To work with log groups, see Search log entries using the Amazon CLI in the Amazon CloudWatch User Guide.

    Choose the /aws/guardduty/malware-scan-events log group to view the scan events for GuardDuty Malware Protection.

  • To view and filter log events, see GetLogEvents and FilterLogEvents, respectively, in the Amazon CloudWatch API Reference.

GuardDuty Malware Protection log retention

The default log retention period for the /aws/guardduty/malware-scan-events log group is 90 days, after which the log events are deleted automatically. To change the log retention policy for your CloudWatch log group, see Change log data retention in CloudWatch Logs or PutRetentionPolicy.

Reasons for skipping resource during malware scan

In the events related to the malware scan, certain EC2 resources and EBS volumes may have been skipped during the scanning process. The following table lists the reasons why GuardDuty Malware Protection may not scan a resource. Where a proposed step is given, use it to resolve the issue so that the resource is scanned the next time GuardDuty Malware Protection initiates a malware scan. The remaining reasons only inform you about the course of events and are not actionable.

Reason for skipping, explanation, and proposed steps:

UNSUPPORTED_KEY_ENCRYPTION

GuardDuty Malware Protection supports volumes that are both unencrypted and encrypted with customer managed key. It doesn't support scanning EBS volumes that are encrypted using Amazon EBS encryption.

Replace your encryption key with a customer managed key. For more information on the types of encryption that GuardDuty supports, see Understanding how Malware Protection works in GuardDuty.

EXCLUDED_BY_SCAN_SETTINGS

The EC2 instance or EBS volume was excluded from the malware scan. This happens in one of the following cases: a tag was added to the inclusion list but the resource isn't associated with that tag; a tag was added to the exclusion list and the resource is associated with that tag; or the GuardDutyExcluded tag is set to true for this resource.

Update your scan options or the tags associated to your Amazon EC2 resource. For more information, see Scan options.

UNSUPPORTED_VOLUME_SIZE

The volume is greater than 1024 GB.

Not actionable.

NO_VOLUMES_ATTACHED

GuardDuty Malware Protection found the instance in your account but no EBS volume was attached to this instance to proceed with the scan.

Not actionable.

UNABLE_TO_SCAN

It is an internal service error.

Not actionable.

SNAPSHOT_NOT_FOUND

The snapshots created from the EBS volumes and shared with the service account were not found, so GuardDuty Malware Protection couldn't proceed with the scan.

Check CloudTrail to ensure that the snapshots were not removed intentionally.

SNAPSHOT_QUOTA_REACHED

You have reached the maximum number of snapshots allowed in the Region. This prevents not just retaining existing snapshots but also creating new ones.

You can either remove old snapshots or request a quota increase. You can view the default limit for Snapshots per Region and how to request a quota increase under Service quotas in the Amazon General Reference Guide.

MAX_NUMBER_OF_ATTACHED_VOLUMES_REACHED

More than 11 EBS volumes were attached to an EC2 instance. GuardDuty Malware Protection scanned the first 11 EBS volumes, obtained by sorting the deviceName alphabetically.

Not actionable.

UNSUPPORTED_PRODUCT_CODE_TYPE

GuardDuty doesn't support scanning of instances with productCode as marketplace. For more information, see Paid AMIs in the Amazon EC2 User Guide for Linux Instances.

For information on productCode, see ProductCode in the Amazon EC2 API Reference.

Not actionable.
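The procedure above (filtering the /aws/guardduty/malware-scan-events log group by event name and scanId) and the skip-reason table can be combined into a small triage routine. The following is an added example, not code from the GuardDuty documentation: it assumes each log event message is a JSON document with an eventName key, a scanRequestDetails.scanId key (the field the page's query uses), and a skipReason key (an assumed name), and it classifies skipped scans into the actionable and non-actionable reasons listed in the table. The sample messages are constructed.

```python
"""Triage GuardDuty Malware Protection scan events from CloudWatch Logs (added example)."""
import json
from collections import Counter

LOG_GROUP = "/aws/guardduty/malware-scan-events"

# Skip reasons from the page's table that have a proposed step.
ACTIONABLE = {
    "UNSUPPORTED_KEY_ENCRYPTION": "Re-encrypt the volume with a customer managed key.",
    "EXCLUDED_BY_SCAN_SETTINGS": "Review scan options, inclusion/exclusion tags and GuardDutyExcluded.",
    "SNAPSHOT_NOT_FOUND": "Check CloudTrail for unintended snapshot deletion.",
    "SNAPSHOT_QUOTA_REACHED": "Remove old snapshots or request a snapshot quota increase.",
}
# Skip reasons from the page's table that are informational only.
NON_ACTIONABLE = {"UNSUPPORTED_VOLUME_SIZE", "NO_VOLUMES_ATTACHED", "UNABLE_TO_SCAN",
                  "MAX_NUMBER_OF_ATTACHED_VOLUMES_REACHED", "UNSUPPORTED_PRODUCT_CODE_TYPE"}

def triage(messages):
    """Return (Counter of skip reasons, dict of scanId -> proposed step for actionable skips)."""
    counts, todo = Counter(), {}
    for raw in messages:
        ev = json.loads(raw)
        if ev.get("eventName") != "EC2_SCAN_SKIPPED":
            continue  # only skipped scans carry a skip reason
        reason = ev.get("skipReason", "UNKNOWN")  # assumed key name, not documented on the page
        counts[reason] += 1
        scan_id = ev.get("scanRequestDetails", {}).get("scanId")
        if reason in ACTIONABLE:
            todo[scan_id] = ACTIONABLE[reason]
        elif reason not in NON_ACTIONABLE:
            todo[scan_id] = f"Unrecognised skip reason {reason}; check the documentation."
    return counts, todo

def fetch_messages(client, pattern='"EC2_SCAN_SKIPPED"'):
    """Yield matching messages via FilterLogEvents; client is a boto3 'logs' client (needs AWS access)."""
    paginator = client.get_paginator("filter_log_events")
    for page in paginator.paginate(logGroupName=LOG_GROUP, filterPattern=pattern):
        for event in page.get("events", []):
            yield event["message"]

# Constructed sample messages; scan IDs and field layout are illustrative, not real GuardDuty output.
SAMPLE = [
    json.dumps({"eventName": "EC2_SCAN_COMPLETED", "scanRequestDetails": {"scanId": "scan-0001"}, "scanResult": "CLEAN"}),
    json.dumps({"eventName": "EC2_SCAN_SKIPPED", "scanRequestDetails": {"scanId": "scan-0002"}, "skipReason": "UNSUPPORTED_KEY_ENCRYPTION"}),
    json.dumps({"eventName": "EC2_SCAN_SKIPPED", "scanRequestDetails": {"scanId": "scan-0003"}, "skipReason": "UNSUPPORTED_VOLUME_SIZE"}),
    json.dumps({"eventName": "EC2_SCAN_SKIPPED", "scanRequestDetails": {"scanId": "scan-0004"}, "skipReason": "SNAPSHOT_QUOTA_REACHED"}),
]

if __name__ == "__main__":
    for scan_id, step in triage(SAMPLE)[1].items():
        print(scan_id, "->", step)
```

To run against a real account, replace SAMPLE with `list(fetch_messages(boto3.client("logs")))`; the 90-day default retention noted above bounds how far back FilterLogEvents can look.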