Understanding CloudWatch Logs and reasons for skipping resources during Malware Protection for EC2 scan - Amazon GuardDuty
Auditing CloudWatch Logs in GuardDuty Malware Protection for EC2GuardDuty Malware Protection for EC2 log retentionReasons for skipping resource
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Understanding CloudWatch Logs and reasons for skipping resources during Malware Protection for EC2 scan

GuardDuty Malware Protection for EC2 publishes events to your Amazon CloudWatch log group /aws/guardduty/malware-scan-events. For each of the events related to the malware scan, you can monitor the status and scan result of your impacted resources. Certain Amazon EC2 resources and Amazon EBS volumes may have been skipped during the Malware Protection for EC2 scan.

Auditing CloudWatch Logs in GuardDuty Malware Protection for EC2

There are three types of scan events supported in the /aws/guardduty/malware-scan-events CloudWatch log group.

Malware Protection for EC2 scan event name Explanation

EC2_SCAN_STARTED

Created when an GuardDuty Malware Protection for EC2 is initiating the process of malware scan, such as preparing to take a snapshot of an EBS volume.

EC2_SCAN_COMPLETED

Created when GuardDuty Malware Protection for EC2 scan completes for at least one of the EBS volumes of the impacted resource. This event also includes the snapshotId that belongs to the scanned EBS volume. After the scan completes, the scan result will either be CLEAN, THREATS_FOUND, or NOT_SCANNED.

EC2_SCAN_SKIPPED

Created when GuardDuty Malware Protection for EC2 scan skips all the EBS volumes of the impacted resource. To identify the skip reason, select the corresponding event, and view the details. For more information on skip reasons, see Reasons for skipping resource during malware scan below.

Note

If you're using an Amazon Organizations, CloudWatch log events from member accounts in Organizations get published to both administrator account and member account's log group.

Choose your preferred access method to view and query CloudWatch events.

Console

  1. Sign in to the Amazon Web Services Management Console and open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.

  2. In the navigation pane, under Logs, choose Log groups. Choose the /aws/guardduty/malware-scan-events log group to view the scan events for GuardDuty Malware Protection for EC2.

    To run a query, choose Log Insights.

    For information about running a query, see Analyzing log data with CloudWatch Logs Insights in the Amazon CloudWatch User Guide.

  3. Choose Scan ID to monitor the details of the impacted resource and malware findings. For example, you can run the following query to filter the CloudWatch log events by using scanId. Make sure to use your own valid scan-id.

    fields @timestamp, @message, scanRequestDetails.scanId as scanId
| filter scanId like "77a6f6115da4bd95f4e4ca398492bcc0"
| sort @timestamp asc
API/CLI

  • To work with log groups, see Search log entries using the Amazon CLI in the Amazon CloudWatch User Guide.

    Choose the /aws/guardduty/malware-scan-events log group to view the scan events for GuardDuty Malware Protection for EC2.

  • To view and filter log events, see GetLogEvents and FilterLogEvents, respectively, in the Amazon CloudWatch API Reference.

GuardDuty Malware Protection for EC2 log retention

The default log retention period for /aws/guardduty/malware-scan-events log group is 90 days, after which the log events are deleted automatically. To change the log retention policy for your CloudWatch log group, see Change log data retention in CloudWatch Logs in the Amazon CloudWatch User Guide, or PutRetentionPolicy in the Amazon CloudWatch API Reference.

Reasons for skipping resource during malware scan

In the events related to the malware scan, certain EC2 resources and EBS volumes may have been skipped during the scanning process. The following table lists the reasons why GuardDuty Malware Protection for EC2 may not scan the resources. If applicable, use the proposed steps to resolve these issues, and scan these resources the next time GuardDuty Malware Protection for EC2 initiates a malware scan. The other issues are used to inform you about the course of events and are non-actionable.

Reasons for skipping Explanation Proposed steps

RESOURCE_NOT_FOUND

The resourceArn provided to the initiate the on-demand malware scan was not found in your Amazon environment.

Validate the resourceArn of your Amazon EC2 instance or container workload, and try again.

ACCOUNT_INELIGIBLE

The Amazon account ID from which you tried initiating an On-demand malware scan has not enabled GuardDuty.

Verify that GuardDuty is enabled for this Amazon account.

When you enable GuardDuty in a new Amazon Web Services Region it may take up to 20 minutes to sync.

UNSUPPORTED_KEY_ENCRYPTION

GuardDuty Malware Protection for EC2 supports volumes that are both unencrypted and encrypted with customer managed key. It doesn't support scanning EBS volumes that are encrypted using Amazon EBS encryption.

Presently, there is a regional difference where this skip reason is not applicable. For more information about these Amazon Web Services Regions, see Region-specific feature availability.

Replace your encryption key with a customer managed key. For more information on the types of encryption that GuardDuty supports, see Supported Amazon EBS volumes for malware scan.

EXCLUDED_BY_SCAN_SETTINGS

The EC2 instance or EBS volume was excluded during the malware scan. There are two possibilities - either the tag was added to the inclusion list but the resource isn't associated with this tag, the tag was added to the exclusion list and the resource is associated with this tag, or the GuardDutyExcluded tag is set to true for this resource.

Update your scan options or the tags associated to your Amazon EC2 resource. For more information, see Scan options with user-defined tags.

UNSUPPORTED_VOLUME_SIZE

The volume is greater than 2048 GB.

Not actionable.

NO_VOLUMES_ATTACHED

GuardDuty Malware Protection for EC2 found the instance in your account but no EBS volume was attached to this instance to proceed with the scan.

Not actionable.

UNABLE_TO_SCAN

It is an internal service error.

Not actionable.

SNAPSHOT_NOT_FOUND

The snapshots created from the EBS volumes and shared with the service account was not found, and GuardDuty Malware Protection for EC2 couldn't proceed with the scan.

Check CloudTrail to ensure that the snapshots were not removed intentionally.

SNAPSHOT_QUOTA_REACHED

You have reached the maximum volume allowed for snapshots for each Region. This prevents not just retaining but also creating new snapshots.

You can either remove old snapshots or request for quota increase. You can view the default limit for Snapshots per Region and how to request quota increase under Service quotas in the Amazon General Reference Guide.

MAX_NUMBER_OF_ATTACHED_VOLUMES_REACHED

More than 11 EBS volumes were attached to an EC2 instance. GuardDuty Malware Protection for EC2 scanned the first 11 EBS volumes, obtained by sorting the deviceName alphabetically.

Not actionable.

UNSUPPORTED_PRODUCT_CODE_TYPE

GuardDuty can scan majority of instances with productCode as marketplace. Some marketplace instances may not be eligible for scanning. GuardDuty will skip such instances and log the reason as UNSUPPORTED_PRODUCT_CODE_TYPE. This support varies in Amazon GovCloud (US) and China Regions. For more information, see Region-specific feature availability.

For more information, see Paid AMIs in the Amazon EC2 User Guide. For information on productCode, see ProductCode in the Amazon EC2 API Reference.

Not actionable.