Understanding CloudWatch Logs and reasons for skipping resources during Malware Protection scan
GuardDuty Malware Protection publishes events to the Amazon CloudWatch log group /aws/guardduty/malware-scan-events in your account. For each malware scan event, you can monitor the status and scan result of the impacted resources. Certain Amazon EC2 resources and Amazon EBS volumes may be skipped during a Malware Protection scan; the skip reasons are listed later on this page.
Auditing CloudWatch Logs in GuardDuty Malware Protection
There are three types of scan events published to the /aws/guardduty/malware-scan-events CloudWatch log group.

| Malware Protection scan event name | Explanation |
|---|---|
|  | Created when GuardDuty Malware Protection is initiating the malware scan process, such as preparing to take a snapshot of an EBS volume. |
|  | Created when a GuardDuty Malware Protection scan completes for at least one of the EBS volumes of the impacted resource. After the scan completes, the scan result will either be |
|  | Created when a GuardDuty Malware Protection scan skips all the EBS volumes of the impacted resource. To identify the skip reason, select the corresponding event and view its details. For more information on skip reasons, see Reasons for skipping resource during malware scan below. |
If you're using Amazon Organizations, CloudWatch log events from member accounts in the organization are published to both the administrator account's and the member account's log group.
GuardDuty Malware Protection log retention
The default log retention period for the /aws/guardduty/malware-scan-events log group is 90 days, after which the log events are deleted automatically. To change the log retention policy for your CloudWatch log group, see Change log data retention in CloudWatch Logs or PutRetentionPolicy.
Reasons for skipping resource during malware scan
In the events related to a malware scan, certain EC2 resources and EBS volumes may have been skipped during the scanning process. The following table lists the reasons why GuardDuty Malware Protection may not scan a resource. Where proposed steps are given, use them to resolve the issue so that the resource is scanned the next time GuardDuty Malware Protection initiates a malware scan. The remaining reasons are informational only, describing the course of events, and are not actionable.
| Reasons for skipping | Explanation | Proposed steps |
|---|---|---|
|  | GuardDuty Malware Protection supports volumes that are either unencrypted or encrypted with a customer managed key. It doesn't support scanning EBS volumes that are encrypted using Amazon EBS encryption. | Replace your encryption key with a customer managed key. For more information on the types of encryption that GuardDuty supports, see Supported volumes in Malware Protection. |
|  | The EC2 instance or EBS volume was excluded from the malware scan. There are two possibilities: either the tag was added to the inclusion list but the resource isn't associated with this tag, the tag was added to the exclusion list and the resource is associated with this tag, or the | Update your scan options or the tags associated with your Amazon EC2 resource. For more information, see Scan options. |
|  | The volume is greater than 1024 GB. | Not actionable. |
|  | GuardDuty Malware Protection found the instance in your account, but no EBS volume was attached to the instance, so the scan could not proceed. | Not actionable. |
|  | It is an internal service error. | Not actionable. |
|  | The snapshots created from the EBS volumes and shared with the service account were not found, so GuardDuty Malware Protection couldn't proceed with the scan. | Check CloudTrail to ensure that the snapshots were not removed intentionally. |
|  | You have reached the maximum number of snapshots allowed per Region. This prevents not only retaining existing snapshots but also creating new ones. | You can either remove old snapshots or request a quota increase. You can view the default limit for Snapshots per Region and how to request a quota increase under Service quotas in the Amazon General Reference Guide. |
|  | More than 11 EBS volumes were attached to the EC2 instance. GuardDuty Malware Protection scanned the first 11 EBS volumes, obtained by sorting the | Not actionable. |
|  | GuardDuty doesn't support scanning of instances with For information on | Not actionable. |
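The following script is an added example and is not part of the AWS documentation or of any AWS tool. It ties together the three passages above: it changes the retention of the /aws/guardduty/malware-scan-events log group through the real CloudWatch Logs PutRetentionPolicy API, pages through the group with the real FilterLogEvents API, and produces a triage summary that groups skipped resources by skip reason so the actionable ones can be worked through against the table. The page does not show the JSON schema of a scan event, so the field names (`eventType`, `resourceId`, `skipReason`), the event-type values (`SCAN_STARTED`, `SCAN_COMPLETE`, `SCAN_SKIPPED`) and the skip-reason strings (`EXAMPLE_REASON_A`, `EXAMPLE_REASON_B`) are all assumed placeholders; the sample events are constructed, and `FakeLogsClient` stands in for a boto3 `logs` client so the script runs offline. With a real client, pass `boto3.client("logs")` in its place.

```python
"""Audit GuardDuty Malware Protection scan events in CloudWatch Logs (added example)."""
import json
from collections import Counter, defaultdict

LOG_GROUP = "/aws/guardduty/malware-scan-events"  # log group named on the page
DEFAULT_RETENTION_DAYS = 90                         # default stated on the page

# Retention values accepted by PutRetentionPolicy (CloudWatch Logs API reference).
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                        731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}

# ASSUMED field names and values: the page does not show the event schema.
# Compare against a real event in your log group and adjust before use.
FIELD_EVENT_TYPE = "eventType"
FIELD_RESOURCE_ID = "resourceId"
FIELD_SKIP_REASON = "skipReason"
SKIPPED_EVENT_TYPE = "SCAN_SKIPPED"


def is_valid_retention(days):
    """True if CloudWatch Logs accepts this retention period."""
    return days in VALID_RETENTION_DAYS


def set_retention(logs_client, days, log_group=LOG_GROUP):
    """Apply a retention policy; reject values the API would refuse before calling it."""
    if not is_valid_retention(days):
        raise ValueError(f"{days} is not a retention value CloudWatch Logs accepts")
    logs_client.put_retention_policy(logGroupName=log_group, retentionInDays=days)
    return days


def fetch_events(logs_client, log_group=LOG_GROUP, start_time=None):
    """Page through FilterLogEvents and yield each event message parsed as JSON."""
    kwargs = {"logGroupName": log_group}
    if start_time is not None:
        kwargs["startTime"] = start_time  # epoch milliseconds, as the API expects
    while True:
        page = logs_client.filter_log_events(**kwargs)
        for raw in page.get("events", []):
            try:
                yield json.loads(raw["message"])
            except (KeyError, ValueError):
                continue  # a malformed line should not abort the whole audit
        token = page.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def summarize(events):
    """Count events per type and list skipped resource IDs per skip reason."""
    by_type = Counter()
    skipped = defaultdict(list)
    for ev in events:
        etype = ev.get(FIELD_EVENT_TYPE, "UNKNOWN")
        by_type[etype] += 1
        if etype == SKIPPED_EVENT_TYPE:
            reason = ev.get(FIELD_SKIP_REASON, "UNKNOWN")
            skipped[reason].append(ev.get(FIELD_RESOURCE_ID, "?"))
    return {"by_type": dict(by_type), "skipped": dict(skipped)}


class FakeLogsClient:
    """Offline stand-in for boto3's CloudWatch Logs client (constructed, not AWS code)."""

    def __init__(self, pages):
        self.pages = pages
        self.retention = None

    def put_retention_policy(self, logGroupName, retentionInDays):
        self.retention = (logGroupName, retentionInDays)
        return {}

    def filter_log_events(self, **kwargs):
        idx = int(kwargs.get("nextToken", 0))
        page = {"events": self.pages[idx]}
        if idx + 1 < len(self.pages):
            page["nextToken"] = str(idx + 1)  # mimic API pagination
        return page


def _event(etype, resource_id, reason=None):
    """Build one constructed log event using the assumed field names."""
    body = {FIELD_EVENT_TYPE: etype, FIELD_RESOURCE_ID: resource_id}
    if reason is not None:
        body[FIELD_SKIP_REASON] = reason
    return {"message": json.dumps(body)}


# Constructed sample pages: one started/completed pair, three skips, one junk line.
SAMPLE_PAGES = [
    [_event("SCAN_STARTED", "i-0aaa"),
     _event("SCAN_COMPLETE", "i-0aaa"),
     _event("SCAN_SKIPPED", "i-0bbb", "EXAMPLE_REASON_A")],
    [{"message": "not json"},
     _event("SCAN_SKIPPED", "i-0ccc", "EXAMPLE_REASON_A"),
     _event("SCAN_SKIPPED", "i-0ddd", "EXAMPLE_REASON_B")],
]


def run_demo():
    """Set retention to 180 days and summarize the constructed events."""
    client = FakeLogsClient(SAMPLE_PAGES)
    set_retention(client, 180)
    return summarize(fetch_events(client))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The summary's `skipped` map is the useful output: each key is a skip reason as it appears in the events, and each value is the list of resources it applies to, which is the list to check against the "Proposed steps" column above. Validating the retention value locally matters because PutRetentionPolicy rejects periods outside its fixed set, and an audit script that fails on that call after a long log pull is needlessly expensive to rerun.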