Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.
Customizations in Malware Protection
General settings
Snapshots retention
GuardDuty gives you the option to retain the snapshots of your EBS volumes in your Amazon account. By default, the snapshots retention setting is turned off.
When a scan starts, GuardDuty creates replica EBS volumes from snapshots of your EBS volumes. After the scan completes, if you have turned on the snapshots retention setting, the snapshots of your EBS volumes are retained only if the Malware Protection scan detected malware in the replica EBS volumes. When no malware is detected, GuardDuty automatically deletes the snapshots of your EBS volumes, regardless of the snapshots retention setting. For information about the cost of snapshots and their retention, see Amazon EBS pricing.
Choose your access method to turn on the snapshots retention setting.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  - In the navigation pane, under Settings, choose Malware Protection.
  - Choose General settings in the bottom section of the console. To retain the snapshots, turn on Snapshots retention.
- API
  - Run the following Amazon CLI command to automatically retain snapshots when GuardDuty Malware Protection generates findings. Make sure to replace the detector-id with your own valid detectorId.
  - You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

    aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --ebs-snapshot-preservation "RETENTION_WITH_FINDING"

  - If you want to turn off snapshots retention, replace RETENTION_WITH_FINDING with NO_RETENTION.
Scan options
GuardDuty Malware Protection allows you to specify tags that either include or exclude Amazon EC2 instances and EBS volumes from the scanning and threat detection process. You can customize each malware scan by editing the tags in either the inclusion or the exclusion tags list. Each list can include up to 50 tags.
If you don't already have tags associated with your EC2 resources, see Tag your Amazon EC2 resources in the Amazon EC2 User Guide for Linux Instances or Tag your Amazon EC2 resources in the Amazon EC2 User Guide for Windows Instances.
GuardDuty won't scan volumes if the GuardDutyExcluded tag is set to true.
To exclude EC2 instances from malware scan
If you want to exclude an EC2 instance or EBS volume from the scanning process, set the GuardDutyExcluded tag to true on that EC2 instance or EBS volume, and GuardDuty won't scan it. For more information on the GuardDutyExcluded tag, see Service-linked role permissions for GuardDuty Malware Protection. You can also add an EC2 instance tag to an exclusion list. If you add multiple tags to the exclusion tags list, any EC2 instance that carries at least one of these tags is excluded from the malware scans. Choose your access method to add a tag associated with an EC2 instance to an exclusion list.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  - In the navigation pane, under Settings, choose Malware Protection.
  - Choose Scan options next to General settings. Choose Use exclusion tags from the drop-down menu on the right of this section.
  - Choose Add new exclusion tag and specify the tag's Key and Value pair that you want to exclude. Providing the Value is optional.
    Tag keys and values are case-sensitive. For more, see Tag restrictions in the Amazon EC2 User Guide for Linux Instances or Tag restrictions in the Amazon EC2 User Guide for Windows Instances.
    If no value is provided for a key and the EC2 instance is tagged with the specified key, the EC2 instance is excluded from the Malware Protection scanning process, regardless of the tag's assigned value.
- API
  - Update the malware scan settings to exclude an EC2 instance or a container workload from the scanning process. The following Amazon CLI example command adds a new tag to the exclusion tags list. Make sure to replace the example detector-id with your own valid detectorId. MapEquals is a list of Key/Value pairs.
    You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

    aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --scan-resource-criteria '{"Exclude": {"EC2_INSTANCE_TAG" : {"MapEquals": [{ "Key": "TestKeyWithValue", "Value": "TestValue" }, {"Key":"TestKeyWithoutValue"} ]}}}' --ebs-snapshot-preservation "RETENTION_WITH_FINDING"

    Tag keys and values are case-sensitive. For more, see Tag restrictions in the Amazon EC2 User Guide for Linux Instances or Tag restrictions in the Amazon EC2 User Guide for Windows Instances.
To include EC2 instances in malware scan
If you want to scan an EC2 instance, add its tag to the inclusion list. When you add a tag to the inclusion tags list, an EC2 instance that doesn't carry any of the added tags is skipped by the malware scan. If you add multiple tags to the inclusion tags list, an EC2 instance that carries at least one of those tags is included in the malware scan.
Sometimes, an EC2 instance may be skipped during the scanning process. For more information, see Reasons for skipping resource during malware scan.
Choose your access method to add a tag associated with an EC2 instance to an inclusion list.
- Console
  - Log in to the https://console.amazonaws.cn/guardduty/ console.
  - In the navigation pane, under Settings, choose Malware Protection.
  - Choose Scan options next to General settings. Choose Use inclusion tags from the drop-down menu on the right of this section.
  - Choose Add new inclusion tag and specify the tag's Key and Value pair that you want to include. Providing the Value is optional.
    Tag keys and values are case-sensitive. For more, see Tag restrictions in the Amazon EC2 User Guide for Linux Instances or Tag restrictions in the Amazon EC2 User Guide for Windows Instances.
    If no value is provided for a key and the EC2 instance is tagged with the specified key, the EC2 instance is included in the Malware Protection scanning process, regardless of the tag's assigned value.
- API
  - Update the malware scan settings to include an EC2 instance or a container workload in the scanning process. The following Amazon CLI example command adds a new tag to the inclusion tags list. Make sure to replace the example detector-id with your own valid detectorId. Replace the example TestKey and TestValue with the Key and Value pair of the tag associated with your EC2 resource. MapEquals is a list of Key/Value pairs.
    You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

    aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --scan-resource-criteria '{"Include": {"EC2_INSTANCE_TAG" : {"MapEquals": [{ "Key": "TestKeyWithValue", "Value": "TestValue" }, {"Key":"TestKeyWithoutValue"} ]}}}' --ebs-snapshot-preservation "RETENTION_WITH_FINDING"

    Tag keys and values are case-sensitive. For more, see Tag restrictions in the Amazon EC2 User Guide for Linux Instances or Tag restrictions in the Amazon EC2 User Guide for Windows Instances.
It may take up to 5 minutes for GuardDuty to detect a new tag.
At any time, you can choose either Inclusion tags or Exclusion tags, but not both. If you want to switch between the two tag lists, choose that list from the drop-down menu on the right of this section, and Confirm your selection. This action clears all your current tags.
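The following Python script is an added example, not AWS documentation code. It builds the parameters for the same UpdateMalwareScanSettings call that the CLI commands above issue (snapshot retention plus an inclusion or exclusion tag list) and then dry-runs the tag rules this page describes against a few constructed instance tag sets, so you can check which instances a proposed list would exclude or skip before applying it. It assumes the boto3 parameter names DetectorId, ScanResourceCriteria and EbsSnapshotPreservation, that the GuardDutyExcluded value is compared literally as "true", and it encodes the page's constraints (one list type at a time, at most 50 tags, case-sensitive keys and values, key-only entries matching any value). The detector id and tag names are the page's own examples; the instance tag sets are constructed.

```python
"""Build GuardDuty Malware Protection scan settings and dry-run the tag rules.

Added example, not AWS code. Assumes the boto3 parameter shape for
update_malware_scan_settings (DetectorId, ScanResourceCriteria,
EbsSnapshotPreservation) and implements the matching rules as the page states them.
"""
import json
from typing import Dict, List, Optional

GUARDDUTY_EXCLUDED_TAG = "GuardDutyExcluded"  # honoured by GuardDuty regardless of scan options
VALID_PRESERVATION = ("NO_RETENTION", "RETENTION_WITH_FINDING")
MAX_TAGS_PER_LIST = 50

TagEntry = Dict[str, str]  # {"Key": ..., "Value": ...}; "Value" may be absent


def build_scan_settings(detector_id: str,
                        include: Optional[List[TagEntry]] = None,
                        exclude: Optional[List[TagEntry]] = None,
                        snapshot_preservation: str = "NO_RETENTION") -> dict:
    """Return keyword arguments for boto3's guardduty.update_malware_scan_settings().

    Enforces the page's constraints: one list type at a time, at most 50 entries,
    a non-empty Key per entry, and a valid EbsSnapshotPreservation value.
    """
    if include and exclude:
        raise ValueError("use either inclusion tags or exclusion tags, not both")
    if snapshot_preservation not in VALID_PRESERVATION:
        raise ValueError(f"EbsSnapshotPreservation must be one of {VALID_PRESERVATION}")

    criteria = {}
    for mode, tags in (("Include", include), ("Exclude", exclude)):
        if not tags:
            continue
        if len(tags) > MAX_TAGS_PER_LIST:
            raise ValueError(f"{mode} list exceeds {MAX_TAGS_PER_LIST} tags")
        entries = []
        for tag in tags:
            if not tag.get("Key"):
                raise ValueError("every tag entry needs a non-empty Key")
            entry = {"Key": tag["Key"]}
            if tag.get("Value") is not None:  # Value is optional; key-only entries match any value
                entry["Value"] = tag["Value"]
            entries.append(entry)
        criteria[mode] = {"EC2_INSTANCE_TAG": {"MapEquals": entries}}

    params = {"DetectorId": detector_id, "EbsSnapshotPreservation": snapshot_preservation}
    if criteria:
        params["ScanResourceCriteria"] = criteria
    return params


def cli_criteria_json(params: dict) -> str:
    """Render ScanResourceCriteria as the JSON string passed to --scan-resource-criteria."""
    return json.dumps(params.get("ScanResourceCriteria", {}), separators=(",", ":"))


def _entry_matches(entry: TagEntry, resource_tags: Dict[str, str]) -> bool:
    # Case-sensitive comparison: the page says tag keys and values are case-sensitive.
    if entry["Key"] not in resource_tags:
        return False
    return "Value" not in entry or resource_tags[entry["Key"]] == entry["Value"]


def scan_decision(resource_tags: Dict[str, str], params: dict) -> str:
    """Predict how GuardDuty treats a resource with these tags under these settings.

    Returns one of: "scanned", "guardduty-excluded-tag", "excluded-by-tag",
    "no-inclusion-tag-match".
    """
    # Assumption: the GuardDutyExcluded tag value is compared literally as "true".
    if resource_tags.get(GUARDDUTY_EXCLUDED_TAG) == "true":
        return "guardduty-excluded-tag"
    criteria = params.get("ScanResourceCriteria", {})
    exclude = criteria.get("Exclude", {}).get("EC2_INSTANCE_TAG", {}).get("MapEquals", [])
    if any(_entry_matches(e, resource_tags) for e in exclude):
        return "excluded-by-tag"  # at least one exclusion tag matched
    include = criteria.get("Include", {}).get("EC2_INSTANCE_TAG", {}).get("MapEquals", [])
    if include and not any(_entry_matches(e, resource_tags) for e in include):
        return "no-inclusion-tag-match"  # inclusion list set, none of its tags present
    return "scanned"


if __name__ == "__main__":
    # The page's example exclusion list, run against constructed instance tag sets.
    params = build_scan_settings(
        "60b8777933648562554d637e0e4bb3b2",  # example detector id from the page
        exclude=[{"Key": "TestKeyWithValue", "Value": "TestValue"},
                 {"Key": "TestKeyWithoutValue"}],
        snapshot_preservation="RETENTION_WITH_FINDING",
    )
    print(cli_criteria_json(params))
    for tags in ({"TestKeyWithoutValue": "anything"}, {"TestKeyWithValue": "testvalue"},
                 {"GuardDutyExcluded": "true"}, {"Name": "web-1"}):
        print(tags, "->", scan_decision(tags, params))
```

To apply the settings, pass the returned dictionary as `boto3.client("guardduty").update_malware_scan_settings(**params)` (assumed boto3 call; no AWS call is made by the script itself). Running the dry-run over the tags you export from your own inventory is a cheap way to catch a case mismatch or a key-only entry that is broader than intended before it silently removes instances from scanning.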