Customizations in Malware Protection - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Customizations in Malware Protection

General settings

Snapshots retention

GuardDuty provides you the option to retain the snapshots of your EBS volumes in your Amazon account. By default, the snapshots retention setting is turned off.

As the scan initiates, GuardDuty generates the replica EBS volumes based on the snapshots of your EBS volumes. After the scan completes and you've turned on the snapshots retention setting, the snapshots of your EBS volumes will be retained only if the Malware Protection scan detects malware in the replica EBS volumes. When no malware is detected, GuardDuty automatically deletes the snapshots of your EBS volumes, irrespective of the snapshots retention setting. For information on the cost of snapshots and their retention, see Amazon EBS pricing.

You can turn on the snapshots retention setting through the console or by using the API, as described below.

Console
  1. Log into the https://console.amazonaws.cn/guardduty/ console.

  2. In the navigation pane, under Settings, choose Malware Protection.

  3. Choose General settings in the bottom section of the console. To retain the snapshots, turn on Snapshots retention.

API
  1. Run the following Amazon CLI command to retain snapshots whenever GuardDuty Malware Protection generates findings.

    Be sure to replace the example detector-id with your own valid detectorId. You can find your detectorId for your current Region in the https://console.amazonaws.cn/guardduty/ console from the Settings page, or by using the ListDetectors API.

    aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --ebs-snapshot-preservation "RETENTION_WITH_FINDING"

  2. If you want to turn off snapshots retention, replace RETENTION_WITH_FINDING with NO_RETENTION.

Scan options

GuardDuty Malware Protection allows you to specify tags to either include or exclude Amazon EC2 instances and EBS volumes from the scanning and threat detection process. You can tag your Amazon EC2 resources and customize the Scan options. For each malware scan, you can add tags to either an inclusion or an exclusion tags list. Each list can include up to 50 tags.

Note

GuardDuty won't scan volumes if the GuardDutyExcluded tag is set to true.

To exclude EC2 instances from malware scan

If you want to exclude any EC2 instance during the scanning process, you can set the GuardDutyExcluded tag to true for any EC2 instance and EBS volume, and GuardDuty won't scan it. For more information on the GuardDutyExcluded tag, see Service-linked role permissions for GuardDuty Malware Protection. You can also add an EC2 instance tag to the exclusion list. You can achieve this through the GuardDuty console or by using the API provided below.

If you add multiple tags to the exclusion tags list, any EC2 instance that contains at least one of these tags will get excluded from the malware scans.

Console
  1. Log into the https://console.amazonaws.cn/guardduty/ console.

  2. In the navigation pane, under Settings, choose Malware Protection.

  3. Choose Scan options next to General settings. Choose Use exclusion tags from the dropdown menu on the right of this section.

  4. Choose Add new exclusion tag and specify the tag's Key and Value pair that you want to exclude. It is optional to provide the Value.

    If no value is provided for a key and an EC2 instance is tagged with the specified key, the EC2 instance will be excluded from the Malware Protection scanning process, regardless of the tag's assigned value.

API
  • Update the malware scan settings to exclude an EC2 instance or a container workload from the scanning process.

    The following Amazon CLI example command adds a new tag to the exclusion tags list. Be sure to replace the example detector-id with your own valid detectorId.

    MapEquals is a list of Key/Value pairs.

    You can find your detectorId for your current Region in the https://console.amazonaws.cn/guardduty/ console from the Settings page, or by using the ListDetectors API.

    aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --scan-resource-criteria '{"Exclude": {"EC2_INSTANCE_TAG" : {"MapEquals": [{ "Key": "TestKeyWithValue", "Value": "TestValue" }, {"Key":"TestKeyWithoutValue"} ]}}}' --ebs-snapshot-preservation "RETENTION_WITH_FINDING"

To include EC2 instances in malware scan

If you want to scan an EC2 instance, add its tag to the inclusion list. You can achieve this through the GuardDuty console or by using the API provided below.

If you add any tag to the inclusion list, the instances associated with that tag get scanned. Any instance that doesn't have its tag added to the inclusion list won't get scanned. If you add multiple tags, an instance that contains all the tags gets scanned.

Console
  1. Log into the https://console.amazonaws.cn/guardduty/ console.

  2. In the navigation pane, under Settings, choose Malware Protection.

  3. Choose Scan options next to General settings. Choose Use inclusion tags from the dropdown menu on the right of this section.

  4. Choose Add new inclusion tag and specify the tag's Key and Value pair that you want to include. It is optional to provide the Value.

    If no value is provided for a key and an EC2 instance is tagged with the specified key, the EC2 instance will be included in the Malware Protection scanning process, regardless of the tag's assigned value.

API
  • Update the malware scan settings to include an EC2 instance or a container workload in the scanning process.

    The following Amazon CLI example command adds a new tag to the inclusion tags list. Be sure to replace the example detector-id with your own valid detectorId. Replace the example TestKey and TestValue with the Key and Value pair of the tag associated with your EC2 resource.

    MapEquals is a list of Key/Value pairs.

    You can find your detectorId for your current Region in the https://console.amazonaws.cn/guardduty/ console from the Settings page, or by using the ListDetectors API.

    aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --scan-resource-criteria '{"Include": {"EC2_INSTANCE_TAG" : {"MapEquals": [{ "Key": "TestKeyWithValue", "Value": "TestValue" }, {"Key":"TestKeyWithoutValue"} ]}}}' --ebs-snapshot-preservation "RETENTION_WITH_FINDING"

Note

It may take up to 5 minutes for GuardDuty to detect a new tag.

At any time, you can either choose Inclusion tags or Exclusion tags but not both. If you want to switch between the tags, choose that tag from the dropdown menu on the right of this section, and Confirm your selection. This action clears all your current tags.
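The exclusion and inclusion rules above (at least one matching exclusion tag excludes; all inclusion tags must match; GuardDutyExcluded=true always wins; one list type at a time; 50 tags per list) are easy to get wrong when assembling the --scan-resource-criteria JSON by hand. The following Python is an added example, not code from this page or from GuardDuty: it builds that JSON document, emits the matching aws CLI command with the --ebs-snapshot-preservation value from the Snapshots retention section, and models which instances the documented rules would scan so you can dry-run a tag policy against your inventory before applying it. The instance tag sets are constructed sample data; the assumption that GuardDutyExcluded is compared against the literal string "true" is marked in the code.

```python
"""Model of the GuardDuty Malware Protection tag rules described on this page.

Added example (not GuardDuty's own code): builds the ScanResourceCriteria JSON
for `aws guardduty update-malware-scan-settings`, enforces the limits the page
states, and predicts which EC2 instances the documented rules would scan.
"""
import json
import shlex
from typing import Dict, Optional

MAX_TAGS_PER_LIST = 50                       # page: "Each list can include up to 50 tags"
PRESERVATION_VALUES = {"NO_RETENTION", "RETENTION_WITH_FINDING"}


def build_criteria(mode: str, tags: Dict[str, Optional[str]]) -> dict:
    """Return the --scan-resource-criteria document for one list type.

    mode is "Include" or "Exclude"; the page says a detector uses one or the
    other, never both. tags maps Key -> Value; a None value means "match on the
    key alone, whatever value the instance carries".
    """
    if mode not in ("Include", "Exclude"):
        raise ValueError("mode must be 'Include' or 'Exclude'")
    if len(tags) > MAX_TAGS_PER_LIST:
        raise ValueError(f"at most {MAX_TAGS_PER_LIST} tags per list")
    map_equals = []
    for key, value in tags.items():
        entry = {"Key": key}
        if value is not None:
            entry["Value"] = value
        map_equals.append(entry)
    return {mode: {"EC2_INSTANCE_TAG": {"MapEquals": map_equals}}}


def build_cli_command(detector_id: str, criteria: dict, preservation: str) -> str:
    """Assemble the CLI invocation shown on this page, with the JSON shell-quoted."""
    if preservation not in PRESERVATION_VALUES:
        raise ValueError(f"preservation must be one of {sorted(PRESERVATION_VALUES)}")
    return " ".join([
        "aws guardduty update-malware-scan-settings",
        f"--detector-id {detector_id}",
        f"--scan-resource-criteria {shlex.quote(json.dumps(criteria))}",
        f"--ebs-snapshot-preservation {preservation}",
    ])


def _entry_matches(entry: dict, instance_tags: Dict[str, str]) -> bool:
    """A key-only entry matches any value; a Key/Value entry needs both."""
    key = entry["Key"]
    if key not in instance_tags:
        return False
    return "Value" not in entry or instance_tags[key] == entry["Value"]


def would_scan(criteria: dict, instance_tags: Dict[str, str]) -> bool:
    """Apply the page's rules to one instance's tags.

    Exclude list: matching at least one entry excludes the instance.
    Include list: only an instance matching all entries is scanned.
    """
    # Assumption: the tag value is compared as the literal string "true".
    if instance_tags.get("GuardDutyExcluded") == "true":
        return False
    if "Exclude" in criteria:
        entries = criteria["Exclude"]["EC2_INSTANCE_TAG"]["MapEquals"]
        return not any(_entry_matches(e, instance_tags) for e in entries)
    if "Include" in criteria:
        entries = criteria["Include"]["EC2_INSTANCE_TAG"]["MapEquals"]
        return all(_entry_matches(e, instance_tags) for e in entries)
    return True  # no tag criteria: every eligible instance is scanned


if __name__ == "__main__":
    # Constructed inventory: instance id -> its EC2 tags.
    inventory = {
        "i-web": {"Name": "web-1", "Env": "prod"},
        "i-build": {"Name": "ci-runner", "TestKeyWithoutValue": "x"},
        "i-db": {"Name": "db-1", "TestKeyWithValue": "TestValue"},
        "i-lab": {"Name": "lab", "GuardDutyExcluded": "true"},
    }
    exclude = build_criteria("Exclude", {"TestKeyWithValue": "TestValue",
                                         "TestKeyWithoutValue": None})
    # Detector id below is the example value from this page; replace with yours.
    print(build_cli_command("60b8777933648562554d637e0e4bb3b2", exclude,
                            "RETENTION_WITH_FINDING"))
    for iid, tags in inventory.items():
        print(f"{iid}: {'scan' if would_scan(exclude, tags) else 'skip'}")
```

Switching the dict passed to build_criteria from "Exclude" to "Include" and re-running the loop shows the second rule set, which is the check worth doing before the console's Confirm step clears the list you had.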