Getting started with On-demand malware scan
As a GuardDuty administrator account, you can initiate an on-demand malware scan on behalf of your active member accounts that have the following prerequisites set up in their accounts. Standalone accounts and active member accounts in GuardDuty can also initiate an on-demand malware scan for their own Amazon EC2 instances.
Prerequisites
GuardDuty must be enabled in the Amazon Web Services Regions where you want to initiate the on-demand malware scan.
Ensure that the Amazon managed policy AmazonGuardDutyFullAccess is attached to the IAM user or IAM role that will initiate the scan. You will need the access key and secret key associated with that IAM user or IAM role.
As a delegated GuardDuty administrator account, you have the option to initiate an on-demand malware scan on behalf of an active member account.
If you're a member account that doesn't have the service-linked role (SLR) permissions for Malware Protection, initiating an on-demand malware scan for an Amazon EC2 instance that belongs to your account will automatically create the SLR for Malware Protection.
Important
Ensure that no one deletes the SLR permissions for Malware Protection while a malware scan, whether GuardDuty-initiated or on-demand, is still in progress. Doing so prevents the scan from completing successfully and producing a definitive scan result.
Before you initiate an on-demand malware scan, make sure that no scan was initiated on the same resource in the past 1 hour; otherwise, your request is de-duplicated and no new scan is started. For more information, see Re-scanning the same Amazon EC2 instance.
Initiating On-demand malware scan
Choose your preferred access method to initiate an on-demand malware scan.
For information about the format of your Amazon EC2 instance ARN, see Amazon Resource Name (ARN). For Amazon EC2 instances, you can use the following example ARN format by replacing the values for the partition, Region, Amazon Web Services account ID, and Amazon EC2 instance ID. For information about the length of your instance ID, see Resource IDs.
arn:aws-cn:ec2:us-east-1:555555555555:instance/i-b188560f
Re-scanning the same Amazon EC2 instance
Whether a scan is GuardDuty-initiated or on-demand, you can initiate a new on-demand malware scan on the same EC2 instance only after 1 hour has passed since the start time of the previous malware scan. If a new malware scan is initiated within 1 hour of the start of the previous malware scan, your request results in the following error, and no scan ID is generated for this request.
A scan was initiated on this resource recently. You can request a scan on the same resource one hour after the previous scan start time.
For information about how to initiate a new scan on the same resource, see Initiating On-demand malware scan.
To track the status of the malware scans, see Monitoring scan statuses and results in GuardDuty Malware Protection.
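The following added example (not part of the GuardDuty documentation) ties together the ARN format described above and the one-hour re-scan rule: it validates an EC2 instance ARN, checks locally whether a re-scan would be de-duplicated, and wraps the StartMalwareScan call so the "scan was initiated recently" rejection is reported as a missing scan ID rather than an unhandled exception. The `client` parameter, the local re-scan check and the instance-ID length pattern are this example's assumptions; the ARN and error text come from the page.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed instance-ID shape: "i-" followed by 8 or 17 hex characters (see the page's "Resource IDs" pointer).
_INSTANCE_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):ec2:"
    r"([a-z]{2}(?:-gov)?-[a-z]+-\d):(\d{12}):instance/(i-[0-9a-f]{8}(?:[0-9a-f]{9})?)$"
)
RESCAN_WINDOW = timedelta(hours=1)          # from the page: one hour after the previous scan start time
RESCAN_REJECTED = "A scan was initiated on this resource recently"   # prefix of the page's error text


def build_instance_arn(partition, region, account_id, instance_id):
    """Assemble an EC2 instance ARN in the page's format and reject anything malformed."""
    arn = f"arn:{partition}:ec2:{region}:{account_id}:instance/{instance_id}"
    if not _INSTANCE_ARN.match(arn):
        raise ValueError(f"not a valid EC2 instance ARN: {arn}")
    return arn


def rescan_allowed(previous_start, now=None):
    """True once a full hour has elapsed since the previous scan's start time (the de-dupe rule)."""
    now = now or datetime.now(timezone.utc)
    return now - previous_start >= RESCAN_WINDOW


def start_on_demand_scan(resource_arn, client=None):
    """Request an on-demand scan. Returns the ScanId, or None when GuardDuty rejects the request
    because the resource was scanned within the last hour (no scan ID is generated in that case).
    `client` is any object with start_malware_scan(ResourceArn=...); defaults to a boto3 client."""
    if not _INSTANCE_ARN.match(resource_arn):
        raise ValueError(f"not a valid EC2 instance ARN: {resource_arn}")
    if client is None:
        import boto3  # imported lazily so the pure helpers above work without the SDK installed
        client = boto3.client("guardduty")
    try:
        return client.start_malware_scan(ResourceArn=resource_arn)["ScanId"]
    except Exception as exc:  # botocore raises ClientError; match on the documented message text
        if RESCAN_REJECTED in str(exc):
            return None
        raise


if __name__ == "__main__":
    arn = build_instance_arn("aws-cn", "us-east-1", "555555555555", "i-b188560f")
    scan_id = start_on_demand_scan(arn)
    print("scan started:", scan_id) if scan_id else print("de-duplicated: wait one hour and retry")
```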