Malware Protection in Amazon GuardDuty - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Malware Protection in Amazon GuardDuty

GuardDuty Malware Protection is an enhancement to Amazon GuardDuty. GuardDuty identifies resources that are at risk, or that have already been compromised by malware, by continuously monitoring resource behavior and network communication; on its own, however, it does not detect the malware that may be the source of the compromise. Malware Protection adds that capability.

With Malware Protection enabled, whenever GuardDuty detects suspicious behavior on an Amazon EC2 instance or a container workload, GuardDuty Malware Protection automatically initiates an agentless scan of the EBS volumes attached to the impacted EC2 instance or container workload to detect the presence of malware. For more information, see GuardDuty findings that initiate Malware Protection scans. GuardDuty Malware Protection also lets you select which resources to scan or skip; it does not initiate an automatic scan on resources that you choose to exclude from scanning. If a scan detects malware, you can view the detailed Malware Protection findings about the threat in the GuardDuty console.

Malware Protection is an optional capability and is designed not to affect the performance of your resources. Malware Protection is currently available in the Amazon Web Services Regions where GuardDuty is available, excluding the Amazon GovCloud (US) and China Regions. You can start or stop the Malware Protection feature for any account or available Amazon Web Services Region at any time. An existing GuardDuty customer can enable Malware Protection with a 30-day trial period; for a new GuardDuty account, Malware Protection is enabled by default and included in the 30-day trial period. For more information, see Estimating GuardDuty costs.

Understanding how Malware Protection works in GuardDuty

GuardDuty Malware Protection scans and detects malware on EBS volumes attached to your potentially compromised Amazon EC2 instances and container workloads. The following image describes how Malware Protection works in GuardDuty.

Image: Amazon GuardDuty scanning process.

In response to GuardDuty detecting suspicious and potentially malicious activity indicative of malware, Malware Protection creates snapshots of the relevant EBS volumes attached to the resources where GuardDuty detected such activity, and shares them with the Malware Protection service account. Next, Malware Protection creates encrypted replica EBS volumes from those snapshots, in the service account.

Based on your Scan options, an automatic agentless scan initiates to detect malware. After the scan completes, GuardDuty deletes the encrypted replica EBS volumes and the snapshots of your EBS volumes. If malware is found and you've turned on the Snapshots retention setting, the snapshots of your EBS volumes are not deleted and are automatically retained in your Amazon account. When no malware is found, the snapshots of your EBS volumes are not retained, irrespective of the snapshots retention setting. By default, the snapshots retention setting is turned off. For information on the cost of snapshots and their retention, see Amazon EBS pricing.

GuardDuty retains each replica EBS volume that it scans for up to one day. If there is a service outage or a failure with a replica EBS volume or its malware scan, GuardDuty retains that replica volume for no more than seven days; the extended retention period is used to triage and address the outage or failure. GuardDuty Malware Protection deletes the replica EBS volume after the outage or failure is addressed or once the extended retention period lapses.

Note

For each EC2 instance and container workload for which GuardDuty generates findings, GuardDuty Malware Protection initiates a scan only once every 24 hours.

In the event of malware detection, GuardDuty generates new Malware Protection finding types with details about the impacted resource and the malware. For more information, see Finding details. To understand the Malware Protection scan statuses, see Monitoring malware scan statuses and results. GuardDuty publishes each event that gets generated during a malware scan. GuardDuty Malware Protection may also skip some resources for reasons other than your Scan options. For more information, see Understanding CloudWatch Logs and skip reasons.
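The scan statuses and skip reasons referred to above are what an incident responder has to act on. The following Python script is an added example for this page, not code from the GuardDuty documentation or service: it takes scan records in the shape of the DescribeMalwareScans API response (the sample records, and in particular their FailureReason strings, are constructed placeholders rather than documented values) and sorts them into instances to contain, instances whose triggering finding still needs investigation despite a clean disk, and instances that received no scan coverage at all.

```python
"""Triage GuardDuty Malware Protection scan records.

Added example for this page, not code from the GuardDuty documentation or
service. The record layout follows the DescribeMalwareScans API response
(ScanId, ScanStatus, ScanResultDetails, FailureReason, ResourceDetails);
the records below are constructed sample data, and the skip/failure reason
strings are placeholders, not values documented for the service.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

ARN = "arn:aws-cn:ec2:cn-north-1:123456789012:instance/"  # placeholder account/Region

# Constructed sample scans; scan IDs and instance IDs are placeholders.
SAMPLE_SCANS = [
    {"ScanId": "scan-0001", "ScanStatus": "COMPLETED",
     "ResourceDetails": {"InstanceArn": ARN + "i-0aaa"},
     "ScanResultDetails": {"ScanResult": "INFECTED"}},
    {"ScanId": "scan-0002", "ScanStatus": "COMPLETED",
     "ResourceDetails": {"InstanceArn": ARN + "i-0bbb"},
     "ScanResultDetails": {"ScanResult": "CLEAN"}},
    {"ScanId": "scan-0003", "ScanStatus": "SKIPPED",
     "ResourceDetails": {"InstanceArn": ARN + "i-0ccc"},
     "FailureReason": "UNSUPPORTED_VOLUME_ENCRYPTION"},   # placeholder reason
    {"ScanId": "scan-0004", "ScanStatus": "FAILED",
     "ResourceDetails": {"InstanceArn": ARN + "i-0ddd"},
     "FailureReason": "SNAPSHOT_CREATION_FAILED"},        # placeholder reason
    {"ScanId": "scan-0005", "ScanStatus": "RUNNING",
     "ResourceDetails": {"InstanceArn": ARN + "i-0eee"}},
]


@dataclass
class Triage:
    """Instances grouped by the action a responder has to take next."""
    infected: list[str] = field(default_factory=list)      # malware on disk: contain now
    clean: list[str] = field(default_factory=list)         # nothing on disk, finding still open
    skipped: dict[str, str] = field(default_factory=dict)  # ARN -> reason, no coverage
    failed: dict[str, str] = field(default_factory=dict)   # ARN -> reason, no coverage
    in_progress: list[str] = field(default_factory=list)


def triage_scans(scans: list[dict]) -> Triage:
    """Bucket scan records by outcome.

    A CLEAN result means no malware was found on the attached EBS volumes at
    scan time; it does not close the behavioral finding that triggered the
    scan (memory-only payloads and deleted droppers leave nothing on disk).
    SKIPPED and FAILED scans gave no coverage, so those instances go
    straight to manual review.
    """
    t = Triage()
    for scan in scans:
        arn = scan.get("ResourceDetails", {}).get("InstanceArn", "<unknown>")
        status = scan.get("ScanStatus")
        reason = scan.get("FailureReason", "unspecified")
        if status == "COMPLETED":
            result = scan.get("ScanResultDetails", {}).get("ScanResult")
            if result == "INFECTED":
                t.infected.append(arn)
            elif result == "CLEAN":
                t.clean.append(arn)
            else:  # defensive: an unknown result is treated as missing coverage
                t.failed[arn] = f"COMPLETED with unexpected ScanResult {result!r}"
        elif status == "SKIPPED":
            t.skipped[arn] = reason
        elif status == "FAILED":
            t.failed[arn] = reason
        elif status == "RUNNING":
            t.in_progress.append(arn)
        else:
            t.failed[arn] = f"unknown ScanStatus {status!r}"
    return t


def coverage_gaps(triage: Triage) -> Counter:
    """Count skip/failure reasons so a recurring cause (for example volumes
    encrypted with a key the service cannot use) is fixed once instead of
    being re-triaged after every finding."""
    return Counter(list(triage.skipped.values()) + list(triage.failed.values()))


def unscanned_instances(triage: Triage) -> list[str]:
    """Every instance that had a finding but no completed scan. These still
    need a response: a repeat finding within 24 hours will not trigger
    another scan."""
    return sorted(set(triage.skipped) | set(triage.failed))


if __name__ == "__main__":
    t = triage_scans(SAMPLE_SCANS)
    print("contain:", t.infected)
    print("investigate (clean on disk):", t.clean)
    print("manual review:", unscanned_instances(t))
    print("gap reasons:", coverage_gaps(t))
```

The split encodes the caveat the page only implies: a CLEAN result says nothing was found on the attached EBS volumes at scan time, not that the behavior GuardDuty flagged was benign, and because a resource is scanned at most once every 24 hours, a SKIPPED or FAILED scan leaves that instance without coverage until the underlying cause is fixed.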

GuardDuty supports both unencrypted volumes and volumes encrypted with a customer managed key. If your EBS volumes are encrypted with a customer managed key, GuardDuty uses the same key to encrypt the replica EBS volume. For unencrypted EBS volumes, GuardDuty uses its own key to encrypt the replica EBS volume. GuardDuty Malware Protection doesn't scan EBS volumes that are encrypted with the Amazon managed key for Amazon EBS encryption (the aws/ebs key). GuardDuty Malware Protection supports EBS volumes that reside in your Amazon account.

When you enable Malware Protection, a service-linked role (SLR) is automatically created for your account. For more information, see Service-linked role permissions for GuardDuty Malware Protection.

Configure GuardDuty Malware Protection for a standalone account

For accounts associated with Amazon Organizations, you can automate this process through console settings, as described in the next section.

Accounts that were using GuardDuty before the addition of Malware Protection can enable this feature by configuring GuardDuty through the console.

To enable or disable Malware Protection

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Malware Protection.

  3. The Malware Protection pane lists the current status of Malware Protection for your account. You may enable or disable it at any time by selecting Enable or Disable respectively, then confirming your selection.

API
  • Run the UpdateDetector API operation with your own regional detector ID, passing the dataSources object with EbsVolumes set to true or false.

    You can also enable or disable Malware Protection using Amazon command line tools by running the following Amazon CLI command. Make sure to use your own valid detector ID.

    Note

    The following example code enables Malware Protection. To disable it, replace true with false.

    You can find your detectorId for your current Region in the https://console.amazonaws.cn/guardduty/ console from the Settings page, or by using the ListDetectors API.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'

Configuring GuardDuty Malware Protection in multiple-account environments

In a multi-account environment, only GuardDuty administrator accounts can configure Malware Protection. GuardDuty administrator accounts can enable or disable the use of Malware Protection for their member accounts. Once the administrator configures GuardDuty Malware Protection for a member account, the member account will follow the administrator account settings and be unable to modify these settings through the console. GuardDuty administrator accounts that manage their member accounts with Amazon Organizations support can choose to have Malware Protection enabled automatically on all the existing and new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.

Enable Malware Protection when delegated administrator is not a management account in Amazon Organizations

If the GuardDuty delegated administrator is not the management account of your Amazon Organizations organization, the management account must enable trusted access for the Malware Protection feature in the organization. This lets the delegated administrator create the Service-linked role permissions for GuardDuty Malware Protection in member accounts that are managed through Amazon Organizations.

aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com

Optional: To enable Malware Protection for a management account that is not the delegated administrator, the management account must first create the Service-linked role permissions for GuardDuty Malware Protection explicitly in its own account; after that, the delegated administrator can enable Malware Protection for it in the same way as for any other member account.

aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com

Automatically enabling Malware Protection for all Organization member accounts

Note

This functionality is only available to administrators of GuardDuty members incorporated through Amazon Organizations.

You can enable GuardDuty Malware Protection for all member accounts in an organization.

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Malware Protection.

  3. GuardDuty Malware Protection lists the current status of GuardDuty Malware Protection for the administrator account and the member accounts.

  4. Choose Enable to start the Malware Protection service on the administrator account.

  5. Choose Enable all to enable Malware Protection on all member accounts with a single click, and confirm your selection. The console will then display the number of member accounts that were enabled successfully.

    Once enabled, you can manage member accounts from Accounts in the left navigation pane.

Note

This action also enables the Auto-enable feature to automatically enable GuardDuty Malware Protection for future member accounts within your organization.

Selectively enable or disable GuardDuty Malware Protection for member accounts

Note

This functionality is only available to administrators of GuardDuty members incorporated through Amazon Organizations.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

    Note

    From the Accounts table, review the Malware Protection column. A green checkmark icon indicates that Malware Protection is enabled, and a blue dash icon indicates that it is disabled. If this column is blank, the account is not eligible for Malware Protection. You can also filter by Enabled or Disabled.

  3. Choose the account for which you want to configure Malware Protection. From the Actions menu, choose Enable Malware Protection or Disable Malware Protection, then confirm your selection to change the settings for the selected account. The table will update automatically to show your changes.

API

To selectively enable or disable GuardDuty Malware Protection for your member accounts, run the UpdateMemberDetectors API operation using your own detector ID. The following example shows how to enable Malware Protection for a single member account. To disable it, replace true with false.

You can find your detectorId for your current Region in the https://console.amazonaws.cn/guardduty/ console from the Settings page, or by using the ListDetectors API.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'

Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
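The UpdateMemberDetectors call above is the building block; at organization scale you also have to batch account IDs and check UnprocessedAccounts on every call rather than only on the last one. The following Python script is an added example, not code from the GuardDuty documentation. It constructs the same DataSources payload as the CLI commands on this page (CreateDetector and UpdateDetector accept the same structure), batches account IDs (the 50-IDs-per-call figure is the author's understanding of the UpdateMemberDetectors request limit and is treated as an assumption), and merges the UnprocessedAccounts lists into one report; the boto3 calls run only when the file is executed as a script with administrator credentials.

```python
"""Set GuardDuty Malware Protection on member accounts in batches.

Added example for this page, not code from the GuardDuty documentation. The
pure functions below run offline; the boto3 section under __main__ is the
only part that talks to the service. MAX_ACCOUNTS_PER_CALL is an assumed
limit, not a value taken from this page.
"""
from __future__ import annotations

from typing import Iterable, Iterator

MAX_ACCOUNTS_PER_CALL = 50  # assumed UpdateMemberDetectors AccountIds limit


def malware_protection_data_sources(enabled: bool) -> dict:
    """DataSources payload enabling (True) or disabling (False) agentless EBS
    scanning; identical to the --data-sources JSON on this page."""
    return {"MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": bool(enabled)}}}


def batched(ids: Iterable[str], size: int = MAX_ACCOUNTS_PER_CALL) -> Iterator[list[str]]:
    """Yield lists of at most `size` account IDs, preserving order and
    dropping duplicates (a duplicated ID would otherwise be sent twice)."""
    ordered = list(dict.fromkeys(ids))  # ordered de-duplication
    for i in range(0, len(ordered), size):
        yield ordered[i:i + size]


def unprocessed_report(responses: Iterable[dict]) -> dict[str, str]:
    """Merge UnprocessedAccounts entries into {account_id: Result}.
    An empty dict means every account was updated."""
    failures: dict[str, str] = {}
    for resp in responses:
        for item in resp.get("UnprocessedAccounts", []):
            failures[item["AccountId"]] = item.get("Result", "")
    return failures


def set_member_malware_protection(client, detector_id: str,
                                  account_ids: Iterable[str], enabled: bool) -> dict[str, str]:
    """Call UpdateMemberDetectors once per batch and return the accounts that
    were not updated. `client` is any object exposing
    update_member_detectors(**kwargs), e.g. boto3.client("guardduty");
    injecting it keeps the function testable without credentials."""
    responses = []
    for chunk in batched(account_ids):
        responses.append(client.update_member_detectors(
            DetectorId=detector_id,
            AccountIds=chunk,
            DataSources=malware_protection_data_sources(enabled),
        ))
    return unprocessed_report(responses)


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run from the administrator account

    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]  # one detector per Region
    members = [
        m["AccountId"]
        for page in gd.get_paginator("list_members").paginate(DetectorId=detector_id)
        for m in page["Members"]
    ]
    failed = set_member_malware_protection(gd, detector_id, members, enabled=True)
    for account, why in failed.items():
        print(f"{account}: {why}", file=sys.stderr)
    sys.exit(1 if failed else 0)
```

A non-zero exit with the failed account IDs on stderr is deliberate: an account listed in UnprocessedAccounts (typically one where GuardDuty itself is not yet enabled) silently keeps whatever Malware Protection setting it had, which is the gap you want a scheduled job to surface.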

Configuring Malware Protection for newly added accounts in the Organization

Newly added member accounts must have GuardDuty enabled before you can Enable or Disable Malware Protection for them. For more information, see Step 3 - Accept an invitation.

The member accounts managed by invitation can configure GuardDuty Malware Protection manually for their accounts. You can view the current status of Malware Protection for your account through the console or by using the API provided below.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

  3. Choose Auto-enable and review the status of Malware Protection.

  4. You can Enable or Disable Malware Protection for new member accounts.

  5. Choose Update Settings to confirm your selection.

API
Important

By default, Malware Protection is automatically enabled for new detectors.

If you are a GuardDuty administrator enabling GuardDuty for the first time on a new account and don't want Malware Protection enabled by default, you can disable it by passing the optional dataSources object to the CreateDetector API operation. The following example uses the Amazon CLI to create a new GuardDuty detector with Malware Protection disabled.

aws guardduty create-detector --enable --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":false}}}'

Enable Malware Protection for existing accounts in the Organization managed via invitation

The GuardDuty Malware Protection service-linked role (SLR) must exist in each member account. The administrator can't enable the Malware Protection feature in member accounts that are not managed through Amazon Organizations.

The following steps provide a workaround to let you enable Malware Protection for the existing member accounts.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In your administrator account, choose Accounts in the navigation pane.

  3. Choose the member account for which you want to enable Malware Protection, and then choose Actions.

  4. Choose Disassociate member.

  5. In your member account, choose Malware Protection under Settings on the navigation pane.

  6. Choose Enable Malware Protection. GuardDuty will create an SLR for the member account. For more information on SLR, see Service-linked role permissions for GuardDuty Malware Protection.

  7. In your administrator account, choose Accounts under Settings on the navigation pane.

  8. Choose the member account that needs to be added back to the organization.

  9. Choose Actions and then, choose Add member.

API
  1. Use the administrator account to run the DisassociateMembers API on the member accounts for which you want to enable Malware Protection.

  2. Use the member account to invoke UpdateDetector and enable Malware Protection. This creates the SLR in the member account.

    You can find your detectorId for your current Region in the https://console.amazonaws.cn/guardduty/ console from the Settings page, or by using the ListDetectors API.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
  3. Use the administrator account to run the CreateMembers API to add the member back.
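The disassociate, enable, re-add sequence above is easy to leave half-done, which is the worst outcome: a member that is no longer managed by the administrator and still has no Malware Protection. The following Python function is an added example, not code from the GuardDuty documentation; it runs the three API steps in order and verifies each one before proceeding. It takes two clients because step 2 must use the member account's own credentials (boto3 GuardDuty clients, or any objects with the same method names); the email address that CreateMembers requires is a placeholder, and the GetDetector response path used to verify the status is the DataSources result shape as the author understands it.

```python
"""Re-enroll an invitation-managed member with Malware Protection enabled.

Added example for this page, not code from the GuardDuty documentation.
`admin` and `member` are boto3 GuardDuty clients created with the
administrator's and the member's credentials respectively (or any objects
with the same method names). The GetDetector status path read by
malware_protection_status is assumed, and member_email is a placeholder.
"""
from __future__ import annotations

MALWARE_PROTECTION_ON = {
    "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": True}}
}


def _unprocessed(resp: dict) -> dict[str, str]:
    """UnprocessedAccounts as {account_id: Result}; empty means success."""
    return {u["AccountId"]: u.get("Result", "") for u in resp.get("UnprocessedAccounts", [])}


def malware_protection_status(detector: dict) -> str:
    """Read ENABLED/DISABLED out of a GetDetector response (assumed path)."""
    return (detector.get("DataSources", {})
                    .get("MalwareProtection", {})
                    .get("ScanEc2InstanceWithFindings", {})
                    .get("EbsVolumes", {})
                    .get("Status", "UNKNOWN"))


def reenroll_member_with_malware_protection(admin, admin_detector_id: str,
                                            member, member_detector_id: str,
                                            member_account_id: str,
                                            member_email: str) -> list[str]:
    """Run the three steps, verifying each before moving on. Returns the
    list of completed steps; raises RuntimeError on the first failure so a
    member is never left disassociated without the operator knowing."""
    done: list[str] = []

    # 1. Administrator: DisassociateMembers. The member stops following the
    #    administrator's settings and can change its own detector again.
    bad = _unprocessed(admin.disassociate_members(
        DetectorId=admin_detector_id, AccountIds=[member_account_id]))
    if bad:
        raise RuntimeError(f"disassociate failed: {bad}")
    done.append("disassociated")

    # 2. Member (its own credentials): UpdateDetector turns scanning on and
    #    creates the service-linked role. Verify with GetDetector before
    #    handing the account back, rather than assuming the update took.
    member.update_detector(DetectorId=member_detector_id,
                           DataSources=MALWARE_PROTECTION_ON)
    status = malware_protection_status(member.get_detector(DetectorId=member_detector_id))
    if status != "ENABLED":
        raise RuntimeError(
            f"member still reports Malware Protection {status}; not re-adding")
    done.append("member-enabled")

    # 3. Administrator: CreateMembers registers the account again.
    bad = _unprocessed(admin.create_members(
        DetectorId=admin_detector_id,
        AccountDetails=[{"AccountId": member_account_id, "Email": member_email}],
    ))
    if bad:
        raise RuntimeError(f"re-add failed: {bad}")
    done.append("re-added")
    return done
```

After CreateMembers, invitation-managed membership follows the normal flow (InviteMembers from the administrator, AcceptInvitation from the member) before the member again follows the administrator's settings; the function stops at the step the page's procedure ends on.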

GuardDuty Malware Protection finding types

Malware Protection generates the following findings in response to the GuardDuty findings that trigger a scan. These Malware Protection findings can only be generated for accounts that have enabled this feature.