Malware Protection in Amazon GuardDuty
GuardDuty Malware Protection is an enhancement to Amazon GuardDuty. GuardDuty identifies your resources that have already been compromised by malware, or those resources that are at risk. Malware Protection supports GuardDuty to detect the malware that may be the source of this compromise.
With Malware Protection enabled, whenever GuardDuty detects suspicious behavior on an Amazon EC2 instance or a container workload, GuardDuty Malware Protection automatically initiates an agentless scan of the Amazon Elastic Block Store (EBS) volumes attached to the affected EC2 instance or container workload to detect the presence of malware. For more information, see GuardDuty findings that initiate Malware Protection scans. GuardDuty Malware Protection also lets you select which resources to scan or skip; it does not initiate an automatic scan on resources that you exclude from scanning. If the scan detects malware, you can view the detailed Malware Protection findings about the threat in the GuardDuty console.
Malware Protection is an optional capability, and is designed to not affect the performance of your resources. You can choose to start or stop the Malware Protection feature for any account or available Amazon Web Services Regions, at any time. By default, an existing GuardDuty customer can enable Malware Protection with a 30-day trial period. For a new GuardDuty account, Malware Protection is already enabled and included in the 30-day trial period. For more information, see Estimating GuardDuty cost.
How Malware Protection works in GuardDuty
GuardDuty Malware Protection scans and detects malware on EBS volumes attached to your potentially compromised Amazon EC2 instances and container workloads. The following image describes how Malware Protection works in GuardDuty.

In response to GuardDuty detecting suspicious and potentially malicious activity indicative of malware, Malware Protection creates snapshots of the relevant EBS volumes attached to the resources where GuardDuty detected such activity, and shares them with the GuardDuty service account. Next, Malware Protection creates encrypted replica EBS volumes from those snapshots, in the service account.
Based on your Scan options, an automatic agentless scan initiates to detect malware. After the scan completes, GuardDuty deletes the encrypted replica EBS volumes and the snapshots of your EBS volumes. If malware is found and you've turned on the Snapshots retention setting, the snapshots of your EBS volumes won't get deleted and are automatically retained in your Amazon account. When no malware is found, the snapshots of your EBS volumes will not be retained, irrespective of the snapshots retention setting. By default, the snapshots retention setting is turned off. For information about the costs of snapshots and their retention, see Amazon EBS pricing.
GuardDuty retains each replica EBS volume that it scans for up to one day. If there is a service outage or a failure with a replica EBS volume or its malware scan, GuardDuty retains that replica volume for no more than seven days; the extended retention period exists to triage and address the outage or failure. GuardDuty Malware Protection deletes the replica EBS volumes once the outage or failure is addressed or once the extended retention period lapses, whichever comes first.
For each EC2 instance and container workload for which GuardDuty generates findings, GuardDuty Malware Protection initiates a scan only once every 24 hours.
After the malware scan completes, you can dive deep into the finding details and the corresponding CloudWatch log events by accessing the following resources:
- In the event of malware detection, GuardDuty generates new Malware Protection finding types with details about the impacted resource and the malware. For more information, see Finding details.
- To understand the Malware Protection scan statuses, see Monitoring malware scan statuses and results.
- GuardDuty publishes each event to your Amazon CloudWatch log group. These are the events that get generated during a malware scan. GuardDuty Malware Protection may skip some of the resources if you have customized Scan options. For more information about log events, see Understanding CloudWatch Logs and reasons for skipping resources.
Supported volumes in Malware Protection
GuardDuty supports volumes that are unencrypted and volumes that are encrypted with a customer managed key. If your EBS volumes are encrypted with a customer managed key, GuardDuty uses the same key to encrypt the replica EBS volume. For unencrypted EBS volumes, GuardDuty uses its own key to encrypt the replica EBS volume. GuardDuty Malware Protection doesn't scan EBS volumes that are encrypted with the Amazon managed key for EBS (the default Amazon EBS encryption key). GuardDuty Malware Protection supports scanning EBS volumes attached to EC2 instances that reside in your Amazon account.
GuardDuty Malware Protection doesn't support Amazon ECS on Fargate.
GuardDuty service accounts by Amazon Web Services Region
When a snapshot is created and shared with the GuardDuty service account, a new event is recorded in the CloudTrail logs. This event specifies the corresponding snapshotId and the userId (the GuardDuty service account for that Amazon Web Services Region). The following example is the requestParameters snippet from a CloudTrail event for the ModifySnapshotAttribute call:
    "requestParameters": {
        "snapshotId": "snap-1234567890abcdef0",
        "createVolumePermission": {
            "add": {
                "items": [
                    {
                        "userId": "111122223333"
                    }
                ]
            }
        },
        "attributeType": "CREATE_VOLUME_PERMISSION"
    }
The userId is the GuardDuty service account and depends on the selected Region. The following table shows the GuardDuty service accounts for each Region:
Amazon Web Services Region | Region code | GuardDuty service account ID (userId) |
---|---|---|
US East (N. Virginia) | us-east-1 | 652050842985 |
US East (Ohio) | us-east-2 | 178123968615 |
US West (N. California) | us-west-1 | 669213148797 |
US West (Oregon) | us-west-2 | 447226417196 |
Asia Pacific (Mumbai) | ap-south-1 | 913179291432 |
Asia Pacific (Osaka) | ap-northeast-3 | 089661699081 |
Asia Pacific (Seoul) | ap-northeast-2 | 039163547507 |
Asia Pacific (Tokyo) | ap-northeast-1 | 874749492622 |
Asia Pacific (Singapore) | ap-southeast-1 | 247460962669 |
Asia Pacific (Sydney) | ap-southeast-2 | 124839743349 |
Canada (Central) | ca-central-1 | 175877067165 |
Europe (Frankfurt) | eu-central-1 | 002294850712 |
Europe (Ireland) | eu-west-1 | 283769539786 |
Europe (London) | eu-west-2 | 310125036783 |
Europe (Paris) | eu-west-3 | 866607715269 |
Europe (Stockholm) | eu-north-1 | 693780578038 |
South America (São Paulo) | sa-east-1 | 546914126324 |
Europe (Milan) (Opt-in) | eu-south-1 | 977238331021 |
Asia Pacific (Hong Kong) (Opt-in) | ap-east-1 | 249472122084 |
Middle East (Bahrain) (Opt-in) | me-south-1 | 404001805210 |
Africa (Cape Town) (Opt-in) | af-south-1 | 957664736811 |
Asia Pacific (Jakarta) (Opt-in) | ap-southeast-3 | 452118225523 |
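The table above is also useful for detection: the only snapshot share that GuardDuty Malware Protection ever makes from your account goes to the service account for the event's Region, so any other CreateVolumePermission grant seen in CloudTrail deserves attention. The following is an added example, not code from the GuardDuty documentation. It checks ModifySnapshotAttribute events against the table, treats a share to the matching GuardDuty account as expected, and reports shares to other accounts, shares to the public "all" group, and shares in a Region the table does not cover. The CloudTrail records at the bottom are constructed for the example.

```python
"""Flag EBS snapshot shares that do not go to the GuardDuty service account.

Added example; not code from the GuardDuty documentation. A share to the
GuardDuty service account for the event's Region is the documented Malware
Protection behaviour; anything else is reported. Sample events are constructed.
"""

# GuardDuty service account IDs by Region, copied from the table above.
GUARDDUTY_SERVICE_ACCOUNTS = {
    "us-east-1": "652050842985", "us-east-2": "178123968615",
    "us-west-1": "669213148797", "us-west-2": "447226417196",
    "ap-south-1": "913179291432", "ap-northeast-3": "089661699081",
    "ap-northeast-2": "039163547507", "ap-northeast-1": "874749492622",
    "ap-southeast-1": "247460962669", "ap-southeast-2": "124839743349",
    "ca-central-1": "175877067165", "eu-central-1": "002294850712",
    "eu-west-1": "283769539786", "eu-west-2": "310125036783",
    "eu-west-3": "866607715269", "eu-north-1": "693780578038",
    "sa-east-1": "546914126324", "eu-south-1": "977238331021",
    "ap-east-1": "249472122084", "me-south-1": "404001805210",
    "af-south-1": "957664736811", "ap-southeast-3": "452118225523",
}


def added_volume_permissions(event):
    """Return (user_ids, groups) granted by one ModifySnapshotAttribute event.

    Only 'add' grants on CREATE_VOLUME_PERMISSION give anyone new access to
    the snapshot data; removals and other attribute types are ignored.
    """
    params = event.get("requestParameters") or {}
    if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
        return [], []
    add = (params.get("createVolumePermission") or {}).get("add") or {}
    items = add.get("items") or []
    user_ids = [item["userId"] for item in items if "userId" in item]
    groups = [item["group"] for item in items if "group" in item]
    return user_ids, groups


def classify_event(event):
    """Return a list of alert dicts for one CloudTrail record (empty when benign)."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    region = event.get("awsRegion", "")
    snapshot_id = (event.get("requestParameters") or {}).get("snapshotId")
    expected = GUARDDUTY_SERVICE_ACCOUNTS.get(region)
    user_ids, groups = added_volume_permissions(event)

    alerts = []
    for group in groups:  # group "all" makes the snapshot public
        alerts.append({"snapshotId": snapshot_id, "region": region,
                       "sharedWith": f"group:{group}", "severity": "HIGH",
                       "reason": "snapshot made public"})
    for user_id in user_ids:
        if expected is not None and user_id == expected:
            continue  # the documented GuardDuty Malware Protection share
        reason = ("no GuardDuty service account known for this Region"
                  if expected is None else "shared with a non-GuardDuty account")
        alerts.append({"snapshotId": snapshot_id, "region": region,
                       "sharedWith": user_id, "severity": "MEDIUM", "reason": reason})
    return alerts


def scan_trail(events):
    """Run classify_event over an iterable of CloudTrail records."""
    return [alert for event in events for alert in classify_event(event)]


def _share_event(region, snapshot_id, items):
    """Build a minimal constructed CloudTrail record (not a real capture)."""
    return {
        "eventName": "ModifySnapshotAttribute",
        "awsRegion": region,
        "requestParameters": {
            "snapshotId": snapshot_id,
            "createVolumePermission": {"add": {"items": items}},
            "attributeType": "CREATE_VOLUME_PERMISSION",
        },
    }


# Constructed sample: an expected GuardDuty share, a share to a foreign account,
# a public share, and a share in a Region that the table does not list.
SAMPLE_EVENTS = [
    _share_event("us-east-1", "snap-1234567890abcdef0", [{"userId": "652050842985"}]),
    _share_event("eu-west-1", "snap-0fedcba0987654321", [{"userId": "123456789012"}]),
    _share_event("ap-southeast-1", "snap-0a1b2c3d4e5f67890", [{"group": "all"}]),
    _share_event("cn-north-1", "snap-00000000000000001", [{"userId": "652050842985"}]),
]

if __name__ == "__main__":
    for alert in scan_trail(SAMPLE_EVENTS):
        print(alert)
```

Feed it the `Records` array of a CloudTrail log file, or the `detail` field of CloudTrail events delivered through EventBridge, and route the HIGH alerts to your alerting path. Do not treat the GuardDuty account ID as a wildcard either: a share to the GuardDuty account of a different Region than the snapshot's own Region is still reported, because the lookup is keyed on the event's awsRegion.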
Configuring GuardDuty Malware Protection for a standalone account
For accounts associated with Amazon Organizations, you can automate this process through console settings, as described in the next section.
Accounts that were using GuardDuty before the addition of Malware Protection can enable this feature by configuring GuardDuty through the console.
To enable or disable Malware Protection
Choose your access method below for instructions on enabling and disabling Malware Protection for a standalone account.
Configuring GuardDuty Malware Protection in multiple-account environments
In a multi-account environment, only GuardDuty administrator accounts can configure Malware Protection. GuardDuty administrator accounts can enable or disable the use of Malware Protection for their member accounts. Once the administrator configures GuardDuty Malware Protection for a member account, the member account will follow the administrator account settings and be unable to modify these settings through the console. GuardDuty administrator accounts that manage their member accounts with Amazon Organizations support can choose to have Malware Protection enabled automatically on all the existing and new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.
Establishing trusted access to enable Malware Protection
If the GuardDuty delegated administrator is not the same as the management account in your organization, the management account must enable the Malware Protection feature (trusted access) for the organization. Only then can the delegated administrator create the service-linked role permissions for GuardDuty Malware Protection in member accounts that are managed through Amazon Organizations.
Before you designate a GuardDuty delegated administrator, see Important considerations for GuardDuty delegated administrators.
Choose one of the following access methods to allow the GuardDuty delegated administrator to enable Malware Protection for member accounts.
Automatically enabling Malware Protection for all organization member accounts
This functionality is only available to a GuardDuty administrator who manages members through Amazon Organizations.
You can enable GuardDuty Malware Protection for all member accounts in an organization.
- Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
- In the navigation pane, under Settings, choose Malware Protection.
- GuardDuty Malware Protection lists the current status of GuardDuty Malware Protection for the administrator account and the member accounts.
- Choose Enable to start the Malware Protection service on the administrator account.
- Choose Enable all to enable Malware Protection on all member accounts with a single click, and confirm your selection. The console then displays the number of member accounts that were enabled successfully.
Once enabled, you can manage member accounts from Accounts in the left navigation pane.
This action also turns on the Auto-enable setting, which automatically enables GuardDuty Malware Protection for future member accounts within your organization.
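The same rollout can be scripted from the delegated administrator account. The block below is an added example, not code from the GuardDuty documentation. It performs the steps of the console procedure above in order (enable on the administrator detector, auto-enable for future members, enable for existing members in batches, turn on snapshot retention for findings) and then reads each member's status back so that accounts that did not take the setting, for example members that have not yet enabled GuardDuty, are reported rather than silently skipped. It uses the DataSources form of the GuardDuty API, which matches this page's vocabulary; newer SDK versions also expose the same setting as Features with Name EBS_MALWARE_PROTECTION. The detector ID and account IDs are placeholders, the 50-accounts-per-call batch size is an assumption, and RecordingClient is a constructed stand-in for the boto3 client so the module runs offline.

```python
"""Enable GuardDuty Malware Protection organization-wide and verify members.

Added example; not code from the GuardDuty documentation. Placeholders: detector
ID, account IDs. RecordingClient is a constructed stand-in for boto3's
guardduty client; in real use pass boto3.client("guardduty") instead.
"""

MALWARE_PROTECTION_ON = {
    "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": True}}
}
MALWARE_PROTECTION_AUTO_ENABLE = {
    "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": {"AutoEnable": True}}}
}
BATCH = 50  # assumption: member calls accept at most 50 account IDs each


def _ebs_status(member):
    """Extract the EBS scanning status from one MemberDataSourceConfigurations entry."""
    return (member.get("DataSources", {})
                  .get("MalwareProtection", {})
                  .get("ScanEc2InstanceWithFindings", {})
                  .get("EbsVolumes", {})
                  .get("Status"))


def members_missing_malware_protection(response):
    """Return account IDs that are not ENABLED in a GetMemberDetectors response.

    Unprocessed accounts (members without GuardDuty, or where the service-linked
    role could not be created) are reported as well, since they were not enabled.
    """
    missing = [m["AccountId"] for m in response.get("MemberDataSourceConfigurations", [])
               if _ebs_status(m) != "ENABLED"]
    missing += [u["AccountId"] for u in response.get("UnprocessedAccounts", [])]
    return sorted(set(missing))


def enable_org_wide(client, detector_id, member_ids):
    """Enable Malware Protection for the admin and members; return members still not enabled."""
    # 1. the administrator account's own detector
    client.update_detector(DetectorId=detector_id, DataSources=MALWARE_PROTECTION_ON)
    # 2. future organization members (Auto-enable)
    client.update_organization_configuration(
        DetectorId=detector_id, AutoEnable=True, DataSources=MALWARE_PROTECTION_AUTO_ENABLE)
    # 3. existing members, in batches
    for i in range(0, len(member_ids), BATCH):
        client.update_member_detectors(
            DetectorId=detector_id, AccountIds=member_ids[i:i + BATCH],
            DataSources=MALWARE_PROTECTION_ON)
    # 4. keep snapshots only when malware is found (the default is NO_RETENTION)
    client.update_malware_scan_settings(
        DetectorId=detector_id, EbsSnapshotPreservation="RETENTION_WITH_FINDING")
    # 5. verify by reading each member's data-source status back
    missing = []
    for i in range(0, len(member_ids), BATCH):
        resp = client.get_member_detectors(
            DetectorId=detector_id, AccountIds=member_ids[i:i + BATCH])
        missing += members_missing_malware_protection(resp)
    return missing


class RecordingClient:
    """Constructed stand-in for the boto3 GuardDuty client: records calls, returns canned data."""

    def __init__(self, enabled_accounts, unprocessed=()):
        self.calls = []
        self.enabled = set(enabled_accounts)
        self.unprocessed = set(unprocessed)

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name != "get_member_detectors":
                return {"UnprocessedAccounts": []}
            ids = kwargs["AccountIds"]
            return {
                "MemberDataSourceConfigurations": [
                    {"AccountId": a, "DataSources": {"MalwareProtection": {
                        "ScanEc2InstanceWithFindings": {"EbsVolumes": {
                            "Status": "ENABLED" if a in self.enabled else "DISABLED"}}}}}
                    for a in ids if a not in self.unprocessed],
                "UnprocessedAccounts": [
                    {"AccountId": a, "Result": "constructed: member has not enabled GuardDuty"}
                    for a in ids if a in self.unprocessed],
            }
        return call


if __name__ == "__main__":
    # Real use: client = boto3.client("guardduty", region_name="eu-west-1")
    client = RecordingClient(enabled_accounts={"111122223333"}, unprocessed={"555555555555"})
    still_missing = enable_org_wide(
        client, "12abc34d567e8fa901bc2d34e56789f0",
        ["111122223333", "444455556666", "555555555555"])
    print("members without Malware Protection:", still_missing)
```

Run it once per Region in which GuardDuty is enabled, since detectors and their settings are Regional. Any account it returns needs follow-up: a member that has not enabled GuardDuty cannot take the setting (see the note on newly added accounts below), and a member managed by invitation rather than Amazon Organizations must enable Malware Protection itself.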
Selectively enable or disable GuardDuty Malware Protection for member accounts
This functionality is only available to a GuardDuty administrator who manages members through Amazon Organizations.
Choose your access method below for instructions on selectively enabling and disabling Malware Protection for member accounts.
Configuring Malware Protection for newly added accounts in the Organization
Newly added member accounts must have GuardDuty enabled before Malware Protection can be enabled or disabled for them. For more information, see Step 3 - Accept an invitation.
The member accounts managed by invitation can configure GuardDuty Malware Protection manually for their accounts. Choose your access method below for instructions on how to view the current status of Malware Protection for your account.
Enable Malware Protection for existing accounts in the Organization managed via invitation
The GuardDuty Malware Protection service-linked role (SLR) must be created in member accounts. The administrator can't enable the Malware Protection feature in member accounts that are not managed by Amazon Organizations.
Presently, you can perform the following steps through the GuardDuty console at https://console.amazonaws.cn/guardduty/.
GuardDuty Malware Protection finding types
Malware Protection generates the following findings in response to the findings that GuardDuty detects. These Malware Protection findings can only be generated for those accounts that have enabled this feature.