Malware Protection in Amazon GuardDuty - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Malware Protection in Amazon GuardDuty

GuardDuty Malware Protection is an enhancement to Amazon GuardDuty. GuardDuty identifies your resources that have already been compromised by malware, or those resources that are at risk. Malware Protection helps GuardDuty detect the malware that may be the source of this compromise.

With Malware Protection enabled, whenever GuardDuty detects suspicious behavior on an Amazon EC2 instance or a container workload, GuardDuty Malware Protection automatically initiates an agentless scan on the Amazon Elastic Block Store (EBS) volumes attached to the impacted EC2 instance or container workload to detect the presence of malware. For more information, see GuardDuty findings that initiate Malware Protection scans. GuardDuty Malware Protection also allows you to select which resources to scan or skip. GuardDuty Malware Protection may not initiate an automatic scan on the resources that you choose to exclude from scanning. If the scan detects malware, you can view the detailed Malware Protection findings about the threat in the GuardDuty console.

Malware Protection is an optional capability, and is designed to not affect the performance of your resources. You can choose to start or stop the Malware Protection feature for any account, in any available Amazon Web Services Region, at any time. By default, an existing GuardDuty customer can enable Malware Protection with a 30-day trial period. For a new GuardDuty account, Malware Protection is already enabled and included in the 30-day trial period. For more information, see Estimating GuardDuty cost.

How Malware Protection works in GuardDuty

GuardDuty Malware Protection scans and detects malware on EBS volumes attached to your potentially compromised Amazon EC2 instances and container workloads. The following image describes how Malware Protection works in GuardDuty.

[Figure: How Malware Protection works in GuardDuty. To initiate automatic scans on your EC2 instances, container workloads, and EBS volumes, enable Malware Protection with a single click. The scan takes place offline with no impact on performance. As with other GuardDuty findings, you can review malware-related findings by integrating with Security Hub, EventBridge, and Detective.]

In response to GuardDuty detecting suspicious and potentially malicious activity indicative of malware, Malware Protection creates snapshots of the relevant EBS volumes attached to the resources where GuardDuty detected such activity, and shares them with the GuardDuty service account. Next, Malware Protection creates encrypted replica EBS volumes from those snapshots, in the service account.

Based on your Scan options, an automatic agentless scan initiates to detect malware. After the scan completes, GuardDuty deletes the encrypted replica EBS volumes and the snapshots of your EBS volumes. If malware is found and you've turned on the Snapshots retention setting, the snapshots of your EBS volumes won't get deleted and are automatically retained in your Amazon account. When no malware is found, the snapshots of your EBS volumes will not be retained, irrespective of the snapshots retention setting. By default, the snapshots retention setting is turned off. For information about the costs of snapshots and their retention, see Amazon EBS pricing.

GuardDuty will retain each replica EBS volume that it scans for up to one day, unless and to the extent that there is a service outage or failure with a replica EBS volume and its malware scan, at which point, GuardDuty will retain such an EBS volume for no more than seven days. The extended volume retention period is to triage and address the outage or failure. GuardDuty Malware Protection will delete the replica EBS volumes after the outage or failure is addressed or once the extended retention period lapses.

Note

For each EC2 instance and container workload for which GuardDuty generates findings, GuardDuty Malware Protection initiates a scan only once every 24 hours.

After the malware scan completes, you can dive deep into understanding the finding details and corresponding CloudWatch log events by accessing the following resources:

Supported volumes in Malware Protection

GuardDuty supports both unencrypted volumes and volumes encrypted with a customer managed key. If your EBS volumes are encrypted with a customer managed key, GuardDuty uses the same key to encrypt the replica EBS volume. For unencrypted EBS volumes, GuardDuty uses its own key to encrypt the replica EBS volume. GuardDuty Malware Protection doesn't scan EBS volumes that are encrypted using Amazon EBS encryption. GuardDuty Malware Protection supports scanning EBS volumes attached to EC2 instances that reside in your Amazon account.

Note

GuardDuty doesn't support ECS Fargate.

GuardDuty service accounts by Amazon Web Services Region

When a snapshot is created and shared with the GuardDuty service account, a new event is recorded in the CloudTrail logs. This event specifies the corresponding snapshotId and userId (the GuardDuty service account for that Amazon Web Services Region). The following example is a snippet from a CloudTrail event showing the requestParameters of the ModifySnapshotAttribute call:

    "requestParameters": {
        "snapshotId": "snap-1234567890abcdef0",
        "createVolumePermission": {
            "add": {
                "items": [
                    {
                        "userId": "111122223333"
                    }
                ]
            }
        },
        "attributeType": "CREATE_VOLUME_PERMISSION"
    }

The userId is the GuardDuty service account and depends on the selected Region. The following table shows the GuardDuty service accounts for each Region:

Amazon Web Services Region          Region code      GuardDuty service account ID (userId)
US East (N. Virginia)               us-east-1        652050842985
US East (Ohio)                      us-east-2        178123968615
US West (N. California)             us-west-1        669213148797
US West (Oregon)                    us-west-2        447226417196
Asia Pacific (Mumbai)               ap-south-1       913179291432
Asia Pacific (Osaka)                ap-northeast-3   089661699081
Asia Pacific (Seoul)                ap-northeast-2   039163547507
Asia Pacific (Tokyo)                ap-northeast-1   874749492622
Asia Pacific (Singapore)            ap-southeast-1   247460962669
Asia Pacific (Sydney)               ap-southeast-2   124839743349
Canada (Central)                    ca-central-1     175877067165
Europe (Frankfurt)                  eu-central-1     002294850712
Europe (Ireland)                    eu-west-1        283769539786
Europe (London)                     eu-west-2        310125036783
Europe (Paris)                      eu-west-3        866607715269
Europe (Stockholm)                  eu-north-1       693780578038
South America (São Paulo)           sa-east-1        546914126324
Europe (Milan) (Opt-in)             eu-south-1       977238331021
Asia Pacific (Hong Kong) (Opt-in)   ap-east-1        249472122084
Middle East (Bahrain) (Opt-in)      me-south-1       404001805210
Africa (Cape Town) (Opt-in)         af-south-1       957664736811
Asia Pacific (Jakarta) (Opt-in)     ap-southeast-3   452118225523
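As an added example (not part of the GuardDuty documentation), the following Python script checks CloudTrail ModifySnapshotAttribute records against the table above: any createVolumePermission grant whose grantee is not the GuardDuty service account for the Region in which the event was logged is flagged as "other", so a snapshot share that did not come from Malware Protection stands out. The sample records are constructed; the handling of a group=all item (a public share) and the verdict labels are this example's own assumptions.

```python
# Region code -> GuardDuty service account ID (userId), copied from the table above.
GUARDDUTY_SERVICE_ACCOUNTS = {
    "us-east-1": "652050842985", "us-east-2": "178123968615",
    "us-west-1": "669213148797", "us-west-2": "447226417196",
    "ap-south-1": "913179291432", "ap-northeast-3": "089661699081",
    "ap-northeast-2": "039163547507", "ap-northeast-1": "874749492622",
    "ap-southeast-1": "247460962669", "ap-southeast-2": "124839743349",
    "ca-central-1": "175877067165", "eu-central-1": "002294850712",
    "eu-west-1": "283769539786", "eu-west-2": "310125036783",
    "eu-west-3": "866607715269", "eu-north-1": "693780578038",
    "sa-east-1": "546914126324", "eu-south-1": "977238331021",
    "ap-east-1": "249472122084", "me-south-1": "404001805210",
    "af-south-1": "957664736811", "ap-southeast-3": "452118225523",
}

# Constructed sample CloudTrail records (not real log data): a GuardDuty share in
# us-east-1, a share to an unrelated account in eu-west-1, and an event to ignore.
SAMPLE_RECORDS = [
    {"eventName": "ModifySnapshotAttribute", "awsRegion": "us-east-1",
     "requestParameters": {"snapshotId": "snap-1234567890abcdef0",
                           "createVolumePermission": {"add": {"items": [{"userId": "652050842985"}]}},
                           "attributeType": "CREATE_VOLUME_PERMISSION"}},
    {"eventName": "ModifySnapshotAttribute", "awsRegion": "eu-west-1",
     "requestParameters": {"snapshotId": "snap-0fedcba0987654321",
                           "createVolumePermission": {"add": {"items": [{"userId": "111122223333"}]}},
                           "attributeType": "CREATE_VOLUME_PERMISSION"}},
    {"eventName": "DescribeSnapshots", "awsRegion": "us-east-1", "requestParameters": {}},
]

def snapshot_share_grants(record):
    # Yield (snapshotId, grantee) for each createVolumePermission grant that a
    # ModifySnapshotAttribute event adds; any other event yields nothing. The grantee
    # is the userId string, or "all" when the item uses the group form (public share).
    if record.get("eventName") != "ModifySnapshotAttribute":
        return
    params = record.get("requestParameters") or {}
    if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
        return
    items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    for item in items:
        yield params.get("snapshotId"), item.get("userId") or item.get("group")

def classify_shares(records):
    # Label each grant: "guardduty" when the grantee is the GuardDuty service account
    # for the record's own Region, "public" for a group=all grant, otherwise "other".
    findings = []
    for rec in records:
        region = rec.get("awsRegion")
        expected = GUARDDUTY_SERVICE_ACCOUNTS.get(region)
        for snap, grantee in snapshot_share_grants(rec):
            if grantee == expected:
                verdict = "guardduty"
            else:
                verdict = "public" if grantee == "all" else "other"
            findings.append({"region": region, "snapshotId": snap,
                             "grantee": grantee, "verdict": verdict})
    return findings

if __name__ == "__main__":
    print(classify_shares(SAMPLE_RECORDS))
```

Because the lookup is keyed on the record's awsRegion, a grant to a GuardDuty account ID from a different Region is also reported as "other".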

Configuring GuardDuty Malware Protection for a standalone account

For accounts associated with Amazon Organizations, you can automate this process through console settings, as described in the next section.

Accounts that were using GuardDuty before the addition of Malware Protection can enable this feature by configuring GuardDuty through the console.

To enable or disable Malware Protection

Choose your access method below for instructions on enabling and disabling Malware Protection for a standalone account.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Malware Protection.

  3. The Malware Protection pane lists the current status of Malware Protection for your account. You may enable or disable it at any time by selecting Enable or Disable respectively, then confirming your selection.

API
  • Run the updateDetector API operation using your own regional detector ID and passing the dataSources object with EbsVolumes set to true or false.

    You can also enable or disable Malware Protection using Amazon command line tools by running the following Amazon CLI command. Make sure to use your own valid detector ID.

    Note

    The following example code enables Malware Protection. To disable it, replace true with false.

    You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'

Configuring GuardDuty Malware Protection in multiple-account environments

In a multi-account environment, only GuardDuty administrator accounts can configure Malware Protection. GuardDuty administrator accounts can enable or disable the use of Malware Protection for their member accounts. Once the administrator configures GuardDuty Malware Protection for a member account, the member account will follow the administrator account settings and be unable to modify these settings through the console. GuardDuty administrator accounts that manage their member accounts with Amazon Organizations support can choose to have Malware Protection enabled automatically on all the existing and new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.

Establishing trusted access to enable Malware Protection

If the GuardDuty delegated administrator is not the same as the management account in your organization, the management account must enable the Malware Protection feature for the organization. This way, the delegated administrator can create the Service-linked role permissions for GuardDuty Malware Protection in member accounts that are managed through Amazon Organizations.

Note

Before you designate a GuardDuty delegated administrator, see Important considerations for GuardDuty delegated administrators.

Choose one of the following access methods to allow the GuardDuty delegated administrator to enable Malware Protection for member accounts.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    To log in, use the management account for your Amazon Organizations organization.

  2. In the navigation pane, choose Settings.

    1. If you have not designated a delegated administrator, then:

      On the Settings page, under Delegated Administrator, enter the 12-digit account ID that you want to designate to administer the GuardDuty policy in your organization. Choose Delegate.

    2. If you've already designated a delegated administrator that is different from the management account, then:

      On the Settings page, under Delegated Administrator, turn on the Permissions setting. This action will allow the delegated administrator to attach relevant permissions to the member accounts and enable Malware Protection in these member accounts.

    3. If you've already designated a delegated administrator that is the same as the management account, then you can directly enable Malware Protection for the member accounts. For more information, see Automatically enabling Malware Protection for all organization member accounts.

    Tip

    If the delegated administrator is different from your management account, you must provide permissions to the delegated administrator to allow enabling Malware Protection for member accounts.

  3. If you want to allow the delegated administrator to enable Malware Protection for member accounts in other Regions, change your Amazon Region, and repeat the steps above.

API
  1. Using your management account credentials, run the following command:

    aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com
  2. Optional: To enable Malware Protection for a management account that is not the delegated administrator, first create the Service-linked role permissions for GuardDuty Malware Protection explicitly in the management account, and then enable Malware Protection from the delegated administrator, as for any other member account.

    aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com
  3. You have designated the delegated administrator in the currently selected Amazon Region. If you have designated an account as a delegated administrator in one Region, that account must be your delegated administrator in all other Regions. Repeat the step above for all other Regions.

Automatically enabling Malware Protection for all organization member accounts

Note

This functionality is only available to a GuardDuty administrator who manages members through Amazon Organizations.

You can enable GuardDuty Malware Protection for all member accounts in an organization.

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Malware Protection.

  3. GuardDuty Malware Protection lists the current status of GuardDuty Malware Protection for the administrator account and the member accounts.

  4. Choose Enable to start the Malware Protection service on the administrator account.

  5. Choose Enable all to enable Malware Protection on all member accounts with a single click, and confirm your selection. The console will then display the number of member accounts that were enabled successfully.

    Once enabled, you can manage member accounts from Accounts in the left navigation pane.

Note

This action also enables the Auto-enable feature to automatically enable GuardDuty Malware Protection for future member accounts within your organization.

Selectively enable or disable GuardDuty Malware Protection for member accounts

Note

This functionality is only available to a GuardDuty administrator who manages members through Amazon Organizations.

Choose your access method below for instructions on selectively enabling and disabling Malware Protection for member accounts.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

    Note

    From the Accounts table, review the Malware Protection column. A green checkmark icon indicates that Malware Protection is enabled, and a blue dash icon indicates that it is disabled. If this column is blank, the account is not eligible for Malware Protection. You can also filter by Enabled or Disabled.

  3. Choose the account for which you want to configure Malware Protection. From the Actions menu, choose Enable Malware Protection or Disable Malware Protection, then confirm your selection to change the settings for the selected account. The table will update automatically to show your changes.

API

To selectively enable or disable GuardDuty Malware Protection for your member accounts, run the updateMemberDetectors API operation using your own detector ID. The following example shows how you can enable Malware Protection for a single member account. To disable it, replace true with false.

You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'

Note

You can also pass a list of account IDs separated by a space.

When the command succeeds, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Configuring Malware Protection for newly added accounts in the Organization

The newly added member accounts must Enable GuardDuty before selecting Enable or Disable Malware Protection. For more information, see Step 3 - Accept an invitation.

The member accounts managed by invitation can configure GuardDuty Malware Protection manually for their accounts. Choose your access method below for instructions on how to view the current status of Malware Protection for your account.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

  3. Choose Auto-enable and review the status of Malware Protection.

  4. You can Enable or Disable Malware Protection for new member accounts.

  5. Choose Update Settings to confirm your selection.

API
Important

By default, Malware Protection is automatically enabled for new detectors.

If you are a GuardDuty administrator enabling GuardDuty for the first time on a new account, and don't want Malware Protection enabled by default, you can disable it by calling the createDetector API operation with the optional dataSources object. The following example uses the Amazon CLI to create a new GuardDuty detector with Malware Protection disabled.

aws guardduty create-detector --enable --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":false}}}'

Enable Malware Protection for existing accounts in the Organization managed via invitation

The GuardDuty Malware Protection service-linked role (SLR) must be created in member accounts. The administrator can't enable the Malware Protection feature in member accounts that are not managed by Amazon Organizations.

Presently, you can perform the following steps through the GuardDuty console at https://console.amazonaws.cn/guardduty/ to enable Malware Protection for the existing member accounts.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In your administrator account, choose Accounts in the navigation pane.

  3. Choose the member account for which you want to enable Malware Protection, and then choose Actions.

  4. Choose Disassociate member.

  5. In your member account, choose Malware Protection under Settings on the navigation pane.

  6. Choose Enable Malware Protection. GuardDuty will create an SLR for the member account. For more information on SLR, see Service-linked role permissions for GuardDuty Malware Protection.

  7. In your administrator account, choose Accounts under Settings on the navigation pane.

  8. Choose the member account that needs to be added back to the organization.

  9. Choose Actions, and then choose Add member.

API
  1. Use the administrator account to run the DisassociateMembers API on the member accounts for which you want to enable Malware Protection.

  2. Use your member account to invoke UpdateDetector to enable Malware Protection.

    You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
  3. Use the administrator account to run the CreateMembers API to add the member back to the organization.

GuardDuty Malware Protection finding types

Malware Protection generates the following findings in response to the findings that GuardDuty detects. These Malware Protection findings can only be generated for those accounts that have enabled this feature.