GuardDuty Malware Protection for Amazon Backup - Amazon GuardDuty

GuardDuty Malware Protection for Amazon Backup

Overview

Malware Protection for Backup helps you detect the potential presence of malware in your backup data by scanning Amazon Backup–protected resources such as Amazon EBS snapshots, Amazon EC2 AMIs, and Amazon S3 Recovery Points. When Amazon Backup creates or updates a protected backup resource, GuardDuty can perform a malware scan on that backup to help identify potentially malicious content before it is restored into your environment.

How you can use Malware Protection for Backup

You can use this feature in two modes, depending on whether GuardDuty is enabled in your account:

  1. Using Malware Protection for Backup with GuardDuty enabled

    When GuardDuty is enabled in a Region, Amazon Backup integrates Malware Protection with the GuardDuty findings workflow. Malware scan results appear in GuardDuty findings in addition to Amazon EventBridge and Amazon CloudWatch.

  2. Using Malware Protection for Backup without enabling GuardDuty

    You can use Malware Protection for Backup independently, without enabling the full GuardDuty service. In this mode, scan results remain fully available through EventBridge and CloudWatch.

Considerations for using Malware Protection for Backup independently

When using the feature without enabling GuardDuty:

  • Backup plan configuration is managed entirely in Amazon Backup.

    GuardDuty does not provide controls for selecting backup plans, vaults, or resource types. All enablement, scheduling, and policy configuration remain in Amazon Backup.

  • GuardDuty findings are not generated.

    Findings require a detector ID, which is created only when GuardDuty is enabled. When using Malware Protection independently, scan results are surfaced exclusively through EventBridge events and CloudWatch metrics.

  • You can still initiate on-demand scans from the GuardDuty console.

    Even when GuardDuty is not enabled, the GuardDuty console provides a workflow to start an on-demand malware scan for supported backup resource types. This allows customers to use a familiar GuardDuty interface without requiring the full GuardDuty service.

  • Non-GuardDuty customers can access scan initiation workflows.

    The on-demand scan entry points are available to all customers using Malware Protection for Backup, regardless of whether a GuardDuty detector exists in the account.

  • Scan behavior and coverage remain identical.

    Whether GuardDuty is enabled or not, the feature scans the same Amazon Backup resource types with the same malware detection engine. The only difference is where results are published.

This model allows customers to adopt malware scanning for backups without requiring GuardDuty’s broader threat-detection features, while still providing an optional GuardDuty-based workflow for initiating and viewing scan operations.

How Malware Protection for Backup works

Malware Protection for Backup can scan the following Amazon Backup–protected resources:

  • Amazon EBS snapshots
  • Amazon EC2 AMIs created using Amazon Backup
  • Amazon S3 Recovery Points
  • Locked (immutable) vaults (EBS/EC2 Recovery Points) using Amazon Backup Vault Lock in supported Regions

Incremental scanning

Amazon Backup captures incremental changes for many resource types. GuardDuty can scan only the new or changed blocks or objects when a backup is created or updated, improving performance and reducing scanning overhead while achieving full coverage over time.

On-demand scanning

You can initiate a scan on any supported backup resource at any time—directly from either Amazon Backup or the GuardDuty console. Common use cases include verifying a backup before restore, rechecking older data after new threat signatures are published, or performing periodic compliance scans.

Note
  • Malware Protection for Backup can be enabled only for backup resources in the same Region.
  • GuardDuty scans a read-only copy of the backup; it does not modify backup content.
  • Scanning works for both standard vaults and locked (immutable) vaults.