This article explains how to enable Malware Protection for S3 in GuardDuty without enabling the full GuardDuty experience.
Amazon GuardDuty is a threat detection service that continuously monitors your AWS account and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Malware Protection for S3 helps you detect the potential presence of malware by scanning newly uploaded objects in your selected Amazon Simple Storage Service (Amazon S3) bucket. When an S3 object, or a new version of an existing S3 object, is uploaded to the selected bucket, GuardDuty automatically starts a malware scan.
There are two approaches to enabling Malware Protection for Amazon S3:
- As part of the Amazon GuardDuty service: You can use Malware Protection for S3 as part of the overall Amazon GuardDuty experience when you enable the GuardDuty service for your AWS account. In this approach, Malware Protection for S3 is integrated into the GuardDuty service, which provides intelligent threat detection and continuous monitoring for your AWS resources.
- As an independent feature: Alternatively, you can enable Malware Protection for S3 as a standalone feature without enabling the Amazon GuardDuty service. In this case, Malware Protection for S3 operates independently, allowing you to scan and protect your S3 buckets against malware and other malicious objects without the full suite of GuardDuty's threat detection capabilities.
The GuardDuty documentation refers to the second approach as using Malware Protection for S3 as an "independent feature." This option allows you to selectively enable malware scanning for your S3 buckets, without needing to subscribe to the entire GuardDuty service.
Here are the key considerations for using Malware Protection for S3 independently:
- No GuardDuty Detector ID: When enabling Malware Protection for S3 independently, your AWS account will not have an associated GuardDuty Detector ID. As a result, certain GuardDuty features, such as generating security findings, may not be available.
- Malware Scan Results: By default, the malware scan results are published to your default Amazon EventBridge event bus and an Amazon CloudWatch namespace. Additionally, if you enable tagging during the setup, the scanned S3 objects will be tagged with the scan result.
- Limited Integration: Without the GuardDuty service enabled, Malware Protection for S3 operates as a standalone feature, limiting its integration with other GuardDuty capabilities.
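Because the independent feature has no detector and therefore generates no GuardDuty findings, the EventBridge scan-result event is the alerting path. The following is an added example, not code from the original article, showing how a small consumer (for instance a Lambda target of an EventBridge rule) selects those events and turns each one into an actionable summary. The sample events are constructed, and the `source`, `detail-type` and `detail` field names are modelled on the "GuardDuty Malware Protection Object Scan Result" event as I recall it from the AWS documentation; verify them against the current docs before relying on them.

```python
"""Route GuardDuty Malware Protection for S3 scan results from EventBridge.

Added example, not code from the original article. The event shape is an
assumption based on the documented scan-result event; check it against the
current AWS documentation.
"""
import json

SOURCE = "aws.guardduty"
DETAIL_TYPE = "GuardDuty Malware Protection Object Scan Result"


def build_event_pattern(bucket_name: str) -> dict:
    """EventBridge rule pattern that matches scan results for one bucket."""
    return {
        "source": [SOURCE],
        "detail-type": [DETAIL_TYPE],
        "detail": {"s3ObjectDetails": {"bucketName": [bucket_name]}},
    }


def summarize_scan_event(event: dict) -> dict:
    """Reduce a scan-result event to the fields a responder needs.

    scanStatus says whether GuardDuty scanned the object at all (COMPLETED,
    SKIPPED or FAILED); scanResultDetails only carries a verdict for a
    completed scan, so it is treated as optional here.
    """
    if event.get("source") != SOURCE or event.get("detail-type") != DETAIL_TYPE:
        raise ValueError("not a Malware Protection for S3 scan-result event")
    detail = event.get("detail", {})
    obj = detail.get("s3ObjectDetails", {})
    result = detail.get("scanResultDetails") or {}
    verdict = result.get("scanResultStatus")
    threats = [t.get("name", "unknown") for t in result.get("threats") or []]
    return {
        "bucket": obj.get("bucketName"),
        "key": obj.get("objectKey"),
        "version_id": obj.get("versionId"),
        "scan_status": detail.get("scanStatus"),
        "verdict": verdict,
        "threats": threats,
        # Anything not scanned clean (threat, unsupported, skipped, failed)
        # should go to a quarantine or review step rather than be consumed.
        "needs_action": verdict != "NO_THREATS_FOUND",
        "threat_found": verdict == "THREATS_FOUND",
    }


def lambda_handler(event, context=None):
    """Minimal Lambda entry point: log the summary and hand it back."""
    summary = summarize_scan_event(event)
    print(json.dumps(summary))
    return summary


# Constructed sample events: account, ARN, bucket, key and IDs are made up.
THREAT_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": DETAIL_TYPE,
    "source": SOURCE,
    "account": "111122223333",
    "time": "2024-06-11T10:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/EXAMPLE-PLAN-ID"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "example-uploads-bucket",
            "objectKey": "incoming/invoice.pdf",
            "eTag": "EXAMPLE-ETAG",
            "versionId": "EXAMPLE-VERSION-ID",
            "s3Throttled": False,
        },
        "scanResultDetails": {
            "scanResultStatus": "THREATS_FOUND",
            "threats": [{"name": "EICAR-Test-File (not a virus)"}],
        },
    },
}

CLEAN_EVENT = json.loads(json.dumps(THREAT_EVENT))
CLEAN_EVENT["detail"]["s3ObjectDetails"]["objectKey"] = "incoming/report.csv"
CLEAN_EVENT["detail"]["scanResultDetails"] = {"scanResultStatus": "NO_THREATS_FOUND", "threats": []}

SKIPPED_EVENT = json.loads(json.dumps(THREAT_EVENT))
SKIPPED_EVENT["detail"]["scanStatus"] = "SKIPPED"
SKIPPED_EVENT["detail"]["scanResultDetails"] = {"scanResultStatus": "UNSUPPORTED"}

if __name__ == "__main__":
    print(json.dumps(build_event_pattern("example-uploads-bucket"), indent=2))
    for sample in (THREAT_EVENT, CLEAN_EVENT, SKIPPED_EVENT):
        lambda_handler(sample)
```

The summary treats every verdict other than `NO_THREATS_FOUND` as needing action: an unsupported or skipped object was never inspected, so downstream consumers should not treat it as clean just because no threat name was reported.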
Here are the general considerations for enabling Malware Protection for S3, whether used independently or as part of the GuardDuty experience:
- Bucket Ownership: You can only enable Malware Protection for S3 buckets that belong to your own AWS account. As a delegated GuardDuty administrator account, you cannot enable this feature for buckets owned by member accounts.
- Regional Limitation: Malware Protection for S3 can only be enabled for buckets in the AWS Region currently selected in the GuardDuty console. Cross-Region bucket protection is not supported.
- Delegated Administrator Notifications: If you are a delegated GuardDuty administrator account, you will receive Amazon EventBridge notifications whenever there is a change in the Malware Protection plan resource status for any S3 bucket configured for this feature by your organization's member accounts.
How to Enable Malware Protection for S3 independently
- First, search for GuardDuty in the AWS Management Console.
- Select "GuardDuty Malware Protection for S3 Only" and click Get Started.
- Make sure Malware Protection for S3 is selected and click the Enable button.
- Select the bucket you want to enable Malware Protection for, the objects to scan and the tagging option. If you have not created a role yet, select "Create and use new service role". Click Enable.
- You should see a message that Malware Protection for S3 was successfully enabled for the selected bucket.
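The same steps can be scripted. The block below is an added example, not code from the original article: it creates the Malware Protection plan for one bucket with the GuardDuty API via boto3 (`CreateMalwareProtectionPlan`), then polls `GetMalwareProtectionPlan` until the plan is `ACTIVE` or reports an error, which is the API equivalent of the success message in the last step. The bucket name and role ARN are placeholders. Unlike the console's "Create and use new service role" option, the API needs an existing role; the trust policy shown is the service principal as I recall it from the GuardDuty service-role documentation, so verify it against the current page before use.

```python
"""Enable Malware Protection for S3 on one bucket through the GuardDuty API.

Added example, not code from the original article. Bucket name and role ARN
are placeholders; the service principal in the trust policy is an assumption
to verify against the current GuardDuty service-role documentation.
"""
import json
import time

# Trust policy for the role GuardDuty assumes to read and tag objects.
# ASSUMPTION: principal name as documented at the time of writing.
SERVICE_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "malware-protection-plan.guardduty.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def build_plan_request(bucket_name, role_arn, prefixes=(), tagging=True):
    """Parameters for CreateMalwareProtectionPlan, mirroring the console choices:
    which bucket, which objects (all, or only the given prefixes) and tagging."""
    s3 = {"BucketName": bucket_name}
    if prefixes:
        s3["ObjectPrefixes"] = list(prefixes)
    return {
        "Role": role_arn,
        "ProtectedResource": {"S3Bucket": s3},
        "Actions": {"Tagging": {"Status": "ENABLED" if tagging else "DISABLED"}},
    }


def plan_health(plan):
    """Map a GetMalwareProtectionPlan response to (ok, status, reasons).

    Status is ACTIVE, WARNING or ERROR. Anything but ACTIVE means new objects
    are not being scanned as expected, and StatusReasons explains why
    (typically a role permission or bucket configuration problem).
    """
    status = plan.get("Status")
    reasons = [f'{r.get("Code", "")}: {r.get("Message", "")}'
               for r in plan.get("StatusReasons", [])]
    return status == "ACTIVE", status, reasons


def enable_malware_protection(bucket_name, role_arn, prefixes=(), region=None, wait_seconds=120):
    """Create the plan and poll until it is ACTIVE, ERROR, or the wait expires."""
    import boto3  # imported here so the helpers above work without boto3 installed
    gd = boto3.client("guardduty", region_name=region)
    created = gd.create_malware_protection_plan(
        **build_plan_request(bucket_name, role_arn, prefixes))
    plan_id = created["MalwareProtectionPlanId"]
    deadline = time.time() + wait_seconds
    while True:
        plan = gd.get_malware_protection_plan(MalwareProtectionPlanId=plan_id)
        ok, status, reasons = plan_health(plan)
        if ok or status == "ERROR" or time.time() >= deadline:
            return plan_id, status, reasons
        time.sleep(5)


if __name__ == "__main__":
    import sys
    # usage: python enable_s3_malware_protection.py <bucket-name> <role-arn>
    # e.g. example-uploads-bucket arn:aws:iam::111122223333:role/ExampleScanRole (placeholders)
    bucket, role = sys.argv[1], sys.argv[2]
    print("Service role trust policy:", json.dumps(SERVICE_ROLE_TRUST_POLICY, indent=2))
    plan_id, status, reasons = enable_malware_protection(bucket, role)
    print(f"plan {plan_id}: {status}", *reasons, sep="\n  ")
```

Checking the plan status after creation matters: a plan can be created successfully and still sit in `WARNING` or `ERROR` (for example because the role cannot tag objects in the bucket), in which case uploads are silently not scanned even though the console shows the bucket as configured.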
Conclusion:
Malware Protection for S3 is a valuable feature provided by Amazon GuardDuty that helps detect and protect against malware in your Amazon S3 buckets. You have the flexibility to enable this feature either as part of the comprehensive GuardDuty service or as an independent standalone feature.
When using Malware Protection for S3 independently, it's important to consider the limitations, such as the absence of a GuardDuty Detector ID and reduced integration with other GuardDuty capabilities. However, you still benefit from automatic malware scanning of newly uploaded objects and the ability to publish scan results to Amazon EventBridge and Amazon CloudWatch.
Regardless of the approach you choose, there are general considerations to keep in mind. You can only enable Malware Protection for S3 buckets owned by your AWS account and within the same AWS Region. As a delegated GuardDuty administrator, you will receive notifications for any changes in the Malware Protection plan resource status of member accounts' buckets.
By following the step-by-step guide provided, you can easily enable Malware Protection for S3 independently through the AWS Management Console. This allows you to safeguard your S3 buckets against malware and ensure the integrity and security of your stored objects.
Implementing Malware Protection for S3, whether as part of GuardDuty or independently, is a proactive measure to enhance the security posture of your AWS environment and protect your valuable data from malicious threats.