Scanning existing objects with GuardDuty Malware Protection for S3

0

Hello,

We've been exploring GuardDuty Malware Protection for S3. While the scan of newly uploaded objects in S3 buckets works great, we find it somewhat limiting that there is no option for an on-demand scan of existing objects in a bucket. This might be useful for two cases:

  • enrolling pre-existing non-empty buckets into GuardDuty Malware Protection
  • re-scanning objects uploaded in the past for potential newly identified threats

Obviously, there are work-arounds possible, such as using S3 replication or aws s3 sync to a protected bucket. However, I'd just like to ask:

  1. Is there a recommended way to handle pre-existing objects in buckets where malware protection is enabled?
  2. Is it on the roadmap to support on-demand/existing objects scanning?

Thank you very much!

1 Answer
2
Accepted Answer

Hello.

Is there a recommended way to handle pre-existing objects in buckets where malware protection is enabled?

Currently, existing objects cannot be inspected, so the only way is to upload a new version of the object or copy it using the "aws s3 cp" command.(As of September 2024)
https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html

Malware Protection for S3 helps you detect potential presence of malware by scanning newly uploaded objects to your selected Amazon Simple Storage Service (Amazon S3) bucket. When an S3 object or a new version of an existing S3 object gets uploaded to your selected bucket, GuardDuty automatically starts a malware scan.

Is it on the roadmap to support on-demand/existing objects scanning?

Unfortunately, there is currently no announcement from AWS that existing objects will also be subject to inspection.
Also, no announcement has been made regarding the roadmap for feature development.
If your AWS account has an AWS support developer plan or higher contract, I think it would be a good idea to make a feature request.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#choosing-severity

profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed 15 days ago
profile picture
EXPERT
reviewed a month ago
profile picture
EXPERT
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions