- Newest
- Most votes
- Most comments
Check these 3 specific "Silent Drop" scenarios:
-
EventBridge Suffix/Prefix Filtering: Check your AWS::GuardDuty::MalwareProtectionPlan resource for a S3ObjectKeyFilter. If your manual smoke test path (test/smoke...) doesn't strictly match the prefix/suffix defined in the plan, EventBridge triggers, but GuardDuty silently drops the event before the scan logic starts.
-
Storage Class & Object Size: Ensure your test objects are S3 Standard or Standard-IA. Objects moved to Glacier or Deep Archive (even via Lifecycle) or objects that are 0 Bytes are ignored by the engine and often don't even register as SkippedScanCount.
-
Delegated Admin (DA) Conflict: Even with "FullAWSAccess", check if the Delegated Admin account (111111111111) has a conflicting "Auto-enable" setting for Malware Protection. If the DA settings were updated around April 26, it can override local standalone plans in member accounts, causing a silent execution failure.
Diagnostic Tip: Since your metrics are dead zero (not even Skipped), the issue lies in the routing layer. If points 1 & 2 are verified, this is likely a backend synchronization issue between the GuardDuty Org-Configuration and your standalone CloudFormation plans - only AWS Support can reset that internal state.
Got an update from the GuardDuty service team - they've identified the root cause, and the good news is it's something we can fix on our side. Going to run with this and will let the thread know. Shout out to Said Gomez, our account exec for getting visibility for us. We have decided to sign up for official support.
Root Cause: Invalid prefix configuration
The protection plans on both accounts have prefixes configured using wildcard patterns:
//uploads/ //attachments/ //tool-results/ //analysis/ The issue is that S3 Malware Protection does not support regex or wildcard-based prefix matching — it only accepts literal prefix strings. Because the configured prefixes are invalid, the scan engine never matches any uploaded objects, which is why all scan metrics show zero.
Why it appeared to work before April 26:
The service team clarified that this isn't a "zombie plan" or backend sync issue. It's likely that objects uploaded before April 26 happened to land in paths that coincidentally matched, or the prefix configuration was different at that time.
Fix:
Update your MalwareProtectionPlan prefix configurations to use literal path strings instead of wildcards. For example, if your bucket structure is:
s3://trblsm-agent-workspace-dev/workspace1/project1/uploads/
You'd configure the prefix as: workspace1/project1/uploads/
If you need to cover multiple paths, you'll need to list each literal prefix individually.
This is a textbook "Zombie Plan" scenario: the Control Plane reports green, but the Data Plane workers never receive the trigger. Given your evidence that it previously worked and stopped without changes, you are likely facing a backend event-routing synchronization issue in us-west-2.
Regarding escalation:
-
my honest recommendation: For production environments or solvent business cases, I always recommend a Business Support Plan. It is the only guaranteed way to open a high-priority ticket and have a Cloud Support Engineer manually reset the internal service state.
-
"No-Cost" Gamble: Beyond a paid plan, there are no "secret tricks" to force an AWS backend fix. Your best bet is to stay active on AWS re:Post and tag the Amazon GuardDuty team. Service teams monitor detailed technical reports like yours, and they may escalate it internally as a potential service-level bug.
-
Verification: As a last resort, try toggling the EventBridge settings on the S3 bucket or slightly modifying the IAM Trust Policy. This sometimes forces the GuardDuty backend to re-validate the integration, but if that fails, only AWS Internal can fix the routing layer.
Thank you for the detailed troubleshooting suggestions. We investigated all three scenarios:
- EventBridge Suffix/Prefix Filtering
We verified the ObjectPrefixes on both plans:
Pre-prod: */uploads/ Dev: //uploads/, //attachments/, //tool-results/, //analysis/ Our smoke test paths match these patterns:
Pre-prod test: repro-{ts}/uploads/... → matches */uploads/ Dev test: 1000TEST/repro-{ts}/uploads/... → matches //uploads/ 2. Storage Class & Object Size
Verified via head-object on test files from the April 26 timeframe:
Storage class: STANDARD (API returns null for default) Object sizes: 55-69 bytes (non-zero) Not Glacier, not empty.
- Delegated Admin Conflict
Checked describe-organization-configuration on the delegated admin detector. All features show AutoEnable: NONE. Notably, S3 Malware Protection isn't listed in the org configuration output at all - only EBS Malware Protection appears.
The strongest evidence against customer-side issues:
The pre-prod plan (CreatedAt: 2026-04-26) is completely untouched since creation. Same ObjectPrefixes, same role, same bucket. It successfully scanned EICAR files on April 26 - we found objects with GuardDutyMalwareScanStatus: THREATS_FOUND tags from that date. Today, with zero configuration changes, it shows identical zero-scan behavior as dev.
This is a control case: if prefix filtering, storage class, or DA conflicts were the cause, pre-prod would have failed from day one - not worked and then silently stopped.
We agree the issue is in the routing layer given all three metrics are dead zero. Given the unchanged pre-prod configuration, this appears to be a backend synchronization issue between GuardDuty org-level state and standalone MalwareProtectionPlan resources that only AWS can diagnose.
Is there any way to escalate this without a paid support plan?
Relevant content
- asked a year ago
- asked a year ago
- AWS OFFICIALUpdated 4 months ago
