AWS Step-by-Step

Scanning Amazon S3 Buckets for Malware, Part 1

AWS recently extended GuardDuty's threat-hunting capabilities to its flagship storage service. Here's how to deploy it.

If you have data stored in S3 buckets within the AWS cloud, you can use the Amazon GuardDuty service to scan objects within your buckets for malware. In this article series, I will show you how to enable this malware scanning.

Before you can enable malware protection for an S3 bucket, you will need to create an IAM role that will provide the required permissions. It is possible to modify an existing role, if you prefer, but for the purposes of this article, I am going to be creating a new role.

To get started, you are going to need to track down a bit of information. The first item is your AWS account number. You are also going to need to know the names of the S3 buckets that you want to protect. If your buckets are encrypted using a customer-managed KMS key, then you will need to know the key ID. If the buckets are encrypted with an AWS managed KMS key, you will simply use an asterisk in place of the key ID.

With this information in hand, you will need to create a permissions template. I like to edit the permissions in Notepad and then copy the Notepad document to AWS, but you can edit the permissions directly within the AWS console if you prefer. Here is what the template looks like:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
            "Effect": "Allow",
            "Action": [
                "events:PutRule",
                "events:DeleteRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
            ],
            "Condition": {
                "StringLike": {
                    "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:ListTargetsByRule"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
            ]
        },
        {
            "Sid": "AllowPostScanTag",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectTagging",
                "s3:GetObjectTagging",
                "s3:PutObjectVersionTagging",
                "s3:GetObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        },
        {
            "Sid": "AllowEnableS3EventBridgeEvents",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketNotification",
                "s3:GetBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
            ]
        },
        {
            "Sid": "AllowPutValidationObject",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/malware-protection-resource-validation-object"
            ]
        },
        {
            "Sid": "AllowCheckBucketOwnership",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
            ]
        },
        {
            "Sid": "AllowMalwareScan",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        },
        {
            "Sid": "AllowDecryptForMalwareScan",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/APKAEIBAERJR2EXAMPLE",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}

This template is provided by Amazon, and there are a few values that you will need to modify before you can use it. First, replace DOC-EXAMPLE-BUCKET with the names of your S3 buckets. You can add or remove resource lines as necessary to accommodate all of your buckets.

The next thing that you will need to do is to replace 111122223333 with your account ID. Likewise, replace APKAEIBAERJR2EXAMPLE with your customer-managed key ID, or with an asterisk if Amazon manages your key. Finally, be sure to update the template to reflect your preferred region (the default is us-east-1); note that the region appears both in the ARNs and in the kms:ViaService condition.
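As an added example (not from the article and not an AWS tool), the following Python script performs these substitutions programmatically, which is useful when many buckets are involved: it validates the account ID and bucket names, swaps in the region and KMS key ID, and expands every bucket-scoped Resource entry into one ARN per bucket. The embedded TEMPLATE is an abbreviated copy (four statements) of the Amazon-provided template shown above; pass the full template text in practice. The account number, region and bucket names used in the script are constructed placeholders.

```python
"""Render the GuardDuty Malware Protection for S3 permissions policy.

Added example, not part of the article or of any AWS tooling. Substitutes the
placeholders in the Amazon-provided template and expands bucket-scoped
resources to one ARN per bucket. All sample values are constructed.
"""
import json
import re

# Abbreviated copy (four statements) of the Amazon-provided template from the
# article, with the same placeholder values. Use the full template in practice.
TEMPLATE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
      "Effect": "Allow",
      "Action": ["events:DescribeRule", "events:ListTargetsByRule"],
      "Resource": ["arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"]
    },
    {
      "Sid": "AllowCheckBucketOwnership",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"]
    },
    {
      "Sid": "AllowMalwareScan",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    },
    {
      "Sid": "AllowDecryptForMalwareScan",
      "Effect": "Allow",
      "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/APKAEIBAERJR2EXAMPLE",
      "Condition": {"StringLike": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}
    }
  ]
}
"""

ACCOUNT_RE = re.compile(r"^\d{12}$")
# Simplified S3 bucket-name rule: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def _expand(resource, buckets):
    """Turn one bucket-placeholder ARN into one ARN per bucket; pass others through."""
    if "DOC-EXAMPLE-BUCKET" in resource:
        return [resource.replace("DOC-EXAMPLE-BUCKET", b) for b in buckets]
    return [resource]


def render_policy(template, account_id, region, buckets, kms_key_id="*"):
    """Return the rendered policy as a dict.

    kms_key_id is the customer-managed KMS key ID, or "*" when the bucket uses
    an AWS managed key, as the article describes.
    """
    if not ACCOUNT_RE.match(account_id):
        raise ValueError("account ID must be exactly 12 digits")
    bad = [b for b in buckets if not BUCKET_RE.match(b)]
    if bad or not buckets:
        raise ValueError(f"missing or invalid bucket names: {bad}")

    text = (template.replace("111122223333", account_id)
                    .replace("us-east-1", region)            # ARNs and kms:ViaService
                    .replace("APKAEIBAERJR2EXAMPLE", kms_key_id))
    policy = json.loads(text)  # raises if the template is not well-formed JSON
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        entries = res if isinstance(res, list) else [res]
        expanded = [arn for r in entries for arn in _expand(r, buckets)]
        # A single-string Resource stays a string unless it had to grow.
        stmt["Resource"] = expanded if isinstance(res, list) or len(expanded) > 1 else expanded[0]
    return policy


def resources_for(policy, sid):
    """Return the Resource entries of the statement with the given Sid, as a list."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            res = stmt["Resource"]
            return res if isinstance(res, list) else [res]
    raise KeyError(sid)


if __name__ == "__main__":
    # Constructed sample values, not a real account or real bucket names.
    rendered = render_policy(TEMPLATE, "123456789012", "eu-west-1",
                             ["finance-uploads", "hr-documents"])
    print(json.dumps(rendered, indent=4))
```

The printed JSON is what you paste into the policy editor in the next step, or save to a file and pass to `aws iam create-policy --policy-name <name> --policy-document file://policy.json`. Rendering through json.loads has a side benefit: a stray comma or bracket from hand editing in Notepad is caught here rather than by the console.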

Now that you have created the policy template, you can create the necessary IAM role. To do so, open the Identity and Access Management (IAM) console and select the Policies tab. Next, click the Create Policy button. AWS will display the Create Policy screen. Click the JSON button and then paste all of the statements from your template into the area shown in Figure 1. My advice is to overwrite all of the existing text with the text from your template.

Figure 1. Paste your permissions template here.

Click Next and you will be taken to the Policy Details screen. Here you will need to provide a name and a description for your policy. When you are done, click the Create Policy button.

The next thing that you will need to do is to create an IAM role. Select the Roles tab and then click the Create Role button. Set the Trusted Entity Type to AWS Account and then select the account for which you want to enable the role, as shown in Figure 2.

Figure 2. Set the Trusted Entity Type to AWS Account and then choose the account that you want to use.

Click Next and you will be taken to the Permissions Policies screen. Select the policy that you created a moment ago, and then click Next.

At this point, you will be taken to the Role Details screen. Here you will need to assign a name and an optional description for the role that you are creating. When you are done, click the Create Role button to create the new role.

With the new role created, click on the role and then select the Trust Relationships tab, as shown in Figure 3. Now, click the Edit Trust policy button.

Figure 3. Select the Trust Relationships tab and click the Edit Trust Policy button.

You will need to append the following statement, provided by Amazon, to the existing trust policy. It allows the GuardDuty malware protection service principal, and only that principal, to assume the role:

"Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "Service": "malware-protection-plan.guardduty.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }
]

You can see what the completed policy looks like in Figure 4. Click the Update Policy button to complete the process.

Figure 4. You will need to update the existing trust policy.
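To make the trust policy change concrete, here is an added Python example (not from the article and not an AWS tool) that merges the statement above into an existing trust policy without duplicating it, then audits the result from a least-privilege standpoint: it flags any statement that lets an anonymous principal assume the role, or that trusts a service principal other than the GuardDuty one. The sample existing trust policy, including its placeholder account number, is constructed and only approximates what the console generates for a role trusted by an AWS account.

```python
"""Add the GuardDuty service principal to a role's trust policy and audit it.

Added example, not part of the article or of any AWS tooling. It merges the
statement from the article into an existing trust policy without duplicating
it, then checks who can assume the role. The account number in the sample
trust policy is a constructed placeholder.
"""
import json

GUARDDUTY_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"

# The statement the article says to add, as a Python dict.
GUARDDUTY_TRUST_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": GUARDDUTY_PRINCIPAL},
    "Action": "sts:AssumeRole",
}

# Constructed sample: the kind of trust policy a role gets when its trusted
# entity type is "AWS account" (an assumption; check your own role's policy).
EXISTING_TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}
"""


def _as_list(value):
    """IAM accepts a scalar wherever a list is valid; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _trusts_service(stmt, service):
    """True if this Allow statement names `service` as a Service principal."""
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    return service in _as_list(principal.get("Service", []))


def add_guardduty_trust(policy):
    """Return the trust policy (given as str or dict) with the GuardDuty statement present once."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.setdefault("Statement", [])
    if not any(_trusts_service(s, GUARDDUTY_PRINCIPAL) for s in statements):
        statements.append(dict(GUARDDUTY_TRUST_STATEMENT))
    return policy


def audit_trust_policy(policy, expected_services=(GUARDDUTY_PRINCIPAL,)):
    """Return findings: anonymous AssumeRole grants and unexpected service principals."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {i}: AssumeRole allowed to any principal")
        if isinstance(principal, dict):
            for svc in _as_list(principal.get("Service", [])):
                if svc not in expected_services:
                    findings.append(f"statement {i}: unexpected service principal {svc}")
    return findings


if __name__ == "__main__":
    merged = add_guardduty_trust(EXISTING_TRUST_POLICY)
    print(json.dumps(merged, indent=2))
    print("findings:", audit_trust_policy(merged) or "none")
```

The merged document is what you would paste into the trust policy editor shown in Figure 4, or save to a file and apply with `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json`. Running the audit again after the change is a cheap way to confirm that the edit added exactly one service principal and nothing broader.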

Now that you have created the necessary role, permissions and policy, it's time to actually enable malware scanning for S3. I will walk you through the setup process in Part 2 of this series.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
