AWS Step-by-Step

Scanning Amazon S3 Buckets for Malware, Part 2

How to set up GuardDuty to monitor your S3 data.

• By Brien Posey
• 07/31/2024

In Part 1 of this series, I showed you how to put into place the various prerequisites that are required to allow malware scanning within Amazon S3 buckets. Now, it's time to set up malware protection for S3.

To get started, log into the AWS portal and launch the GuardDuty service. For those who might not be familiar with this service, GuardDuty provides intelligent threat detection for various AWS resources. From the main Amazon GuardDuty screen, select the GuardDuty Malware Protection for S3 Only option, shown in Figure 1, and click Get Started.

At this point, you will be taken to the main Malware Protection for S3 screen, which you can see in Figure 2. Click the Enable Malware Protection for S3 button.

You will now be taken to the Enable Malware Protection for S3 screen. The first thing you will need to do on this screen is to select the S3 bucket that you want to protect. If you have multiple buckets that need to be protected, then you will have to repeat this process for each additional bucket.

Next, you will need to choose what it is that you want to protect within the selected S3 bucket. You can opt to protect all of the objects within the bucket, or you can limit the protection to objects beginning with a specific prefix. The selection process is similar to that of other anti-malware tools that give you the opportunity to exclude certain file types from the scanning process in order to avoid corruption. Incidentally, if you do choose to scan items that use a certain prefix, you can specify up to five different prefixes.

The next section of the page, which you can see in Figure 3, allows you to tag scanned objects. Tagging is optional, but AWS does recommend that you tag items that have been scanned.

If you enable tagging, then Amazon will automatically add a GuardDutyMalwareScanStatus tag to each object that has been scanned. This tag will be automatically assigned one of several possible values, including:

• NO_THREATS_FOUND
• THREATS_FOUND
• UNSUPPORTED
• ACCESS_DENIED, or
• FAILED

Although there is a small cost associated with the tagging process, it's still a good idea to use tagging because it makes for an easy way to assess an object's health.

The next thing you will need to do is to add the permissions that will enable GuardDuty scanning of your S3 buckets. In order to complete this process, you will need to have already completed the steps outlined in Part 1. Assuming that you have completed those steps, all you will need to do is to select the IAM role that contains the required permissions. When you are done, you can click the Enable button to complete the process. Upon doing so, you should see the malware protection status listed as Active for your S3 bucket, as shown in Figure 4.

If you want to make sure that malware scanning is working properly, try uploading a file to your S3 bucket. Once you have done so, click on the file to access its properties. Now scroll down through the Properties tab until you reach the Tags section. You should see a GuardDutyMalwareScan status tag and a corresponding value that reflects the file's health. You can see an example of this in Figure 5.

AWS also allows you to monitor the scanning process through the GuardDuty console. Just open the console and click on your S3 bucket. When you do, you will see a screen like the one that is shown in Figure 6. As you can see in the figure, this screen displays a series of metrics that let you keep track of the number of scans that have been completed, as well as failed scans and incidents in which malware has been detected.