AWS Step-by-Step

Scanning Amazon S3 Buckets for Malware, Part 2

How to set up GuardDuty to monitor your S3 data.

In Part 1 of this series, I showed you how to put into place the various prerequisites that are required to allow malware scanning within Amazon S3 buckets. Now, it's time to set up malware protection for S3.

To get started, log into the AWS Management Console and open the GuardDuty service. For those who might not be familiar with it, GuardDuty is the AWS managed threat detection service, and Malware Protection for S3 is the feature of it that scans objects uploaded to a bucket. From the main Amazon GuardDuty screen, select the GuardDuty Malware Protection for S3 Only option, shown in Figure 1, and click Get Started. This option turns on just the S3 scanning feature; it does not require you to enable the full GuardDuty detector for the account.

Figure 1. Choose the GuardDuty Malware Protection for S3 Only option and click Get Started.

At this point, you will be taken to the main Malware Protection for S3 screen, which you can see in Figure 2. Click the Enable Malware Protection for S3 button.

Figure 2. Click the Enable Malware Protection for S3 button.

You will now be taken to the Enable Malware Protection for S3 screen. The first thing you will need to do on this screen is to select the S3 bucket that you want to protect. Protection is configured one bucket at a time, so if you have multiple buckets that need to be protected, you will have to repeat this process for each additional bucket.

Next, you will need to choose what it is that you want to protect within the selected bucket. You can protect all of the objects in the bucket, or you can limit protection to objects whose key begins with a specific prefix, and you can specify up to five prefixes. A prefix is a key-path filter (for example, uploads/), not a file-type filter; it narrows which uploads are scanned rather than excluding file types. Keep in mind that GuardDuty scans objects as they are uploaded: objects that were already in the bucket before you enabled protection are not scanned retroactively, so they will never receive a scan verdict.

The next section of the page, which you can see in Figure 3, allows you to tag scanned objects. Tagging is optional, but AWS does recommend that you tag items that have been scanned.

Figure 3. AWS allows you to tag items that have been scanned.

If you enable tagging, then GuardDuty will automatically add a GuardDutyMalwareScanStatus tag to each object once its scan completes. The tag is assigned one of the following values:

  • NO_THREATS_FOUND
  • THREATS_FOUND
  • UNSUPPORTED
  • ACCESS_DENIED, or
  • FAILED

The values other than the first two are worth watching. ACCESS_DENIED generally means that the IAM role or KMS key policy you set up in Part 1 does not actually let GuardDuty read the object, UNSUPPORTED means the object is of a type or size the scanner does not handle, and FAILED means the scan itself did not complete; none of those is a clean verdict. Although there is a small cost associated with tagging (S3 charges for object tags), it's still a good idea to enable it, because the tag gives you an easy way to read an object's scan verdict and, more importantly, lets you enforce that verdict with a bucket policy rather than just observe it.
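A bucket policy is the practical use of that tag. The following is an added example, not a policy from this article or from AWS, that uses S3 tag-based access control to deny reads of any object whose GuardDutyMalwareScanStatus tag is not NO_THREATS_FOUND, and to stop any principal other than the GuardDuty scanning role from writing that tag. The account ID 111122223333, the bucket name example-scanned-bucket and the role name GuardDutyMalwareProtectionRole are placeholders; substitute the role you created in Part 1.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReadUnlessScannedClean",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::111122223333:role/GuardDutyMalwareProtectionRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-scanned-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND"
        }
      }
    },
    {
      "Sid": "OnlyGuardDutyMayWriteScanTag",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::111122223333:role/GuardDutyMalwareProtectionRole"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3:::example-scanned-bucket/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "s3:RequestObjectTagKeys": "GuardDutyMalwareScanStatus"
        }
      }
    }
  ]
}
```

The first statement fails closed: an object with no tag yet (just uploaded and still being scanned, or uploaded before protection was enabled) is unreadable, and so is one tagged THREATS_FOUND, UNSUPPORTED, ACCESS_DENIED or FAILED, which forces a deliberate decision about those cases instead of letting them through. Because a Deny with NotPrincipal applies to every other principal, including the account's root user, add any break-glass or quarantine-handling role to the NotPrincipal list before applying the policy. The second statement closes an obvious bypass: without it, anyone allowed to tag objects, or to set tags at upload time with the x-amz-tagging header, could mark an object NO_THREATS_FOUND themselves.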

The next thing you will need to do is to grant the permissions that allow GuardDuty to scan your bucket. This is where the work from Part 1 comes in: select the IAM role you created there, which contains the permissions GuardDuty needs to read and tag objects in the bucket. When you are done, click the Enable button to complete the process. Upon doing so, you should see the malware protection status listed as Active for your S3 bucket, as shown in Figure 4.

Figure 4. Malware scanning is active for my S3 bucket.

If you want to make sure that malware scanning is working properly, try uploading a file to your S3 bucket. Once you have done so, click on the file to open its properties, then scroll down through the Properties tab until you reach the Tags section. After the scan completes, which can take a short time following the upload, you should see a GuardDutyMalwareScanStatus tag with a value that reflects the scan verdict. You can see an example of this in Figure 5. If you also want to confirm that a detection is reported as THREATS_FOUND, upload the standard EICAR test file rather than real malware.

Figure 5. The GuardDutyMalwareScanStatus tag indicates that no threats were found for this file.

AWS also allows you to monitor the scanning process through the GuardDuty console. Open the Malware Protection for S3 page in the console and click on your bucket, and you will see a screen like the one shown in Figure 6. This screen displays a series of metrics that let you keep track of the number of scans that have completed, as well as failed scans and incidents in which malware was detected. A rising failed-scan count is the first place to look if tags are not appearing on uploaded objects.

Figure 6. GuardDuty contains metrics that you can use to monitor the scanning process.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.