AWS Extends GuardDuty Malware Detector to S3 Files

Amazon Web Services is giving users of its Simple Storage Service (S3) another tool to check their buckets for potentially malicious file uploads.

Amazon GuardDuty Malware Protection, which users can already use to monitor Amazon Elastic Block Storage (EBS) volumes, can now extend its threat monitoring benefits to Amazon S3, AWS announced last week.

"Now, you can continuously evaluate new objects uploaded to S3 buckets for malware and take action to isolate or eliminate any malware found," wrote AWS principal developer advocate Channy Yun in a blog post. "Amazon GuardDuty Malware Protection uses multiple [AWS] developed and industry-leading third-party malware scanning engines to provide malware detection without degrading the scale, latency, and resiliency profile of Amazon S3."

The new S3 capability is relatively low-lift compared to similar malware detection tools, Yun contends. "[T]his managed solution from GuardDuty does not require you to manage your own isolated data pipelines or compute infrastructure in each AWS account and AWS Region where you want to perform malware analysis."

Administrators can use GuardDuty Malware Protection to scan every new file that's uploaded to an S3 bucket, or to only scan files with specific prefixes. It'll specifically target files types that are known to frequently carry malware. It can scan objects as large as 5GB and that belong to the following S3 categories: S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 One Zone-IA and Amazon S3 Glacier Instant Retrieval.

GuardDuty can also be programmed to tag scanned files based on what it found (or didn't find). Tags include "NO_THREATS_FOUND," "THREATS_FOUND" and "ACCESS_DENIED." Admins can control access to files based on the tag GuardDuty applied to them; for instance, they can block access to files that haven't been scanned yet or that have been flagged as malicious.

GuardDuty Malware Protection for S3 also works with the Amazon EventBridge event routing solution. "GuardDuty will send scan metrics to your EventBridge for each protected S3 bucket," wrote Yun. "You can set up alarms and define post-scan actions, such as tagging the object or moving the malicious object to a quarantine bucket."

Users can activate GuardDuty Malware Protection for S3 without deploying it across their entire AWS account. Pricing is based on the number of objects and the amount of GBs scanned per month.

More information on this feature is available here.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.


Subscribe on YouTube