Gravity Cloud

AWS Release: Detect Malware in New Object Uploads to Amazon S3 with Amazon GuardDuty

Vatsal Bajpai
Vatsal Bajpai
2 min read·
Cover Image for AWS Release: Detect Malware in New Object Uploads to Amazon S3 with Amazon GuardDuty

What's new in Guard Duty for S3

Amazon GuardDuty has introduced a powerful new feature to enhance the security of your Amazon S3 buckets: Malware Protection for S3. This tool helps detect potential malware by automatically scanning newly uploaded objects to your selected S3 buckets. When an S3 object or a new version of an existing object is uploaded, GuardDuty initiates a malware scan to ensure your data's integrity and security.

12-month Free Tier starting from June 11, 2024

Two Approaches to Enable Malware Protection for S3

  1. With GuardDuty Service: You can enable Malware Protection for S3 as part of the overall GuardDuty experience. This integration allows you to leverage all GuardDuty features, including detailed security findings associated with a detector ID.
  2. Independent Feature: Alternatively, you can enable Malware Protection for S3 without activating the full GuardDuty service. This method focuses solely on malware scanning for S3 objects.

Using Malware Protection for S3 Independently

  • No Detector ID: When used independently, your account will not have an associated detector ID, impacting which GuardDuty features are available. For instance, no GuardDuty findings are generated.
  • Scan Results: By default, scan results are published to your default Amazon EventBridge event bus and Amazon CloudWatch. You can also enable tagging of objects based on scan results, providing a clear status directly on the S3 objects.

General Considerations

  • Bucket Ownership: You can enable Malware Protection for S3 for S3 buckets that belong to your own AWS account. This feature cannot be enabled by a delegated administrator on buckets owned by member accounts.
  • Administrator Notifications: Delegated GuardDuty administrators will receive notifications via Amazon EventBridge whenever a member account enables this feature for their S3 buckets.
  • Integration Limitations: Currently, Malware Protection for S3 findings do not integrate with AWS Security Hub or Amazon Detective.

How It Works

  • Enablement: You can configure Malware Protection for S3 for your entire bucket or limit the scans to specific prefixes (up to 5). This flexibility helps you manage and target your security needs efficiently.
  • IAM Permissions: An IAM PassRole is required to allow GuardDuty to perform the necessary scan actions. You can update an existing role or create a new one to grant these permissions.
  • Tagging: Optionally enable tagging for scanned objects, which allows GuardDuty to add tags indicating the scan results. These tags can be used for further access control and management.

Pricing

  • Free Tier: Enjoy a 12-month Free Tier starting from June 11, 2024, allowing you to use Malware Protection for S3 at no additional cost during this period.
  • Tagging Costs: Enabling S3 Object Tagging incurs additional costs. For more information on tagging costs, refer to the Amazon S3 pricing page. EventBridge: Standard pricing applies for custom EventBridge rules and any associated AWS services such as CloudWatch Logs or AWS Lambda.

If you like this, follow us on Twitter and LinkedIn and explore our platform to help save you more cloud costs - gravitycloud.ai

footer