
Enable Malware Protection for Amazon EC2

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: GD-005

Ensure that Malware Protection for EC2 is enabled for your Amazon GuardDuty detectors. Malware Protection for EC2 helps detect potential malware in Amazon EC2 instances and container workloads. Once enabled, the feature scans the EBS volumes attached to your Amazon EC2 instances.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling GuardDuty Malware Protection for Amazon EC2 resources enhances security by detecting and analyzing malicious files, reducing the risk of data breaches or compromised workloads. It provides early threat detection, helping to identify malware infections and allowing for quicker remediation, thus ensuring the integrity and security of your AWS cloud environment.


Audit

To determine if Malware Protection for EC2 is enabled for your Amazon GuardDuty detectors, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the GuardDuty console available at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Protection plans, choose Malware Protection for EC2 to access the feature settings for the current AWS region.

04 In the GuardDuty-initiated malware scan section, check the Status attribute value. If the Status value reads "GuardDuty-initiated malware scan is not enabled", Malware Protection for EC2 is not enabled for Amazon GuardDuty within the current AWS cloud region.

05 Change the AWS region from the console navigation bar and repeat steps no. 3 and 4 to verify the Malware Protection for EC2 feature status for other AWS cloud regions.

Using AWS CLI

01 Run the list-detectors command (OSX/Linux/UNIX) with custom output filters to list the ID of each Amazon GuardDuty detector available in the selected AWS region (in this case, US East – N. Virginia region):

aws guardduty list-detectors \
	--region us-east-1 \
	--query 'DetectorIds'

02 The command output should return an array with the requested GuardDuty detector ID(s):

[
	"abcd1234abcd1234abcd1234abcd1234",
	"1234abcd1234abcd1234abcd1234abcd"
]

03 Run the get-detector command (OSX/Linux/UNIX) with the ID of the Amazon GuardDuty detector that you want to examine as the identifier parameter and custom output filters to describe the configuration status of the Malware Protection for EC2 feature in the selected AWS region:

aws guardduty get-detector \
	--region us-east-1 \
	--detector-id "abcd1234abcd1234abcd1234abcd1234" \
	--query 'DataSources.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status'

04 The command output should return the requested configuration status:

"DISABLED"

If the get-detector command output returns "DISABLED", as shown in the example above, Malware Protection for EC2 is not enabled for Amazon GuardDuty in the selected AWS cloud region.

05 Repeat steps no. 3 and 4 for each Amazon GuardDuty detector deployed in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to check the Malware Protection for EC2 feature status for other AWS cloud regions.
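The same audit, scripted across regions and detectors. This is an added example, not Conformity's or AWS's own tooling; the live path assumes the boto3 SDK and AWS credentials in the environment, while the evaluation helpers run offline on constructed get-detector responses and accept both the Features list and the legacy DataSources path queried above.

```python
FEATURE_NAME = "EBS_MALWARE_PROTECTION"  # feature name used by update-detector

def malware_protection_status(detector):
    """Return "ENABLED" or "DISABLED" for one get-detector response (a dict).
    Newer responses carry a Features list; older ones only the DataSources path
    used by the --query filter above. Anything missing counts as DISABLED."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE_NAME:
            return feature.get("Status", "DISABLED")
    legacy = (detector.get("DataSources", {}).get("MalwareProtection", {})
              .get("ScanEc2InstanceWithFindings", {}).get("EbsVolumes", {}))
    return legacy.get("Status", "DISABLED")

def evaluate(region, detectors):
    """Map {detector_id: get-detector response} to (region, id, status, ok) rows.
    A region with no detector has GuardDuty itself off, so the feature cannot
    be on there; it is reported as NO_DETECTOR and not compliant."""
    if not detectors:
        return [(region, None, "NO_DETECTOR", False)]
    rows = []
    for det_id, detector in detectors.items():
        status = malware_protection_status(detector)
        rows.append((region, det_id, status, status == "ENABLED"))
    return rows

def audit_region(region):
    """Live check of one region; needs AWS credentials and boto3 (assumed)."""
    import boto3  # imported here so the offline helpers above stay importable
    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors().get("DetectorIds", [])
    return evaluate(region, {d: gd.get_detector(DetectorId=d) for d in ids})

# Constructed sample responses (not real account data) for the offline demo.
SAMPLE_ENABLED = {"Features": [{"Name": FEATURE_NAME, "Status": "ENABLED"}]}
SAMPLE_LEGACY_DISABLED = {"DataSources": {"MalwareProtection": {
    "ScanEc2InstanceWithFindings": {"EbsVolumes": {"Status": "DISABLED"}}}}}

if __name__ == "__main__":
    import sys
    regions = sys.argv[1:]  # e.g. us-east-1 eu-west-1; no args -> offline demo
    if regions:
        rows = [row for reg in regions for row in audit_region(reg)]
    else:
        rows = evaluate("us-east-1", {"abcd1234abcd1234abcd1234abcd1234": SAMPLE_ENABLED,
                                      "1234abcd1234abcd1234abcd1234abcd": SAMPLE_LEGACY_DISABLED})
    for region, det_id, status, ok in rows:
        print(f"{region:12} {det_id or '-':34} {status:12} {'OK' if ok else 'NOT COMPLIANT'}")
```

Run with no arguments to see the offline demo rows; pass one or more region names to query a live account.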

Remediation / Resolution

To enable Malware Protection for EC2 for your Amazon GuardDuty detectors, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the GuardDuty console available at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Protection plans, choose Malware Protection for EC2 to access the feature settings for the current AWS region.

04 In the GuardDuty-initiated malware scan section, choose Enable under Status. In the confirmation box, choose Confirm to enable Malware Protection for EC2 within the current AWS cloud region.

05 (Optional) Choose Inclusion/Exclusion tags and use the Add tags button to add inclusion or exclusion tags. Amazon GuardDuty will scan EC2 instances based on the tags you configure. If you use inclusion tags, only instances with those specific tags will be scanned. However, if you use exclusion tags, instances with those tags will be skipped during the scanning process.

06 (Optional) You can also use on-demand malware scan for Amazon EC2 instances. In the On-demand malware scan section, enter the ARN of the instance that you want to scan in the EC2 instance ARN box and choose Start scan to initiate an on-demand malware scan on the selected Amazon EC2 instance.

07 (Optional) In the General settings section, choose whether to retain scanned snapshots when malware is detected. This configuration setting applies to both GuardDuty-initiated and On-demand malware scans. By default, snapshot retention is disabled.

08 Change the AWS region from the console navigation bar and repeat steps no. 1 - 7 to activate the Malware Protection for EC2 feature for other AWS cloud regions.

Using AWS CLI

01 Run the update-detector command (OSX/Linux/UNIX) with the ID of the regional Amazon GuardDuty detector that you want to configure as the identifier parameter, to enable Malware Protection for EC2 in the selected AWS region (the command does not produce an output). This will enable GuardDuty-initiated malware scans:

aws guardduty update-detector \
	--region us-east-1 \
	--detector-id "abcd1234abcd1234abcd1234abcd1234" \
	--features '[{"Name":"EBS_MALWARE_PROTECTION","Status":"ENABLED"}]'

02 (Optional) To use on-demand malware scan for Amazon EC2 instances, run the start-malware-scan command (OSX/Linux/UNIX) with the ARN of the Amazon EC2 instance that you want to scan as the identifier parameter (the command does not produce an output):

aws guardduty start-malware-scan \
	--region us-east-1 \
	--resource-arn "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234abcd1234"

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to enable the Malware Protection for EC2 feature for other AWS cloud regions.

Publication date Nov 19, 2024