
Enable Malware Protection for Amazon S3

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Malware Protection for S3 is enabled for your Amazon GuardDuty detectors. Malware Protection for S3 helps detect and prevent malware in files uploaded to your Amazon S3 buckets, safeguarding sensitive data and ensuring compliance with security policies.

This rule can help you work with the AWS Well-Architected Framework (Security pillar).

Enabling GuardDuty Malware Protection for Amazon S3 buckets enhances security by detecting and analyzing malicious files, thereby reducing the risk of data breaches. It provides early threat detection, helps identify malware infections, and enables quicker remediation. As a result, it ensures the integrity and security of your AWS cloud environment.


Audit

To determine if Malware Protection for S3 is enabled for your Amazon GuardDuty detectors, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to GuardDuty console available at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Protection plans, choose Malware Protection for S3 to access the feature settings for the current AWS region.

04 In the Protected buckets section, check for any S3 buckets protected by the Malware Protection for S3 feature. If there are no protected buckets listed in this section and the Enable Malware Protection for S3 button is displayed, Malware Protection for S3 is not enabled for Amazon GuardDuty within the current AWS cloud region.

05 Change the AWS region from the console navigation bar and repeat steps no. 3 and 4 to verify the Malware Protection for S3 feature status for other AWS cloud regions.

Using AWS CLI

01 Run list-malware-protection-plans command (OSX/Linux/UNIX) with custom output filters to describe the Malware Protection plans available in the selected AWS region. Amazon GuardDuty creates a Malware Protection plan for each S3 bucket configured for malware scan:

aws guardduty list-malware-protection-plans \
	--region us-east-1 \
	--query 'MalwareProtectionPlans'

02 The command output should return the Malware Protection plans available in the selected AWS region:

[]

If the list-malware-protection-plans command output returns an empty array, i.e., [], there are no Malware Protection plans created for Amazon S3 buckets. Therefore, Malware Protection for S3 is not enabled for Amazon GuardDuty in the selected AWS cloud region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to check the Malware Protection for S3 feature status for other AWS cloud regions.
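The region sweep described in the CLI audit above, as an added Python example (this is not Conformity's own code). The evaluation logic is kept separate from the API call so it can be exercised on constructed data: evaluate_plans() applies the rule (an empty MalwareProtectionPlans array means the feature is not enabled in that region), while collect_plans_by_region() fetches the arrays with boto3's list_malware_protection_plans and needs AWS credentials. DEFAULT_REGIONS is an assumed sample list.

```python
"""Region sweep for GuardDuty Malware Protection for S3 plans.

Added example, not Conformity's own code. Mirrors the CLI audit: a region
whose list-malware-protection-plans output is [] fails the rule.
"""
from typing import Dict, List

# Assumed sample list; a real sweep would use every enabled region
# in the account (e.g. from `aws ec2 describe-regions`).
DEFAULT_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def evaluate_plans(plans_by_region: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Classify each region the way audit step 02 does.

    plans_by_region maps a region to the `MalwareProtectionPlans` array
    returned by list-malware-protection-plans (each entry carries a
    `MalwareProtectionPlanId`). An empty array means no bucket in that
    region is protected, so the feature is not enabled there.
    """
    report = {}
    for region, plans in plans_by_region.items():
        plan_ids = [p.get("MalwareProtectionPlanId") for p in plans]
        report[region] = {
            "enabled": len(plan_ids) > 0,
            "plan_count": len(plan_ids),
            "plan_ids": plan_ids,
        }
    return report


def failing_regions(report: Dict[str, dict]) -> List[str]:
    """Regions that fail the rule: no Malware Protection plan at all."""
    return sorted(r for r, v in report.items() if not v["enabled"])


def collect_plans_by_region(regions=DEFAULT_REGIONS) -> Dict[str, List[dict]]:
    """Call GuardDuty in each region and gather every plan (follows NextToken).

    Requires boto3 and credentials allowed to call
    guardduty:ListMalwareProtectionPlans.
    """
    import boto3  # imported here so the pure functions work without it

    result = {}
    for region in regions:
        client = boto3.client("guardduty", region_name=region)
        plans, token = [], None
        while True:
            kwargs = {"NextToken": token} if token else {}
            resp = client.list_malware_protection_plans(**kwargs)
            plans.extend(resp.get("MalwareProtectionPlans", []))
            token = resp.get("NextToken")
            if not token:
                break
        result[region] = plans
    return result


if __name__ == "__main__":
    report = evaluate_plans(collect_plans_by_region())
    for region, status in report.items():
        state = "ENABLED" if status["enabled"] else "NOT ENABLED"
        print(f"{region}: {state} ({status['plan_count']} plan(s))")
    print("Failing regions:", failing_regions(report))
```

Note that a region counts as enabled as soon as one bucket has a plan; the report's plan_ids lets you compare the protected buckets against the buckets you expect to be covered.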

Remediation / Resolution

To enable Malware Protection for S3 for your Amazon GuardDuty detectors, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to GuardDuty console available at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Protection plans, choose Malware Protection for S3 to access the feature settings for the current AWS region.

04 In the Protected buckets section, choose Enable Malware Protection for S3, and perform the following actions to enable and configure Malware Protection for S3:

  1. For Enter S3 bucket details, choose Browse S3 and select the S3 bucket that you want to protect. Choose whether to scan all the objects in the selected bucket or scan only objects with a prefix that you configure.
  2. For Tag scanned objects, choose Tag objects to tag your S3 objects with a scan status such as "NO_THREATS_FOUND", "THREATS_FOUND", "UNSUPPORTED", "ACCESS_DENIED", or "FAILED".
  3. Amazon GuardDuty requires permissions to perform malware scans on your behalf. For Service access, choose Create and use a new service role to automatically create a new IAM role required to authorize GuardDuty or choose Use an existing service role and select an existing IAM role. If you are enabling Malware Protection for S3 for the first time, select the option to create and use a new role.
  4. (Optional) For Tag Malware Protection policy ID - optional, use the Add new tag button to create any required tag sets, according to your tagging scheme.
  5. Choose Enable to enable Malware Protection for S3, for the selected Amazon S3 bucket. This creates a Malware Protection plan for the S3 bucket.
  6. Repeat steps no. 1 - 5 for each Amazon S3 bucket that you want to protect with the Malware Protection feature.

05 Change the AWS cloud region from the console navigation bar and repeat steps no. 1 - 4 to activate the Malware Protection for S3 feature for other AWS cloud regions.

Using AWS CLI

01 Amazon GuardDuty requires permissions to perform malware scans on your behalf. To implement the required permissions, create and assign an IAM role. Define the trust relationship policy for the required IAM role and save the policy document to a new JSON file named cc-iam-role-trust-policy.json:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "malware-protection-plan.guardduty.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

02 Run create-role command (OSX/Linux/UNIX) to create a new IAM role using the trust relationship policy defined at the previous step (i.e. cc-iam-role-trust-policy.json):

aws iam create-role \
	--role-name MalwareProtectionIamRole \
	--assume-role-policy-document file://cc-iam-role-trust-policy.json

03 The command output should return the information available for the new IAM role:

{
	"Role": {
		"AssumeRolePolicyDocument": {
			"Version": "2012-10-17",
			"Statement": [
				{
					"Effect": "Allow",
					"Principal": {
						"Service": "malware-protection-plan.guardduty.amazonaws.com"
					},
					"Action": "sts:AssumeRole"
				}
			]
		},
		"RoleId": "ABCDABCDABCDABCDABCDA",
		"CreateDate": "2024-11-12T15:00:00.002Z",
		"RoleName": "MalwareProtectionIamRole",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:role/MalwareProtectionIamRole"
	}
}

04 Define the access permissions for your new IAM role and save the policy document to a new JSON file named cc-iam-role-access-policy.json. Replace the <aws-account-id> and <bucket-name> placeholders with your own values:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
			"Effect": "Allow",
			"Action": [
				"events:PutRule"
			],
			"Resource": [
				"arn:aws:events:us-east-1:<aws-account-id>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
			],
			"Condition": {
				"StringEquals": {
					"events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
				},
				"ForAllValues:StringEquals": {
					"events:source": "aws.s3",
					"events:detail-type": [
						"Object Created",
						"AWS API Call via CloudTrail"
					]
				},
				"Null": {
					"events:source": "false",
					"events:detail-type": "false"
				}
			}
		},
		{
			"Sid": "AllowUpdateTargetAndDeleteManagedRule",
			"Effect": "Allow",
			"Action": [
				"events:DeleteRule",
				"events:PutTargets",
				"events:RemoveTargets"
			],
			"Resource": [
				"arn:aws:events:us-east-1:<aws-account-id>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
			],
			"Condition": {
				"StringEquals": {
					"events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
			"Effect": "Allow",
			"Action": [
				"events:DescribeRule",
				"events:ListTargetsByRule"
			],
			"Resource": [
				"arn:aws:events:us-east-1:<aws-account-id>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
			]
		},
		{
			"Sid": "AllowEnableS3EventBridgeEvents",
			"Effect": "Allow",
			"Action": [
				"s3:PutBucketNotification",
				"s3:GetBucketNotification"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "<aws-account-id>"
				}
			}
		},
		{
			"Sid": "AllowPostScanTag",
			"Effect": "Allow",
			"Action": [
				"s3:GetObjectTagging",
				"s3:GetObjectVersionTagging",
				"s3:PutObjectTagging",
				"s3:PutObjectVersionTagging"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "<aws-account-id>"
				}
			}
		},
		{
			"Sid": "AllowPutValidationObject",
			"Effect": "Allow",
			"Action": [
				"s3:PutObject"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>/malware-protection-resource-validation-object"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "<aws-account-id>"
				}
			}
		},
		{
			"Sid": "AllowCheckBucketOwnership",
			"Effect": "Allow",
			"Action": [
				"s3:ListBucket"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "<aws-account-id>"
				}
			}
		},
		{
			"Sid": "AllowMalwareScan",
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:GetObjectVersion"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "<aws-account-id>"
				}
			}
		}
	]
}

05 Run create-policy command (OSX/Linux/UNIX) to create a new Amazon IAM customer-managed policy using the policy document defined in the previous step:

aws iam create-policy \
	--policy-name MalwareProtectionAccessPolicy \
	--policy-document file://cc-iam-role-access-policy.json \
	--query 'Policy.Arn'

06 The command output should return the ARN of the newly created IAM policy:

"arn:aws:iam::123456789012:policy/MalwareProtectionAccessPolicy"

07 Run attach-role-policy command (OSX/Linux/UNIX) to attach the customer-managed policy created at the previous steps to your new IAM role (if successful, the command does not produce an output):

aws iam attach-role-policy \
	--policy-arn "arn:aws:iam::123456789012:policy/MalwareProtectionAccessPolicy" \
	--role-name MalwareProtectionIamRole

08 Run create-malware-protection-plan command (OSX/Linux/UNIX) to enable Malware Protection for S3 for the specified Amazon S3 bucket (replace <bucket-name> with the name of the S3 bucket that you want to protect). The following command example enables Malware Protection for S3 with scanned S3 object tagging. This will create a Malware Protection plan for the selected S3 bucket:

aws guardduty create-malware-protection-plan \
	--role "arn:aws:iam::123456789012:role/MalwareProtectionIamRole" \
	--protected-resource "S3Bucket"={"BucketName"="<bucket-name>"} \
	--actions "Tagging"={"Status"="ENABLED"}

09 The command output should return the ID of the newly created Malware Protection plan:

{
	"MalwareProtectionPlanId": "abcd1234abcd1234abcd"
}

10 Repeat steps no. 8 and 9 for each Amazon S3 bucket that you want to protect with the Malware Protection feature.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 10 to enable the Malware Protection for S3 feature for other AWS cloud regions.
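The remediation steps above hand GuardDuty a service role; the policy documents in steps 01 and 04 keep that role scoped to a single bucket and to the account that owns it. The following added Python example (not Conformity's or AWS's code) checks a candidate trust policy and access policy against that shape before creating anything, then performs steps 02, 05, 07 and 08 with boto3. The SAMPLE_* documents are constructed for illustration (the second statement in SAMPLE_ACCESS is deliberately too broad); apply_remediation() needs boto3 and credentials that can create IAM roles, policies and GuardDuty plans.

```python
"""Least-privilege check for the Malware Protection service role, plus a
boto3 version of remediation steps 02, 05, 07 and 08.

Added example, not Conformity's or AWS's code. The checks encode what the
policy documents above establish: the trust policy trusts only
malware-protection-plan.guardduty.amazonaws.com, and every S3 statement is
scoped to the protected bucket and conditioned on aws:ResourceAccount.
"""
import json
from typing import List

SERVICE_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"

# Constructed sample: the trust policy from step 01.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": SERVICE_PRINCIPAL},
                   "Action": "sts:AssumeRole"}],
}

# Constructed sample: one correctly scoped statement and one that grants
# read access to a different bucket without the account condition.
SAMPLE_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowMalwareScan", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": ["arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:ResourceAccount": "123456789012"}}},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::other-bucket/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust: dict) -> List[str]:
    """Problems in a trust policy; [] means only the GuardDuty service can assume the role."""
    findings = []
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"non-service principal {principal!r}")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc != SERVICE_PRINCIPAL:
                findings.append(f"unexpected trusted principal {svc}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            findings.append("statement does not grant sts:AssumeRole")
    return findings


def access_policy_findings(policy: dict, account_id: str, bucket: str) -> List[str]:
    """Problems in the access policy; [] means every S3 statement is limited to
    `bucket` and carries the aws:ResourceAccount == account_id condition."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"{sid}: wildcard Resource")
        if not any(a.startswith("s3:") for a in _as_list(stmt.get("Action", []))):
            continue  # EventBridge statements are bounded by events:ManagedBy instead
        for res in resources:
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside {bucket}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:ResourceAccount") != account_id:
            findings.append(f"{sid}: missing aws:ResourceAccount == {account_id}")
    return findings


def apply_remediation(account_id, bucket, region, trust, access,
                      role_name="MalwareProtectionIamRole",
                      policy_name="MalwareProtectionAccessPolicy") -> str:
    """Steps 02, 05, 07 and 08 via boto3; returns the new plan ID.
    Creates nothing if either policy fails the checks above."""
    import boto3  # imported here so the checks run without it installed

    problems = trust_policy_findings(trust) + access_policy_findings(access, account_id, bucket)
    if problems:
        raise ValueError("policy check failed: " + "; ".join(problems))
    iam = boto3.client("iam")
    role_arn = iam.create_role(RoleName=role_name,
                               AssumeRolePolicyDocument=json.dumps(trust))["Role"]["Arn"]
    policy_arn = iam.create_policy(PolicyName=policy_name,
                                   PolicyDocument=json.dumps(access))["Policy"]["Arn"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    # IAM is eventually consistent: GuardDuty can reject a role created moments
    # ago, so a caller may need to retry this call after a short delay.
    plan = boto3.client("guardduty", region_name=region).create_malware_protection_plan(
        Role=role_arn,
        ProtectedResource={"S3Bucket": {"BucketName": bucket}},
        Actions={"Tagging": {"Status": "ENABLED"}},
    )
    return plan["MalwareProtectionPlanId"]
```

Running access_policy_findings(SAMPLE_ACCESS, "123456789012", "example-bucket") reports two findings, both on the TooBroad statement; with that statement removed the policy passes, and the full policy from step 04 passes as well once its placeholders are filled in.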

Publication date Nov 19, 2024
