Enable Malware Protection

Risk Level: Medium (should be achieved)

Ensure that the Malware Protection feature is enabled for your Amazon GuardDuty detectors. Malware Protection helps detect potential malware in Amazon EC2 instances and container workloads. Additionally, it automatically scans newly uploaded S3 buckets for potential malware.

This rule can help you work with the AWS Well-Architected Framework.

Security

Enabling GuardDuty Malware Protection for Amazon EC2 and S3 resources enhances security by detecting and analyzing malicious files, reducing the risk of data breaches or compromised workloads. It provides early threat detection, helping to identify malware infections and allowing for quicker remediation, thus ensuring the integrity and security of your AWS cloud environment.

Audit

To determine if Malware Protection is enabled for your Amazon GuardDuty detectors, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to GuardDuty console available at https://console.aws.amazon.com/guardduty and perform the following actions to check the Malware Protection feature status for Amazon EC2 and S3 resources:

To check the status of Malware Protection for EC2:
1. In the left navigation panel, under Protection plans, choose Malware Protection for EC2 to access the feature settings for the current AWS region.
2. In the GuardDuty-initiated malware scan section, check the Status attribute value. If Status is set to GuardDuty-initiated malware scan is not enabled, Malware Protection for EC2 is not enabled for Amazon GuardDuty within the current AWS region.
To check the status of Malware Protection for S3:
1. In the left navigation panel, under Protection plans, choose Malware Protection for S3 to access the feature settings for the current AWS region.
2. In the Protected buckets section, check for any S3 buckets protected by the Malware Protection feature. If there are no protected buckets listed in this section and the Enable Malware Protection for S3 button is displayed, Malware Protection for S3 is not enabled for Amazon GuardDuty within the current AWS cloud region.

03 Change the AWS region from the console navigation bar and repeat step no. 2 to verify the Amazon GuardDuty Malware Protection status for other AWS cloud regions.

Using AWS CLI

01 Run list-detectors command (OSX/Linux/UNIX) with custom output filters to list the ID of each Amazon GuardDuty detector available in the selected AWS region (in this case, US East – N. Virginia region):

aws guardduty list-detectors
  --region us-east-1
  --query 'DetectorIds'

02 The command output should return an array with the requested GuardDuty detector ID(s):

[
	"abcd1234abcd1234abcd1234abcd1234",
	"1234abcd1234abcd1234abcd1234abcd"
]

03 To determine if Malware Protection is enabled for Amazon GuardDuty, perform the following commands to check the Malware Protection feature status for Amazon EC2 and S3 resources:

To check the status of Malware Protection for EC2:
1. Run get-detector command (OSX/Linux/UNIX) with the ID of the Amazon GuardDuty detector that you want to examine as the identifier parameter and custom output filters to describe the configuration status of the Malware Protection for EC2 setting in the selected AWS region:
```
aws guardduty get-detector
  --region us-east-1
  --detector-id "abcd1234abcd1234abcd1234abcd1234"
  --query 'DataSources.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status'
```
2. The command output should return the requested configuration status:
```
"DISABLED"
```
  If the get-detector command output returns "DISABLED", as shown in the example above, Malware Protection for EC2 is not enabled for Amazon GuardDuty in the selected AWS region.
3. Repeat steps no. 1 and 2 for other Amazon GuardDuty detectors deployed in the selected AWS region.
To check the status of Malware Protection for S3:
1. Run list-malware-protection-plans command (OSX/Linux/UNIX) with custom output filters to describe the Malware Protection plans available in the selected AWS region. Amazon GuardDuty creates a Malware Protection plan for each S3 bucket configured for malware scan:
```
aws guardduty list-malware-protection-plans
  --region us-east-1
  --query 'MalwareProtectionPlans'
```
2. The command output should return the Malware Protection plans available in the selected region:
```
[]
```
  If the list-malware-protection-plans command output returns an empty array, i.e. [], there are no Malware Protection plans created for S3 buckets, therefore, Malware Protection for S3 is not enabled for Amazon GuardDuty within the current AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 1 – 3 to check the Amazon GuardDuty Malware Protection status for other AWS cloud regions.

Remediation / Resolution

To enable the Malware Protection security feature for Amazon GuardDuty, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to GuardDuty console available at https://console.aws.amazon.com/guardduty and perform the following actions to enable the Amazon GuardDuty Malware Protection feature for your Amazon EC2 and S3 resources:

To enable and configure Malware Protection for EC2, perform the following operations:
1. In the left navigation panel, under Protection plans, choose Malware Protection for EC2 to access the feature settings for the current AWS region.
2. In the GuardDuty-initiated malware scan section, choose Enable under Status. In the confirmation box, choose Confirm to enable Malware Protection for EC2, within the current AWS region.
3. (Optional) Choose Inclusion/Exclusion tags and use the Add tags button to add inclusion or exclusion tags. Amazon GuardDuty will scan EC2 instances based on the tags you configure. If you use inclusion tags, only instances with those specific tags will be scanned. However, if you use exclusion tags, instances with those tags will be skipped during the scanning process.
4. (Optional) You can also use on-demand malware scan for Amazon EC2 instances. In the On-demand malware scan section, enter the ARN of the instance that you want to scan in the EC2 instance ARN box and choose Start scan to initiate an on-demand malware scan on your EC2 instance.
To enable and configure Malware Protection for S3, perform the following operations:
1. In the left navigation panel, under Protection plans, choose Malware Protection for S3 to access the feature settings for the current AWS region.
2. In the Protected buckets section, choose Enable Malware Protection for S3, and perform the following actions to enable and configure Malware Protection for S3:
  1. For Enter S3 bucket details, choose Browse S3 and select the S3 bucket that you want to protect. Choose whether to scan all the objects in the selected bucket or scan only objects with a prefix that you configure.
  2. For Tag scanned objects, choose Tag objects to tag your S3 objects with a scan status such as "NO_THREATS_FOUND", "THREATS_FOUND", "UNSUPPORTED", "ACCESS_DENIED", or "FAILED".
  3. Amazon GuardDuty requires permissions to perform malware scans on your behalf. For Permissions, choose View permissions, copy the required policies and select Choose an IAM role and attach permissions to create a new IAM role with the copied permissions (policies). Once the necessary IAM role is available, return to the Permissions section and choose the new role from the IAM role dropdown list.
  4. (Optional) Tag Malware Protection policy ID - optional, use the Add new tag button to create any required tag sets, according to your tagging scheme.
  5. Choose Enable to enable Malware Protection for S3, for the selected Amazon S3 bucket. This creates a Malware Protection plan for the S3 bucket.
  6. Repeat steps no. 1 - 5 for each Amazon S3 bucket that you want to protect with Amazon GuardDuty Malware Protection.

03 Change the AWS cloud region from the console navigation bar and repeat steps no. 1 and 2 to activate the Amazon GuardDuty Malware Protection feature for other AWS regions.

Using AWS CLI

To enable and configure Malware Protection for EC2, run the following commands:
1. Run update-detector command (OSX/Linux/UNIX) with the ID of the regional Amazon GuardDuty detector that you want to configure as the identifier parameter, to enable Malware Protection for EC2 in the selected AWS region (the command does not produce an output). This will enable GuardDuty-initiated malware scans:
```
aws guardduty update-detector
  --region us-east-1
  --detector-id "abcd1234abcd1234abcd1234abcd1234"
  --features [{"Name":"EBS_MALWARE_PROTECTION","Status":"ENABLED"}]'
```
2. (Optional) To use on-demand malware scan for Amazon EC2 instances, run start-malware-scan command (OSX/Linux/UNIX) with the ARN of the Amazon EC2 instance that you want to scan as the identifier parameter (the command does not produce an output):
```
aws guardduty start-malware-scan
  --region us-east-1
  --resource-arn "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234abcd1234"
```

To enable and configure Malware Protection for S3, run the following commands:

Amazon GuardDuty requires permissions to perform malware scans on your behalf. Define the trust relationship policy for the required IAM role and save the policy document to a new JSON file named cc-iam-role-trust-policy.json:
```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "malware-protection-plan.guardduty.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}
```
Run create-role command (OSX/Linux/UNIX) to create a new IAM role using the trust relationship policy defined at the previous step (i.e. cc-iam-role-trust-policy.json):
```
aws iam create-role
  --role-name MalwareProtectionIamRole
  --assume-role-policy-document file://cc-iam-role-trust-policy.json
```

The command output should return the information available for the new IAM role:

{
	"Role": {
		"AssumeRolePolicyDocument": {
			"Version": "2012-10-17",
			"Statement": [
				{
					"Effect": "Allow",
					"Principal": {
						"Service": "malware-protection-plan.guardduty.amazonaws.com"
					},
					"Action": "sts:AssumeRole"
				}
			]
		},
		"RoleId": "ABCDABCDABCDABCDABCDA",
		"CreateDate": "2024-10-02T15:00:00.002Z",
		"RoleName": "MalwareProtectionIamRole",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:role/MalwareProtectionIamRole"
	}
}

Define the access permissions for your new IAM role and save the policy document to a new JSON file named cc-iam-role-access-policy.json. Replace the placeholder values for your S3 bucket name, AWS account ID, and KMS key ID:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
			"Effect": "Allow",
			"Action": [
				"events:PutRule",
				"events:DeleteRule",
				"events:PutTargets",
				"events:RemoveTargets"
			],
			"Resource": [
			"arn:aws:events:us-east-1:<aws-account-id>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
			],
			"Condition": {
				"StringLike": {
					"events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
			"Effect": "Allow",
			"Action": [
				"events:DescribeRule",
				"events:ListTargetsByRule"
			],
			"Resource": [
				"arn:aws:events:us-east-1:<aws-account-id>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
			]
		},
		{
			"Sid": "AllowPostScanTag",
			"Effect": "Allow",
			"Action": [
				"s3:PutObjectTagging",
				"s3:GetObjectTagging",
				"s3:PutObjectVersionTagging",
				"s3:GetObjectVersionTagging"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>/*"
			]
		},
		{
			"Sid": "AllowEnableS3EventBridgeEvents",
			"Effect": "Allow",
			"Action": [
				"s3:PutBucketNotification",
				"s3:GetBucketNotification"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>"
			]
		},
		{
			"Sid": "AllowPutValidationObject",
			"Effect": "Allow",
			"Action": [
				"s3:PutObject"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>/malware-protection-resource-validation-object"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:ListBucket"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>"
			]
		},
		{
			"Sid": "AllowMalwareScan",
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:GetObjectVersion"
			],
			"Resource": [
				"arn:aws:s3:::<bucket-name>/*"
			]
		},
		{
			"Sid": "AllowDecryptForMalwareScan",
			"Effect": "Allow",
			"Action": [
				"kms:GenerateDataKey",
				"kms:Decrypt"
			],
			"Resource": "arn:aws:kms:us-east-1:<aws-account-id>:key/<kms-key-id>",
			"Condition": {
				"StringLike": {
					"kms:ViaService": "s3.*.amazonaws.com"
				}
			}
		}
	]
}

Run attach-role-policy command (OSX/Linux/UNIX) to attach the required AWS-managed policy to your new IAM role (if successful, the command does not produce an output):
```
aws iam create-policy
  --policy-name MalwareProtectionAccessPolicy
  --policy-document file://cc-iam-role-access-policy.json
  --query 'Policy.Arn'
```
The command output should return the ARN of the newly created IAM policy:
```
"arn:aws:iam::123456789012:policy/MalwareProtectionAccessPolicy"
```
Run attach-role-policy command (OSX/Linux/UNIX) to attach the customer-managed policy created at the previous steps, to your Amazon IAM role (if successful, the command does not produce an output):
```
aws iam attach-role-policy
  --policy-arn "arn:aws:iam::123456789012:policy/MalwareProtectionAccessPolicy"
  --role-name MalwareProtectionIamRole
```
Run create-malware-protection-plan command (OSX/Linux/UNIX) to enable Malware Protection for S3, for the specified Amazon S3 bucket. The following command example enables Malware Protection for S3 with scanned S3 object tagging. This will create a Malware Protection plan for the selected S3 bucket:
```
aws guardduty create-malware-protection-plan
  --role "arn:aws:iam::123456789012:role/MalwareProtectionIamRole"
  --protected-resource "S3Bucket"={"BucketName"="tm-project5-input-data"}
  --actions "Tagging"={"Status"="ENABLED"}
```
The command output should return the ID of the newly created Malware Protection plan:
```
{
	"MalwareProtectionPlanId": "abcd1234abcd1234abcd"
}
```
Repeat steps no. 8 and 9 for each Amazon S3 bucket that you want to protect with Amazon GuardDuty Malware Protection.

02 Change the AWS cloud region by updating the --region command parameter value and repeat step no. 1 to activate the Amazon GuardDuty Malware Protection feature for other AWS regions.

References

AWS Command Line Interface (CLI) Documentation
list-detectors
get-detector
update-detector
list-malware-protection-plans
start-malware-scan
create-malware-protection-plan
create-role
create-policy
attach-role-policy

Publication date Oct 4, 2024

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Malware Protection

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related GuardDuty rules