EC2 Malware Protection

Overview

Malware Protection for EC2 detects malware by scanning Amazon Elastic Block Store (EBS) volumes attached to Amazon EC2 instances and container workloads. It offers flexibility to include or exclude specific instances and provides an option to retain EBS snapshots when malware is detected. The service is integrated with Amazon GuardDuty and does not impact system performance.

Scan Types:

GuardDuty-Initiated Malware Scan:
- Trigger: Automatically initiates when GuardDuty generates a finding indicating potential malware.
- Frequency: Once every 24 hours per resource.
- Configuration: Must be enabled for each account or AWS Organization.
- Free Trial: 30-day trial for new accounts when this scan type is enabled.
- Scan Options: Supports exclusion of resources using user-defined tags.
On-Demand Malware Scan:
- Trigger: Manually initiated by providing the Amazon Resource Name (ARN) of the EC2 instance.
- Frequency: Can be initiated any time after one hour from the previous scan.
- Configuration: No feature-level setup required.
- Free Trial: No free trial for this scan type.
- Tagging: Does not support user-defined tags but honors the global GuardDutyExcluded tag.

EBS Volume Scanning and Snapshots:

EBS Volume Scanning: Scans volumes attached to EC2 instances or container workloads.
Snapshot Retention:
- Snapshots are created during both types of scans and are retained only if malware is detected.
- If no malware is found, snapshots are deleted, even if the retention setting is enabled.
- By default, the snapshot retention setting is disabled but can be manually activated.
Replica EBS Volume Management:
- GuardDuty creates encrypted replicas of EBS volumes for scanning and retains them for up to 55 hours.
- If there is an outage or failure, volumes may be retained for up to 7 days for triage.

Limitations:

Unsupported Workloads: Does not support Fargate with Amazon ECS or Amazon EKS.
Regional Availability: Malware Protection must be enabled on a per-region basis within GuardDuty.

Summary of Key Features:

Performance Impact: Designed to operate without affecting system performance.
Automation and Flexibility: Supports automatic and on-demand scans with tagging options for resource management.
Data Management: Snapshots and encrypted replicas are managed efficiently to ensure security, with options to retain evidence in case of malware detection.

PreviousMalware Protection NextEC2 Protection Resources

Last updated 8 months ago

Overview

Scan Types:

GuardDuty-Initiated Malware Scan:

Trigger: Automatically initiates when GuardDuty generates a finding indicating potential malware.
Frequency: Once every 24 hours per resource.
Configuration: Must be enabled for each account or AWS Organization.
Free Trial: 30-day trial for new accounts when this scan type is enabled.
Scan Options: Supports exclusion of resources using user-defined tags.

On-Demand Malware Scan:

Trigger: Manually initiated by providing the Amazon Resource Name (ARN) of the EC2 instance.
Frequency: Can be initiated any time after one hour from the previous scan.
Configuration: No feature-level setup required.
Free Trial: No free trial for this scan type.
Tagging: Does not support user-defined tags but honors the global GuardDutyExcluded tag.

EBS Volume Scanning and Snapshots:

EBS Volume Scanning: Scans volumes attached to EC2 instances or container workloads.

Snapshot Retention:

Snapshots are created during both types of scans and are retained only if malware is detected.
If no malware is found, snapshots are deleted, even if the retention setting is enabled.
By default, the snapshot retention setting is disabled but can be manually activated.

Replica EBS Volume Management:

GuardDuty creates encrypted replicas of EBS volumes for scanning and retains them for up to 55 hours.
If there is an outage or failure, volumes may be retained for up to 7 days for triage.

Limitations:

Unsupported Workloads: Does not support Fargate with Amazon ECS or Amazon EKS.

Regional Availability: Malware Protection must be enabled on a per-region basis within GuardDuty.

Summary of Key Features:

Performance Impact: Designed to operate without affecting system performance.

Automation and Flexibility: Supports automatic and on-demand scans with tagging options for resource management.

Data Management: Snapshots and encrypted replicas are managed efficiently to ensure security, with options to retain evidence in case of malware detection.