CTHFM: AWS

S3 Malware Protection

Overview

Malware Protection for S3 enables malware scans of objects in Amazon S3 buckets within your AWS account. You can protect an entire bucket or restrict scanning to specific object prefixes (up to 5). Once enabled, a bucket covered by these scans is referred to as a protected bucket.

IAM Role Requirements:

  • An IAM role with specific permissions is required for GuardDuty to:

    • Detect newly uploaded objects.

    • Perform scans.

    • Optionally, tag objects based on scan results.

  • You can update an existing role or create a new one to support multiple buckets.

Tagging Scanned Objects (Optional):

  • During setup, you can enable tagging for scanned objects with the key-value pair: GuardDutyMalwareScanStatus: <Potential Scan Result>

  • Possible tag values include:

    • NO_THREATS_FOUND

    • THREATS_FOUND

    • UNSUPPORTED

    • ACCESS_DENIED

    • FAILED

  • Important: Tagging must be enabled before objects are uploaded for their scan results to be tagged. These tags can drive tag-based access control (TBAC) policies that restrict access to malicious objects.
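The following is an added example, not code from the CTHFM page or from AWS. It shows the two things a defender does with the scan-status tag described above: triage an object from its S3 TagSet (treating a missing tag as "unscanned" rather than clean, which is exactly the case of objects uploaded before tagging was enabled), and build a TBAC bucket policy that denies reads of anything not tagged NO_THREATS_FOUND. The tag key and its five values are the page's; the disposition names, bucket name and role ARNs are assumptions. Note that the scanner's own IAM role (the one from "IAM Role Requirements") must be exempted from the deny, because it reads the object before any tag exists; otherwise scans would fail with ACCESS_DENIED.

```python
"""Triage S3 objects by their GuardDuty Malware Protection scan-status tag
and build a tag-based access control (TBAC) bucket policy around it.

Added example, not part of the CTHFM page or of AWS documentation. The tag
key and its five values come from the page; disposition names, bucket names
and role ARNs are assumed for illustration.
"""
import json

TAG_KEY = "GuardDutyMalwareScanStatus"

# Handling decision per tag value. Only a clean verdict releases the object;
# every other outcome is held for review or a second attempt.
DISPOSITIONS = {
    "NO_THREATS_FOUND": "release",
    "THREATS_FOUND": "quarantine",
    "UNSUPPORTED": "needs_review",   # scanner could not inspect this format
    "ACCESS_DENIED": "needs_review",  # scanner role could not read the object
    "FAILED": "rescan",               # transient failure; submit again
}


def scan_status(tag_set):
    """Return the scan-status tag value from an S3 TagSet, or None.

    tag_set has the shape S3 returns for object tags:
    [{"Key": "...", "Value": "..."}, ...]
    """
    for tag in tag_set:
        if tag.get("Key") == TAG_KEY:
            return tag.get("Value")
    return None


def disposition(tag_set):
    """Map an object's tags to a handling decision.

    A missing tag means the object was never tagged: it was uploaded before
    tagging was enabled, or its scan has not completed. Treat it as
    unscanned, never as clean.
    """
    status = scan_status(tag_set)
    if status is None:
        return "unscanned"
    return DISPOSITIONS.get(status, "needs_review")


def quarantine_bucket_policy(bucket_name, scanner_role_arn, responder_role_arn):
    """Build a TBAC bucket policy (assumed layout, not an AWS-published one).

    Denies s3:GetObject on any object whose scan-status tag is not
    NO_THREATS_FOUND, except for the GuardDuty scanner role (which must read
    the object before it is tagged) and an incident-responder role.
    StringNotEquals and ArnNotEquals are negated operators: IAM evaluates
    them as true when the key is absent, so untagged objects and anonymous
    principals are denied too. The policy fails closed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyReadOfUnverifiedObjects",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {
                    "StringNotEquals": {
                        f"s3:ExistingObjectTag/{TAG_KEY}": "NO_THREATS_FOUND"
                    },
                    "ArnNotEquals": {
                        "aws:PrincipalArn": [scanner_role_arn, responder_role_arn]
                    },
                },
            }
        ],
    }


if __name__ == "__main__":
    # Constructed TagSets, shaped like get_object_tagging responses.
    samples = {
        "report.pdf": [{"Key": TAG_KEY, "Value": "NO_THREATS_FOUND"}],
        "invoice.zip": [{"Key": TAG_KEY, "Value": "THREATS_FOUND"}],
        "legacy.bin": [],  # uploaded before tagging was enabled
    }
    for key, tags in samples.items():
        print(f"{key}: {disposition(tags)}")
    policy = quarantine_bucket_policy(
        "uploads-bucket",  # assumed bucket name
        "arn:aws:iam::111122223333:role/GuardDutyMalwareScanner",  # assumed
        "arn:aws:iam::111122223333:role/MalwareResponder",          # assumed
    )
    print(json.dumps(policy, indent=2))
```

The deny statement is deliberately broad: because the two condition operators are negated, an object with no tag at all is denied to everyone but the exempted roles, which is what you want if tagging was switched on after some objects already existed.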

How Malware Protection for S3 Works:

  1. Event Detection and Isolation:

    • GuardDuty uses Amazon EventBridge to detect new uploads in protected buckets.

    • Files are downloaded using AWS PrivateLink and scanned in an isolated, locked-down VPC environment with no internet access.

    • Data is encrypted with AWS KMS throughout the scanning process.

  2. Data Handling and Clean-up:

    • GuardDuty temporarily stores scanned objects within the isolated environment and deletes them after scanning.

    • Each scan starts in a freshly cleaned environment to ensure data isolation.

Reviewing Scan Status and Results:

  • EventBridge: GuardDuty publishes the scan results to EventBridge.

  • CloudWatch Metrics: You can monitor the number of scanned objects and bytes via CloudWatch and set up alarms based on scan results.

  • Tagged Objects: If tagging is enabled, you can track scan status directly through S3 object tags.

Using Malware Protection for S3 with and without GuardDuty:

  • With GuardDuty Enabled:

    • Findings are generated for detected malware and can be viewed through the GuardDuty console or exported to S3 or EventBridge for further action.

  • Without GuardDuty (Independent Feature):

    • No findings are generated, but scan results can be tracked through:

      • EventBridge events.

      • CloudWatch metrics.

      • S3 object tags (if tagging is enabled).
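Both the "Reviewing Scan Status and Results" section and the without-GuardDuty case above point at EventBridge as the place scan results land. The block below is an added example, not code from the CTHFM page or from AWS: it implements the exact-value subset of EventBridge pattern matching in plain Python and runs two patterns over constructed scan-result events, so you can see which objects a rule such as "THREATS_FOUND only" or "anything that needs attention" would forward, and tallies per-status counts of the kind you would chart as a CloudWatch metric. The event field names (detail-type, scanResultDetails.scanResultStatus, s3ObjectDetails.bucketName/objectKey) are assumptions modelled on the scan-result event; check them against a real event from your own bus before building a rule.

```python
"""Select GuardDuty Malware Protection scan-result events with an
EventBridge-style pattern and summarise outcomes per status.

Added example, not code from the CTHFM page or from AWS. The events below
are constructed; their field names are assumed to mirror the published
scan-result event and must be verified against a real event.
"""
from collections import Counter

# Constructed events in the envelope EventBridge delivers (assumed fields).
SAMPLE_EVENTS = [
    {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Malware Protection Object Scan Result",
        "detail": {
            "scanStatus": "COMPLETED",
            "s3ObjectDetails": {"bucketName": "uploads-bucket", "objectKey": "report.pdf"},
            "scanResultDetails": {"scanResultStatus": "NO_THREATS_FOUND", "threats": []},
        },
    },
    {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Malware Protection Object Scan Result",
        "detail": {
            "scanStatus": "COMPLETED",
            "s3ObjectDetails": {"bucketName": "uploads-bucket", "objectKey": "invoice.zip"},
            "scanResultDetails": {
                "scanResultStatus": "THREATS_FOUND",
                "threats": [{"name": "EICAR-Test-File"}],  # constructed threat name
            },
        },
    },
    {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Malware Protection Object Scan Result",
        "detail": {
            "scanStatus": "FAILED",
            "s3ObjectDetails": {"bucketName": "uploads-bucket", "objectKey": "huge.iso"},
            "scanResultDetails": {"scanResultStatus": "FAILED", "threats": []},
        },
    },
    {   # unrelated event on the same bus; no rule below should match it
        "source": "aws.s3",
        "detail-type": "Object Created",
        "detail": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "notes.txt"}},
    },
]

# Pattern a rule would use to forward only confirmed detections.
THREAT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
    "detail": {"scanResultDetails": {"scanResultStatus": ["THREATS_FOUND"]}},
}

# Broader pattern: every outcome other than a clean verdict (tag values from the page).
NEEDS_ATTENTION_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
    "detail": {"scanResultDetails": {"scanResultStatus": [
        "THREATS_FOUND", "UNSUPPORTED", "ACCESS_DENIED", "FAILED"]}},
}


def matches(pattern, event):
    """Return True if event satisfies an EventBridge-style pattern.

    Implements the exact-value subset of pattern syntax: each leaf is a
    list of acceptable values and nested dicts are matched recursively.
    A key named in the pattern but missing from the event does not match.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def select(pattern, events):
    """Return (bucket, key, status) for every event the pattern matches."""
    hits = []
    for ev in events:
        if matches(pattern, ev):
            detail = ev["detail"]
            obj = detail.get("s3ObjectDetails", {})
            status = detail.get("scanResultDetails", {}).get("scanResultStatus")
            hits.append((obj.get("bucketName"), obj.get("objectKey"), status))
    return hits


def status_counts(events):
    """Count scan outcomes per status; events without a scan result are skipped."""
    counts = Counter()
    for ev in events:
        status = ev.get("detail", {}).get("scanResultDetails", {}).get("scanResultStatus")
        if status:
            counts[status] += 1
    return dict(counts)


if __name__ == "__main__":
    print("threats:", select(THREAT_PATTERN, SAMPLE_EVENTS))
    print("attention:", select(NEEDS_ATTENTION_PATTERN, SAMPLE_EVENTS))
    print("counts:", status_counts(SAMPLE_EVENTS))
```

The same dict used as THREAT_PATTERN, serialised as JSON, is what you would supply as the event pattern of an EventBridge rule; the broader pattern is the one to route to a ticketing or rescan target, since FAILED, ACCESS_DENIED and UNSUPPORTED results mean an object reached the bucket without a verdict.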


Last updated 8 months ago