☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Overview
  • Using the GuardDuty Console:
  • Using API/CLI to Enable Malware Protection:
  • Considerations for Successful Setup:
  1. Logging Reference
  2. GuardDuty
  3. Malware Protection
  4. S3 Malware Protection

Enabling S3 Malware Protection

Overview

Malware Protection for S3 allows you to scan objects in S3 buckets for malware. This feature can be enabled through the GuardDuty console or API/CLI. You must first set up an IAM role with the appropriate permissions to let GuardDuty perform scans and, optionally, tag scanned objects.

Ensure to Enable GuardDuty within your enviroment otherwise S3 Malware Protection will not generate.

Using the GuardDuty Console:

  1. Enter S3 Bucket Details:

    • Navigate to Malware Protection for S3 in the GuardDuty console.

    • Select the AWS Region and enter the bucket name or browse to select the S3 bucket.

    • Choose whether to scan all objects or limit scans to specific prefixes (up to 5 prefixes).

  2. Enable Optional Tagging:

    • Enable object tagging to assign a predefined tag (GuardDutyMalwareScanStatus) with scan results like:

      • NO_THREATS_FOUND

      • THREATS_FOUND

      • ACCESS_DENIED

    • Tagging allows integration with tag-based access control (TBAC) policies to manage malicious objects.

  3. Choose the IAM Role:

    • Assign an IAM role with the required permissions for malware scanning and optional tagging.

    • Update the role if using it across multiple buckets.

    • Ensure the trust relationship policy is configured correctly for the role.

  4. Tagging the Malware Protection Plan (Optional):

    • Add up to 50 tags to the Malware Protection plan resource, if needed.

    • Tags are case-sensitive and help manage resources efficiently.

  5. Enable Protection:

    • After configuring all settings, click Enable to protect the bucket.

Using API/CLI to Enable Malware Protection:

  1. Prerequisites: Ensure you have created an IAM role ARN with the required permissions.

  2. API Example: Use the CreateMalwareProtectionPlan API to enable Malware Protection for an S3 bucket.

  3. CLI Commands:

Basic Command without Tagging:

aws guardduty create-malware-protection-plan \
  --role "arn:aws:iam::111122223333:role/role-name" \
  --protected-resource "S3Bucket"={"BucketName"="amzn-s3-demo-bucket1"}

With Specific Prefixes:

aws guardduty create-malware-protection-plan \
  --role "arn:aws:iam::111122223333:role/role-name" \
  --protected-resource '{"S3Bucket":{"BucketName":"amzn-s3-demo-bucket1", "ObjectPrefixes": ["Object1","Object2"]}}'

With Tagging Enabled:

aws guardduty create-malware-protection-plan \
  --role "arn:aws:iam::111122223333:role/role-name" \
  --protected-resource "S3Bucket"={"BucketName"="amzn-s3-demo-bucket1"} \
  --actions "Tagging"={"Status"="ENABLED"}

Plan ID: A Malware Protection plan ID will be generated for further actions, like updates or disabling the protection.

Considerations for Successful Setup:

  • Tag Limits: If an object already has 10 tags, GuardDuty cannot add another tag.

  • IAM Role Permissions: Ensure the IAM role has permissions to scan objects and apply tags.

  • EventBridge Integration: Scan results are also published to the default EventBridge event bus and CloudWatch for monitoring.

PreviousS3 Malware ProtectionNextAfter Enabling S3 Malware Protection

Last updated 8 months ago