How to Set Up AWS GuardDuty Malware/Virus Protection for S3

In today's digital landscape, protecting your data from malware and other malicious threats is essential to maintaining the integrity of your organization's infrastructure and reputation. AWS GuardDuty has introduced a new feature specifically designed to detect and protect against malware in Amazon S3. In this blog, we will walk you through how to set up and use this feature to safeguard your S3 objects.


Why Use GuardDuty Malware Protection for S3?


Traditionally, malware protection for AWS services was managed using third-party tools or custom applications. While tools like SonarQube and Cloud Storage Security were effective, there was a need for a more integrated solution directly within AWS. GuardDuty's new malware protection feature for S3 fills this gap by providing comprehensive protection that integrates seamlessly into your AWS environment.


Benefits of AWS GuardDuty Malware Protection for S3


  • Integrated Threat Detection: Directly built into AWS, it eliminates the need for third-party malware protection tools.
  • Automated Threat Response: Automatically scans new objects uploaded to S3 and flags any suspicious files.
  • Centralized Management: Allows for organization-wide deployment and control, reducing the risk of human error.
  • Cost-Effective: Currently offers a 12-month free tier for scanning new files, encouraging users to adopt the service.

Getting Started with GuardDuty Malware Protection



Step 1: Enable GuardDuty in Your AWS Account

The first step is to log into your AWS account and navigate to the GuardDuty service. Since GuardDuty is region-specific, you will need to enable it for each region where you want protection. Follow these steps to enable the service:

  1. Go to the GuardDuty dashboard in your AWS console.

(Screenshot: Enable GuardDuty)

  2. Click on Enable GuardDuty.
  3. Choose the default settings or customize the permissions if needed.
  4. You will be offered a two-day free trial to explore the service.

Step 2: Setting Up an Organization-Wide Administrator


To manage GuardDuty across multiple accounts, you can set up a delegated administrator. This setup allows you to manage malware protection centrally, ensuring that any new S3 buckets created across your organization are automatically protected.

  1. Navigate to GuardDuty Settings.

(Screenshot: Delegated Administrator)

  2. Assign your AWS account as the Delegated Administrator.
  3. Ensure that all GuardDuty settings apply across the organization for a centralized approach.

Step 3: Configure EventBridge for Alerts (Optional)


When a threat is detected, you may not always have someone actively monitoring the AWS console. To ensure you receive notifications, configure AWS EventBridge to send alerts to email, SMS, Slack, or other communication tools.

  1. Open the EventBridge dashboard in your AWS console.
  2. Set up a rule to trigger alerts based on GuardDuty findings.
  3. Link this rule to your preferred notification system, such as email or a messaging app.

The sections below give the detailed steps for Step 4, followed by additional methods for ensuring malware protection when objects are uploaded to Amazon S3.


Step 4: Enable S3 Malware Protection Using AWS GuardDuty


Enabling malware protection in AWS S3 using GuardDuty involves configuring settings that automatically scan for and identify malicious files. Follow these steps to set up S3 malware protection effectively:


(Screenshot: Enable S3 Malware)


  1. Log in to AWS Console: Open the AWS Management Console and sign in with your administrator account.

  2. Navigate to GuardDuty: In the AWS Management Console, go to the Services menu and select GuardDuty under the Security, Identity, & Compliance section.

  3. Enable GuardDuty (if not already enabled):

    1. If GuardDuty is not already enabled, click on the Enable GuardDuty button.
    2. You will see a two-day free trial offered by AWS. You can start with the trial or proceed with your existing plan.

    Note: S3 Malware Protection is region-specific, so the service has to be enabled in each region separately. S3 malware scanning can only scan buckets in the same region as the detector, not buckets in another region.

  4. Access the GuardDuty Settings:

    1. Once GuardDuty is enabled, click on Settings in the GuardDuty dashboard.
    2. Look for the section that mentions S3 Protection or Malware Protection for S3.
  5. Enable Malware Protection for S3 Buckets:

    1. Click on Enable S3 Malware Protection.
    2. You may need to specify the S3 buckets you want to protect. Select the bucket(s) where you want to enable malware protection.
    3. Ensure the S3 bucket you are protecting is in the same AWS region as the GuardDuty service.
  6. Create the S3 malware scanning role:

    1. Create an IAM role with a permissions policy similar to the following (replace <account-number> and <bucket-name>, and change us-east-1 if your bucket and detector are in another region):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
          "Effect": "Allow",
          "Action": [
            "events:PutRule",
            "events:DeleteRule",
            "events:PutTargets",
            "events:RemoveTargets"
          ],
          "Resource": [
            "arn:aws:events:us-east-1:<account-number>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
          ],
          "Condition": {
            "StringLike": {
              "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
            }
          }
        },
        {
          "Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
          "Effect": "Allow",
          "Action": [
            "events:DescribeRule",
            "events:ListTargetsByRule"
          ],
          "Resource": [
            "arn:aws:events:us-east-1:<account-number>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
          ]
        },
        {
          "Sid": "AllowPostScanTag",
          "Effect": "Allow",
          "Action": [
            "s3:PutObjectTagging",
            "s3:GetObjectTagging",
            "s3:PutObjectVersionTagging",
            "s3:GetObjectVersionTagging"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>/*"
          ]
        },
        {
          "Sid": "AllowEnableS3EventBridgeEvents",
          "Effect": "Allow",
          "Action": [
            "s3:PutBucketNotification",
            "s3:GetBucketNotification"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>"
          ]
        },
        {
          "Sid": "AllowPutValidationObject",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>/malware-protection-resource-validation-object"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>"
          ]
        },
        {
          "Sid": "AllowMalwareScan",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>/*"
          ]
        },
        {
          "Sid": "AllowDecryptForMalwareScan",
          "Effect": "Allow",
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:us-east-1:<account-number>:key/*",
          "Condition": {
            "StringLike": {
              "kms:ViaService": "s3.*.amazonaws.com"
            }
          }
        }
      ]
    }

    2. For each additional bucket that needs to be scanned, add that bucket's ARNs to the Resource lists following the same pattern.
    3. The role's trust policy should be the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "malware-protection-plan.guardduty.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  7. Set Up Tag-Based Access Control (Optional): To enable more detailed control over your S3 objects, configure tag-based access controls that will help you categorize and manage the scanning process.

  8. Review and Confirm the Settings:

    1. Confirm your settings by reviewing all the configurations.
    2. Click Save Changes to apply the settings.
  9. Testing the Setup:

    1. Upload a test file to your S3 bucket to see if the GuardDuty malware protection detects it.
    2. Verify that the scan results are displayed in the GuardDuty Findings dashboard, which will confirm the configuration is active.
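The scanning-role policy above has to be edited by hand for every bucket. The following Python, added here and not part of the original post, generates the same permissions policy for any list of buckets along with the trust policy; the account id, region and bucket names it prints are placeholders.

```python
"""Generate the IAM documents for the GuardDuty S3 scanning role (added example, not from the post)."""
import json

GD_SERVICE = "malware-protection-plan.guardduty.amazonaws.com"
RULE_SUFFIX = "rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"


def _stmt(sid, actions, resource, condition=None):
    s = {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}
    if condition:
        s["Condition"] = condition
    return s


def scan_role_policy(account, region, buckets):
    """Permissions policy for the scanning role, scoped to exactly the given buckets."""
    rule_arn = f"arn:aws:events:{region}:{account}:{RULE_SUFFIX}"
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"arn:aws:s3:::{b}/*" for b in buckets]
    validation = [f"arn:aws:s3:::{b}/malware-protection-resource-validation-object" for b in buckets]
    return {"Version": "2012-10-17", "Statement": [
        _stmt("AllowManagedRuleToSendS3EventsToGuardDuty",
              ["events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets"],
              [rule_arn], {"StringLike": {"events:ManagedBy": GD_SERVICE}}),
        _stmt("AllowGuardDutyToMonitorEventBridgeManagedRule",
              ["events:DescribeRule", "events:ListTargetsByRule"], [rule_arn]),
        _stmt("AllowPostScanTag", ["s3:PutObjectTagging", "s3:GetObjectTagging",
              "s3:PutObjectVersionTagging", "s3:GetObjectVersionTagging"], object_arns),
        _stmt("AllowEnableS3EventBridgeEvents",
              ["s3:PutBucketNotification", "s3:GetBucketNotification"], bucket_arns),
        _stmt("AllowPutValidationObject", ["s3:PutObject"], validation),
        _stmt("AllowListBucket", ["s3:ListBucket"], bucket_arns),
        _stmt("AllowMalwareScan", ["s3:GetObject", "s3:GetObjectVersion"], object_arns),
        # kms key/* mirrors the post; narrow it to the buckets' own key ARNs where you can
        _stmt("AllowDecryptForMalwareScan", ["kms:GenerateDataKey", "kms:Decrypt"],
              f"arn:aws:kms:{region}:{account}:key/*",
              {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}),
    ]}


def trust_policy():
    """Only the GuardDuty malware-protection service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": GD_SERVICE}, "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":  # placeholder account id, region and bucket names
    print(json.dumps(scan_role_policy("111122223333", "us-east-1", ["bucket-a", "bucket-b"]), indent=2))
    print(json.dumps(trust_policy(), indent=2))
```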

Step 5: Test the Setup with a Sample File


Testing your setup is crucial to ensure that GuardDuty is actively scanning and detecting malware. You can use a harmless test file designed to simulate malware to see how GuardDuty responds.


(Screenshot: EICAR)


  1. Upload a benign test file from the EICAR organization, specifically designed for antivirus testing.
  2. GuardDuty should detect this file and classify it as a threat.
  3. Check the GuardDuty findings to confirm that the detection process is working as expected.

Step 6: Review GuardDuty Findings


(Screenshot: GuardDuty Findings)


The GuardDuty dashboard provides a clear view of all security findings, including details about detected threats. This is where you can monitor the state of your S3 objects and identify any security risks.

  1. Navigate to the Findings section in GuardDuty.
  2. Review each finding to understand the severity and nature of the threat.
  3. Use the information to make informed decisions about your security posture.

Step 7: Continuous Monitoring and Alerting


To ensure that you always stay on top of potential threats, configure continuous monitoring and alerts:

  1. Set up rules in EventBridge to send notifications whenever a new threat is detected.
  2. Export findings to an S3 bucket or a centralized monitoring system if needed.
  3. Regularly review your GuardDuty setup to incorporate any new AWS security features.
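Steps 3 and 7 both describe routing GuardDuty findings through EventBridge to a notification channel. As an added example that is not from the original post, this Python shows the rule's event pattern and a Lambda target that turns an S3 malware finding into an alert message; the sample event is constructed, and the nested field names (s3BucketDetails, s3ObjectDetails, malwareScanDetails) should be confirmed against one of your own findings.

```python
"""Triage a GuardDuty finding delivered through EventBridge and build the alert text."""
S3_MALWARE_TYPE = "Object:S3/MaliciousFile"  # finding type raised by Malware Protection for S3

# EventBridge rule pattern: only S3 malware findings of severity 7 (High) or above reach the target
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [S3_MALWARE_TYPE], "severity": [{"numeric": [">=", 7]}]},
}


def summarize_finding(event):
    """Fields the on-call engineer needs, or None if this is not an S3 malware finding."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.guardduty" or detail.get("type") != S3_MALWARE_TYPE:
        return None
    resource = detail.get("resource", {})
    bucket = (resource.get("s3BucketDetails") or [{}])[0]
    obj = (resource.get("s3ObjectDetails") or [{}])[0]
    threats = detail.get("service", {}).get("malwareScanDetails", {}).get("threats", [])
    return {
        "finding_id": detail.get("id"),
        "account": detail.get("accountId"),
        "region": detail.get("region"),
        "severity": detail.get("severity"),
        "bucket": bucket.get("name"),
        "key": obj.get("key"),
        "threats": [t.get("name") for t in threats],
    }


def handler(event, context=None):
    """Lambda target of the rule: returns the message to publish to SNS or a chat webhook."""
    s = summarize_finding(event)
    if s is None:
        return None
    names = ", ".join(n for n in s["threats"] if n) or "unnamed threat"
    return (f"[GuardDuty severity {s['severity']}] {names} in s3://{s['bucket']}/{s['key']}"
            f" (account {s['account']}, {s['region']}, finding {s['finding_id']})")


# Constructed sample event, not a real finding; field names assumed from the finding format
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "EXAMPLE-FINDING-ID", "accountId": "111122223333", "region": "us-east-1",
               "type": S3_MALWARE_TYPE, "severity": 8,
               "resource": {"s3BucketDetails": [{"name": "example-uploads"}],
                            "s3ObjectDetails": [{"key": "invoices/eicar.com", "versionId": "v1"}]},
               "service": {"malwareScanDetails": {"threats": [{"name": "EICAR-Test-File"}]}}},
}
```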

Best Practices for S3 Malware Protection


  • Enable GuardDuty across all regions: Malware protection needs to be enabled in every region where you store S3 data, otherwise buckets in unprotected regions are never scanned.
  • Use tag-based access controls: This allows you to apply security policies more precisely to different S3 objects.
  • Centralize management: Use a delegated administrator account to manage all GuardDuty settings for better efficiency and control.
  • Test regularly: Periodically upload test files to ensure that your malware detection setup is functioning correctly.

Additional Methods for Ensuring Malware Protection on S3


Apart from using AWS GuardDuty, there are other methods to ensure that objects uploaded to S3 are scanned for malware and viruses to protect your infrastructure.


Method 1: Use AWS Lambda with Antivirus Scanning


  1. Set Up AWS Lambda Function:

    • Create an AWS Lambda function that triggers automatically whenever a new object is uploaded to the S3 bucket.
    • Configure the Lambda function to perform antivirus scanning using an open-source antivirus tool like ClamAV.
  2. Create an S3 Trigger:

    • Set up an S3 event trigger to call the Lambda function whenever a file is uploaded to the S3 bucket.
  3. Configure Antivirus Scanning Logic:

    • The Lambda function should download the object, run the ClamAV scan, and determine if the file is infected.
    • If a threat is detected, the Lambda function can delete the file or quarantine it for further analysis.
  4. Notify the Administrator:

    • Use AWS Simple Notification Service (SNS) to send an alert to the system administrator whenever malware is detected.
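The scanning function described in Method 1, as an added example that is not from the original post. It assumes a Lambda layer that provides clamscan and its signature database under /opt, plus a quarantine bucket and an SNS topic supplied through environment variables (all placeholders); the ClamAV exit-code handling and S3 event parsing are kept separate so they can be exercised without AWS or ClamAV installed.

```python
"""Method 1 handler: scan a newly uploaded S3 object with ClamAV and quarantine it if infected."""
import os
import subprocess
import urllib.parse

CLAMSCAN, CLAMDB = "/opt/bin/clamscan", "/opt/lib/clamav"  # assumed ClamAV layer layout
QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "example-quarantine-bucket")  # placeholder
SNS_TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN")  # required for the alert in handler()

def parse_s3_event(event):
    """(bucket, key) pairs from an S3 put notification; object keys arrive URL-encoded."""
    return [(r["s3"]["bucket"]["name"], urllib.parse.unquote_plus(r["s3"]["object"]["key"]))
            for r in event.get("Records", []) if r.get("eventSource") == "aws:s3"]


def interpret_clamscan(returncode, stdout):
    """clamscan exits 0 clean, 1 infected, 2 error; infected files print '<path>: <signature> FOUND'."""
    if returncode == 0:
        return "clean", None
    if returncode == 1:
        for line in stdout.splitlines():
            if line.rstrip().endswith(" FOUND"):
                return "infected", line.rsplit(": ", 1)[-1].rsplit(" FOUND", 1)[0]
        return "infected", None
    return "error", stdout.strip() or None  # a scan error is not a clean verdict


def scan_file(path, runner=subprocess.run):
    """Run clamscan on one file; `runner` is injectable so the logic is testable without ClamAV."""
    proc = runner([CLAMSCAN, "--no-summary", "-d", CLAMDB, path], capture_output=True, text=True)
    return interpret_clamscan(proc.returncode, proc.stdout)


def handler(event, context=None):
    import boto3  # lazy import so the helpers above can be tested without AWS credentials
    s3, sns = boto3.client("s3"), boto3.client("sns")
    results = []
    for bucket, key in parse_s3_event(event):
        local = os.path.join("/tmp", os.path.basename(key))
        s3.download_file(bucket, key, local)
        verdict, signature = scan_file(local)
        os.remove(local)
        if verdict == "infected":
            # Move rather than delete so the sample survives for analysis in a locked-down bucket
            s3.copy_object(Bucket=QUARANTINE_BUCKET, Key=f"{bucket}/{key}", CopySource={"Bucket": bucket, "Key": key})
            s3.delete_object(Bucket=bucket, Key=key)
            sns.publish(TopicArn=SNS_TOPIC_ARN, Subject="Malware quarantined in S3",
                        Message=f"s3://{bucket}/{key} flagged as {signature}")
        results.append((bucket, key, verdict, signature))
    return results
```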

Method 2: Integrate with Third-Party Security Tools


  1. Choose a Third-Party Security Tool:

    • Use third-party services like Cloud Storage Security or Trend Micro Cloud One that specialize in malware detection and data protection.
  2. Set Up Integration with S3:

    • Configure the third-party service to automatically scan new objects uploaded to your S3 bucket.
    • Follow the provider's specific guidelines to integrate the service with your AWS account.
  3. Monitor and Manage Alerts:

    • Set up alerts for any suspicious activity or identified threats using the third-party tool's notification features.
    • Maintain a security dashboard to track malware detection events.

Method 3: Implement an Intrusion Detection System (IDS)


  1. Deploy an IDS Tool:

    • Use intrusion detection systems like AWS Network Firewall or Snort to monitor traffic and identify malicious activities targeting your cloud environment.
  2. Monitor S3 Traffic:

    • Configure the IDS to inspect traffic to and from your S3 buckets for signs of malware or unauthorized data transfer.
  3. Automate Responses:

    • Automate responses to potential threats detected by the IDS, such as blocking malicious IP addresses or disabling compromised user accounts.

Summary of Methods

| Method                     | Description                                         | Tools Needed                                 |
|----------------------------|-----------------------------------------------------|----------------------------------------------|
| AWS GuardDuty              | Built-in malware detection for S3 using GuardDuty.  | AWS GuardDuty, S3, IAM                       |
| AWS Lambda with ClamAV     | Lambda triggers antivirus scans on new S3 uploads.  | AWS Lambda, S3, ClamAV, SNS                  |
| Third-Party Security Tools | Uses external tools for malware protection.         | Cloud Storage Security, Trend Micro, AWS S3  |
| Intrusion Detection System | Monitors traffic and detects threats in real time.  | AWS Network Firewall, Snort, AWS CloudTrail  |

These methods provide a multi-layered approach to protect your S3 buckets from malware threats, ensuring the safety of your data and maintaining your organization's security posture.


Conclusion


AWS GuardDuty's malware protection for S3 is a powerful tool to enhance your cloud security. Its seamless integration with AWS services, combined with automated threat detection and centralized management, makes it an essential part of any organization's security strategy. Set up GuardDuty today and ensure that your S3 buckets are protected from potential malware threats.


🔚 Call to Action


Choosing the right platform depends on your organization's needs. For more insights on cloud computing, tips, and the latest trends in technology, subscribe to our newsletter or follow our video series on cloud comparisons.


Interested in having your organization set up on the cloud? If so, please contact us and we'll be more than glad to help you embark on your cloud journey.


💬 Comment below:
Which tool is your favorite? What do you want us to review next?