Amazon GuardDuty Malware Protection for Amazon S3 was released at AWS re:Inforce 2024, so I immediately checked it out.
Detect malware in new object uploads to Amazon S3 with Amazon GuardDuty - AWS
Introducing Amazon GuardDuty Malware Protection for Amazon S3 | AWS News Blog
Update Overview
- The GuardDuty Malware Protection extension detects the upload of malicious files to the selected S3 bucket
- If GuardDuty is not enabled, you can enable only the GuardDuty Malware Protection for Amazon S3 feature
- The scanned object is tagged with GuardDutyMalwareScanStatus, and the tag value indicates whether it was determined to be a threat
The tag values are as follows
- NO_THREATS_FOUND: No potential threats were detected
- THREATS_FOUND: Potential threats were detected
- UNSUPPORTED: Scanning of the object is not supported
- ACCESS_DENIED: The object cannot be accessed
- FAILED: Malware scanning cannot be performed
More details about tags are also available in the following documentation
Monitoring S3 object scan status - Amazon GuardDuty
- Pricing is based on the size and number of objects. Prices are as follows:
- $0.79/GB per month for file size
- $0.282/1k per month for number of files
Intelligent Threat Detection – Amazon GuardDuty Pricing – AWS
Enable Malware Protection for Amazon S3
Click "Enable Malware Protection for S3" from "Malware Protection for S3" in GuardDuty.
Select "All objects in S3 bucket" as the S3 bucket to scan, and "Tag objects" as the tagging.
Create an IAM role for the Malware Protection for Amazon S3 feature.
Click "View Permissions".
The policies required for the IAM role will be displayed, so copy them.
For reference, the policies and trust relationships are as follows:
Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:DeleteRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": [
"arn:aws:events:ap-northeast-1:3<accountID>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
],
"Condition": {
"StringLike": {
"events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
}
}
},
{
"Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
"Effect": "Allow",
"Action": [
"events:DescribeRule",
"events:ListTargetsByRule"
],
"Resource": [
"arn:aws:events:ap-northeast-1:<accountID>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
]
},
{
"Sid": "AllowPostScanTag",
"Effect": "Allow",
"Action": [
"s3:PutObjectTagging",
"s3:GetObjectTagging",
"s3:PutObjectVersionTagging",
"s3:GetObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::test-s3mal-bucket/*"
]
},
{
"Sid": "AllowEnableS3EventBridgeEvents",
"Effect": "Allow",
"Action": [
"s3:PutBucketNotification",
"s3:GetBucketNotification"
],
"Resource": [
"arn:aws:s3:::test-s3mal-bucket"
]
},
{
"Sid": "AllowPutValidationObject",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::test-s3mal-bucket/malware-protection-resource-validation-object"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::test-s3mal-bucket"
]
},
{
"Sid": "AllowMalwareScan",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::test-s3mal-bucket/*"
]
},
{
"Sid": "AllowDecryptForMalwareScan",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "arn:aws:kms:ap-northeast-1:<accountID>:key/<key_id>",
"Condition": {
"StringLike": {
"kms:ViaService": "s3.*.amazonaws.com"
}
}
}
]
}
Trust relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "malware-protection-plan.guardduty.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Next, create an IAM role.
The entity type should be a custom trust policy and paste the copied trust relationship.
Policies are added as inline policies after creating a role.
Enter a role name and create the role.
In the inline policy permissions, paste the policy that you copied.
Enter a policy name and create the policy.
Return to the Enable S3 Malware Protection setting, select the IAM role you created, and click "Enable."
S3 Malware Protection has been enabled.
You can monitor the scan status.
The IAM policy had permissions to S3 and EventBridge.
So I checked EventBridge and found that a rule called "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3-" had been created.
Looking at the event pattern and target, it appeared that when an object is created in the S3 bucket, guardduty-malware-protection-plan is launched and a scan is performed.
Detecting malware
Upload the eicar file to S3 bucket.
By the way, when S3 Malware Protection is enabled, a test file called "malware-protection-resource-validation-object" is automatically created.
When watching the monitoring, you can see that it is being scanned and determined to be infected.
The eicar file is tagged with "GuardDutyMalwareScanStatus: THREATS_FOUND", indicating that a potential threat has been detected.
By the way, if you look at the tag of the test file "malware-protection-resource-validation-object" created during activation, you will see that it is tagged with "GuardDutyMalwareScanStatus: NO_THREATS_FOUND", which indicates that it was not determined to be a potential threat.
Checking the detection results
Now let's look at the detection results.
Looking at the "Detection Results" in GuardDuty, you can see that the detection result type is "Object:S3/MaliciousFile" with a severity of "High".
If you look at the details, you can see the reason for the detection and information about the object.
Protect against malware
After scanning, objects are tagged, so you can implement tag-based access control (TBAC) in your bucket policies to isolate malware from the resources it accesses.
Using tag-based access control (TBAC) with Malware Protection for S3 - Amazon GuardDuty
There is an example policy, so set it in the S3 bucket policy.
It denies access to any objects other than those with the tag "GuardDutyMalwareScanStatus": "NO_THREATS_FOUND".
Tag-Based Access Control (TBAC) Bucket Policy Examples
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NoReadExceptForClean",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::555555555555:root",
"arn:aws:iam::555555555555:role/IAM-role-ARN",
"arn:aws:iam::555555555555:assumed-role/role-ARN/GuardDutyMalwareProtection"
]
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
],
"Condition": {
"StringNotEquals": {
"s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND"
}
}
},
{
"Sid": "OnlyGuardDutyCanTag",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::555555555555:root",
"arn:aws:iam::555555555555:role/IAM-role-ARN",
"arn:aws:iam::555555555555:assumed-role/role-ARN/GuardDutyMalwareProtection"
]
},
"Action": "s3:PutObjectTagging",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
]
}
]
}
As a test, upload a harmless file to your S3 bucket.
The result was "GuardDutyMalwareScanStatus: NO_THREATS_FOUND".
When I tried copying it locally using AWS CloudShell, only the eicar file was blocked.
$ aws s3 cp s3://test-s3mal-bucket/test.txt ./
download: s3://test-s3mal-bucket/test.txt to ./test.txt
$ aws s3 cp s3://test-s3mal-bucket/eicar.com ./
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
Summary
I tried Amazon GuardDuty Malware Protection for Amazon S3.
I'm glad that we can easily implement the isolation mechanism, not just detection.
As a use case, I think it will be effective in applications where an unspecified number of users can upload files to an S3 bucket.
On the other hand, there seems to be no need to force it on S3 buckets that are used internally for log storage and do not have room for uploads from an unspecified number of users.
Use it according to your needs.
You can freely customize tagging and EventBridge, so you can send notification emails to operators or isolate them in other buckets.
It's a good idea to design it flexibly according to your requirements.
The scope of use of GuardDuty is expanding, so let's try it out.
Top comments (0)