DEV Community

Cover image for Amazon GuardDuty Malware Protection for Amazon S3 is now generally available at re:Inforce 2024
Yuji Oshima for AWS Community Builders

Posted on • Originally published at yuj1osm.hatenablog.com

Amazon GuardDuty Malware Protection for Amazon S3 is now generally available at re:Inforce 2024

Amazon GuardDuty Malware Protection for Amazon S3 was released at AWS re:Inforce 2024, so I immediately checked it out.

Detect malware in new object uploads to Amazon S3 with Amazon GuardDuty - AWS

Introducing Amazon GuardDuty Malware Protection for Amazon S3 | AWS News Blog

Update Overview

  • The GuardDuty Malware Protection extension detects the upload of malicious files to the selected S3 bucket
  • If GuardDuty is not enabled, you can enable only the GuardDuty Malware Protection for Amazon S3 feature
  • The scanned object is tagged with GuardDutyMalwareScanStatus, and the tag value indicates whether it was determined to be a threat

The tag values ​​are as follows

  • NO_THREATS_FOUND: No potential threats were detected
  • THREATS_FOUND: Potential threats were detected
  • UNSUPPORTED: Scanning of the object is not supported
  • ACCESS_DENIED: The object cannot be accessed
  • FAILED: Malware scanning cannot be performed

More details about tags are also available in the following documentation

Monitoring S3 object scan status - Amazon GuardDuty

  • Pricing is based on the size and number of objects. Prices are as follows:
  • $0.79/GB per month for file size
  • $0.282/1k per month for number of files

Intelligent Threat Detection – Amazon GuardDuty Pricing – AWS

Enable Malware Protection for Amazon S3

Click "Enable Malware Protection for S3" from "Malware Protection for S3" in GuardDuty.

Image description

Select "All objects in S3 bucket" as the S3 bucket to scan, and "Tag objects" as the tagging.
Create an IAM role for the Malware Protection for Amazon S3 feature.
Click "View Permissions".

Image description

The policies required for the IAM role will be displayed, so copy them.

Image description

For reference, the policies and trust relationships are as follows:

Policy



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:DeleteRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:events:ap-northeast-1:3<accountID>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
      ],
      "Condition": {
        "StringLike": {
          "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListTargetsByRule"
      ],
      "Resource": [
        "arn:aws:events:ap-northeast-1:<accountID>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
      ]
    },
    {
      "Sid": "AllowPostScanTag",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging",
        "s3:GetObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket/*"
      ]
    },
    {
      "Sid": "AllowEnableS3EventBridgeEvents",
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket"
      ]
    },
    {
      "Sid": "AllowPutValidationObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket/malware-protection-resource-validation-object"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket"
      ]
    },
    {
      "Sid": "AllowMalwareScan",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket/*"
      ]
    },
    {
      "Sid": "AllowDecryptForMalwareScan",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:ap-northeast-1:<accountID>:key/<key_id>",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.*.amazonaws.com"
        }
      }
    }
  ]
}


Enter fullscreen mode Exit fullscreen mode

Trust relationship



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "malware-protection-plan.guardduty.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


Enter fullscreen mode Exit fullscreen mode

Next, create an IAM role.

The entity type should be a custom trust policy and paste the copied trust relationship.

Image description

Policies are added as inline policies after creating a role.
Enter a role name and create the role.

Image description

In the inline policy permissions, paste the policy that you copied.

Image description

Enter a policy name and create the policy.

Image description

Return to the Enable S3 Malware Protection setting, select the IAM role you created, and click "Enable."

Image description

S3 Malware Protection has been enabled.

Image description

You can monitor the scan status.

Image description

The IAM policy had permissions to S3 and EventBridge.
So I checked EventBridge and found that a rule called "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3-" had been created.
Looking at the event pattern and target, it appeared that when an object is created in the S3 bucket, guardduty-malware-protection-plan is launched and a scan is performed.

Image description

Image description

Detecting malware

Upload the eicar file to S3 bucket.

By the way, when S3 Malware Protection is enabled, a test file called "malware-protection-resource-validation-object" is automatically created.

Image description

When watching the monitoring, you can see that it is being scanned and determined to be infected.

Image description

The eicar file is tagged with "GuardDutyMalwareScanStatus: THREATS_FOUND", indicating that a potential threat has been detected.

Image description

By the way, if you look at the tag of the test file "malware-protection-resource-validation-object" created during activation, you will see that it is tagged with "GuardDutyMalwareScanStatus: NO_THREATS_FOUND", which indicates that it was not determined to be a potential threat.

Image description

Checking the detection results

Now let's look at the detection results.
Looking at the "Detection Results" in GuardDuty, you can see that the detection result type is "Object:S3/MaliciousFile" with a severity of "High".

Image description

If you look at the details, you can see the reason for the detection and information about the object.

Image description

Protect against malware

After scanning, objects are tagged, so you can implement tag-based access control (TBAC) in your bucket policies to isolate malware from the resources it accesses.

Using tag-based access control (TBAC) with Malware Protection for S3 - Amazon GuardDuty

There is an example policy, so set it in the S3 bucket policy.

Image description

It denies access to any objects other than those with the tag "GuardDutyMalwareScanStatus": "NO_THREATS_FOUND".

Tag-Based Access Control (TBAC) Bucket Policy Examples



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NoReadExceptForClean",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::555555555555:root",
                    "arn:aws:iam::555555555555:role/IAM-role-ARN",
                    "arn:aws:iam::555555555555:assumed-role/role-ARN/GuardDutyMalwareProtection"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND"
                }
            }
        },
        {
            "Sid": "OnlyGuardDutyCanTag",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::555555555555:root",
                    "arn:aws:iam::555555555555:role/IAM-role-ARN",
                    "arn:aws:iam::555555555555:assumed-role/role-ARN/GuardDutyMalwareProtection"
                ]
            },
            "Action": "s3:PutObjectTagging",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}


Enter fullscreen mode Exit fullscreen mode

As a test, upload a harmless file to your S3 bucket.

Image description

Image description

The result was "GuardDutyMalwareScanStatus: NO_THREATS_FOUND".

Image description

When I tried copying it locally using AWS CloudShell, only the eicar file was blocked.



$ aws s3 cp s3://test-s3mal-bucket/test.txt ./
download: s3://test-s3mal-bucket/test.txt to ./test.txt

$ aws s3 cp s3://test-s3mal-bucket/eicar.com ./
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

Enter fullscreen mode Exit fullscreen mode




Summary

I tried Amazon GuardDuty Malware Protection for Amazon S3.

I'm glad that we can easily implement the isolation mechanism, not just detection.

As a use case, I think it will be effective in applications where an unspecified number of users can upload files to an S3 bucket.

On the other hand, there seems to be no need to force it on S3 buckets that are used internally for log storage and do not have room for uploads from an unspecified number of users.
Use it according to your needs.

You can freely customize tagging and EventBridge, so you can send notification emails to operators or isolate them in other buckets.
It's a good idea to design it flexibly according to your requirements.

The scope of use of GuardDuty is expanding, so let's try it out.

Top comments (0)