At the latest re:Inforce cloud security conference, AWS announced GuardDuty Malware Protection for Amazon S3. This new malware scanning feature for Amazon S3 enables teams to detect malware in new object uploads using Amazon GuardDuty.
The new feature allows developers to scan newly uploaded objects to Amazon S3 buckets for potential malware, viruses, and other suspicious content, and take immediate action to isolate them before they are ingested into further processing. Channy Yun, principal developer advocate at AWS, writes:
Amazon GuardDuty Malware Protection uses multiple AWS developed and industry-leading third-party malware scanning engines to provide malware detection without degrading the scale, latency, and resiliency profile of Amazon S3.
Malware detection on S3 also gives application owners more control over the security of their organization’s buckets. According to the documentation, it is possible to enable GuardDuty Malware Protection for S3 even if core GuardDuty is not enabled in the account. Corey Quinn, chief cloud economist at The Duckbill Group, comments:
This was a great idea when Airbnb built BinaryAlert seven years ago or more. What took AWS so long? Further, what happens when the malware signatures change--does every object get rescanned (at 60¢ per GB)?
BinaryAlert is a serverless, open-source, real-time framework managed by Terraform for detecting malicious files. In a popular Reddit thread, user atccodex comments:
Finally!!!! And now to retire my custom solution if this works well!
The new feature supports objects up to 5 GB in size, including archive files up to five levels deep with 1,000 files per level after decompression, and supports object tagging. After scanning a newly uploaded object, GuardDuty can add a tag, GuardDutyMalwareScanStatus, whose value is the scan status: NO_THREATS_FOUND, THREATS_FOUND, UNSUPPORTED, ACCESS_DENIED, or FAILED. Furthermore, malicious objects can be moved to a quarantine bucket, and all S3 malware findings can be viewed in the AWS Management Console.
Source: AWS blog
Scan results are published automatically to Amazon EventBridge, allowing customers to build downstream workflows or define bucket policies that prevent further access to objects tagged as malicious. While the new feature does not require GuardDuty to be enabled for the AWS account, Yun adds:
However, if you enable GuardDuty in your account, you can use the full monitoring of foundational sources, such as AWS CloudTrail management events, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, and DNS query logs, as well as malware protection features. You can also have security findings sent to AWS Security Hub and Amazon Detective for further investigation.
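The two enforcement mechanisms mentioned above, a bucket policy keyed on the GuardDutyMalwareScanStatus tag and an EventBridge-driven quarantine step, as an added example that is not AWS's code or part of the original article. The s3:ExistingObjectTag/<key> and aws:PrincipalArn condition keys are real IAM condition keys; the EventBridge event layout (detail-type and the s3ObjectDetails / scanResultDetails fields) is an assumption modelled on the GuardDuty scan-result event, the sample event is constructed, and the S3 client is injected so that the example runs offline.

```python
"""Added example (not AWS's code): enforce the GuardDutyMalwareScanStatus tag.

Part 1 builds a bucket policy that denies reads of objects GuardDuty tagged as
malicious. Part 2 is an EventBridge handler that moves THREATS_FOUND objects
into a quarantine bucket. Event shape is an assumption; S3 client is injected.
"""
import json

TAG_KEY = "GuardDutyMalwareScanStatus"
CLEAN = "NO_THREATS_FOUND"
MALICIOUS = "THREATS_FOUND"
# Assumed detail-type of the scan-result event (not taken from the article).
SCAN_RESULT_DETAIL_TYPE = "GuardDuty Malware Protection Object Scan Result"


def build_deny_policy(bucket, strict=False, exempt_principal_arns=()):
    """Return a bucket policy document as a dict.

    Default: deny GetObject on objects whose tag value is THREATS_FOUND.
    strict=True: deny every object NOT tagged NO_THREATS_FOUND, so unscanned,
    FAILED, UNSUPPORTED and ACCESS_DENIED objects are blocked too. IAM's
    StringNotEquals matches when the tag is absent, which is what makes
    unscanned objects unreadable. Because GuardDuty reads the object before it
    applies the tag, strict mode needs the scanner's role ARN (an assumption
    you must supply) in exempt_principal_arns.
    """
    cond_key = f"s3:ExistingObjectTag/{TAG_KEY}"
    if strict:
        condition = {"StringNotEquals": {cond_key: CLEAN}}
        if exempt_principal_arns:
            # Conditions in one statement are ANDed: deny only when the tag is
            # not clean AND the caller is not one of the exempt principals.
            condition["ArnNotEquals"] = {"aws:PrincipalArn": list(exempt_principal_arns)}
    else:
        condition = {"StringEquals": {cond_key: MALICIOUS}}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadOfMalwareTaggedObjects",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": condition,
        }],
    }


def handle_scan_event(event, s3, quarantine_bucket):
    """EventBridge target: copy THREATS_FOUND objects to quarantine, then delete
    the original. Returns a short string describing the action taken."""
    if event.get("detail-type") != SCAN_RESULT_DETAIL_TYPE:
        return "ignored"
    detail = event["detail"]
    status = detail["scanResultDetails"]["scanResultStatus"]
    obj = detail["s3ObjectDetails"]
    if status != MALICIOUS:
        return f"clean:{status}"
    src = {"Bucket": obj["bucketName"], "Key": obj["objectKey"]}
    if obj.get("versionId"):
        src["VersionId"] = obj["versionId"]  # quarantine the exact version scanned
    dest_key = f"{obj['bucketName']}/{obj['objectKey']}"  # keep origin in the key
    # TaggingDirective="COPY" keeps the THREATS_FOUND tag on the quarantined copy.
    s3.copy_object(Bucket=quarantine_bucket, Key=dest_key, CopySource=src,
                   TaggingDirective="COPY")
    s3.delete_object(**src)
    return f"quarantined:{dest_key}"


class RecordingS3:
    """Offline stand-in for a boto3 S3 client that only records the calls made."""

    def __init__(self):
        self.calls = []

    def copy_object(self, **kw):
        self.calls.append(("copy_object", kw))

    def delete_object(self, **kw):
        self.calls.append(("delete_object", kw))


# Constructed sample event: shape is an assumption, all values are made up.
SAMPLE_EVENT = {
    "detail-type": SCAN_RESULT_DETAIL_TYPE,
    "detail": {
        "s3ObjectDetails": {"bucketName": "uploads-bucket",
                            "objectKey": "incoming/report.pdf",
                            "versionId": "v1"},
        "scanResultDetails": {"scanResultStatus": MALICIOUS},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_deny_policy("uploads-bucket"), indent=2))
    client = RecordingS3()
    print(handle_scan_event(SAMPLE_EVENT, client, "quarantine-bucket"))
    print(client.calls)
```

With a real boto3 client the policy would be applied with `s3.put_bucket_policy(Bucket=..., Policy=json.dumps(policy))` and the handler wired as a Lambda target of an EventBridge rule matching the scan-result detail-type. The default policy only blocks objects explicitly tagged THREATS_FOUND, which leaves FAILED, UNSUPPORTED and untagged objects readable; strict mode closes that window at the cost of having to exempt the scanner principal.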
GuardDuty Malware Protection for Amazon S3 is available in all regions where GuardDuty is offered. The new feature includes a limited Free Tier (1,000 requests and 1 GB each month, up to a maximum of 12 months) and then charges based on usage.