

# GuardDuty Malware Protection for AWS Backup
<a name="malware-protection-backup"></a>

**Topics**
+ [Overview](#malware-protection-backup-overview)
+ [How does Malware Protection for Backup work?](malware-protection-backup-how-it-works.md)
+ [GuardDuty Malware Protection for Backup: IAM Role Permissions](malware-protection-backup-iam-permissions.md)
+ [**(Optional) Get started with Malware Protection for Backup Independently (console only)**](malware-protection-backup-get-started-independent.md)
+ [Starting an On-Demand Scan for Malware Protection for Backup](malware-protection-backup-start-on-demand-scan.md)
+ [Monitoring scan statuses and results in Malware Protection for Backup](monitoring-malware-protection-backup-scans.md)
+ [Quotas for Malware Protection for Backup](malware-protection-backup-quotas.md)

## Overview
<a name="malware-protection-backup-overview"></a>

Malware Protection for Backup helps you detect the potential presence of malware in your backup data by scanning AWS Backup–protected resources such as Amazon EBS snapshots, Amazon EC2 AMIs, and Amazon S3 Recovery Points. When AWS Backup creates or updates a protected backup resource, GuardDuty can perform a malware scan on that backup to help identify potentially malicious content before it is restored into your environment.

**How you can use Malware Protection for Backup**

You can use this feature in two modes, depending on whether GuardDuty is enabled in your account:

1. Using Malware Protection for Backup with GuardDuty enabled

   When GuardDuty is enabled in a Region, AWS Backup integrates Malware Protection with the GuardDuty findings workflow. Malware scan results appear in GuardDuty findings in addition to Amazon EventBridge and Amazon CloudWatch.

1. Using Malware Protection for Backup without enabling GuardDuty

   You can use Malware Protection for Backup independently, without enabling the full GuardDuty service. In this mode, scan results remain fully available through EventBridge and CloudWatch.

**Considerations for using Malware Protection for Backup independently**

When using the feature without enabling GuardDuty:
+ Backup plan configuration is managed entirely in AWS Backup.

  GuardDuty does not provide controls for selecting backup plans, vaults, or resource types. All enablement, scheduling, and policy configuration remain in AWS Backup.
+ GuardDuty findings are not generated.

  Findings require a detector ID, which is created only when GuardDuty is enabled. When using Malware Protection independently, scan results are surfaced exclusively through EventBridge events and CloudWatch metrics.
+ You can still initiate on-demand scans from the GuardDuty console.

  Even when GuardDuty is not enabled, the GuardDuty console provides a workflow to start an on-demand malware scan for supported backup resource types. This allows customers to use a familiar GuardDuty interface without requiring the full GuardDuty service.
+ Non-GuardDuty customers can access scan initiation workflows.

  The on-demand scan entry points are available to all customers using Malware Protection for Backup, regardless of whether a GuardDuty detector exists in the account.
+ Scan behavior and coverage remain identical.

  Whether GuardDuty is enabled or not, the feature scans the same AWS Backup resource types with the same malware detection engine. The only difference is where results are published.

This model allows customers to adopt malware scanning for backups without requiring GuardDuty’s broader threat-detection features, while still providing an optional GuardDuty-based workflow for initiating and viewing scan operations.

**How Malware Protection for Backup works**

Malware Protection for Backup can scan the following AWS Backup–protected resources:
+ Amazon EBS snapshots
+ Amazon EC2 AMIs
+ Amazon S3 Recovery Points
+ Locked (immutable) vaults (EBS/EC2 Recovery Points) using AWS Backup Vault Lock in [supported regions](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-feature-availability.html#features-by-region)

*Incremental Scanning*

AWS Backup captures incremental changes for many resource types. GuardDuty can scan only the new or changed blocks or objects when a backup is created or updated, improving performance and reducing scanning overhead while achieving full coverage over time.

*On-demand scanning*

You can initiate a scan on any supported backup resource at any time, directly from either AWS Backup or the GuardDuty console. Common use cases include verifying a backup before restore, rechecking older data after new threat signatures are published, or performing periodic compliance scans.

**Note**  
Malware Protection for Backup can be enabled only for backup resources in the same Region.
GuardDuty scans a read-only copy of the backup; it does not modify backup content.
Scanning works for both standard vaults and locked (immutable) vaults.

# How does Malware Protection for Backup work?
<a name="malware-protection-backup-how-it-works"></a>

This section describes components of Malware Protection for Backup, how it works, and how you can review the malware scan status and result.

## Overview
<a name="malware-protection-backup-overview"></a>

Malware Protection for Backup is a feature that helps you detect the presence of malware on EBS snapshots, EC2 images (AMIs), and Recovery Points belonging to EBS, EC2, and S3 resource types. You can start an on-demand malware scan either through the GuardDuty console or the API by passing in an IAM role that provides the permissions required for the scan, along with one or two resource ARNs depending on the scan category. There are two scan categories: full scans and incremental scans.

### Full scan and Incremental scan
<a name="malware-protection-backup-scan-types"></a>

A full scan is where the API accepts a single resource ARN and scans all the files within that resource. An incremental scan, on the other hand, takes two resource ARNs, both belonging to the same resource, and scans only the files that changed between them. As an example, assume we take a snapshot of an EBS volume and call it *snapshot-1*. If a full scan is run on this snapshot, GuardDuty scans all the files contained within it. Now assume that a few files are added to the same volume and a new snapshot, *snapshot-2*, is taken. Since only a few files changed between *snapshot-1* and *snapshot-2*, you can trigger an incremental scan with these two snapshots' resource ARNs. In this case *snapshot-2* is referred to as the `target` resource and *snapshot-1* as the `base` resource; this terminology is used in the rest of the document. The incremental scan scans only the files that changed between *snapshot-1* and *snapshot-2*.

### Rescanning Previously Infected Files in an Incremental Scan
<a name="malware-protection-backup-rescanning-infected-files"></a>

As part of an incremental scan, GuardDuty will also rescan the previously infected files from the base scan for up to 365 days.

### Requirements for an Incremental Scan
<a name="malware-protection-backup-incremental-requirements"></a>

The following requirements must be met for GuardDuty to perform an incremental scan. If any of these requirements are not met, GuardDuty will skip the scan.
+ Base resource must be scanned within the last 365 days and the scan result must be in `COMPLETED` or `COMPLETED_WITH_ISSUES`.
+ Base resource must have a creation date that is earlier than that of the target resource.
+ The base and target resources must have the same encryption type in case of snapshots.
+ The base and target resources must be from the same lineage.
  + For an EBS snapshot and EBS recovery point, this means that they either come from the same volume, or copies of the same volume, without any change in the encryption type.
  + For an S3 Recovery Point, the base and target resource ARNs must be created from the same underlying S3 bucket.
  + In the case of AMIs, pairs of snapshots are compared between the base and target AMI to identify snapshots for an incremental scan. Each pair of snapshots needs to meet the conditions above. Any snapshot within the target AMI that does not have a corresponding matching snapshot in the base AMI will be skipped.
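The following Python script is an added example (not part of this guide or of the GuardDuty service) that applies these requirements locally before you submit an incremental scan, so that a base/target pair that would only be skipped is caught in advance. The `BackupResource` fields, the encryption labels, and the mapping of each requirement to a skip reason from the scan-skipped table later in this guide are this example's assumptions; the sample snapshots are constructed. It also pairs the snapshots of two AMIs by lineage, as the last requirement describes.

```python
"""Pre-flight check for a Malware Protection for Backup incremental scan.

Added example, not AWS code. It applies the incremental-scan requirements
listed in this guide to resource metadata you have already collected (the
sample below is constructed) and returns the documented skip reason for the
first unmet requirement, or None when the pair is worth submitting. Which
requirement maps to which skip reason is this example's reading of the
scan-skipped table later in this guide; the BackupResource field names are
assumptions, not GuardDuty API fields.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

COMPLETED_STATUSES = {"COMPLETED", "COMPLETED_WITH_ISSUES"}
BASE_SCAN_MAX_AGE = timedelta(days=365)   # the base scan must be younger than this


@dataclass
class BackupResource:
    arn: str
    created_at: datetime
    encryption: str                 # "UNENCRYPTED", "CMK" or "AWS_MANAGED" (assumed labels)
    lineage_id: str                 # source volume, or bucket, the resource came from
    last_scan_status: Optional[str] = None
    last_scan_time: Optional[datetime] = None


def incremental_scan_skip_reason(base: BackupResource, target: BackupResource,
                                 now: datetime) -> Optional[str]:
    """Return the skip reason GuardDuty would report, or None if all checks pass."""
    # 1. Base must have a COMPLETED / COMPLETED_WITH_ISSUES scan within 365 days.
    if (base.last_scan_status not in COMPLETED_STATUSES
            or base.last_scan_time is None
            or now - base.last_scan_time > BASE_SCAN_MAX_AGE):
        return "BASE_RESOURCE_NOT_SCANNED"
    # 2. Base must have been created before the target.
    if base.created_at >= target.created_at:
        return "BASE_CREATED_AFTER_TARGET"
    # 3. Same lineage and, for snapshots, the same encryption type.
    if base.lineage_id != target.lineage_id or base.encryption != target.encryption:
        return "UNRELATED_RESOURCES"
    return None


def pair_ami_snapshots(base_snaps, target_snaps):
    """Pair each target-AMI snapshot with the base-AMI snapshot of the same lineage.

    Returns (pairs, unmatched). Each pair still has to pass
    incremental_scan_skip_reason on its own; unmatched target snapshots have
    no counterpart in the base AMI and are skipped, as the guide describes.
    """
    by_lineage = {s.lineage_id: s for s in base_snaps}
    pairs, unmatched = [], []
    for target in target_snaps:
        base = by_lineage.get(target.lineage_id)
        if base is None:
            unmatched.append(target)
        else:
            pairs.append((base, target))
    return pairs, unmatched


# Constructed sample: snapshot-1 was scanned clean a week ago, snapshot-2 is new.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SNAPSHOT_1 = BackupResource(
    arn="arn:aws:ec2:us-east-1::snapshot/snap-11112222333344",
    created_at=NOW - timedelta(days=8), encryption="CMK", lineage_id="vol-0aaa",
    last_scan_status="COMPLETED", last_scan_time=NOW - timedelta(days=7))
SNAPSHOT_2 = BackupResource(
    arn="arn:aws:ec2:us-east-1::snapshot/snap-55556666777788",
    created_at=NOW, encryption="CMK", lineage_id="vol-0aaa")

if __name__ == "__main__":
    reason = incremental_scan_skip_reason(SNAPSHOT_1, SNAPSHOT_2, NOW)
    print("skip reason:", reason or "none, submit the incremental scan")
```

Running the check with the two snapshots swapped returns `BASE_RESOURCE_NOT_SCANNED`, because the newer snapshot has never been scanned; that is the most common reason an incremental request is skipped after a base resource has been copied or re-created.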

### Re-scanning previously scanned backup Resources
<a name="malware-protection-backup-rescanning-resources"></a>

You can start a new on-demand malware scan on the same resource 10 minutes after the start time of the previous malware scan. If a new malware scan is requested within 10 minutes of the previous scan being initiated, the request fails with an error and no scan ID is generated. The steps to re-scan a resource are the same as for starting an on-demand malware scan for the first time.

## IAM Role Required for Scanning
<a name="malware-protection-backup-iam-role-required"></a>

You need to pass in an IAM role in order to start a full or incremental scan. This role provides the permissions required for performing the scan operations. [GuardDuty Malware Protection for Backup: IAM Role Permissions](malware-protection-backup-iam-permissions.md) provides the exact list of permissions required, along with the relevant trust policy that is needed to perform the scan.

## Reviewing Resource scan status and result
<a name="malware-protection-backup-reviewing-scan-status"></a>

GuardDuty publishes the scan result event to the Amazon EventBridge default event bus. GuardDuty uses at-least-once delivery, which means you might receive multiple scan results for the same object. We recommend designing your applications to handle duplicate results. You're billed only once for each scanned object.
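The following Python handler is an added example (not from this guide or from AWS) of a consumer that tolerates the at-least-once delivery described above: it keys on scan ID and status, so a redelivered result takes no second action, and routes threats, skips and failures to different follow-ups. The event `detail` field names (`scanId`, `scanStatus`, `scanResultDetails`, `skipReason`, `resourceArn`) are assumed for illustration rather than taken from the documented event schema; the sample events are constructed.

```python
"""Idempotent handler for Malware Protection for Backup scan-result events.

Added example, not AWS code. GuardDuty publishes scan results to the default
EventBridge bus with at-least-once delivery, so the same result can arrive
more than once; this handler keys on (scanId, scanStatus) and takes a side
effect only the first time a given result is seen. The event `detail` field
names below are assumptions for illustration, not the documented event
schema; map them to the fields in your actual events. The sample events
are constructed.
"""

# Constructed delivery: the first result is delivered twice, then a clean
# result and a skipped scan.
SAMPLE_EVENTS = [
    {"detail-type": "Malware Scan Result", "detail": {
        "scanId": "scan-0001", "scanStatus": "COMPLETED",
        "resourceArn": "arn:aws:ec2:us-east-1::snapshot/snap-11112222333344",
        "scanResultDetails": {"scanResultStatus": "THREATS_FOUND"}}},
    {"detail-type": "Malware Scan Result", "detail": {
        "scanId": "scan-0001", "scanStatus": "COMPLETED",
        "resourceArn": "arn:aws:ec2:us-east-1::snapshot/snap-11112222333344",
        "scanResultDetails": {"scanResultStatus": "THREATS_FOUND"}}},
    {"detail-type": "Malware Scan Result", "detail": {
        "scanId": "scan-0002", "scanStatus": "COMPLETED",
        "resourceArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:EXAMPLE-RP",
        "scanResultDetails": {"scanResultStatus": "NO_THREATS_FOUND"}}},
    {"detail-type": "Malware Scan Result", "detail": {
        "scanId": "scan-0003", "scanStatus": "SKIPPED",
        "resourceArn": "arn:aws:ec2:us-east-1::image/ami-0123456789abcdef0",
        "skipReason": "ACCESS_DENIED"}},
]

FINISHED = {"COMPLETED", "COMPLETED_WITH_ISSUES"}


class ScanResultHandler:
    def __init__(self):
        # Processed (scanId, scanStatus) keys. In production keep this in a
        # durable store (for example a conditional write to a table) so a
        # retried invocation does not repeat the side effect.
        self.processed = set()
        self.actions = []   # side effects taken, recorded for inspection

    def handle(self, event: dict) -> str:
        detail = event["detail"]
        key = (detail["scanId"], detail["scanStatus"])
        if key in self.processed:
            return "duplicate"          # at-least-once redelivery: do nothing
        self.processed.add(key)

        status = detail["scanStatus"]
        result = detail.get("scanResultDetails", {}).get("scanResultStatus")
        if status in FINISHED and result == "THREATS_FOUND":
            # Hold the restore and notify the responder; the backup itself is untouched.
            self.actions.append(("hold-restore", detail["resourceArn"]))
            return "threats-found"
        if status == "SKIPPED":
            # A skipped scan is a coverage gap, not a clean result.
            self.actions.append(("review-skip", detail.get("skipReason")))
            return "skipped"
        if status == "FAILED":
            self.actions.append(("review-failure", detail["resourceArn"]))
            return "failed"
        if status in FINISHED and result == "NO_THREATS_FOUND":
            return "clean"
        return "ignored"   # RUNNING or anything unexpected


def process(events) -> list:
    """Run every event through one handler and return the outcome per event."""
    handler = ScanResultHandler()
    return [handler.handle(e) for e in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, process(SAMPLE_EVENTS)):
        print(event["detail"]["scanId"], "->", outcome)
```

Keying on scan ID plus status, rather than scan ID alone, keeps an earlier `RUNNING` notification for a scan from suppressing its final result, while still collapsing repeat deliveries of the same result.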

For more information, see [Monitoring scan statuses and results in Malware Protection for Backup](monitoring-malware-protection-backup-scans.md).

## Reviewing generated findings
<a name="malware-protection-backup-reviewing-findings"></a>

Reviewing the findings depends on whether or not you are using Malware Protection for Backup with GuardDuty. Consider the following scenarios:

**Using Malware Protection for Backup when you have GuardDuty service enabled (detector ID)**

If the malware scan detects a potentially malicious file in a scanned Backup resource, GuardDuty will generate an associated finding. You can view the finding details and use the recommended steps to potentially remediate the finding. Based on your [Export findings frequency](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-frequency), the generated finding gets exported to an S3 bucket and Amazon EventBridge event bus.

For information about the finding type that would get generated, see [Malware Protection for Backup finding types](findings-malware-protection-backup.md).

**Using Malware Protection for Backup as an independent feature (no detector ID)**

GuardDuty will not be able to generate findings because there is no associated detector ID. To know the scan status for your backup resource, you can view the scan result that GuardDuty automatically publishes to your default event bus.

For information about the scan status and result, see [Monitoring scan statuses and results in Malware Protection for Backup](monitoring-malware-protection-backup-scans.md).

**Note**  
If you are also using Malware Protection for S3, there is a possibility that your S3 file was previously tagged as `NO_THREATS_FOUND` and yet the same file could show up in the list of threats for the Backup Recovery Point that object belongs to. This happens because the service frequently updates its malware signatures, which may have changed the status of the file. Note that in such cases GuardDuty does not go back and update the tag on the file in the original S3 bucket. The only way to get an updated tag applied on the file is by reuploading the object to the bucket or using the on-demand scan feature for S3.

# GuardDuty Malware Protection for Backup: IAM Role Permissions
<a name="malware-protection-backup-iam-permissions"></a>

## Customer role provided for malware scanning
<a name="malware-protection-backup-customer-role"></a>

GuardDuty Malware Protection expects a customer role (scanner role) to be provided when scans are initiated on Backup resources, namely snapshots, AMIs and EBS/EC2/S3 Recovery Points. This role provides the permissions required by GuardDuty to perform the scan on those specific resources. The permissions policy and the trust policy for this role can be found in [Permissions and trust policy for the role](#malware-protection-backup-permissions-trust-policy). The section below describes why each of these permissions is required.

## Details about the permissions
<a name="malware-protection-backup-permission-details"></a>
+ `ModifySnapshotAttribute` - Allows unencrypted and customer managed key encrypted snapshots to be accessed by the GuardDuty Malware Protection service account.
+ `CreateGrant` - Allows GuardDuty Malware Protection to create and access a Customer Managed Key encrypted EBS volume from the customer managed key encrypted snapshot that the GuardDuty service account is provided access to.
+ `RetireGrant` - Allows GuardDuty Malware Protection to retire the grants that were created on the Customer Managed Key for reading encrypted snapshots.
+ `ReEncryptTo` and `ReEncryptFrom` - Required by EBS to give GuardDuty access to snapshots that are encrypted with customer managed keys and create encrypted volumes from them. Although customers might consider ReEncryption of a snapshot during sharing as key transition, snapshots remain immutable from the customer perspective once created.
+ `ListSnapshotBlocks` and `GetSnapshotBlock` - EBS Direct APIs are used to access the snapshot blocks for an AWS Managed Key encrypted snapshot. This is done because AWS Managed Key encrypted snapshots cannot otherwise be accessed cross-account.
+ `Decrypt` - Allows decrypting base snapshots that are customer managed key encrypted when they are downloaded into memory using EBS Direct APIs as part of incremental scanning.
+ `ListChangedBlocks` - EBS Direct API used in incremental snapshot scanning to get the list of changed blocks between two snapshots.
+ `DescribeKey` - Allows GuardDuty Malware Protection to determine the keyId of the AWS managed key in the customer account.
+ `DescribeImages` - Allows an AMI to be described to obtain the list of snapshots belonging to the AMI.
+ `DescribeRecoveryPoint` - Allows the service to fetch the Recovery Point details and verify the resource type for the Recovery Point.
+ `CreateBackupAccessPoint`, `DescribeBackupAccessPoint`, `DeleteBackupAccessPoint` - Allows the service to create, describe, and delete the Access Point that is required for accessing Recovery Points.
+ `kms:Decrypt` - Allows the service to access objects in an S3 Recovery Point during an S3 Recovery Point scan.

## Securing the Role
<a name="malware-protection-backup-securing-role"></a>

The role must be configured with a trust policy that trusts the GuardDuty Malware Protection service principal. This ensures that no principal other than the GuardDuty service can assume this role. Further, you are encouraged to scope down the policies to specific resources instead of `*`, including snapshot IDs and key IDs. Doing this ensures that the role provides access only to those specific resources.

**Important**  
Incorrect configuration could result in scan failures due to insufficient permissions.
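The following Python script is an added example (not from this guide or from AWS) of checking a scanner role against the two recommendations above: it verifies that the trust policy admits only `malware-protection.guardduty.amazonaws.com`, lists the statements whose snapshot or key resource is still a wildcard, and produces a copy of the policy scoped to specific snapshot and key IDs. The permissions policy in it is a constructed subset of the policy shown in the next section, and the snapshot and key IDs passed to `scope_down` are placeholders.

```python
"""Audit and scope down the scanner role for Malware Protection for Backup.

Added example, not AWS code. It applies the two recommendations in this
guide to a role definition: the trust policy must name only the GuardDuty
Malware Protection service principal, and snapshot and KMS key resources
should be narrowed to the specific IDs a scan needs instead of "*". The
permissions policy here is a constructed subset of the policy shown in this
guide; the snapshot and key IDs passed to scope_down are placeholders.
"""
import copy

SERVICE_PRINCIPAL = "malware-protection.guardduty.amazonaws.com"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": SERVICE_PRINCIPAL},
                   "Action": "sts:AssumeRole"}],
}

# Subset of the guide's permissions policy. The ec2:Describe* statement keeps
# "*" because those actions do not support resource-level permissions.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock"],
         "Resource": "arn:aws:ec2:*::snapshot/*"},
        {"Sid": "ShareSnapshotPermission", "Effect": "Allow",
         "Action": ["ec2:ModifySnapshotAttribute"],
         "Resource": "arn:aws:ec2:*:*:snapshot/*"},
        {"Sid": "DescribeKeyPermission", "Effect": "Allow",
         "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeImages", "ec2:DescribeSnapshots"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return problems found; an empty list means only the GuardDuty service can assume the role."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            problems.append("trust policy allows a non-service principal")
            continue
        for service in _as_list(principal["Service"]):
            if service != SERVICE_PRINCIPAL:
                problems.append(f"unexpected service principal: {service}")
    return problems


def wildcard_resource_statements(policy: dict) -> list:
    """Sids (or positions) of statements whose snapshot or key resource is still a wildcard."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = _as_list(stmt.get("Resource", []))
        if any(r.endswith(("snapshot/*", "key/*")) for r in resources):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def scope_down(policy: dict, snapshot_ids, key_ids) -> dict:
    """Copy of the policy with snapshot/* and key/* replaced by the given IDs."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        new_resources = []
        for res in _as_list(stmt.get("Resource", [])):
            if res.endswith("snapshot/*"):
                new_resources += [res[:-1] + sid for sid in snapshot_ids]
            elif res.endswith("key/*"):
                new_resources += [res[:-1] + kid for kid in key_ids]
            else:
                new_resources.append(res)
        if new_resources:
            stmt["Resource"] = new_resources[0] if len(new_resources) == 1 else new_resources
    return scoped


if __name__ == "__main__":
    import json
    print("trust problems:", audit_trust_policy(TRUST_POLICY))
    print("wildcard statements:", wildcard_resource_statements(PERMISSIONS_POLICY))
    scoped = scope_down(PERMISSIONS_POLICY, ["snap-11112222333344"],
                        ["1234abcd-12ab-34cd-56ef-1234567890ab"])   # placeholder IDs
    print(json.dumps(scoped, indent=2))
```

For an incremental scan, pass both the base and the target snapshot IDs to `scope_down`; for an AMI, pass every snapshot the image references. A role scoped this tightly has to be updated for each new resource you scan, which is the trade-off the recommendation above accepts in return for the role not being usable against any other snapshot or key.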

## How GuardDuty Malware Protection uses grants in AWS KMS
<a name="malware-protection-backup-kms-grants"></a>

GuardDuty Malware Protection requires [grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your KMS keys.

When you start a scan on an encrypted snapshot or an EC2 AMI consisting of encrypted snapshots, GuardDuty Malware Protection creates grants on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. These grants give GuardDuty access to a specific key in your account.

GuardDuty Malware Protection requires the grant to use your customer managed key for the following internal operations:
+ Send [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) requests to AWS to fetch details about the symmetric customer managed key that the resource submitted for a malware scan is encrypted with.
+ Create an EBS volume from an encrypted snapshot using the [CreateVolume](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) API and encrypt the volume with the same key.
+ Access snapshot blocks on the snapshot through the [GetSnapshotBlock](https://docs.aws.amazon.com/ebs/latest/APIReference/API_GetSnapshotBlock.html) API during an incremental scan.
+ Send [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests to AWS KMS to decrypt the encrypted data keys so that they can be used to read the data on the snapshot during the scan.

You can revoke the created grant, or remove the service's access to the customer managed key at any time. If you do, GuardDuty won't be able to access any of the data encrypted by the customer managed key, which affects operations that are dependent on that data.

## GuardDuty Malware Protection Encryption Context
<a name="malware-protection-backup-encryption-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is an optional set of key-value pairs that contain additional contextual information about the data.

When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt the data, you include the same encryption context in the request.

GuardDuty Malware Protection uses one of two encryption contexts.

**Encryption Context 1:** Key is `aws:guardduty:id`.

```
"encryptionContext": {
    "aws:guardduty:id": "snap-11112222333344"
}
```

This encryption context is used with grant operations: CreateGrant, Decrypt, GenerateDataKeyWithoutPlaintext, ReEncryptTo, RetireGrant, DescribeKey.

One grant is created on the current resource with this encryption context and grant operations.

**Encryption Context 2:** Key is `aws:ebs:id`

```
"encryptionContext": {
    "aws:ebs:id": "snap-11112222333344"
}
```

This encryption context is used with grant operations: ReEncryptFrom, Decrypt, RetireGrant, DescribeKey.

Three grants are created with these encryption contexts and grant operations. One on the target snapshot with the `ReEncryptFrom` grant operation. A second one on the target snapshot with `Decrypt, RetireGrant, DescribeKey` operations. And a third one on the base snapshot with the same grant operations as the second grant.
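The following Python script is an added example (not from this guide or from AWS, and not the IAM policy engine) that replays the two `kms:CreateGrant` statements from the permissions policy in the next section against a proposed grant. It models only the three condition operators those statements use, which is enough to show why a grant with the other encryption-context key, a value that is not a snapshot ID, an operation outside the allowed set, or a calling service other than GuardDuty or AWS Backup is not permitted. The `grant_request` helper and its sample values are constructed.

```python
"""Check a proposed kms:CreateGrant request against the two CreateGrant
statements from the permissions policy in this guide.

Added example, not AWS code and not the IAM policy engine. It implements
only the three condition operators those statements use
(ForAnyValue:StringLike, ForAllValues:StringEquals, Bool) with enough
fidelity to show why a grant with the wrong encryption-context key, a value
that does not look like a snapshot ID, an extra grant operation, or the
wrong calling service is refused. The statements are copied from the
guide; the request helper and its sample values are constructed.
"""
from fnmatch import fnmatchcase
from typing import Optional

CREATE_GRANT_STATEMENTS = [
    {
        "Sid": "CreateGrantPermissions",
        "Condition": {
            "ForAnyValue:StringLike": {
                "kms:EncryptionContext:aws:guardduty:id": "snap-*",
                "kms:ViaService": ["guardduty.*.amazonaws.com", "backup.*.amazonaws.com"],
            },
            "ForAllValues:StringEquals": {
                "kms:GrantOperations": ["Decrypt", "CreateGrant", "GenerateDataKeyWithoutPlaintext",
                                        "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey"],
            },
            "Bool": {"kms:GrantIsForAWSResource": "true"},
        },
    },
    {
        "Sid": "CreateGrantPermissionsForReEncryptAndDirectAPIs",
        "Condition": {
            "ForAnyValue:StringLike": {
                "kms:EncryptionContext:aws:ebs:id": "snap-*",
                "kms:ViaService": ["guardduty.*.amazonaws.com", "backup.*.amazonaws.com"],
            },
            "ForAllValues:StringEquals": {
                "kms:GrantOperations": ["Decrypt", "ReEncryptTo", "ReEncryptFrom",
                                        "RetireGrant", "DescribeKey"],
            },
            "Bool": {"kms:GrantIsForAWSResource": "true"},
        },
    },
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, request: dict) -> bool:
    """request maps a condition key to the list of values present in the call.

    Every key in every operator block must match (the blocks are ANDed).
    """
    for operator, block in condition.items():
        for key, expected in block.items():
            expected = _as_list(expected)
            values = request.get(key, [])
            if operator == "ForAnyValue:StringLike":
                # some request value matches some pattern; a missing key fails
                if not any(fnmatchcase(v, p) for v in values for p in expected):
                    return False
            elif operator == "ForAllValues:StringEquals":
                # every request value must be in the allowed set; a missing key passes
                if not all(v in expected for v in values):
                    return False
            elif operator == "Bool":
                if [v.lower() for v in values] != [expected[0].lower()]:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def permitting_statement(request: dict) -> Optional[str]:
    """Sid of the first statement whose conditions the request satisfies, else None."""
    for stmt in CREATE_GRANT_STATEMENTS:
        if condition_matches(stmt["Condition"], request):
            return stmt["Sid"]
    return None


def grant_request(context_key: str, context_value: str, operations,
                  via_service: str = "guardduty.us-east-1.amazonaws.com") -> dict:
    """Condition-key view of a CreateGrant call (constructed shape for this example)."""
    return {
        f"kms:EncryptionContext:{context_key}": [context_value],
        "kms:ViaService": [via_service],
        "kms:GrantOperations": list(operations),
        "kms:GrantIsForAWSResource": ["true"],
    }


if __name__ == "__main__":
    # The single grant with encryption context 1 described in this guide.
    ctx1 = grant_request("aws:guardduty:id", "snap-11112222333344",
                         ["CreateGrant", "Decrypt", "GenerateDataKeyWithoutPlaintext",
                          "ReEncryptTo", "RetireGrant", "DescribeKey"])
    # The ReEncryptFrom grant on the target snapshot with encryption context 2.
    ctx2 = grant_request("aws:ebs:id", "snap-11112222333344", ["ReEncryptFrom"])
    # Context 2 does not permit GenerateDataKeyWithoutPlaintext.
    bad = grant_request("aws:ebs:id", "snap-11112222333344", ["GenerateDataKeyWithoutPlaintext"])
    for name, req in [("ctx1", ctx1), ("ctx2", ctx2), ("bad", bad)]:
        print(name, "->", permitting_statement(req))
```

The `kms:GrantIsForAWSResource` condition is what ties these grants to an AWS service acting on your behalf; the same request with that flag false is refused by both statements, which is why a direct caller holding this role cannot mint a grant for itself.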

## Permissions and trust policy for the role
<a name="malware-protection-backup-permissions-trust-policy"></a>

**Permissions Policy**

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:ListChangedBlocks",
                "ebs:GetSnapshotBlock"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "CreateGrantPermissions",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "kms:EncryptionContext:aws:guardduty:id": "snap-*",
                    "kms:ViaService": [
                        "guardduty.*.amazonaws.com",
                        "backup.*.amazonaws.com"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "kms:GrantOperations": [
                        "Decrypt",
                        "CreateGrant",
                        "GenerateDataKeyWithoutPlaintext",
                        "ReEncryptFrom",
                        "ReEncryptTo",
                        "RetireGrant",
                        "DescribeKey"
                    ]
                },
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "CreateGrantPermissionsForReEncryptAndDirectAPIs",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "kms:EncryptionContext:aws:ebs:id": "snap-*",
                    "kms:ViaService": [
                        "guardduty.*.amazonaws.com",
                        "backup.*.amazonaws.com"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "kms:GrantOperations": [
                        "Decrypt",
                        "ReEncryptTo",
                        "ReEncryptFrom",
                        "RetireGrant",
                        "DescribeKey"
                    ]
                },
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ShareSnapshotPermission",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute"
            ],
            "Resource": "arn:aws:ec2:*:*:snapshot/*"
        },
        {
            "Sid": "ShareSnapshotKMSPermission",
            "Effect": "Allow",
            "Action": [
                "kms:ReEncryptTo",
                "kms:ReEncryptFrom"
            ],
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "ec2.*.amazonaws.com"
                }
            }
        },
        {
            "Sid": "DescribeKeyPermission",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:*:*:key/*"
        },
        {
            "Sid": "DescribeRecoveryPointPermission",
            "Effect": "Allow",
            "Action": [
                "backup:DescribeRecoveryPoint"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateBackupAccessPointPermissions",
            "Effect" : "Allow",
            "Action" : [
                "backup:CreateBackupAccessPoint"  
            ],
            "Resource": "arn:aws:backup:*:*:recovery-point:*"
        },
        {
            "Sid": "ReadAndDeleteBackupAccessPointPermissions",
            "Effect" : "Allow",
            "Action" : [
                "backup:DescribeBackupAccessPoint",
                "backup:DeleteBackupAccessPoint"     
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSKeyPermissionsForInstantAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "backup.*.amazonaws.com"
                }
            }
        }
    ]
}
```

**Trust Policy**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "malware-protection.guardduty.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

# **(Optional) Get started with Malware Protection for Backup Independently (console only)**
<a name="malware-protection-backup-get-started-independent"></a>

Use this optional step when you want to get started with the Malware Protection for Backup threat detection option independently of the GuardDuty status in your AWS account.

If you also want to use other dedicated protection plans in GuardDuty, you must get started with the Amazon GuardDuty service. For information about GuardDuty protection plans, see [Features of GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html#features-of-guardduty).

## **Steps to get started with Malware Protection for Backup**
<a name="malware-protection-backup-steps-get-started-independent"></a>

1. Sign in to the AWS Management Console and open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. Select **Discover Malware Protection Features** and click on **Get Started**.

1. On clicking **Get Started**, you can choose between options including AWS Backup and S3 Malware Protection features.  
![\[alt text not found\]](http://docs.aws.amazon.com/guardduty/latest/ug/images/malware_protection_backup_new_feature_console.png)

1. You are taken to the Malware Protection for Backup page, where you can choose to **Start an on-demand scan** or **View malware scans**.  
![\[alt text not found\]](http://docs.aws.amazon.com/guardduty/latest/ug/images/malware_protection_backup_console.png)

# Starting an On-Demand Scan for Malware Protection for Backup
<a name="malware-protection-backup-start-on-demand-scan"></a>

## Console
<a name="malware-protection-backup-console-start-scan"></a>

1. Sign in to the AWS Management Console and open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. Navigate to **Malware Protection for Backup** and click on **Start on-demand scan**.

1. Choose between Full scan and Incremental scan.

   1. To start a full scan, enter the resource ARN of the resource to be scanned.

   1. For an incremental scan, enter the Target Resource ARN and the Baseline Resource ARN.

   1. If the resource being scanned is a Recovery Point, you also need to enter the name of the AWS Backup Vault it belongs to.

1. Service access: choose a role that has the permissions required to access the resource and perform the scan. Click **View Policy** to view the exact permissions needed for the role, along with the required trust policy.

You can make changes to the policy based on your requirements or scope down the permissions to the exact resource. For more details on how you can create or update an IAM role, see [GuardDuty Malware Protection for Backup: IAM Role Permissions](malware-protection-backup-iam-permissions.md).

For issues with IAM role permissions, see [Troubleshooting IAM role permissions error](https://docs.aws.amazon.com/guardduty/latest/ug/troubleshoot-malware-protection-s3-iam-role-permissions-error.html).

## API/CLI
<a name="malware-protection-backup-api-cli-start-scan"></a>

Invoke [StartMalwareScan](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StartMalwareScan.html), which accepts the `resourceArn` of the resource for which you want to start an on-demand malware scan. If you want to start an incremental scan, pass the `baselineResourceArn` in `incrementalScanDetails`. As part of the scan configuration, you also need to provide an IAM role that has all the permissions needed to run the scan. After you successfully start a scan, `StartMalwareScan` returns a `scanId`. Invoke the `GetMalwareScan` API with that `scanId` to monitor the progress of the scan and to get its details once it is done.

# Monitoring scan statuses and results in Malware Protection for Backup
<a name="monitoring-malware-protection-backup-scans"></a>

After a malware scan is initiated, GuardDuty provides a few mechanisms through which you may monitor the status and result of a scan. The following table provides some of the values associated with malware scans.


| Category | Potential values | 
| --- | --- | 
|  Scan status  |  `RUNNING`, `COMPLETED`, `COMPLETED_WITH_ISSUES`, `FAILED`, or `SKIPPED`  | 
|  Scan Category  |  `FULL_SCAN` or `INCREMENTAL_SCAN`  | 
|  Scan type  |  `GUARDDUTY_INITIATED`, `ON_DEMAND` or `BACKUP_INITIATED`  | 
|  Scan Result Status  |  `NO_THREATS_FOUND` or `THREATS_FOUND`  | 

Note that Scan Result Status may not be present if the scan was not completed. A Scan Result Status of `THREATS_FOUND` indicates that GuardDuty detected the presence of malware.

For S3 Recovery Points, `COMPLETED_WITH_ISSUES` indicates that some files were either skipped or failed. For AMIs, `COMPLETED_WITH_ISSUES` indicates that at least one snapshot could not be scanned. See the following table for the list of skip reasons.

Scans may also be skipped for various reasons. The following table explains the reasons why scans may be skipped:


| Scan Skipped Reason | Reason | 
| --- | --- | 
| `ACCESS_DENIED` | The customer role does not have the permissions required for the service to perform the scan | 
| `RESOURCE_NOT_FOUND` | The resource to be scanned does not exist in the account or was deleted during scanning | 
| `SNAPSHOT_SIZE_LIMIT_EXCEEDED` | The snapshot size is greater than is currently supported by GuardDuty | 
| `INCREMENTAL_NO_DIFFERENCE` | The resources specified in the incremental scan request have no difference | 
| `RESOURCE_UNAVAILABLE` | The resource is not in the expected state. If the scan is incremental, the base recovery point is not in the AVAILABLE or COMPLETED state | 
| `UNRELATED_RESOURCES` | For incremental scans: the base and current resource are not from the same lineage | 
| `BASE_RESOURCE_NOT_SCANNED` | For incremental scans: the base resource was not previously scanned or no completed scan was found | 
| `BASE_CREATED_AFTER_TARGET` | For incremental scans: the base resource's creation date is later than the current resource's creation date | 
| `UNSUPPORTED_FOR_INCREMENTAL` | The requested resource type does not support incremental scanning | 
| `UNSUPPORTED_AMI` | Public AMIs, AMIs with only ephemeral storage, and AMIs not in an available state are not eligible for scanning | 
| `UNSUPPORTED_SNAPSHOT` | Cold storage snapshots are not eligible for scanning | 
| `UNSUPPORTED_COMPOSITE_RP` | Scanning is not supported for composite resource types | 
| `UNSUPPORTED_PRODUCT_CODE_TYPE` | The requested resource contains an Amazon Marketplace product code which does not support scanning | 
| `AMI_SNAPSHOT_LIMIT_EXCEEDED` | AMIs do not support scanning of more than 40 snapshots | 
| `NO_EBS_VOLUMES_FOUND` | No EBS block device mappings were found for the requested resource | 
| `UNRELATED_RESOURCES` | For incremental scans: the base resource's ARN differs from the expected resource's ARN | 
| `ALL_FILES_SKIPPED_OR_FAILED` | All files in the scan were either skipped or failed | 

Scan results have a retention period of 90 days. Choose your preferred access method to track the status of your malware scan.

**Monitoring Scans Using the Console**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Malware scans**.

1. You can filter the malware scans by the following **Properties** available in the *filter search bar*.
   + **Scan ID** – Unique identifier associated with the malware scan.
   + **Account ID** – Account where the malware scan initiated.
   + **Resource ARN** – Amazon Resource Name (ARN) of the AWS resource associated with the scan.
   + **Resource Type** – The type of resource associated with the scan, such as EC2 Instance, EBS Snapshot, EC2 AMI, EBS Recovery Point, EC2 Recovery Point, or S3 Recovery Point.
   + **Status** – The scan status of the scan, such as Running, Skipped, Completed, Completed with Issues, or Failed.
   + **Scan Type** – Indicates whether this was an On-demand, GuardDuty-initiated, or Backup-Initiated malware scan.

**Monitoring Scans using the API/CLI**
+ You can invoke ListMalwareScans to filter malware scans by `RESOURCE_ARN`, `SCAN_ID`, `ACCOUNT_ID`, `SCAN_TYPE`, `GUARDDUTY_FINDING_ID`, `SCAN_STATUS`, `RESOURCE_TYPE`, and `SCAN_START_TIME`. You can also invoke GetMalwareScan to retrieve more detailed metadata about a scan by providing its scan ID as input. The `GUARDDUTY_FINDING_ID` filter criterion is available only when the `SCAN_TYPE` is GuardDuty initiated.
+ You can change the example *filter-criteria* in the command below, and can filter on the basis of one `CriterionKey` at a time. The options for `CriterionKey` are `RESOURCE_ARN`, `SCAN_ID`, `ACCOUNT_ID`, `SCAN_TYPE`, `GUARDDUTY_FINDING_ID`, `SCAN_STATUS`, `RESOURCE_TYPE`, and `SCAN_START_TIME`. You can change the *max-results* (up to 50) and the *sort-criteria*. The `AttributeName` field is mandatory for `sort-criteria` and must be set to `scanStartTime`. In the following examples, the scan ID and the filter value are placeholders; replace them with the values appropriate for your account. If you use the same `CriterionKey` as below for ListMalwareScans, replace the example `EqualsValue` with the *resource-type* you want to filter by.

  ```
  aws guardduty list-malware-scans --max-results 25 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"RESOURCE_TYPE", "FilterCondition":{"EqualsValue":"EBS_SNAPSHOT"}}] }'
  ```

  ```
  aws guardduty get-malware-scan --scan-id abc123
  ```
+ The response for the above command for ListMalwareScans will return up to 25 scans with some details about the affected resource(s). The response for the above command for GetMalwareScan will return a single scan with detailed metadata about the scan.
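
The CLI examples above fetch one page. The following is an added example (not from the GuardDuty documentation or the AWS SDK) that drives the same two API calls from boto3 to page through every scan of a resource type, following `NextToken` until the service stops returning one, and then fetches full metadata for the scans that reported threats. It assumes that the boto3 `guardduty` client exposes `list_malware_scans` and `get_malware_scan` with the same parameters as the CLI commands (`MaxResults`, `SortCriteria`, `FilterCriteria`, `NextToken`, `ScanId`), and that the list response carries a `Scans` list with `ScanId`, `ScanStatus` and `ScanResultDetails.ScanResultStatus` fields plus an optional `NextToken`; these response field names are assumptions. The client is passed in so the logic can be exercised against a fake client offline.

```python
"""Page through ListMalwareScans and pull GetMalwareScan detail for threat hits.

Added example, not GuardDuty or boto3 code. Request parameters mirror the
CLI flags on this page; response field names (Scans, NextToken, ScanId,
ScanStatus, ScanResultDetails.ScanResultStatus) are assumptions.
"""
from typing import Any, Dict, Iterator, List, Optional

# The eight CriterionKey values this page lists for ListMalwareScans.
VALID_KEYS = {"RESOURCE_ARN", "SCAN_ID", "ACCOUNT_ID", "SCAN_TYPE",
              "GUARDDUTY_FINDING_ID", "SCAN_STATUS", "RESOURCE_TYPE",
              "SCAN_START_TIME"}


def build_request(criterion_key: str, equals_value: str,
                  max_results: int = 50) -> Dict[str, Any]:
    """One ListMalwareScans request: a single CriterionKey, newest scans first."""
    if criterion_key not in VALID_KEYS:
        raise ValueError(f"unsupported CriterionKey: {criterion_key}")
    if not 1 <= max_results <= 50:          # page-size ceiling stated on this page
        raise ValueError("max-results must be between 1 and 50")
    return {
        "MaxResults": max_results,
        "SortCriteria": {"AttributeName": "scanStartTime", "OrderBy": "DESC"},
        "FilterCriteria": {"FilterCriterion": [
            {"CriterionKey": criterion_key,
             "FilterCondition": {"EqualsValue": equals_value}}]},
    }


def iter_malware_scans(client, criterion_key: str, equals_value: str,
                       max_results: int = 50) -> Iterator[Dict[str, Any]]:
    """Yield every matching scan, following NextToken across pages."""
    request = build_request(criterion_key, equals_value, max_results)
    token: Optional[str] = None
    while True:
        if token:
            request["NextToken"] = token
        page = client.list_malware_scans(**request)
        for scan in page.get("Scans", []):
            yield scan
        token = page.get("NextToken")
        if not token:
            return


def threat_scan_details(client, resource_type: str = "EBS_SNAPSHOT") -> List[Dict[str, Any]]:
    """GetMalwareScan output for every completed scan of resource_type that found threats."""
    hits = []
    for scan in iter_malware_scans(client, "RESOURCE_TYPE", resource_type):
        result = (scan.get("ScanResultDetails") or {}).get("ScanResultStatus")
        if scan.get("ScanStatus") == "COMPLETED" and result == "THREATS_FOUND":
            hits.append(client.get_malware_scan(ScanId=scan["ScanId"]))
    return hits


if __name__ == "__main__":
    import boto3  # imported here so the functions above can be tested without it
    for detail in threat_scan_details(boto3.client("guardduty"), "EC2_AMI"):
        print(detail)
```

Because results are retained for 90 days, a periodic run of `threat_scan_details` is a cheap cross-check that every threat hit reached your EventBridge consumers; a scan the SDK returns that never produced a downstream ticket points at a broken rule or target.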

**Monitoring Scans using EventBridge**

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and Amazon services and routes that data to targets such as Lambda. This enables you to monitor events that happen in services, and build event-driven architectures. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/). 

GuardDuty publishes EventBridge notifications to the default event bus once a scan status is determined. You can set up EventBridge rules in your account to send events to other services integrated with Amazon EventBridge. Standard EventBridge pricing will apply. For more information, see [Amazon EventBridge pricing](https://aws.amazon.com/eventbridge/pricing/). 

Many of the values shown below are placeholders for the example and will vary depending on the scan.

**Malware Scan Result Events**

Potential detail-type values for Backup:
+ “GuardDuty Malware Protection EBS Snapshot Scan Result”
+ “GuardDuty Malware Protection EC2 AMI Scan Result”
+ “GuardDuty Malware Protection S3 Recovery Point Scan Result”
+ “GuardDuty Malware Protection EBS Recovery Point Scan Result”
+ “GuardDuty Malware Protection EC2 Recovery Point Scan Result”

**Sample Event Pattern:**

```
{
      "detail-type": ["GuardDuty Malware Protection EC2 AMI Scan Result"],
      "source": ["aws.guardduty"]
}
```

**Sample Notification Schema for EC2 AMI Scan with No Threats Found:**

```
{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
    "source": "aws.guardduty",
    "account": "1111222233334444",
    "time": "2025-11-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": null,
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
            "scanResultStatus": "NO_THREATS_FOUND",
            "uniqueThreatCount": null
        }
    }
}
```

**Sample Notification Schema for EC2 AMI Scan with Threats Found:**

```
{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
    "source": "aws.guardduty",
    "account": "1111222233334444",
    "time": "2025-11-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": null,
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
            "scanResultStatus": "THREATS_FOUND",
            "uniqueThreatCount": 1,
            "threats": {
                "name": "EICAR-Test-File (not a virus)",
                "source": "AMAZON",
                "count": 2,
                "itemDetails": [{
                    "resourceArn": "arn:aws:ec2:us-east-1:1111222233334444:snapshot/snap-abcdef01234567890",
                    "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                    "itemPath": "/eicar.txt",
                    "additionalInfo": {
                        "versionId": null,
                        "deviceName": "/dev/sdf"
                    }
                }]
            }
        }
    }
}
```

**Sample Notification Schema for Skipped EC2 AMI Scan:**

```
{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
    "source": "aws.guardduty",
    "account": "1111222233334444",
    "time": "2025-11-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "SKIPPED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": "UNSUPPORTED_AMI",
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
            "uniqueThreatCount": null,
            "threats": null
        }
    }
}
```
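
The three sample events above differ only in `scanStatus`, `scanStatusReason` and `scanResultDetails`, and a consumer has to branch on exactly those fields. The following is an added example (not code from the GuardDuty documentation) of an EventBridge target written in Python: one rule pattern that covers all five Backup detail-types and matches only `THREATS_FOUND` results, a small `matches` function implementing the exact-match semantics of such a pattern (a list in the pattern means the event value must equal one of its entries, a nested object recurses), and a `triage` function that maps an event to an action. The `lambda_handler` name, the action labels (`quarantine`, `allow_restore`, `manual_review`), and the acceptance of `threats` as either a single object, as in the sample above, or a list are assumptions. The sample events are constructed from the schemas on this page, not real scans.

```python
"""Match and triage GuardDuty Malware Protection for Backup scan-result events.

Added example, not GuardDuty code. Pattern semantics implemented here are
the exact-match subset EventBridge applies to list-valued leaves; handler
name, action labels and threats-shape handling are assumptions.
"""
import json
from typing import Any, Dict, List, Optional

BACKUP_DETAIL_TYPES = [
    "GuardDuty Malware Protection EBS Snapshot Scan Result",
    "GuardDuty Malware Protection EC2 AMI Scan Result",
    "GuardDuty Malware Protection S3 Recovery Point Scan Result",
    "GuardDuty Malware Protection EBS Recovery Point Scan Result",
    "GuardDuty Malware Protection EC2 Recovery Point Scan Result",
]

# One rule for all Backup resource types; only results that found threats page anyone.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": BACKUP_DETAIL_TYPES,
    "detail": {"scanResultDetails": {"scanResultStatus": ["THREATS_FOUND"]}},
}


def matches(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Exact-match rule semantics: list leaf => value must be in list; dict => recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def _threat_items(detail: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten threats -> itemDetails into one row per infected item."""
    threats = (detail.get("scanResultDetails") or {}).get("threats") or []
    if isinstance(threats, dict):   # the page's sample shows one object, not a list (assumption)
        threats = [threats]
    return [{"threat": t.get("name"), "resource": i.get("resourceArn"),
             "path": i.get("itemPath"), "sha256": i.get("hash")}
            for t in threats for i in t.get("itemDetails", [])]


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what to do with one scan-result event."""
    d = event["detail"]
    status = d.get("scanStatus")
    result = (d.get("scanResultDetails") or {}).get("scanResultStatus")
    base = {"scanId": d.get("scanId"), "resource": event["resources"][0],
            "resourceType": d.get("resourceType"), "reason": d.get("scanStatusReason")}
    if status == "COMPLETED" and result == "THREATS_FOUND":
        return {**base, "action": "quarantine", "items": _threat_items(d)}
    if status == "COMPLETED" and result == "NO_THREATS_FOUND":
        return {**base, "action": "allow_restore", "items": []}
    # SKIPPED, FAILED or partial scans carry no clean verdict: never treat them as clean.
    return {**base, "action": "manual_review", "items": []}


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """EventBridge -> Lambda entry point (function name assumed)."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision


# Constructed sample data shaped like the EC2 AMI samples above; not real scans.
EICAR_THREAT = {
    "name": "EICAR-Test-File (not a virus)", "source": "AMAZON", "count": 2,
    "itemDetails": [{
        "resourceArn": "arn:aws:ec2:us-east-1:1111222233334444:snapshot/snap-abcdef01234567890",
        "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "itemPath": "/eicar.txt",
        "additionalInfo": {"versionId": None, "deviceName": "/dev/sdf"}}],
}


def sample_event(scan_status: str, result_status: Optional[str] = None,
                 reason: Optional[str] = None,
                 threats: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Build a constructed EC2 AMI scan-result event with the given outcome."""
    return {
        "version": "0", "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
        "source": "aws.guardduty", "account": "1111222233334444",
        "time": "2025-11-01T00:00:00Z", "region": "us-east-1",
        "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
        "detail": {
            "schemaVersion": "1.0", "scanStatus": scan_status, "resourceType": "EC2_AMI",
            "scanId": "d41d8cd98f00b204e9800998ecf8427e", "scanStatusReason": reason,
            "scanType": "ON_DEMAND", "triggerType": "GUARDDUTY", "scanCategory": "FULL_SCAN",
            "scanStartTime": 1234567890123, "scanCompleteTime": 2345678901234,
            "scanResultDetails": {"scanResultStatus": result_status,
                                  "uniqueThreatCount": len(threats) if threats else None,
                                  "threats": threats},
        },
    }


if __name__ == "__main__":
    for ev in (sample_event("COMPLETED", "THREATS_FOUND", threats=[EICAR_THREAT]),
               sample_event("COMPLETED", "NO_THREATS_FOUND"),
               sample_event("SKIPPED", reason="UNSUPPORTED_AMI")):
        print(matches(ev, RULE_PATTERN), lambda_handler(ev)["action"])
```

The point of routing `SKIPPED` and `FAILED` events to manual review rather than dropping them is that a skipped scan (for example `UNSUPPORTED_AMI` or `ALL_FILES_SKIPPED_OR_FAILED`) says nothing about whether the backup is clean; a rule that only subscribes to `THREATS_FOUND` should be paired with a second rule or a metric on the other statuses so that unscanned backups do not silently become restorable.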

# Quotas for Malware Protection for Backup
<a name="malware-protection-backup-quotas"></a>


**Malware Protection for Backup quotas**  

| Quota name | AWS default quota value | Is it adjustable? | Description | 
| --- | --- | --- | --- | 
| StartMalwareScan TPS limit for all resource types | 10 | No |  | 
| Max snapshot size supported | 2 TB | No |  | 
| Supported file systems for snapshot and AMI scans |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-backup-quotas.html)  | No |  | 
| Max number of snapshots within an AMI supported for malware scanning | 40 for full scan. If there are more than 40, GuardDuty will only scan 40 amongst all snapshots. For an incremental scan, scanning is skipped. | No |  | 
| Max size of an object within a S3 Recovery Point | 100 GB | No |  The maximum S3 object size that GuardDuty will attempt to scan for malware. Although this quota is not adjustable, if you need to scan larger objects, contact Support to determine if GuardDuty can increase the quota for your use case.  | 
| Extracted archive bytes | 100 GB | No |  The maximum amount of data that GuardDuty can extract and analyze from an archive file. GuardDuty will skip archive files extracting to more than 100 GB.  | 
| Extracted archive files | 10,000 | No |  The maximum number of files that GuardDuty can extract and analyze from an archive file. If the archive contains more than 10,000 files, GuardDuty skips the archive.  Compound file types are potentially subject to these limits. These file types include, but are not limited to, Multipurpose Internet Mail Extensions (MIME) encoded email messages, Compiled Python (PYC) files, Compiled HTML Help (CHM) files, all installers, and OpenDocument Format (ODF) documents.   | 
| Maximum archive depth levels | 5 | No | The maximum levels of nested archives that GuardDuty can extract. If the archive includes files that are nested beyond this value, then GuardDuty will skip those nested files. | 