# Set up snapshot retention and EC2 scan coverage
<a name="malware-protection-customizations"></a>

This section explains how to customize malware scanning options for your Amazon EC2 instances. These customizations apply to both On-demand malware scans and scans initiated by GuardDuty. You can do the following:
+ Enable snapshot retention – When enabled before a scan, GuardDuty retains the Amazon EBS snapshot that GuardDuty detected as malicious.
+ Choose which Amazon EC2 instances to scan – Use tags to include or exclude specific Amazon EC2 instances from malware scans.

## Snapshots retention
<a name="mp-snapshots-retention"></a>

GuardDuty provides you with the option to retain the snapshots of your EBS volumes in your AWS account. By default, the snapshots retention setting is turned off. Snapshots are retained only if this setting was turned on before the scan started.

When a scan starts, GuardDuty creates replica EBS volumes from snapshots of your EBS volumes. If the snapshots retention setting in your account was already turned on when the scan completes, the snapshots of your EBS volumes are retained only when malware is found and [Malware Protection for EC2 finding types](findings-malware-protection.md) are generated. When no malware is found, GuardDuty automatically deletes the snapshots of your EBS volumes regardless of your snapshot settings, unless [Amazon EBS snapshot locking](https://docs.aws.amazon.com/ebs/latest/userguide/lock-snapshot.html) has been enabled on the created snapshots.

### Snapshots usage cost
<a name="mp-snapshots-usage-cost"></a>

During malware scanning, GuardDuty creates snapshots of your Amazon EBS volumes, and this step has an associated usage cost. If you turn on the snapshots retention setting for your account, you also incur usage costs for the snapshots that are retained when malware is found. For information about the cost of snapshots and their retention, see [Amazon EBS pricing](https://aws.amazon.com//ebs/pricing/).

As a delegated GuardDuty administrator account, only you can make this update on behalf of the organization member accounts. However, if a member account is [managed by invitation method](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html), they can make this change on their own. For more information, see [Administrator account and member account relationships](administrator_member_relationships.md).

Choose your preferred access method to turn on the snapshots retention setting.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, under **Protection plans**, choose **Malware Protection for EC2**.

1. Choose **General settings** in the bottom section of the console. To retain the snapshots, turn on **Snapshots retention**.

------
#### [ API/CLI ]

Run [UpdateMalwareScanSettings](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMalwareScanSettings.html) to update the current snapshot retention setting.

Alternatively, you can run the following AWS CLI command to automatically retain snapshots when GuardDuty Malware Protection for EC2 generates findings.

Replace the example *detector-id* with your own valid `detectorId`.

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --ebs-snapshot-preservation "RETENTION_WITH_FINDING"
```

If you want to turn off snapshots retention, replace `RETENTION_WITH_FINDING` with `NO_RETENTION`. 

------

## Scan options with user-defined tags
<a name="mp-scan-options"></a>

For GuardDuty-initiated malware scans, you can also specify tags to either include or exclude Amazon EC2 instances and Amazon EBS volumes from the scanning and threat detection process. You customize GuardDuty-initiated malware scans by editing the tags in either the inclusion or the exclusion tags list. Each list can include up to 50 tags.

If you don't already have user-defined tags associated to your EC2 resources, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*. 

**Note**  
On-demand malware scan doesn't support scan options with user-defined tags. It does support the [Global `GuardDutyExcluded` tag](#mp-scan-options-gdu-excluded-tag).

### To exclude EC2 instances from malware scan
<a name="exclude-ec2-instances-malware-protection"></a>

If you want to exclude an Amazon EC2 instance or Amazon EBS volume from the scanning process, set the `GuardDutyExcluded` tag to `true` on that instance or volume, and GuardDuty won't scan it. For more information about the `GuardDutyExcluded` tag, see [Service-linked role permissions for Malware Protection for EC2](slr-permissions-malware-protection.md). You can also add an Amazon EC2 instance tag to the exclusion list. If you add multiple tags to the exclusion tags list, any Amazon EC2 instance that carries at least one of these tags is excluded from the malware scanning process.

As a delegated GuardDuty administrator account, only you can make this update on behalf of the organization member accounts. However, if a member account is [managed by invitation method](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html), they can make this change on their own. For more information, see [Administrator account and member account relationships](administrator_member_relationships.md).

Choose your preferred access method to add a tag associated with an Amazon EC2 instance to the exclusion list.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, under **Protection plans**, choose **Malware Protection for EC2**.

1. Expand the **Inclusion/Exclusion tags** section. Choose **Add tags**.

1. Choose **Exclusion tags** and then choose **Confirm**.

1. Specify the tag's **Key** and **Value** pair that you want to exclude. It is optional to provide the **Value**. After you add all the tags, choose **Save**.
   **Important**  
   Tag keys and values are case-sensitive. For more information, see [Tag restrictions](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions) in the *Amazon EC2 User Guide*.

   If a value for a key is not provided and the EC2 instance is tagged with the specified key, this EC2 instance is excluded from the GuardDuty-initiated malware scanning process, regardless of the tag's assigned value.

------
#### [ API/CLI ]

Run [UpdateMalwareScanSettings](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMalwareScanSettings.html) to exclude an EC2 instance or a container workload from the scanning process.

The following AWS CLI example command adds a new tag to the exclusion tags list. Replace the example *detector-id* with your own valid `detectorId`.

`MapEquals` is a list of `Key`/`Value` pairs.

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --scan-resource-criteria '{"Exclude": {"EC2_INSTANCE_TAG" : {"MapEquals": [{ "Key": "TestKeyWithValue", "Value": "TestValue" }, {"Key":"TestKeyWithoutValue"} ]}}}' --ebs-snapshot-preservation "RETENTION_WITH_FINDING"
```

**Important**  
Tag keys and values are case-sensitive. For more information, see [Tag restrictions](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions) in the *Amazon EC2 User Guide*.

------

### To include EC2 instances in malware scan
<a name="include-ec2-instances-malware-protection"></a>

If you want to scan an EC2 instance, add its tag to the inclusion list. When you add a tag to the inclusion tags list, an EC2 instance that doesn't carry any of the added tags is skipped by the malware scan. If you add multiple tags to the inclusion tags list, an EC2 instance that carries at least one of those tags is included in the malware scan. An EC2 instance may also be skipped during the scanning process for other reasons. For more information, see [Reasons for skipping resource during malware scan](malware-protection-auditing-scan-logs.md#mp-scan-skip-reasons).

As a delegated GuardDuty administrator account, only you can make this update on behalf of the organization member accounts. However, if a member account is [managed by invitation method](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html), they can make this change on their own. For more information, see [Administrator account and member account relationships](administrator_member_relationships.md).

Choose your preferred access method to add a tag associated with an EC2 instance to the inclusion list.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, under **Protection plans**, choose **Malware Protection for EC2**.

1. Expand the **Inclusion/Exclusion tags** section. Choose **Add tags**.

1. Choose **Inclusion tags** and then choose **Confirm**. 

1. Choose **Add new inclusion tag** and specify the tag's **Key** and **Value** pair that you want to include. It is optional to provide the **Value**.

   After you have added all the inclusion tags, choose **Save**.

   If a value for a key is not provided and an EC2 instance is tagged with the specified key, the EC2 instance is included in the Malware Protection for EC2 scanning process, regardless of the tag's assigned value.

------
#### [ API/CLI ]

Run [UpdateMalwareScanSettings](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMalwareScanSettings.html) to include an EC2 instance or a container workload in the scanning process.

The following AWS CLI example command adds new tags to the inclusion tags list. Replace the example *detector-id* with your own valid `detectorId`. Replace the example *TestKeyWithValue*, *TestValue*, and *TestKeyWithoutValue* with the `Key` and `Value` pairs of the tags associated with your EC2 resources.

`MapEquals` is a list of `Key`/`Value` pairs.

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-malware-scan-settings --detector-id 60b8777933648562554d637e0e4bb3b2 --scan-resource-criteria '{"Include": {"EC2_INSTANCE_TAG" : {"MapEquals": [{ "Key": "TestKeyWithValue", "Value": "TestValue" }, {"Key":"TestKeyWithoutValue"} ]}}}' --ebs-snapshot-preservation "RETENTION_WITH_FINDING"
```

**Important**  
Tag keys and values are case-sensitive. For more information, see [Tag restrictions](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions) in the *Amazon EC2 User Guide*.

------

**Note**  
It may take up to 5 minutes for GuardDuty to detect a new tag.

At any time, you can choose either **Inclusion tags** or **Exclusion tags**, but not both. To switch between them, choose the other tag type from the dropdown menu when you add new tags, and **Confirm** your selection. This action clears all your current tags.

## Global `GuardDutyExcluded` tag
<a name="mp-scan-options-gdu-excluded-tag"></a>

GuardDuty uses a global tag key, `GuardDutyExcluded`, that you can add to your Amazon EC2 resources with the tag value set to `true`. An Amazon EC2 resource that has this tag key and value pair is excluded from the malware scan. Both scan types (GuardDuty-initiated malware scan and On-demand malware scan) support the global tag. If you start an on-demand malware scan on such an Amazon EC2 instance, a scan ID is generated, but the scan is skipped with the `EXCLUDED_BY_SCAN_SETTINGS` reason. For more information, see [Reasons for skipping resource during malware scan](malware-protection-auditing-scan-logs.md#mp-scan-skip-reasons).
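The tag rules described in the inclusion/exclusion sections and in this section can be applied to a tag inventory to audit which instances a GuardDuty-initiated scan would cover before the live setting is changed. The following Python checker is an added example, not AWS or GuardDuty code; it reuses the `--scan-resource-criteria` JSON shape from the CLI examples above, and the instance IDs and tags in the inventory are constructed.

```python
"""Predict GuardDuty-initiated malware scan coverage from EC2 tags (added
example, not AWS code): applies this page's Include/Exclude MapEquals rules
and the global GuardDutyExcluded tag to a constructed tag inventory."""
import json

# Same ScanResourceCriteria shape as the --scan-resource-criteria example.
CRITERIA_JSON = '''{"Exclude": {"EC2_INSTANCE_TAG": {"MapEquals": [
  {"Key": "TestKeyWithValue", "Value": "TestValue"},
  {"Key": "TestKeyWithoutValue"}]}}}'''

def entry_matches(entry: dict, tags: dict) -> bool:
    # A MapEquals entry matches when the key is present and, if a Value was
    # given, the tag value equals it exactly (keys and values are case-sensitive).
    key = entry["Key"]
    if key not in tags:
        return False
    return "Value" not in entry or tags[key] == entry["Value"]

def is_scanned(criteria: dict, tags: dict) -> bool:
    # The global GuardDutyExcluded=true tag wins over any list.
    if tags.get("GuardDutyExcluded") == "true":
        return False
    if "Exclude" in criteria:  # excluded if at least one entry matches
        entries = criteria["Exclude"]["EC2_INSTANCE_TAG"]["MapEquals"]
        return not any(entry_matches(e, tags) for e in entries)
    if "Include" in criteria:  # skipped unless at least one entry matches
        entries = criteria["Include"]["EC2_INSTANCE_TAG"]["MapEquals"]
        return any(entry_matches(e, tags) for e in entries)
    return True  # no tag criteria configured: every instance is eligible

def coverage(criteria_json: str, inventory: dict) -> dict:
    # inventory: {instance_id: {tag_key: tag_value}} -> {instance_id: scanned?}
    criteria = json.loads(criteria_json)
    return {iid: is_scanned(criteria, tags) for iid, tags in inventory.items()}

# Constructed inventory; instance IDs and tags are made up for this example.
INVENTORY = {
    "i-0aaa": {"TestKeyWithValue": "TestValue"},             # excluded: exact match
    "i-0bbb": {"TestKeyWithValue": "testvalue"},             # scanned: case differs
    "i-0ccc": {"TestKeyWithoutValue": "any"},                # excluded: key-only entry
    "i-0ddd": {"Name": "web", "GuardDutyExcluded": "true"},  # excluded: global tag
    "i-0eee": {"Name": "web"},                               # scanned
}

if __name__ == "__main__":
    for iid, scanned in coverage(CRITERIA_JSON, INVENTORY).items():
        print(f"{iid}: {'scan' if scanned else 'skip'}")
```

Swapping `CRITERIA_JSON` for an `Include` list shows the inverse behaviour: instances carrying none of the listed tags are skipped, while the global tag still excludes an instance even when it matches an inclusion entry.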