

# On-demand S3 malware scan in GuardDuty
<a name="malware-protection-s3-on-demand"></a>

GuardDuty Malware Protection for S3 continuously monitors new S3 uploads. For objects that existed before you enabled protection, or to re-scan previously scanned objects, you can initiate an on-demand S3 malware scan once you've enabled the GuardDuty Malware Protection plan for your bucket.

On-demand malware scanning uses the Malware Protection plan's IAM role to access objects and apply configuration. The scan overrides any prefix configured in the Malware Protection plan for the bucket.

**Note**  
The Malware Protection for S3 quota applies to on-demand malware scanning. For more information, see [Quotas in Malware Protection for S3](malware-protection-s3-quotas-guardduty.md).  
For more information about pricing, see [Pricing and usage cost for Malware Protection for S3](pricing-malware-protection-for-s3-guardduty.md).

## Prerequisites
<a name="prerequisites-malware-protection-s3-on-demand"></a>

Before you start an on-demand malware scan, your account must meet the following prerequisites:
+ Malware Protection for S3 is enabled on the target bucket. See [Configuring Malware Protection for S3 for your bucket](configuring-malware-protection-for-s3-guardduty.md) for more information.
+ The [AWS managed policy: AmazonGuardDutyFullAccess_v2 (recommended)](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) policy is attached to the IAM user or the IAM role invoking the API.

## Start on-demand malware scan
<a name="malware-protection-initiate-malware-protection-s3-on-demand"></a>

Use the [SendObjectMalwareScan](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_SendObjectMalwareScan.html) API operation, which requires the S3 object path as input.

------
#### [ API/CLI ]

You can scan either the latest version of the object or specify a particular version to scan.

To scan a specific version of an object:

```
aws guardduty send-object-malware-scan --s3-object '{"Bucket": "amzn-s3-demo-bucket", "Key": "APKAEIBAERJR2EXAMPLE", "VersionId": "d41d8cd98f00b204e9800998eEXAMPLE"}'
```

To scan the latest version of an object:

```
aws guardduty send-object-malware-scan --s3-object '{"Bucket": "amzn-s3-demo-bucket", "Key": "APKAEIBAERJR2EXAMPLE"}'
```

------

**Important**  
A successful API call confirms that the scan request has been accepted. However, it is important to monitor the scan results to ensure successful completion and to identify any issues, such as errors accessing the object. For more information, see [Monitoring S3 object scans in Malware Protection for S3](monitoring-malware-protection-s3-scans-gdu.md). 
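
The commands above embed the bucket and key directly in a single-quoted JSON string, which breaks for keys that contain quotes or backslashes. The following script is an added example, not part of the AWS documentation: it builds the `--s3-object` payload safely and submits one scan per listed object. The function names, the `DRY_RUN` switch, the sample listing, and the treatment of a `null` or `None` version ID as "scan the latest version" are assumptions of this example.

```shell
# Escape backslashes and double quotes for use inside a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# usage: build_scan_request BUCKET KEY [VERSION_ID]  -> prints the JSON payload
build_scan_request() {
  local all clean
  [ -n "${1:-}" ] && [ -n "${2:-}" ] || { echo "bucket and key are required" >&2; return 1; }
  # Refuse control characters rather than guess at an escaping for them.
  all="$1$2${3:-}"
  clean=$(printf '%s' "$all" | LC_ALL=C tr -d '[:cntrl:]')
  [ "$clean" = "$all" ] || { echo "control character in input" >&2; return 1; }
  if [ -n "${3:-}" ]; then
    printf '{"Bucket": "%s", "Key": "%s", "VersionId": "%s"}' \
      "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
  else
    printf '{"Bucket": "%s", "Key": "%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
  fi
}

# Submit one scan; DRY_RUN=1 (default) prints the payload instead of calling AWS.
submit_scan() {
  local payload
  payload=$(build_scan_request "$@") || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'DRY RUN: %s\n' "$payload"
  else
    aws guardduty send-object-malware-scan --s3-object "$payload"
  fi
}

# usage: scan_listing BUCKET < lines of "KEY<TAB>VERSION_ID"
scan_listing() {
  local bucket tab key version failed
  bucket=$1; tab=$(printf '\t'); failed=0
  while IFS=$tab read -r key version; do
    [ -n "$key" ] || continue
    # Assumption: "null" or "None" means no usable version ID, so scan the latest.
    case "$version" in null|None) version= ;; esac
    submit_scan "$bucket" "$key" "$version" || failed=$((failed + 1))
  done
  [ "$failed" -eq 0 ]
}

# Constructed sample listing (key, version ID), run in dry-run mode.
printf 'reports/q1.pdf\tEXAMPLE-VERSION-1\nuploads/a "b".txt\tnull\n' |
  scan_listing amzn-s3-demo-bucket
```

A real listing can come from `aws s3api list-object-versions --bucket amzn-s3-demo-bucket --query 'Versions[?IsLatest].[Key,VersionId]' --output text`; set `DRY_RUN=0` to send the requests. Each accepted request still counts against the Malware Protection for S3 quota and still needs its result monitored.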