# Monitoring S3 object scans with Amazon EventBridge
*Amazon EventBridge* is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and AWS services and routes that data to targets such as Lambda. This enables you to monitor events that happen in services, and build event-driven architectures. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).
As the owner account of an S3 bucket that is protected with Malware Protection for S3, GuardDuty publishes EventBridge notifications to the default event bus in the following scenarios:
+ **Malware Protection plan resource status** changes for any of your protected buckets. For information about various statuses, see [Viewing and understanding protected bucket status](malware-protection-s3-bucket-status-gdu.md).
For setting up Amazon EventBridge (EventBridge) rule for the resource status, see [Malware Protection plan resource status](#resource-status-malware-protection-s3-ev).
+ The **S3 object scan result** gets published to your default EventBridge event bus.
The `s3Throttled` field indicates whether or not there was a delay in uploading or retrieving storage from Amazon S3. The value `true` indicates that there was a delay, and `false` indicates that there was no delay.
If `s3Throttled` is `true` for your scan result, then Amazon S3 recommends setting up prefixes in a way that helps you reduce the transactions per second (TPS) for each prefix. For more information, see [Best practices design patterns: optimizing Amazon S3 performance](https://docs.aws.amazon.com/AmazonS3/latest/userguide/optimizing-performance.html) in the *Amazon S3 User Guide*.
For setting up Amazon EventBridge (EventBridge) rule for the S3 object scan results, see [S3 object scan result](#s3-object-scan-status-malware-protection-s3-ev).
+ There is a **post-scan tag failure event** because of the following reasons:
+ Your IAM role is missing permissions to tag the object.
The [Adding IAM policy permissions](malware-protection-s3-iam-policy-prerequisite.md#attach-iam-policy-s3-malware-protection) template includes the permission for GuardDuty to tag an object.
+ The bucket resource or object specified in the IAM role no longer exists.
+ The associated S3 object has already reached the maximum tag limit. For more information about the tag limit, see [Categorizing your storage using tags](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html) in the *Amazon S3 User Guide*.
For setting up Amazon EventBridge (EventBridge) rule for the post-scan tag failure events, see [Post-scan tag failure events](#post-tag-failure-malware-protection-s3-ev).
## Set up EventBridge rules
You can set up EventBridge rules in your account to send either resource status, post-scan tag failure events, or the S3 object scan result to another AWS service. As a delegated GuardDuty administrator account, you will receive the Malware Protection plan resource status notification when there is a change in the status.
Standard EventBridge pricing will apply. For more information, see [Amazon EventBridge pricing](https://aws.amazon.com/eventbridge/pricing/).
All the values that show up in *red* are placeholders for the example. These values will change based on the values in your account, and whether or not malware is detected.
**Topics**
+ [Malware Protection plan resource status](#resource-status-malware-protection-s3-ev)
+ [S3 object scan result](#s3-object-scan-status-malware-protection-s3-ev)
+ [Post-scan tag failure events](#post-tag-failure-malware-protection-s3-ev)
### Malware Protection plan resource status
You can create an EventBridge event pattern based on the following scenarios:
**Potential `detail-type` values**
+ `"GuardDuty Malware Protection Resource Status Active"`
+ `"GuardDuty Malware Protection Resource Status Warning"`
+ `"GuardDuty Malware Protection Resource Status Error"`
**Event pattern**
```
{
"detail-type": ["potential detail-type"],
"source": ["aws.guardduty"]
}
```
**Sample notification schema for `GuardDuty Malware Protection Resource Status Active`**:
```
{
"version": "0",
"id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
"detail-type": "GuardDuty Malware Protection Resource Status Active",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2017-12-22T18:43:48Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-02-28T01:01:01Z",
"s3BucketDetails": {
"bucketName": "amzn-s3-demo-bucket"
},
"resourceStatus": "ACTIVE"
}
}
```
**Sample notification schema for `GuardDuty Malware Protection Resource Status Warning`**:
```
{
"version": "0",
"id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
"detail-type": "GuardDuty Malware Protection Resource Status warning",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2017-12-22T18:43:48Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-02-28T01:01:01Z",
"s3BucketDetails": {
"bucketName": "amzn-s3-demo-bucket"
},
"resourceStatus": "WARNING",
"statusReasons": [
{
"code": "INSUFFICIENT_TEST_OBJECT_PERMISSIONS"
}
]
}
}
```
**Sample notification schema for `GuardDuty Malware Protection Resource Status Error`**:
```
{
"version": "0",
"id": "fc7a35b7-83bd-3c1f-ecfa-1b8de9e7f7d2",
"detail-type": "GuardDuty Malware Protection Resource Status Error",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2017-12-22T18:43:48Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-02-28T01:01:01Z",
"s3BucketDetails": {
"bucketName": "amzn-s3-demo-bucket"
},
"resourceStatus": "ERROR",
"statusReasons": [
{
"code": "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED"
}
]
}
}
```
Based on the reason behind the `resourceStatus` `ERROR`, the `statusReasons` value will get populated.
For information about troubleshooting steps for the following warning and errors, see [Troubleshooting Malware Protection plan status](troubleshoot-s3-malware-protection-status-errors.md).
### S3 object scan result
```
{
"detail-type": ["GuardDuty Malware Protection Object Scan Result"],
"source": ["aws.guardduty"]
}
```
When the `scanStatus` is `SKIPPED`, the `scanResultDetails` includes a `statusReasons` field that provides the specific reason why the scan was skipped. For information about the possible values, see [S3 object potential scan status and result status](monitoring-malware-protection-s3-scans-gdu.md#s3-object-scan-result-value-malware-protection).
**Sample notification schema for `NO_THREATS_FOUND`**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0171419",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "COMPLETED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "NO_THREATS_FOUND",
"threats": null,
"statusReasons": null
}
}
}
```
**Sample notification schema for `THREATS_FOUND`**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0171419",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "COMPLETED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "THREATS_FOUND",
"threats": [
{
"name": "EICAR-Test-File (not a virus)"
}
],
"statusReasons": null
}
}
}
```
**Note**
The `scanResultDetails.Threats` field contains only one threat. By default, the Malware Protection for S3 scan reports the first detected threat. After this, the `scanStatus` is set to `COMPLETED`.
**Sample notification schema for scan result status `UNSUPPORTED` (Skipped)**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "SKIPPED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "UNSUPPORTED",
"threats": null,
"statusReasons": ["PASSWORD_PROTECTED"]
}
}
}
```
**Sample notification schema for scan result status `ACCESS_DENIED` (Skipped)**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "SKIPPED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "ACCESS_DENIED",
"threats": null,
"statusReasons": ["SSE_C_ENCRYPTED_OBJECT"]
}
}
}
```
**Sample notification schema for scan result status `FAILED`**:
```
{
"version": "0",
"id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
"detail-type": "GuardDuty Malware Protection Object Scan Result",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-02-28T01:01:01Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"scanStatus": "FAILED",
"resourceType": "S3_OBJECT",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "APKAEIBAERJR2EXAMPLE",
"eTag": "ASIAI44QH8DHBEXAMPLE",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"scanResultDetails": {
"scanResultStatus": "FAILED",
"threats": null,
"statusReasons": null
}
}
}
```
### Post-scan tag failure events
**Event pattern**:
```
{
"detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
"source": "aws.guardduty"
}
```
**Sample notification schema for `ACCESS_DENIED`**:
```
{
"version": "0",
"id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7",
"detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-06-10T16:16:08Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-06-10T16:16:08Z",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0",
"eTag": "0e9eeec810ad8b61d69112c15c2a5hb6",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"postScanActions": [{
"actionType": "TAGGING",
"failureReason": "ACCESS_DENIED"
}]
}
}
```
**Sample notification schema for `MAX_TAG_LIMIT_EXCEEDED`**:
```
{
"version": "0",
"id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7",
"detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
"source": "aws.guardduty",
"account": "111122223333",
"time": "2024-06-10T16:16:08Z",
"region": "us-east-1",
"resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
"detail": {
"schemaVersion": "1.0",
"eventTime": "2024-06-10T16:16:08Z",
"s3ObjectDetails": {
"bucketName": "amzn-s3-demo-bucket",
"objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0",
"eTag": "0e9eeec810ad8b61d69112c15c2a5hb6",
"versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
"s3Throttled": false
},
"postScanActions": [{
"actionType": "TAGGING",
"failureReason": "MAX_TAG_LIMIT_EXCEEDED"
}]
}
}
```
To troubleshoot these failure reasons, see [Troubleshooting S3 object post-scan tag failures](troubleshoot-s3-post-scan-tag-failures.md).