View a markdown version of this page

Monitoring S3 object scans in Malware Protection for S3 - Amazon GuardDuty
S3 object potential scan status and result status

Monitoring S3 object scans in Malware Protection for S3

When using Malware Protection for S3 with a GuardDuty detector ID, if your Amazon S3 object is potentially malicious, GuardDuty will generate Malware Protection for S3 finding type. Using the GuardDuty console and APIs, you can view the generated findings. For information about understanding this finding type, see Finding details.

When using Malware Protection for S3 without enabling GuardDuty (no detector ID), even when your scanned Amazon S3 object is potentially malicious, GuardDuty can't generate any findings.

Contents

S3 object potential scan status and result status

This section explains the potential S3 object scan status values and the scan result values.

An S3 object scan status indicates the status of the malware scan, such as completed, skipped, or failed.

An S3 object malware scan result status indicates the result of the scan based on the scan status value. Each malware scan result status value maps to a scan status.

The following list provides the potential S3 object scan result values. If you have enabled tagging, you can monitor the scan result by Using S3 Object Tags. After the scan, the tag value will have one of the following scan result values.

S3 object potential malware scan result status values

  • NO_THREATS_FOUND – GuardDuty detected no potential threat associated with the scanned object.

  • THREATS_FOUND – GuardDuty detected a potential threat associated with the scanned object.

  • UNSUPPORTED – There are a few reasons why Malware Protection for S3 will skip a scan. Potential reasons include password-protected file, archives with extremely high compression ratios, Malware Protection for S3 quotas, and support for certain Amazon S3 features may be unavailable. For more information, see Capabilities of Malware Protection for S3.

  • ACCESS_DENIED – GuardDuty can't access this object for scanning. Check the IAM role permissions associated with this bucket. For more information, see Create or update IAM role policy.

    If you have enabled post-scan S3 object tagging, see Troubleshooting S3 object post-scan tag failures.

  • FAILED – GuardDuty can't perform malware scan on this object because of an internal error.

The following list provides potential S3 object scan status values and their mapping to the S3 object scan result.

S3 object potential scan status values

  • Completed – The scan completed successfully and indicates whether the S3 object has malware. In this case, the potential S3 object scan result value could be either THREATS_FOUND or NO_THREATS_FOUND.

  • Skipped – GuardDuty skips a malware scan when scanning this S3 object is not supported by Malware Protection for S3, or GuardDuty doesn't have access to the uploaded S3 object in the selected bucket.

    In this case, the potential S3 object scan result value could be either UNSUPPORTED or ACCESS_DENIED.

    GuardDuty will also skip the scan if the required IAM role gets deleted.

  • Failed – Similar to the S3 object scan result value FAILED, this scan status means that GuardDuty was unable to perform malware scan on the S3 object because of an internal error.

When the scan status is SKIPPED, the EventBridge notification for the S3 object scan result includes a statusReasons field within scanResultDetails. This field is a list of strings that provides the specific reason why the scan was skipped. The following table describes the possible statusReasons values.

Status reason Scan result status Description

UNAUTHORIZED_TO_GET_OBJECT

ACCESS_DENIED

Malware Protection for S3 doesn't have permission to read the S3 object, or the S3 object does not exist. Verify that the IAM role associated with the protected bucket has the required permissions and any bucket AWS KMS policy allows the role to decrypt objects.

UNAUTHORIZED_TO_ASSUME_ROLE

ACCESS_DENIED

Malware Protection for S3 can't assume the IAM role configured for the protected bucket. Verify that the role trust policy allows Malware Protection for S3 to assume the role.

SSE_C_ENCRYPTED_OBJECT

ACCESS_DENIED

The S3 object is encrypted with a customer-provided encryption key (SSE-C). GuardDuty can't access objects encrypted with SSE-C. For more information, see Supportability of Amazon S3 features.

OBJECT_E_TAG_CHANGED

ACCESS_DENIED

The S3 object ETag changed between the time the scan was initiated and when GuardDuty attempted to read the object. The subsequent upload or new version will be scanned.

BUCKET_NOT_FOUND

ACCESS_DENIED

The S3 bucket associated with the scan no longer exists.

UNSUPPORTED_STORAGE_CLASS

UNSUPPORTED

The S3 object uses a storage class that is not supported by Malware Protection for S3. For more information, see Supportability of Amazon S3 features.

OBJECT_SIZE_LIMIT_EXCEEDED

UNSUPPORTED

The S3 object size exceeds the maximum file size limit for Malware Protection for S3. For more information, see Malware Protection for S3 quotas.

PASSWORD_PROTECTED

UNSUPPORTED

The object is password-protected.

EXTRACTED_FILE_LIMIT_EXCEEDED

UNSUPPORTED

The archive contains more files than the maximum allowed limit. For more information, see Malware Protection for S3 quotas.

EXTRACTED_LEVEL_LIMIT_EXCEEDED

UNSUPPORTED

The archive exceeds the maximum nesting depth allowed.

EXTRACTED_BYTE_LIMIT_EXCEEDED

UNSUPPORTED

The extracted archive content exceeds the maximum byte size allowed. For more information, see Malware Protection for S3 quotas.

EXTRACTION_RATIO_LIMIT_EXCEEDED

UNSUPPORTED

The archive has an extremely high compression ratio that exceeds the allowed limit. For more information, see Malware Protection for S3 quotas.