

# Monitoring S3 object scans in Malware Protection for S3
<a name="monitoring-malware-protection-s3-scans-gdu"></a>

When you use Malware Protection for S3 with a GuardDuty detector ID and your Amazon S3 object is potentially malicious, GuardDuty generates a [Malware Protection for S3 finding type](gdu-malware-protection-s3-finding-types.md). You can view the generated findings using the GuardDuty console and APIs. For information about understanding this finding type, see [Finding details](guardduty_findings-summary.md).

When you use Malware Protection for S3 without enabling GuardDuty (no detector ID), GuardDuty can't generate any findings, even when a scanned Amazon S3 object is potentially malicious.

**Topics**
+ [S3 object potential scan status and result status](#s3-object-scan-result-value-malware-protection)
+ [Monitoring S3 object scans with Amazon EventBridge](monitor-with-eventbridge-s3-malware-protection.md)
+ [Monitoring S3 object scans with GuardDuty managed tags](monitor-enable-s3-object-tagging-malware-protection.md)
+ [S3 object scan status metrics in CloudWatch](monitor-cloudwatch-metrics-s3-malware-protection.md)

## S3 object potential scan status and result status
<a name="s3-object-scan-result-value-malware-protection"></a>

This section explains the potential S3 object scan status values and the scan result values. 

An S3 object scan status indicates the status of the malware scan, such as completed, skipped, or failed.

An S3 object malware scan result status indicates the result of the scan based on the scan status value. Each malware scan result status value maps to a scan status.

The following list provides the potential S3 object scan result values. If you have enabled tagging, you can monitor the scan result by [Using S3 Object Tags](monitor-enable-s3-object-tagging-malware-protection.md). After the scan, the tag value will have one of the following scan result values.

**S3 object potential malware scan result status values**
+ `NO_THREATS_FOUND` – GuardDuty detected no potential threat associated with the scanned object.
+ `THREATS_FOUND` – GuardDuty detected a potential threat associated with the scanned object.
+ `UNSUPPORTED` – Malware Protection for S3 skipped the scan. Potential reasons include a password-protected file, an archive with an extremely high compression ratio, a [Malware Protection for S3 quotas](malware-protection-s3-quotas-guardduty.md) limit being exceeded, or an Amazon S3 feature that the scan doesn't support. For more information, see [Capabilities of Malware Protection for S3](s3-malware-protection-capability.md).
+ `ACCESS_DENIED` – GuardDuty can't access this object for scanning. Check the IAM role permissions associated with this bucket. For more information, see [Create or update IAM role policy](malware-protection-s3-iam-policy-prerequisite.md).

  If you have enabled post-scan S3 object tagging, see [Troubleshooting S3 object post-scan tag failures](troubleshoot-s3-post-scan-tag-failures.md).
+ `FAILED` – GuardDuty can't perform a malware scan on this object because of an internal error.

The following list provides potential S3 object scan status values and their mapping to the S3 object scan result.

**S3 object potential scan status values**
+ **Completed** – The scan completed successfully and indicates whether the S3 object has malware. In this case, the potential S3 object scan result value could be either `THREATS_FOUND` or `NO_THREATS_FOUND`.
+ **Skipped** – GuardDuty skips a malware scan when scanning this S3 object is not supported by Malware Protection for S3, or GuardDuty doesn't have access to the uploaded S3 object in the selected bucket.

  In this case, the potential S3 object scan result value could be either `UNSUPPORTED` or `ACCESS_DENIED`.

  GuardDuty will also skip the scan if the required IAM role gets deleted.
+ **Failed** – Like the S3 object scan result value `FAILED`, this scan status means that GuardDuty was unable to perform a malware scan on the S3 object because of an internal error.

When the scan status is `SKIPPED`, the EventBridge notification for the S3 object scan result includes a `statusReasons` field within `scanResultDetails`. This field is a list of strings that provides the specific reason why the scan was skipped. The following table describes the possible `statusReasons` values.


| Status reason | Scan result status | Description | 
| --- | --- | --- | 
| `UNAUTHORIZED_TO_GET_OBJECT` | `ACCESS_DENIED` | Malware Protection for S3 doesn't have permission to read the S3 object, or the S3 object does not exist. Verify that the IAM role associated with the protected bucket has the required permissions and any bucket AWS KMS policy allows the role to decrypt objects. | 
| `UNAUTHORIZED_TO_ASSUME_ROLE` | `ACCESS_DENIED` | Malware Protection for S3 can't assume the IAM role configured for the protected bucket. Verify that the role trust policy allows Malware Protection for S3 to assume the role. | 
| `SSE_C_ENCRYPTED_OBJECT` | `ACCESS_DENIED` | The S3 object is encrypted with a customer-provided encryption key (SSE-C). GuardDuty can't access objects encrypted with SSE-C. For more information, see [Supportability of Amazon S3 features](supported-s3-features-malware-protection-s3.md). | 
| `OBJECT_E_TAG_CHANGED` | `ACCESS_DENIED` | The S3 object ETag changed between the time the scan was initiated and when GuardDuty attempted to read the object. The subsequent upload or new version will be scanned. | 
| `BUCKET_NOT_FOUND` | `ACCESS_DENIED` | The S3 bucket associated with the scan no longer exists. | 
| `UNSUPPORTED_STORAGE_CLASS` | `UNSUPPORTED` | The S3 object uses a storage class that is not supported by Malware Protection for S3. For more information, see [Supportability of Amazon S3 features](supported-s3-features-malware-protection-s3.md). | 
| `OBJECT_SIZE_LIMIT_EXCEEDED` | `UNSUPPORTED` | The S3 object size exceeds the maximum file size limit for Malware Protection for S3. For more information, see [Malware Protection for S3 quotas](malware-protection-s3-quotas-guardduty.md). | 
| `PASSWORD_PROTECTED` | `UNSUPPORTED` | The object is password-protected. | 
| `EXTRACTED_FILE_LIMIT_EXCEEDED` | `UNSUPPORTED` | The archive contains more files than the maximum allowed limit. For more information, see [Malware Protection for S3 quotas](malware-protection-s3-quotas-guardduty.md). | 
| `EXTRACTED_LEVEL_LIMIT_EXCEEDED` | `UNSUPPORTED` | The archive exceeds the maximum nesting depth allowed.  | 
| `EXTRACTED_BYTE_LIMIT_EXCEEDED` | `UNSUPPORTED` | The extracted archive content exceeds the maximum byte size allowed. For more information, see [Malware Protection for S3 quotas](malware-protection-s3-quotas-guardduty.md). | 
| `EXTRACTION_RATIO_LIMIT_EXCEEDED` | `UNSUPPORTED` | The archive has an extremely high compression ratio that exceeds the allowed limit. For more information, see [Malware Protection for S3 quotas](malware-protection-s3-quotas-guardduty.md). | 
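The mappings above (scan result status to scan status, and `statusReasons` value to scan result status) are what a consumer of the scan result notification should validate before acting on it. The following is an added example, not code from the GuardDuty documentation: `triage` takes the `detail` object of a scan result event, cross-checks the three fields against the documented mappings, and attaches an operator action. The actions are this example's own policy choices, not GuardDuty settings, and the sample events are constructed.

```python
"""Triage a Malware Protection for S3 object scan result.

Added example, not code from the GuardDuty documentation. ``triage`` takes the
``detail`` object of a "GuardDuty Malware Protection Object Scan Result" event,
cross-checks scanStatus, scanResultStatus and statusReasons against the mappings
documented above, and attaches an operator action (this example's own policy).
The sample events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# scanResultStatus -> scanStatus, from the documented mapping.
RESULT_TO_SCAN_STATUS = {
    "NO_THREATS_FOUND": "COMPLETED", "THREATS_FOUND": "COMPLETED",
    "UNSUPPORTED": "SKIPPED", "ACCESS_DENIED": "SKIPPED", "FAILED": "FAILED",
}
# statusReasons value -> scanResultStatus, from the documented table.
ACCESS_DENIED_REASONS = {"UNAUTHORIZED_TO_GET_OBJECT", "UNAUTHORIZED_TO_ASSUME_ROLE",
                         "SSE_C_ENCRYPTED_OBJECT", "OBJECT_E_TAG_CHANGED", "BUCKET_NOT_FOUND"}
UNSUPPORTED_REASONS = {"UNSUPPORTED_STORAGE_CLASS", "OBJECT_SIZE_LIMIT_EXCEEDED",
                       "PASSWORD_PROTECTED", "EXTRACTED_FILE_LIMIT_EXCEEDED",
                       "EXTRACTED_LEVEL_LIMIT_EXCEEDED", "EXTRACTED_BYTE_LIMIT_EXCEEDED",
                       "EXTRACTION_RATIO_LIMIT_EXCEEDED"}
REASON_TO_RESULT = {**{r: "ACCESS_DENIED" for r in ACCESS_DENIED_REASONS},
                    **{r: "UNSUPPORTED" for r in UNSUPPORTED_REASONS}}
# Operator action per result status (example policy, not a GuardDuty setting).
NEXT_STEP = {
    "THREATS_FOUND": "quarantine the object and review the GuardDuty finding",
    "NO_THREATS_FOUND": "release the object to downstream processing",
    "ACCESS_DENIED": "check the IAM role, bucket policy and KMS key policy",
    "UNSUPPORTED": "object cannot be scanned; apply the unscanned-object policy",
    "FAILED": "internal GuardDuty error; hold the object and retry later",
}


@dataclass
class Verdict:
    scan_status: str | None
    result_status: str | None
    reasons: list[str] = field(default_factory=list)
    threats: list[str] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)  # schema inconsistencies
    next_step: str = ""

    @property
    def consistent(self) -> bool:
        return not self.problems


def triage(detail: dict) -> Verdict:
    """Extract the scan outcome and cross-check it against the documented mapping."""
    scan_status = detail.get("scanStatus")
    results = detail.get("scanResultDetails") or {}
    result_status = results.get("scanResultStatus")
    reasons = list(results.get("statusReasons") or [])
    threats = [t["name"] for t in (results.get("threats") or [])]
    v = Verdict(scan_status, result_status, reasons, threats)
    expected = RESULT_TO_SCAN_STATUS.get(result_status)
    if expected is None:
        v.problems.append(f"unknown scanResultStatus {result_status!r}")
    elif expected != scan_status:
        v.problems.append(f"{result_status} implies scanStatus {expected}, got {scan_status}")
    # statusReasons is only documented for skipped scans, and each reason maps
    # to exactly one result status.
    if reasons and scan_status != "SKIPPED":
        v.problems.append("statusReasons present but scanStatus is not SKIPPED")
    for reason in reasons:
        mapped = REASON_TO_RESULT.get(reason)
        if mapped is None:
            v.problems.append(f"unknown status reason {reason!r}")
        elif mapped != result_status:
            v.problems.append(f"reason {reason} maps to {mapped}, not {result_status}")
    if result_status == "THREATS_FOUND" and not threats:
        v.problems.append("THREATS_FOUND without a threats entry")
    if result_status == "NO_THREATS_FOUND" and threats:
        v.problems.append("NO_THREATS_FOUND but threats are listed")
    v.next_step = NEXT_STEP.get(result_status, "unrecognised status; hold the object")
    return v


def _sample(scan_status, result_status, threats=None, reasons=None):
    """Constructed sample 'detail' object following the documented schema."""
    return {
        "schemaVersion": "1.0", "scanStatus": scan_status, "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {"bucketName": "amzn-s3-demo-bucket",
                            "objectKey": "uploads/report.zip", "s3Throttled": False},
        "scanResultDetails": {"scanResultStatus": result_status,
                              "threats": threats, "statusReasons": reasons},
    }


SAMPLE_THREAT = _sample("COMPLETED", "THREATS_FOUND",
                        threats=[{"name": "EICAR-Test-File (not a virus)"}])
SAMPLE_SKIPPED = _sample("SKIPPED", "ACCESS_DENIED", reasons=["SSE_C_ENCRYPTED_OBJECT"])
# Malformed on purpose: a COMPLETED scan claiming ACCESS_DENIED with an UNSUPPORTED reason.
SAMPLE_BAD = _sample("COMPLETED", "ACCESS_DENIED", reasons=["PASSWORD_PROTECTED"])
```

A consumer that only reads `scanResultStatus` will happily treat a malformed or truncated event as a verdict; cross-checking the three fields makes a tampered or partially delivered event surface as `problems` instead of as a release decision. `triage(SAMPLE_BAD)` reports three inconsistencies, while the two well-formed samples come back `consistent`.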

# Monitoring S3 object scans with Amazon EventBridge
<a name="monitor-with-eventbridge-s3-malware-protection"></a>

*Amazon EventBridge* is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and AWS services and routes that data to targets such as Lambda. This enables you to monitor events that happen in services, and build event-driven architectures. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

As the owner account of an S3 bucket that is protected with Malware Protection for S3, GuardDuty publishes EventBridge notifications to the default event bus in the following scenarios:
+ **Malware Protection plan resource status** changes for any of your protected buckets. For information about various statuses, see [Viewing and understanding protected bucket status](malware-protection-s3-bucket-status-gdu.md).

  For setting up Amazon EventBridge (EventBridge) rule for the resource status, see [Malware Protection plan resource status](#resource-status-malware-protection-s3-ev).
+ The **S3 object scan result** gets published to your default EventBridge event bus.

  The `s3Throttled` field indicates whether there was a delay in uploading to or retrieving from Amazon S3 storage. The value `true` indicates that there was a delay, and `false` indicates that there was no delay.

  If `s3Throttled` is `true` for your scan result, then Amazon S3 recommends setting up prefixes in a way that helps you reduce the transactions per second (TPS) for each prefix. For more information, see [Best practices design patterns: optimizing Amazon S3 performance](https://docs.aws.amazon.com/AmazonS3/latest/userguide/optimizing-performance.html) in the *Amazon S3 User Guide*.

  For setting up Amazon EventBridge (EventBridge) rule for the S3 object scan results, see [S3 object scan result](#s3-object-scan-status-malware-protection-s3-ev).
+ There is a **post-scan tag failure event** because of the following reasons:
  + Your IAM role is missing permissions to tag the object.

    The [Adding IAM policy permissions](malware-protection-s3-iam-policy-prerequisite.md#attach-iam-policy-s3-malware-protection) template includes the permission for GuardDuty to tag an object.
  + The bucket resource or object specified in the IAM role no longer exists.
  + The associated S3 object has already reached the maximum tag limit. For more information about the tag limit, see [Categorizing your storage using tags](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html) in the *Amazon S3 User Guide*.

  For setting up Amazon EventBridge (EventBridge) rule for the post-scan tag failure events, see [Post-scan tag failure events](#post-tag-failure-malware-protection-s3-ev).

## Set up EventBridge rules
<a name="set-up-malware-protection-s3-eventbridge-rules"></a>

You can set up EventBridge rules in your account to send the resource status, post-scan tag failure events, or S3 object scan results to another AWS service. As a delegated GuardDuty administrator account, you will receive the Malware Protection plan resource status notification when there is a change in the status.

Standard EventBridge pricing will apply. For more information, see [Amazon EventBridge pricing](https://aws.amazon.com/eventbridge/pricing/).

The values in the following examples, such as account IDs, resource ARNs, object keys, and ETags, are placeholders. They will differ based on the values in your account, and on whether or not malware is detected.

**Topics**
+ [Malware Protection plan resource status](#resource-status-malware-protection-s3-ev)
+ [S3 object scan result](#s3-object-scan-status-malware-protection-s3-ev)
+ [Post-scan tag failure events](#post-tag-failure-malware-protection-s3-ev)

### Malware Protection plan resource status
<a name="resource-status-malware-protection-s3-ev"></a>

You can create an EventBridge event pattern based on the following scenarios:

**Potential `detail-type` values**
+ `"GuardDuty Malware Protection Resource Status Active"`
+ `"GuardDuty Malware Protection Resource Status Warning"`
+ `"GuardDuty Malware Protection Resource Status Error"`

**Event pattern**

```
{
    "detail-type": ["potential detail-type"],
    "source": ["aws.guardduty"]
}
```

**Sample notification schema for `GuardDuty Malware Protection Resource Status Active`**:

```
{
    "version": "0",
    "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
    "detail-type": "GuardDuty Malware Protection Resource Status Active",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2017-12-22T18:43:48Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "eventTime": "2024-02-28T01:01:01Z",
        "s3BucketDetails": {
            "bucketName": "amzn-s3-demo-bucket"
        },
        "resourceStatus": "ACTIVE"
    }
}
```

**Sample notification schema for `GuardDuty Malware Protection Resource Status Warning`**:

```
{
    "version": "0",
    "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
    "detail-type": "GuardDuty Malware Protection Resource Status Warning",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2017-12-22T18:43:48Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "eventTime": "2024-02-28T01:01:01Z",
        "s3BucketDetails": {
            "bucketName": "amzn-s3-demo-bucket"
        },
        "resourceStatus": "WARNING",
        "statusReasons": [
            {
                "code": "INSUFFICIENT_TEST_OBJECT_PERMISSIONS"
            }
        ]
    }
}
```

**Sample notification schema for `GuardDuty Malware Protection Resource Status Error`**:

```
{
    "version": "0",
    "id": "fc7a35b7-83bd-3c1f-ecfa-1b8de9e7f7d2",
    "detail-type": "GuardDuty Malware Protection Resource Status Error",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2017-12-22T18:43:48Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "eventTime": "2024-02-28T01:01:01Z",
        "s3BucketDetails": {
            "bucketName": "amzn-s3-demo-bucket"
        },
        "resourceStatus": "ERROR",
        "statusReasons": [
            {
                "code": "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED"
            }
        ]
    }
}
```

The `statusReasons` value is populated according to the reason behind the `resourceStatus` of `ERROR`.

For troubleshooting steps for these warnings and errors, see [Troubleshooting Malware Protection plan status](troubleshoot-s3-malware-protection-status-errors.md).

### S3 object scan result
<a name="s3-object-scan-status-malware-protection-s3-ev"></a>

**Event pattern**:

```
{
  "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
  "source": ["aws.guardduty"]
}
```

When the `scanStatus` is `SKIPPED`, the `scanResultDetails` includes a `statusReasons` field that provides the specific reason why the scan was skipped. For information about the possible values, see [S3 object potential scan status and result status](monitoring-malware-protection-s3-scans-gdu.md#s3-object-scan-result-value-malware-protection).

**Sample notification schema for `NO_THREATS_FOUND`**:

```
{
    "version": "0",
    "id": "72c7d362-737a-6dce-fc78-9e27a0171419",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-02-28T01:01:01Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "amzn-s3-demo-bucket",
            "objectKey": "APKAEIBAERJR2EXAMPLE",
            "eTag": "ASIAI44QH8DHBEXAMPLE",
            "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
            "s3Throttled": false
        },
        "scanResultDetails": {
            "scanResultStatus": "NO_THREATS_FOUND",
            "threats": null,
            "statusReasons": null
        }
    }
}
```

**Sample notification schema for `THREATS_FOUND`**:

```
{
    "version": "0",
    "id": "72c7d362-737a-6dce-fc78-9e27a0171419",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-02-28T01:01:01Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "amzn-s3-demo-bucket",
            "objectKey": "APKAEIBAERJR2EXAMPLE",
            "eTag": "ASIAI44QH8DHBEXAMPLE",
            "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
            "s3Throttled": false
        },
        "scanResultDetails": {
            "scanResultStatus": "THREATS_FOUND",
            "threats": [
                {
                    "name": "EICAR-Test-File (not a virus)"
                }
            ],
            "statusReasons": null
        }
    }
}
```

**Note**  
The `scanResultDetails.threats` field contains only one threat. By default, the Malware Protection for S3 scan reports the first detected threat. After this, the `scanStatus` is set to `COMPLETED`.

**Sample notification schema for scan result status `UNSUPPORTED` (Skipped)**:

```
{
    "version": "0",
    "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-02-28T01:01:01Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "SKIPPED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "amzn-s3-demo-bucket",
            "objectKey": "APKAEIBAERJR2EXAMPLE",
            "eTag": "ASIAI44QH8DHBEXAMPLE",
            "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
            "s3Throttled": false
        },
        "scanResultDetails": {
            "scanResultStatus": "UNSUPPORTED",
            "threats": null,
            "statusReasons": ["PASSWORD_PROTECTED"]
        }
    }
}
```

**Sample notification schema for scan result status `ACCESS_DENIED` (Skipped)**:

```
{
    "version": "0",
    "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-02-28T01:01:01Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "SKIPPED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "amzn-s3-demo-bucket",
            "objectKey": "APKAEIBAERJR2EXAMPLE",
            "eTag": "ASIAI44QH8DHBEXAMPLE",
            "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
            "s3Throttled": false
        },
        "scanResultDetails": {
            "scanResultStatus": "ACCESS_DENIED",
            "threats": null,
            "statusReasons": ["SSE_C_ENCRYPTED_OBJECT"]
        }
    }
}
```

**Sample notification schema for scan result status `FAILED`**:

```
{
    "version": "0",
    "id": "72c7d362-737a-6dce-fc78-9e27a0EXAMPLE",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-02-28T01:01:01Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "FAILED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "amzn-s3-demo-bucket",
            "objectKey": "APKAEIBAERJR2EXAMPLE",
            "eTag": "ASIAI44QH8DHBEXAMPLE",
            "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
            "s3Throttled": false
        },
        "scanResultDetails": {
            "scanResultStatus": "FAILED",
            "threats": null,
            "statusReasons": null
        }
    }
}
```

### Post-scan tag failure events
<a name="post-tag-failure-malware-protection-s3-ev"></a>

**Event pattern**:

```
{
    "detail-type": ["GuardDuty Malware Protection Post Scan Action Failed"],
    "source": ["aws.guardduty"]
}
```

**Sample notification schema for `ACCESS_DENIED`**:

```
{
    "version": "0",
    "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7",
    "detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-06-10T16:16:08Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "eventTime": "2024-06-10T16:16:08Z",
        "s3ObjectDetails": {
            "bucketName": "amzn-s3-demo-bucket",
            "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0",
            "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6",
            "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
            "s3Throttled": false
        },
        "postScanActions": [{
            "actionType": "TAGGING",
            "failureReason": "ACCESS_DENIED"
        }]
    }
}
```

**Sample notification schema for `MAX_TAG_LIMIT_EXCEEDED`**:

```
{
    "version": "0",
    "id": "746acd83-d75c-5b84-91d2-dad5f13ba0d7",
    "detail-type": "GuardDuty Malware Protection Post Scan Action Failed",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-06-10T16:16:08Z",
    "region": "us-east-1",
    "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
    "detail": {
        "schemaVersion": "1.0",
        "eventTime": "2024-06-10T16:16:08Z",
        "s3ObjectDetails": {
            "bucketName": "amzn-s3-demo-bucket",
            "objectKey": "2024-03-10-16-16-00-7D723DE8DBE9Y2E0",
            "eTag": "0e9eeec810ad8b61d69112c15c2a5hb6",
            "versionId" : "d41d8cd98f00b204e9800998eEXAMPLE",
            "s3Throttled": false
        },
        "postScanActions": [{
            "actionType": "TAGGING",
            "failureReason": "MAX_TAG_LIMIT_EXCEEDED"
        }]
    }
}
```

To troubleshoot these failure reasons, see [Troubleshooting S3 object post-scan tag failures](troubleshoot-s3-post-scan-tag-failures.md).
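The three event patterns in this section all use the same matching rule: each listed key must be present in the event, and its value must be one of the listed alternatives (which is why the values are arrays). The following is an added example, not code from the GuardDuty documentation: `matches` implements that rule, `pattern_is_valid` rejects a pattern whose values are bare strings, and `route` applies the documented resource status, object scan result and post-scan tag failure patterns to an event and summarises it for a consumer such as a Lambda function. The events at the bottom are constructed samples with placeholder identifiers.

```python
"""Match and route Malware Protection for S3 EventBridge notifications.

Added example, not code from the GuardDuty documentation. ``matches`` implements
the part of EventBridge event-pattern semantics the rules above rely on: every
pattern key must exist in the event and the event's value must be one of the
listed alternatives. ``route`` applies the three documented patterns. The
events at the bottom are constructed samples with placeholder identifiers.
"""
from __future__ import annotations

# Event patterns from the documentation. EventBridge requires each value to be
# a list of alternatives; a bare string is not a valid pattern.
RESOURCE_STATUS_PATTERN = {
    "detail-type": ["GuardDuty Malware Protection Resource Status Active",
                    "GuardDuty Malware Protection Resource Status Warning",
                    "GuardDuty Malware Protection Resource Status Error"],
    "source": ["aws.guardduty"],
}
SCAN_RESULT_PATTERN = {"detail-type": ["GuardDuty Malware Protection Object Scan Result"],
                       "source": ["aws.guardduty"]}
TAG_FAILURE_PATTERN = {"detail-type": ["GuardDuty Malware Protection Post Scan Action Failed"],
                       "source": ["aws.guardduty"]}


def pattern_is_valid(pattern: dict) -> bool:
    """EventBridge rejects pattern values that are neither lists nor nested objects."""
    return all((isinstance(v, dict) and pattern_is_valid(v)) or isinstance(v, list)
               for v in pattern.values())


def matches(pattern: dict, event: dict) -> bool:
    """Exact-value matching for string fields, recursing into nested objects."""
    if not pattern_is_valid(pattern):
        raise ValueError("pattern values must be lists of alternatives")
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def route(event: dict) -> tuple[str, dict] | None:
    """Return (rule name, summary) for a matching event, or None to ignore it."""
    d = event.get("detail") or {}
    if matches(RESOURCE_STATUS_PATTERN, event):
        return "resource-status", {
            "bucket": d["s3BucketDetails"]["bucketName"],
            "status": d["resourceStatus"],
            "reasons": [r["code"] for r in d.get("statusReasons") or []]}
    if matches(SCAN_RESULT_PATTERN, event):
        obj = d["s3ObjectDetails"]
        return "scan-result", {
            "object": f"s3://{obj['bucketName']}/{obj['objectKey']}",
            "scan_status": d["scanStatus"],
            "result": d["scanResultDetails"]["scanResultStatus"],
            "throttled": bool(obj.get("s3Throttled", False))}
    if matches(TAG_FAILURE_PATTERN, event):
        obj = d["s3ObjectDetails"]
        return "tag-failure", {
            "object": f"s3://{obj['bucketName']}/{obj['objectKey']}",
            "failures": {a["actionType"]: a["failureReason"] for a in d["postScanActions"]}}
    return None


def _envelope(detail_type: str, detail: dict, source: str = "aws.guardduty") -> dict:
    """Constructed EventBridge envelope with a placeholder account and plan id."""
    return {"version": "0", "id": "00000000-0000-0000-0000-0000000EXAMPLE",
            "detail-type": detail_type, "source": source, "account": "111122223333",
            "time": "2024-02-28T01:01:01Z", "region": "us-east-1",
            "resources": ["arn:aws:guardduty:us-east-1:111122223333:malware-protection-plan/b4c7f464ab3a4EXAMPLE"],
            "detail": {"schemaVersion": "1.0", **detail}}


OBJ = {"bucketName": "amzn-s3-demo-bucket", "objectKey": "uploads/report.zip",
       "eTag": "d41d8cd98f00b204e9800998eEXAMPLE", "s3Throttled": True}
SAMPLE_WARNING = _envelope("GuardDuty Malware Protection Resource Status Warning", {
    "s3BucketDetails": {"bucketName": "amzn-s3-demo-bucket"}, "resourceStatus": "WARNING",
    "statusReasons": [{"code": "INSUFFICIENT_TEST_OBJECT_PERMISSIONS"}]})
SAMPLE_SCAN = _envelope("GuardDuty Malware Protection Object Scan Result", {
    "scanStatus": "SKIPPED", "resourceType": "S3_OBJECT", "s3ObjectDetails": OBJ,
    "scanResultDetails": {"scanResultStatus": "UNSUPPORTED", "threats": None,
                          "statusReasons": ["PASSWORD_PROTECTED"]}})
SAMPLE_TAG_FAIL = _envelope("GuardDuty Malware Protection Post Scan Action Failed", {
    "s3ObjectDetails": OBJ,
    "postScanActions": [{"actionType": "TAGGING", "failureReason": "MAX_TAG_LIMIT_EXCEEDED"}]})
# Same detail-type text but a different source: must not match any rule.
SAMPLE_OTHER = _envelope("GuardDuty Malware Protection Object Scan Result", {}, source="aws.s3")
```

Matching on `source` as well as `detail-type` is what keeps a rule from firing on an event that merely copies the GuardDuty detail-type string; `SAMPLE_OTHER` carries the scan result detail-type under `aws.s3` and is routed nowhere. A Lambda target would call `route(event)` on the payload it receives and dispatch on the returned rule name.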

# Monitoring S3 object scans with GuardDuty managed tags
<a name="monitor-enable-s3-object-tagging-malware-protection"></a>

Use the enable tagging option so that GuardDuty can add tags to your Amazon S3 object after completing the malware scan.

**Considerations for enabling tagging**
+ There is an associated usage cost when GuardDuty tags your S3 objects. For more information, see [Pricing and usage cost for Malware Protection for S3](pricing-malware-protection-for-s3-guardduty.md).
+ You must keep the required tagging permissions in the IAM role associated with this bucket; otherwise, GuardDuty can't add tags to your scanned objects. The IAM role policy already includes the permissions to add tags to the scanned S3 objects. For more information, see [Create or update IAM role policy](malware-protection-s3-iam-policy-prerequisite.md).
+ By default, you can associate up to 10 tags with an S3 object. For more information, see [Using tag-based access control (TBAC)](tag-based-access-s3-malware-protection.md).

After you enable tagging for an S3 bucket or specific prefixes, any newly uploaded object that gets scanned will have an associated tag in the following key-value pair format:

`GuardDutyMalwareScanStatus`:`Scan-Result-Status`

For information about potential tag values, see [S3 object potential scan status and result status](monitoring-malware-protection-s3-scans-gdu.md#s3-object-scan-result-value-malware-protection).
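The managed tag lets a downstream consumer decide whether to touch an object without calling GuardDuty at all. The following is an added example, not code from the GuardDuty documentation: it reads the `GuardDutyMalwareScanStatus` tag from an object's tag set (the `TagSet` list shape that S3 `GetObjectTagging` returns), turns the value into an allow/deny/hold decision, and checks the 10-tag limit noted above before upload so that the post-scan tag action cannot fail with `MAX_TAG_LIMIT_EXCEEDED`. The decision policy is this example's own, and the tag sets are constructed sample data.

```python
"""Gate processing on the GuardDuty managed scan tag.

Added example, not code from the GuardDuty documentation. Reads the
``GuardDutyMalwareScanStatus`` tag from an S3 object's tag set (the ``TagSet``
list returned by GetObjectTagging), turns it into an allow/deny/hold decision
for a downstream consumer, and checks the documented 10-tag limit before
upload. The tag sets at the bottom are constructed sample data.
"""
from __future__ import annotations

SCAN_TAG_KEY = "GuardDutyMalwareScanStatus"
MAX_OBJECT_TAGS = 10  # default per-object tag limit stated above

# Decision per documented scan result status (this example's policy). Anything
# that is not a completed, clean scan is held or denied, so an unscanned or
# unscannable object never reaches downstream processing by default.
DECISIONS = {
    "NO_THREATS_FOUND": ("allow", "scan completed, no threats"),
    "THREATS_FOUND": ("deny", "scan completed, threat detected"),
    "UNSUPPORTED": ("hold", "object could not be scanned"),
    "ACCESS_DENIED": ("hold", "GuardDuty could not read the object; fix IAM/KMS access"),
    "FAILED": ("hold", "scan failed with an internal error"),
}


def scan_status_from_tags(tag_set: list[dict]) -> str | None:
    """Value of the GuardDuty scan tag, or None if the object carries no such tag."""
    for tag in tag_set:
        if tag.get("Key") == SCAN_TAG_KEY:
            return tag.get("Value")
    return None


def gate(tag_set: list[dict]) -> tuple[str, str]:
    """(decision, reason). A missing tag means not yet scanned, tagging disabled,
    or the post-scan tag action failed; all three are treated as 'hold'."""
    status = scan_status_from_tags(tag_set)
    if status is None:
        return "hold", "no scan tag yet"
    return DECISIONS.get(status, ("deny", f"unrecognised scan status {status!r}"))


def room_for_scan_tag(tag_set: list[dict]) -> bool:
    """True if GuardDuty can still add its tag: the object must carry fewer than
    MAX_OBJECT_TAGS tags besides the scan tag itself."""
    others = [t for t in tag_set if t.get("Key") != SCAN_TAG_KEY]
    return len(others) < MAX_OBJECT_TAGS


# Constructed tag sets in the GetObjectTagging TagSet shape.
CLEAN = [{"Key": "owner", "Value": "payments"},
         {"Key": SCAN_TAG_KEY, "Value": "NO_THREATS_FOUND"}]
INFECTED = [{"Key": SCAN_TAG_KEY, "Value": "THREATS_FOUND"}]
UNSCANNED = [{"Key": "owner", "Value": "payments"}]
FULL = [{"Key": f"k{i}", "Value": "v"} for i in range(MAX_OBJECT_TAGS)]
```

Treating a missing tag as "hold" rather than "allow" is the important choice: an object that was uploaded before tagging was enabled, that is still being scanned, or whose tag action failed looks identical to the consumer, and none of those cases is evidence that the object is clean. `room_for_scan_tag(FULL)` is `False`, which is the condition that produces the `MAX_TAG_LIMIT_EXCEEDED` post-scan failure described above.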

# Troubleshooting S3 object post-scan tag failures in Malware Protection for S3
<a name="troubleshoot-s3-post-scan-tag-failures"></a>

This section applies to you only if you [Enable tagging for scanned objects](enable-malware-protection-s3-bucket.md#tag-scanned-objects-s3-malware-protection) in your protected bucket.

When GuardDuty attempts to add a tag to your scanned S3 object, the action of tagging may result in a failure. The potential reasons why this may happen to your bucket are `ACCESS_DENIED` and `MAX_TAG_LIMIT_EXCEEDED`. Use the following topics to understand the potential reasons for these post-scan tag failure reasons and troubleshoot them.

**ACCESS_DENIED**  
The following list provides potential reasons that may cause this issue:  
+ The IAM role used for this protected S3 bucket is missing the **AllowPostScanTag** permission. Verify that the IAM role associated with this bucket uses a policy that includes it. For more information, see [Create or update IAM role policy](malware-protection-s3-iam-policy-prerequisite.md).
+ The protected S3 bucket policy doesn't allow GuardDuty to add tags to this object.
+ The scanned S3 object no longer exists.

**MAX_TAG_LIMIT_EXCEEDED**  
By default, you can associate up to 10 tags with an S3 object. For more information, see Considerations for GuardDuty to add a tag to your S3 object under [Enable tagging for scanned objects](enable-malware-protection-s3-bucket.md#tag-scanned-objects-s3-malware-protection).

# S3 object scan status metrics in CloudWatch
<a name="monitor-cloudwatch-metrics-s3-malware-protection"></a>

You can monitor GuardDuty using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are retained for 15 months, so that you can access historical information and gain a better perspective on how Malware Protection for S3 is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

The CloudWatch metrics for Malware Protection for S3 are available at the resource level. You can query these metrics for each protected resource separately. The metrics are reported in the `AWS/GuardDuty/MalwareProtection` namespace. You can set up alarms on specific resources to monitor security posture.


**Malware scan status metrics**

| Metric | Description | Valid dimensions | Units |
| --- | --- | --- | --- |
| `CompletedScanCount` | The number of S3 object malware scans that completed in a given time frame. | `Malware Protection Plan Id`, `Resource Name` | Count |
| `FailedScanCount` | The number of S3 object malware scans that failed in a given time frame. | `Malware Protection Plan Id`, `Resource Name` | Count |
| `SkippedScanCount` | The number of S3 object malware scans that were skipped in a given time frame. | `Malware Protection Plan Id`, `Resource Name`, `Skipped Reason` (potential values: `Unsupported`, `MissingPermissions`) | Count |

**Malware scan result metrics**

| Metric | Description | Valid dimensions | Units |
| --- | --- | --- | --- |
| `InfectedScanCount` | The number of S3 object malware scans that detected a potentially malicious object in a given time frame. | `Malware Protection Plan Id`, `Resource Name` | Count |
| `CompletedScanBytes` | The number of S3 object bytes scanned in a given time frame. | `Malware Protection Plan Id`, `Resource Name` | Count |

**Note**  
By default, the statistics in the CloudWatch metrics are AVG.

The following dimensions are supported for the Malware Protection for S3 metrics.


| Dimension | Description |
| --- | --- |
| `Malware Protection Plan Id` | The unique identifier that is associated with the Malware Protection plan resource that GuardDuty creates for your protected resource. |
| `Resource Name` | The name of the protected resource. |
| `Skipped Reason` | The reason why an S3 object malware scan was skipped. Potential values: `Unsupported`, `MissingPermissions` |

For information about accessing and querying these metrics, see [Use Amazon CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html) in the *Amazon CloudWatch User Guide*.

For information about setting up alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.
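The metrics and dimensions above are enough to define the alarms a bucket owner usually wants: a detected threat, scans skipped for missing permissions (a silent coverage gap), and internal failures. The following is an added example, not code from the GuardDuty documentation: `alarm_params` builds the keyword arguments for boto3's `CloudWatch.Client.put_metric_alarm` from the documented metric and dimension names, validating that the `Skipped Reason` dimension is only used with `SkippedScanCount`. Nothing is sent to AWS here; the plan id, resource name and SNS topic ARN passed in are placeholders. Because every metric is a count, the alarms use the `Sum` statistic rather than the `AVG` default noted above.

```python
"""Alarm definitions for Malware Protection for S3 CloudWatch metrics.

Added example, not code from the GuardDuty documentation. ``alarm_params``
builds the keyword arguments for boto3's ``CloudWatch.Client.put_metric_alarm``
from the metric and dimension names in the tables above. Nothing is sent to
AWS here; plan id, resource name and topic ARN are placeholders supplied by the
caller. Counts are alarmed on their Sum per period, not the Average default.
"""
from __future__ import annotations

NAMESPACE = "AWS/GuardDuty/MalwareProtection"
COMMON = ("Malware Protection Plan Id", "Resource Name")
VALID_DIMENSIONS = {
    "CompletedScanCount": COMMON,
    "FailedScanCount": COMMON,
    "SkippedScanCount": COMMON + ("Skipped Reason",),
    "InfectedScanCount": COMMON,
    "CompletedScanBytes": COMMON,
}
SKIPPED_REASONS = ("Unsupported", "MissingPermissions")


def dimension_problems(metric: str, skipped_reason: str | None) -> list[str]:
    """Validation errors for a metric/dimension combination (empty if valid)."""
    problems = []
    if metric not in VALID_DIMENSIONS:
        problems.append(f"unknown metric {metric!r}")
    elif skipped_reason is not None and "Skipped Reason" not in VALID_DIMENSIONS[metric]:
        problems.append(f"{metric} does not support the Skipped Reason dimension")
    if skipped_reason is not None and skipped_reason not in SKIPPED_REASONS:
        problems.append(f"unknown Skipped Reason {skipped_reason!r}")
    return problems


def alarm_params(metric: str, plan_id: str, resource_name: str, topic_arn: str,
                 threshold: float = 1, skipped_reason: str | None = None,
                 period: int = 300, evaluation_periods: int = 1) -> dict:
    """Keyword arguments for put_metric_alarm; raises ValueError on a bad dimension."""
    problems = dimension_problems(metric, skipped_reason)
    if problems:
        raise ValueError("; ".join(problems))
    dims = {"Malware Protection Plan Id": plan_id, "Resource Name": resource_name}
    if skipped_reason is not None:
        dims["Skipped Reason"] = skipped_reason
    suffix = f"-{skipped_reason}" if skipped_reason else ""
    return {
        "AlarmName": f"guardduty-mp-s3-{resource_name}-{metric}{suffix}",
        "Namespace": NAMESPACE,
        "MetricName": metric,
        "Dimensions": [{"Name": k, "Value": v} for k, v in dims.items()],
        "Statistic": "Sum",                  # events per period, not an average
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # a period with no scans is not an incident
        "AlarmActions": [topic_arn],
    }


def baseline_alarms(plan_id: str, resource_name: str, topic_arn: str) -> list[dict]:
    """Three alarms for a protected bucket: a detected threat, a scan skipped for
    missing permissions (a coverage gap), and internal scan failures."""
    return [
        alarm_params("InfectedScanCount", plan_id, resource_name, topic_arn),
        alarm_params("SkippedScanCount", plan_id, resource_name, topic_arn,
                     skipped_reason="MissingPermissions"),
        alarm_params("FailedScanCount", plan_id, resource_name, topic_arn),
    ]


if __name__ == "__main__":
    # With boto3 (not executed here): cw.put_metric_alarm(**params) for each entry.
    for params in baseline_alarms("b4c7f464ab3a4EXAMPLE", "amzn-s3-demo-bucket",
                                  "arn:aws:sns:us-east-1:111122223333:EXAMPLE-topic"):
        print(params["AlarmName"], params["Dimensions"])
```

`TreatMissingData: notBreaching` matters for these metrics: a quiet bucket produces no datapoints at all, and the default treatment would otherwise leave the alarm in `INSUFFICIENT_DATA`. The `MissingPermissions` skipped-reason alarm is the one most often forgotten; without it, a role or KMS policy change silently turns every upload into an unscanned object while the infected-scan alarm stays green.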