

# Supportability of Amazon S3 features
<a name="supported-s3-features-malware-protection-s3"></a>

The following table specifies whether or not Malware Protection for S3 supports the listed Amazon S3 features.


| S3 feature name | Is the support available? | Description | 
| --- | --- | --- | 
|  S3 Storage Class - S3 Standard; S3 Storage Class - S3 Standard-Infrequent Access; S3 Storage Class - S3 One Zone-Infrequent Access; S3 Storage Class - S3 Glacier Instant Retrieval  |  Yes  |  S3 objects can be retrieved without restoring asynchronously.  | 
|  S3 Storage Class - S3 Intelligent-Tiering  |  Conditional  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/guardduty/latest/ug/supported-s3-features-malware-protection-s3.html)  | 
|  S3 Storage Class - S3 Express One Zone (Directory bucket)  |  No  |  GuardDuty supports only general purpose buckets for Malware Protection for S3.  | 
|  S3 Storage Class - S3 Glacier Flexible Retrieval; S3 Storage Class - S3 Glacier Deep Archive  |  No  |  The S3 objects must be restored before they can be accessed.  | 
|  Amazon S3 on Outposts  |  No  |  Malware Protection for S3 is not supported on Outposts.  | 
|  S3 versioning  |  Yes  |  All the uploaded S3 objects are scanned for malware. If you upload an object as version v1 and immediately overwrite it by uploading version v2, GuardDuty scans both object versions, v1 and v2. However, the scans might not start in the same order as the uploads.  | 
|  S3 Replication - scan replicated object  |  Yes  |  If the destination bucket is a protected resource, then GuardDuty will scan all the S3 objects that are replicated to the prefixes that are protected and monitored.  | 
|  S3 Replication: Replicate on scan result tag  |  No  |  You can't define a replication rule based on the scan result tag. Amazon S3 doesn't support replication for tags, except on create.  | 
|  Data Encryption - S3-SSE; Data Encryption - SSE-KMS; Data Encryption - DSSE-KMS; AWS KMS - Customer managed key  |  Yes  |  GuardDuty supports malware scans for S3 objects that are encrypted with managed and customer managed keys. Ensure that the IAM role includes the permission to use the key. For more information, see [Adding IAM policy permissions](malware-protection-s3-iam-policy-prerequisite.md#attach-iam-policy-s3-malware-protection).  | 
|  Data Encryption - SSE-C  |  No  |  Malware Protection for S3 doesn't support scanning S3 objects that are encrypted with keys that are not accessible.  | 
|  Client side encryption  |  No  |  When your Amazon S3 objects are encrypted by using Amazon S3 Encryption Client, your objects aren't exposed to any third party, including AWS. For information on why this is not supported, see [Protecting data by using client-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html). CSE-KMS encrypted objects are received as an encrypted blob where the encryption can't be determined. Therefore, GuardDuty processes them as they are received, and scans the encrypted blob as a regular file. GuardDuty doesn't return an `UNSUPPORTED` scan status for such objects, unless any of the [Quotas in Malware Protection for S3](malware-protection-s3-quotas-guardduty.md) is exceeded.  | 
|  S3 object lock and legal hold  |  Yes  |  Locked S3 objects follow the WORM (Write Once Read Many) model. Malware Protection for S3 can access and scan the objects.  | 
|  Requester pays  |  Yes  |  Malware Protection for S3 can scan the buckets that are set up with *Requester Pays*. The requester will pay for the S3 calls. For more information, see [Using Requester Pays buckets for storage transfers and usage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html) in the *Amazon S3 User Guide*.  | 
|  S3: Storage lifecycle  |  Yes  |  You can define lifecycle policies based on the scan result tag. For example, auto-delete malicious objects. For more information about lifecycle configuration, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*.  | 
|  S3: Tag-based access control (TBAC)  |  Yes  |  You can define bucket resource policies based on your S3 object scan result tag. For example, prevent access to S3 objects that are not yet scanned, or in which GuardDuty detected threats. For more information, see [Using tag-based access control (TBAC) with Malware Protection for S3](tag-based-access-s3-malware-protection.md).  | 
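
The storage lifecycle row above, sketched as an added example that is not part of the original AWS page: an S3 lifecycle configuration that expires objects carrying the malicious scan result tag. The tag key `GuardDutyMalwareScanStatus` and value `THREATS_FOUND` do not appear on this page and are assumed from the tag-based access control topic linked in the table; the rule ID and the one-day periods are constructed.

```json
{
  "Rules": [
    {
      "ID": "expire-guardduty-threats-found",
      "Status": "Enabled",
      "Filter": {
        "Tag": {
          "Key": "GuardDutyMalwareScanStatus",
          "Value": "THREATS_FOUND"
        }
      },
      "Expiration": { "Days": 1 },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 1 }
    }
  ]
}
```

On a versioned bucket, `Expiration` only places a delete marker over the current version, so `NoncurrentVersionExpiration` is what removes the tagged version afterwards. The rule matches only objects that already carry the tag, so it depends on scan result tagging being enabled for the protected bucket.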