
How to enable and use on-demand EC2 malware scans in GuardDuty

2 minute read
Content level: Foundational

This article describes how to activate and use on-demand EC2 malware scanning in Amazon GuardDuty.

Malware Protection for EC2 is a feature that helps detect potential malware on your EC2 instances and container workloads. Here's what it does:

  • Scans EBS volumes attached to EC2 instances and containers running on EC2.
  • Allows you to choose which EC2 instances to include or exclude from scans.
  • Offers an option to keep snapshots of EBS volumes in your GuardDuty account, but only if malware is found.
  • Generates findings when malware is detected.

This feature gives you flexibility in scanning and helps you identify and investigate potential malware threats in your EC2 environment. Because GuardDuty scans a snapshot of the EBS volume rather than the running instance, the scan does not affect the performance of your resources. Malware Protection for Amazon EC2 offers two types of scans to help you safeguard your EC2 instances:

  • Amazon GuardDuty-initiated malware scans
  • On-demand malware scans

In this article, we'll focus on on-demand malware scans. To enable and use on-demand EC2 malware scans:

Ensure that both Amazon GuardDuty and Malware Protection for EC2 are enabled in your account.

  1. Navigate to the GuardDuty console and select "EC2 Malware Scans" from the menu.

  2. Click "Start On-demand malware scan", enter the ARN of the EC2 instance that needs to be scanned, and click Confirm.

  3. The scan appears in the EC2 Malware Scans list with a unique scan ID; its status changes to Completed when the scan finishes.

  4. Select the scan to view detailed information, including:

  • Scan coverage
  • Number of files scanned
  • Invocation method
  • Resource type and instance ID
  • Scanned EBS volume details

  If malware is detected, click "Click to see malware findings" for more information.

  5. The findings page displays relevant information such as the finding ID, detected threat details, affected resources, and threat intelligence specifics.

  6. For deeper analysis, click "Investigate with Amazon Detective" (requires Amazon Detective to be enabled). This allows you to explore:

  • GuardDuty findings
  • VPC flow log activity
  • Account-level CloudTrail activity
  • Unusual trends from unfamiliar IP addresses
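The same procedure driven through the GuardDuty API instead of the console, as an added example (this is not code from the article or from AWS). It checks the prerequisite above (GuardDuty enabled and the EBS malware feature on), starts the scan with StartMalwareScan, polls DescribeMalwareScans until the status is terminal, and pulls the findings only when the result is INFECTED. The detector ID, instance ARN and volume ARN are constructed placeholders; the StubGuardDuty class is a constructed stand-in for the boto3 client so the flow runs offline; and the `service.ebsVolumeScanDetails.scanId` finding-filter attribute is an assumption taken from GuardDuty's filter attribute list.

```python
"""Drive a GuardDuty on-demand EC2 malware scan through the API (added example,
not code from the re:Post article). Functions take a GuardDuty client object so
the flow runs offline against StubGuardDuty; for real use pass boto3.client("guardduty")."""
import time

MALWARE_FEATURE = "EBS_MALWARE_PROTECTION"      # feature name reported by GetDetector
TERMINAL = {"COMPLETED", "FAILED", "SKIPPED"}    # ScanStatus values that end polling
SCAN_ID_FILTER = "service.ebsVolumeScanDetails.scanId"  # assumed ListFindings filter attribute
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc12345def67890"  # constructed
VOLUME_ARN = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"     # constructed

def malware_protection_enabled(gd, detector_id):
    """Prerequisite from the article: detector enabled AND the EBS malware feature on."""
    det = gd.get_detector(DetectorId=detector_id)
    return det.get("Status") == "ENABLED" and any(
        f.get("Name") == MALWARE_FEATURE and f.get("Status") == "ENABLED"
        for f in det.get("Features", []))

def start_scan(gd, instance_arn):
    """StartMalwareScan takes the EC2 instance ARN and returns the scan ID."""
    return gd.start_malware_scan(ResourceArn=instance_arn)["ScanId"]

def get_scan(gd, detector_id, scan_id):
    """DescribeMalwareScans filtered to one SCAN_ID; None if it is not listed yet."""
    resp = gd.describe_malware_scans(DetectorId=detector_id, FilterCriteria={"FilterCriterion": [
        {"CriterionKey": "SCAN_ID", "FilterCondition": {"EqualsValue": scan_id}}]})
    scans = resp.get("Scans", [])
    return scans[0] if scans else None

def wait_for_scan(gd, detector_id, scan_id, poll_seconds=30, max_polls=120, sleep=time.sleep):
    """Poll until the scan reaches a terminal status (scans take minutes, not seconds)."""
    for _ in range(max_polls):
        scan = get_scan(gd, detector_id, scan_id)
        if scan and scan.get("ScanStatus") in TERMINAL:
            return scan
        sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} not finished after {max_polls} polls")

def summarize(scan):
    """The fields the console shows on the scan detail page."""
    return {"scan_id": scan["ScanId"], "status": scan["ScanStatus"],
            "failure_reason": scan.get("FailureReason"),                     # set when FAILED
            "invocation": scan.get("ScanType"),                               # ON_DEMAND / GUARDDUTY_INITIATED
            "instance_arn": scan.get("ResourceDetails", {}).get("InstanceArn"),
            "result": scan.get("ScanResultDetails", {}).get("ScanResult"),   # CLEAN / INFECTED
            "files_scanned": scan.get("FileCount"),
            "volumes": [v.get("VolumeArn") for v in scan.get("AttachedVolumes", [])]}

def scan_findings(gd, detector_id, scan_id):
    """ListFindings + GetFindings for the findings this scan produced."""
    ids = gd.list_findings(DetectorId=detector_id, FindingCriteria={
        "Criterion": {SCAN_ID_FILTER: {"Eq": [scan_id]}}})["FindingIds"]
    if not ids:
        return []
    findings = gd.get_findings(DetectorId=detector_id, FindingIds=ids)["Findings"]
    return [(f["Id"], f["Type"], f["Severity"]) for f in findings]

def run(gd, detector_id, instance_arn, sleep=time.sleep):
    """Whole flow: prerequisites, start, wait, summarize, fetch findings only if INFECTED."""
    if not malware_protection_enabled(gd, detector_id):
        raise RuntimeError("enable GuardDuty and Malware Protection for EC2 first")
    scan_id = start_scan(gd, instance_arn)
    summary = summarize(wait_for_scan(gd, detector_id, scan_id, sleep=sleep))
    infected = summary["result"] == "INFECTED"
    summary["findings"] = scan_findings(gd, detector_id, scan_id) if infected else []
    return summary

class StubGuardDuty:
    """Constructed stand-in for the boto3 client: enabled detector; a scan that reports
    RUNNING twice, then COMPLETED/INFECTED with one Execution:EC2/MaliciousFile finding."""
    def __init__(self):
        self.polls = 0
    def get_detector(self, DetectorId):
        return {"Status": "ENABLED", "Features": [{"Name": MALWARE_FEATURE, "Status": "ENABLED"}]}
    def start_malware_scan(self, ResourceArn):
        return {"ScanId": "scan-0001"}
    def describe_malware_scans(self, DetectorId, FilterCriteria):
        self.polls += 1
        scan = {"ScanId": "scan-0001", "ScanStatus": "RUNNING" if self.polls < 3 else "COMPLETED",
                "ScanType": "ON_DEMAND", "ResourceDetails": {"InstanceArn": INSTANCE_ARN}}
        if scan["ScanStatus"] == "COMPLETED":
            scan.update({"ScanResultDetails": {"ScanResult": "INFECTED"}, "FileCount": 41872,
                         "AttachedVolumes": [{"VolumeArn": VOLUME_ARN}]})
        return {"Scans": [scan]}
    def list_findings(self, DetectorId, FindingCriteria):
        return {"FindingIds": ["f1"]}
    def get_findings(self, DetectorId, FindingIds):
        return {"Findings": [{"Id": "f1", "Type": "Execution:EC2/MaliciousFile", "Severity": 8.0}]}

def demo():
    """Offline run against the stub, with sleep stubbed out."""
    return run(StubGuardDuty(), "12abc34d567e8fa901bc2d34e56789f0", INSTANCE_ARN, sleep=lambda s: None)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # python scan.py <instance ARN>: real run via boto3
        import boto3
        gd = boto3.client("guardduty")
        print(run(gd, gd.list_detectors()["DetectorIds"][0], sys.argv[1]))
    else:
        print(demo())
```

Run it with no arguments to see the offline flow against the stub, or with an instance ARN to drive a real scan (the caller needs guardduty:GetDetector, StartMalwareScan, DescribeMalwareScans, ListFindings and GetFindings). Two caveats a practitioner should keep in mind: a scan can end in FAILED or SKIPPED rather than COMPLETED, so polling must treat all three as terminal and surface FailureReason; and a CLEAN result produces no findings, which is why the findings lookup is gated on INFECTED.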

By leveraging these on-demand scans and the detailed insights they provide, you can significantly enhance your cloud security posture and respond swiftly to potential malware threats in your Amazon EC2 environment.

Published by AWS (Expert), 14 days ago