Protect Your S3 Buckets with Agentless Malware Detection from GuardDuty

By: Shashidhar Reddy

Publish Date: May 2, 2025

Why Malware Scanning in Amazon S3 Is Critical for Your Organization

Amazon S3 is the backbone of cloud storage for many organizations. It is a central hub to store files from internal systems, external partners, third-party tools, and customer uploads. While this makes S3 very useful, it also brings risks—malicious files can enter your environment.

Since S3 is often the main entry point for data and workloads, scanning for malware is necessary. Not all data can be trusted, especially from third parties. A single infected PDF, ZIP, or executable file can affect your systems if not detected early.

For example, an employee might download a file from S3 that contains ransomware or a trojan without knowing it. That one file could bypass endpoint protection, spread across your network, and cause severe damage, such as data breaches, system outages, or financial loss.

Imagine a vendor uploads a file to your S3 bucket. The file has ransomware. An internal application accesses the file and unknowingly activates the malware. This can cause:

  • File encryption and system disruption
  • Spread of malware across the network
  • Unauthorized access to confidential data
  • Reputational and financial damage

These risks are real and occur in organizations globally.

Proactive Threat Detection.

To address this, AWS launched Amazon GuardDuty Malware Protection for S3 in June 2024. This feature adds malware detection directly into your S3 workflow using GuardDuty’s advanced threat detection.

GuardDuty uses a constantly updated malware signature database and intelligent detection techniques to scan objects in real-time or on demand. If malware is found, GuardDuty provides detailed alerts and can trigger automatic actions like tagging or moving files to quarantine.

This helps block infected files before they impact your systems or customer applications, reducing risk and improving security. This built-in feature scans files automatically without external tools or agents.

Key Benefits:

  • Automatic Scanning: Scans S3 objects automatically during upload or when accessed by Amazon EBS-backed workloads.
  • Agentless: No need to install agents or third-party tools.
  • Detailed Alerts: Provides detailed alerts, including file name, affected resources, and next steps.
  • Quarantine Option: Allows tagging and automatic quarantine of infected objects.
  • Fully Managed: AWS handles the infrastructure and operations.
  • Easy Setup: Enable it in just a few clicks.

Steps to Enable Amazon S3 Malware Scanning Using AWS GuardDuty

  • Open the Amazon GuardDuty service in the AWS Management Console.
  • From the left menu, click “Malware Protection for S3.”
  • Click “Enable Malware Protection for S3.”
  • Select the S3 buckets you want to monitor.
  • Choose the option to tag objects after scanning.
  • Assign an IAM role that permits GuardDuty to access and scan the selected buckets.
  • Click “Enable” to activate protection.

Monitoring and Automation options:

  • Go to the “Findings” section in the GuardDuty console to view detected malware. Each finding shows the object key, bucket name, and threat level.
  • You can also create filters to easily search for infected files by threat name, bucket, or tag.
  • You can also set up Amazon EventBridge to trigger an AWS Lambda function when malware is detected. The Lambda function can move infected files to a quarantine bucket and notify users through SNS.
  • You can also link to Jira for ticket creation or update IAM policies and ACLs to restrict access to infected objects.

  • File Size Limit: GuardDuty does not scan files larger than 5 GB. These are skipped.
  • Object Tagging: Clean files will be tagged with statuses like “No threat found.” Infected files can be tagged and moved automatically using your defined automation.
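
The EventBridge-to-Lambda quarantine flow described above, as an added example in Python (not code from the original post or from AWS). The event field names (`scanResultDetails`, `s3ObjectDetails`, `scanResultStatus`) are assumed to match the GuardDuty scan-result event and should be checked against the current AWS documentation; the bucket names, environment variable names and the sample event are constructed.

```python
import json
import os

def quarantine(event, s3, sns, quarantine_bucket, topic_arn):
    """Move an object GuardDuty flagged to quarantine; return its new key or None."""
    detail = event.get("detail", {})
    result = detail.get("scanResultDetails", {})
    if result.get("scanResultStatus") != "THREATS_FOUND":
        return None  # clean, unsupported or failed scans are not moved
    obj = detail["s3ObjectDetails"]
    bucket, key = obj["bucketName"], obj["objectKey"]
    if bucket == quarantine_bucket:
        return None  # already quarantined; avoids a copy loop
    source = {"Bucket": bucket, "Key": key}
    version = obj.get("versionId")
    if version:  # pin the exact version that was scanned
        source["VersionId"] = version
    dest_key = f"{bucket}/{key}"  # keep the origin bucket in the quarantine key
    s3.copy_object(Bucket=quarantine_bucket, Key=dest_key, CopySource=source)
    s3.delete_object(**source)  # remove only after the copy succeeded
    threats = [t.get("name", "unknown") for t in result.get("threats") or []]
    sns.publish(
        TopicArn=topic_arn,
        Subject="GuardDuty: malware found in S3 object",
        Message=json.dumps({"bucket": bucket, "key": key, "threats": threats,
                            "quarantined_as": f"s3://{quarantine_bucket}/{dest_key}"}),
    )
    return dest_key

def lambda_handler(event, context):
    import boto3  # provided by the Lambda Python runtime
    # Assumed environment variable names; set them on the function.
    return quarantine(event, boto3.client("s3"), boto3.client("sns"),
                      os.environ["QUARANTINE_BUCKET"], os.environ["ALERT_TOPIC_ARN"])

# Constructed sample event (placeholder values, not real resources)
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "detail": {
        "s3ObjectDetails": {"bucketName": "example-uploads",
                            "objectKey": "vendor/invoice.pdf", "versionId": "v1"},
        "scanResultDetails": {"scanResultStatus": "THREATS_FOUND",
                              "threats": [{"name": "EICAR-Test-File"}]},
    },
}
```

The function's role needs read and delete on the monitored buckets, write on the quarantine bucket, and publish on the SNS topic, and nothing else; the quarantine bucket itself should deny reads to ordinary users and applications.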

Conclusion:

With a few simple steps, GuardDuty Malware Protection for S3 helps integrate malware scanning into your storage workflow. Combined with EventBridge and Lambda automation, it enables quick detection, tagging, and isolation of suspicious files—before they become a threat.

At Yash, we’ve deployed this integrated approach across multiple customer environments, consistently delivering enhanced visibility, faster threat response, and stronger data security. GuardDuty Malware Protection isn’t just a feature—it’s a critical, scalable layer of defense that strengthens the security posture of Amazon S3 and safeguards your digital assets with confidence.
