AWS GuardDuty Detector Malware Protection for EC2 is not enabled
- Contextual name: Detector Malware Protection for EC2 is not enabled
- ID: /ce/ca/aws/guardduty/detector-malware-protection-for-ec2
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled
Description
This policy identifies AWS GuardDuty Detectors that do not have Malware Protection for EC2 enabled.
Malware Protection for EC2 helps detect potential malware by scanning Amazon EBS volumes attached to EC2 instances and container workloads running on Amazon EC2.
Rationale
GuardDuty Malware Protection for EC2 scans your EC2 instances for malware. When suspicious behavior is detected, GuardDuty can automatically initiate a malware scan of attached EBS volumes by taking a snapshot and analyzing it. This provides effective threat detection without requiring you to deploy or maintain additional security software on your instances.
Impact
Charges for GuardDuty Malware Protection are based on the total and prorated GB of Amazon EBS data scanned each month.
Audit
This policy flags an AWS GuardDuty Detector as INCOMPLIANT if the EBS_MALWARE_PROTECTION feature is set to DISABLED.
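The audit rule above, reimplemented as an added Python example (not Cloudaware's own prod.logic.yaml): a pure function that evaluates one GuardDuty get_detector response, plus a boto3 helper that runs it across a region. The detector IDs and responses are constructed samples; treating a detector that reports no EBS_MALWARE_PROTECTION entry at all as INCOMPLIANT is an assumption, since the page only names the DISABLED status.

```python
"""Evaluate GuardDuty detectors for the EBS_MALWARE_PROTECTION feature."""

FEATURE = "EBS_MALWARE_PROTECTION"


def evaluate_detector(detector: dict) -> str:
    """Return COMPLIANT or INCOMPLIANT for one get_detector response dict."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE:
            # The page's rule: DISABLED -> INCOMPLIANT; ENABLED passes.
            return "COMPLIANT" if feature.get("Status") == "ENABLED" else "INCOMPLIANT"
    # Assumption: no entry for the feature means it is not enabled.
    return "INCOMPLIANT"


def audit_region(region: str) -> dict:
    """Run the rule over every detector in a region (needs AWS credentials)."""
    import boto3  # imported lazily so the rule itself runs offline

    gd = boto3.client("guardduty", region_name=region)
    verdicts = {}
    for det_id in gd.list_detectors().get("DetectorIds", []):
        verdicts[det_id] = evaluate_detector(gd.get_detector(DetectorId=det_id))
    return verdicts


# Constructed sample responses shaped like boto3 get_detector output (not real data).
SAMPLE_DETECTORS = {
    "12abc34d567e8fa901bc2d34e56789f0": {
        "Status": "ENABLED",
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": "EBS_MALWARE_PROTECTION", "Status": "DISABLED"},
        ],
    },
    "98fed76c543b2a109fe8d76c54321b0a": {
        "Status": "ENABLED",
        "Features": [{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}],
    },
    "00000000000000000000000000000000": {"Status": "ENABLED", "Features": []},
}


def audit_sample() -> dict:
    """Apply the rule to the constructed samples."""
    return {det_id: evaluate_detector(det) for det_id, det in SAMPLE_DETECTORS.items()}


if __name__ == "__main__":
    for det_id, verdict in audit_sample().items():
        print(f"{det_id}: {verdict}")
```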
Remediation
Enable Malware Protection for EC2
Prerequisites
If the GuardDuty delegated administrator account is not the same as the management account in your organization, the management account must enable GuardDuty-initiated malware scans for the organization. This ensures that the delegated administrator account can create the Service-Linked Role permissions for Malware Protection for EC2 in member accounts managed through AWS Organizations.
Using your management account credentials, enable service access for Malware Protection:

```shell
aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com
```

(Optional) To enable GuardDuty-initiated malware scans for the management account that is not a delegated administrator account, create the Service-Linked Role permissions for Malware Protection for EC2 in the management account:

```shell
aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com
```
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled | 1 | no data | | | |
| Cloudaware Framework → Threat Protection | 36 | no data | | | |