Remediation
Enable Malware Protection for EC2

Prerequisites

If the GuardDuty delegated administrator account is not the same as the management account in your organization, the management account must enable GuardDuty-initiated malware scans for the organization. This ensures that the delegated administrator account can create the Service-Linked Role permissions for Malware Protection for EC2 in member accounts managed through AWS Organizations.

- Using your management account credentials, enable service access for Malware Protection:

  ```bash
  aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com
  ```

- (Optional) To enable GuardDuty-initiated malware scans for a management account that is not a delegated administrator account:

  - Create the Service-Linked Role permissions for Malware Protection for EC2 in the management account:

    ```bash
    aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com
    ```

  - Then, enable GuardDuty-initiated malware scans for the management account from the delegated administrator account, just as you would for any other member account.

- Ensure you have designated a delegated GuardDuty administrator account in the currently selected AWS Region.
  - If an account is designated as the delegated administrator in one region, it must be the delegated administrator in all other regions.
  - Repeat the step above for all other regions where GuardDuty Malware Protection will be enabled.
For Multi-Account Environments

In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable Malware Protection for EC2 on member accounts. Member accounts cannot modify this configuration directly.

From Command Line

Run the following from the delegated administrator account, using that account's detector ID:

```bash
aws guardduty update-member-detectors \
  --detector-id {{detector-id}} \
  --account-ids {{account-id1}} {{account-id2}} ... \
  --region {{region}} \
  --features 'Name=EBS_MALWARE_PROTECTION,Status=ENABLED'
```
The delegated administrator account manages member accounts using AWS Organizations and can choose to automatically enable GuardDuty-initiated malware scans for all accounts as they join the organization. Note that `--auto-enable` is a boolean switch (the CLI also accepts `--no-auto-enable`); it takes no value:

```bash
aws guardduty update-organization-configuration \
  --detector-id {{detector-id}} \
  --auto-enable \
  --region {{region}} \
  --features 'Name=EBS_MALWARE_PROTECTION,AutoEnable={{NEW | ALL}}'
```
For a Standalone Account

If your account is not associated with a delegated GuardDuty administrator via AWS Organizations, enable Malware Protection directly:

```bash
aws guardduty update-detector \
  --detector-id {{detector-id}} \
  --region {{region}} \
  --features 'Name=EBS_MALWARE_PROTECTION,Status=ENABLED'
```
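After running either remediation, you want to verify that `EBS_MALWARE_PROTECTION` actually reports `ENABLED`, both for a standalone detector (`aws guardduty get-detector`) and across member accounts (`aws guardduty get-member-detectors`). The following is an added example, not code from the original page or from AWS; it parses constructed JSON samples modeled on those two responses, treats a missing feature entry or a disabled detector as non-compliant, and surfaces accounts the API could not process so they are not silently counted as fixed.

```python
import json

FEATURE = "EBS_MALWARE_PROTECTION"

# Constructed sample modeled on `aws guardduty get-detector` output (not a real account).
GET_DETECTOR_SAMPLE = json.dumps({
    "Status": "ENABLED",
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": FEATURE, "Status": "DISABLED"},
    ],
})

# Constructed sample modeled on `aws guardduty get-member-detectors` output.
GET_MEMBER_DETECTORS_SAMPLE = json.dumps({
    "MemberDataSourceConfigurations": [
        {"AccountId": "111111111111", "Features": [{"Name": FEATURE, "Status": "ENABLED"}]},
        {"AccountId": "222222222222", "Features": [{"Name": FEATURE, "Status": "DISABLED"}]},
        {"AccountId": "333333333333", "Features": []},  # no entry at all: treat as not enabled
    ],
    "UnprocessedAccounts": [{"AccountId": "444444444444", "Result": "account is not a member"}],
})


def feature_enabled(config: dict, feature: str = FEATURE) -> bool:
    """True only if the detector is ENABLED and the feature is reported ENABLED.
    A missing feature entry is treated as disabled (fail closed)."""
    if config.get("Status", "ENABLED") != "ENABLED":
        return False
    return any(f.get("Name") == feature and f.get("Status") == "ENABLED"
               for f in config.get("Features", []))


def detector_compliant(get_detector_json: str) -> bool:
    """Evaluate one `get-detector` response (standalone or admin account)."""
    return feature_enabled(json.loads(get_detector_json))


def noncompliant_members(get_member_detectors_json: str) -> list[str]:
    """Account IDs that still need `update-member-detectors`, plus accounts the
    API could not process (those need investigation, not a silent pass)."""
    data = json.loads(get_member_detectors_json)
    missing = [m["AccountId"] for m in data.get("MemberDataSourceConfigurations", [])
               if not feature_enabled(m)]
    missing += [u["AccountId"] for u in data.get("UnprocessedAccounts", [])]
    return sorted(set(missing))


if __name__ == "__main__":
    print("detector compliant:", detector_compliant(GET_DETECTOR_SAMPLE))
    print("members to remediate:", noncompliant_members(GET_MEMBER_DETECTORS_SAMPLE))
```

Feed the real CLI output into the two functions (for example `detector_compliant(open("detector.json").read())`) and repeat per region, since the feature is enabled per detector and detectors are regional.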