Enable malware protection for S3 in GuardDuty

[Khatraf]

User Story

As a Modernisation platform user
I want malware protection for S3 in GuardDuty enabled
So that we can automatically detect and mitigate malware in files uploaded to our S3 buckets

Value / Purpose

Automated malware detection- as it automatically scans objects uploaded to S3 buckets for malicious files, reducing the need for manual checks and interventions.
Real-Time Threat Detection - allowing teams to respond to malware or compromised files as soon as they are uploaded.

Useful Contacts

No response

Additional Information

Member request: see here

https://aws.amazon.com/blogs/security/using-amazon-guardduty-malware-protection-to-scan-uploads-to-amazon-s3/

Definition of Done

• Turn on malware protection at org level
• Check that Malware Protection is enabled across all S3 buckets
• Test malware scanning e.g. upload test files and verify that GuardDuty detects and scans the objects for malware

[dms1981]

Confirmed that this is enabled in the organisation-security account, that new accounts are auto-enrolled, and that all existing accounts are protected. Buckets, however, don't appear to be automatically protected.

[Khatraf]

Enabling this feature is an account level setting where you can choose specific S3 buckets you want to enable malware protection for. Looking into creating a role that can be used with enough permissions to perform the malware scan.

[Khatraf]

New Feature Alert: Malware Protection for Amazon S3! AWS has released a new security feature that allows you to scan newly uploaded objects in your S3 buckets for potential malware, providing an added layer of protection for your data. With customisable bucket selection, you can choose specific S3 buckets to monitor, ensuring malware scanning is applied only where it's needed, keeping your critical data safe from threats.

Note: All existing AWS accounts are eligible for a 12-month Free Tier, which includes 1,000 requests and 1 GB of malware scanning each month. The Free Tier starts on June 11, 2024, and ends on June 11, 2025.

More details can be found here: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html 

Example implementation: 
See here for an example of enabling Malware Protection for S3.
This example demonstrates how to configure Malware Protection for specific S3 buckets, and the MemberInfrastructureAccess role has the necessary permissions to perform malware scans.

[Khatraf]

uploaded test files to check the malware scanning: https://eu-west-2.console.aws.amazon.com/s3/object/tests3malwarekf?region=eu-west-2&bucketType=general&prefix=test_file - GuardDuty flagged the object with finding type THREATS_FOUND
https://eu-west-2.console.aws.amazon.com/s3/object/tests3malwarekf?region=eu-west-2&bucketType=general&prefix=clean.txt - NO_THREATS_FOUND

[Khatraf]

[markgov]

Malware has been setup and tested and a new ticket has been raised to enable it on other buckets