Review: Amazon GuardDuty Malware Protection for S3

Michael Wittig – 27 Jun 2024

Imagine users uploading attachments directly to S3 to share them with other users. Or partners uploading data to your S3 bucket to trigger business processes that download directly from S3. What could go wrong? A file uploaded to S3 could be infected. Malware, like a virus or ransomware, is a cyber security threat first seen in 1971. Since then, the number of different types of malware has exploded. It is common practice to scan all files that enter (and sometimes leave) your security perimeter, usually your corporate network, by inspecting network traffic.
Additionally, many corporations install malware scanners on all servers and clients to scan all files that are stored on (and sometimes accessed from) disk. But in the Cloud era, files can be uploaded directly to Amazon S3, bypassing your corporate network. You can access S3 objects without persisting them to disk first, bypassing traditional malware scanners. We need to scan all uploads to Amazon S3 as well! That’s what Amazon GuardDuty Malware Protection for S3 is all about.


In the following post, I will dive deep into Amazon GuardDuty Malware Protection for S3. I have a lot of experience in this field. In 2015, I released an open-source project to scan files uploaded to Amazon S3. In 2019, I co-founded bucketAV - Antivirus protection for Amazon S3. I might be biased, but I have seen a lot of customer use cases. Judge for yourself.

Scan modes

Amazon GuardDuty Malware Protection for S3 can scan files in real-time, right after the file is uploaded. Unfortunately, that’s it. Each file is scanned only once. There is no way to trigger a scan programmatically. It is also not possible to scan files just before a download happens.
Imagine a file uploaded a year ago. In the meantime, a new security vulnerability is disclosed. Unfortunately, the bad guys knew about the vulnerability long before and actively used it to attack victims. Only after the good guys discover the vulnerability can malware scanners detect it. All files uploaded one year ago could be infected as well. We simply don’t know, because back then the malware engine had no idea about the threat. That’s why almost all malware scanners rescan all files from time to time or on access. GuardDuty does not.

  • Real-time/on-upload file scan: ✅
  • Scheduled bucket scan: ❌
  • On-demand bucket scan: ❌
  • On-demand file scan: ❌
  • On-access file scan: ❌

Mitigation

Detecting a malicious file is important. Dealing with the malicious files is key. Amazon GuardDuty Malware Protection for S3 can tag S3 objects with the scan result. You can use this tag in S3 bucket policies or IAM policies to restrict access to clean files or block access to infected files. Unfortunately, that’s it. GuardDuty does not delete infected files or quarantine files (move them to a separate S3 bucket for further analysis).

  • Tag: ✅
  • Delete: ❌
  • Quarantine/Move: ❌

Reporting

New security tools are always great. But someone must deal with all the findings, right? Even if the mitigation is automated (like deleting infected files), you still want to know what the tool is doing. Therefore, reporting is an important aspect. Amazon GuardDuty Malware Protection for S3 is working mostly in the dark. If you subscribe to GuardDuty, you will see findings created for malicious files. If you use Amazon GuardDuty Malware Protection for S3 in standalone mode, the scan results are not stored. You get some high-level CloudWatch metrics and that’s it. No dashboard, no notifications, no reports.

  • Reports: ❌
  • Notifications (email): ❌
  • Notifications (Slack): ❌
  • Notifications (Microsoft Teams): ❌
  • Dashboard: ❌
  • AWS Security Hub finding integration: ⚠️ (only if you subscribe to GuardDuty)
  • AWS Systems Manager OpsCenter item integration: ❌
  • Amazon GuardDuty finding integration: ⚠️ (only if you subscribe to GuardDuty)

Developer

AWS is like Lego bricks. You put many bricks together to build great things. Amazon GuardDuty Malware Protection for S3 publishes events like scan results to EventBridge. EventBridge rules can trigger other AWS services. For example, to implement your quarantine logic, you can trigger a Lambda function if a file is infected. Keep in mind that moving files in S3 is not easy. You first copy the file and then delete it. But you cannot copy a file that is larger than 5 GB in a single operation. You need to copy it in parts, which can take a lot of time, so you had better use Step Functions to orchestrate it to avoid Lambda timeouts.

  • Amazon EventBridge integration: ✅
  • Amazon SNS integration: ❌
  • Amazon CloudWatch metrics integration: ✅
  • AWS API to scan files: ❌
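One way to wire up the quarantine logic described above, as an added example that is not the post's or AWS's own code: a Lambda handler (Python, boto3-style S3 calls) triggered by the EventBridge scan-result event that copies the infected object to a quarantine bucket, switching to part-by-part UploadPartCopy above the 5 GB CopyObject limit, and deletes the original only afterwards. The event field names (detail.scanResultDetails.scanResultStatus, detail.s3ObjectDetails.bucketName/objectKey) are assumed from the AWS event schema, and the quarantine bucket name comes from an assumed QUARANTINE_BUCKET environment variable; the S3 client is injectable so the logic can be exercised without an AWS account.

```python
"""Quarantine an infected S3 object reported by GuardDuty Malware Protection.
Added example (not from the post). Event field names assumed from the AWS
EventBridge schema; the S3 client is injected so the logic runs without AWS."""
import os

SINGLE_COPY_LIMIT = 5 * 1024**3  # CopyObject refuses sources larger than 5 GB
PART_SIZE = 1024**3              # 1 GiB parts for UploadPartCopy (max 5 GB each)


def part_ranges(size, part_size=PART_SIZE):
    """Inclusive byte ranges, as S3 expects them, covering `size` bytes."""
    return [(start, min(start + part_size, size) - 1)
            for start in range(0, size, part_size)]


def quarantine_object(s3, bucket, key, quarantine_bucket):
    """Copy bucket/key into the quarantine bucket, then delete the original.
    Returns the number of parts used (1 means a single CopyObject call)."""
    size = s3.head_object(Bucket=bucket, Key=key)["ContentLength"]
    source = {"Bucket": bucket, "Key": key}
    if size <= SINGLE_COPY_LIMIT:
        s3.copy_object(Bucket=quarantine_bucket, Key=key, CopySource=source)
        parts_used = 1
    else:  # objects above 5 GB must be copied part by part
        upload_id = s3.create_multipart_upload(Bucket=quarantine_bucket, Key=key)["UploadId"]
        parts = []
        for number, (start, end) in enumerate(part_ranges(size), start=1):
            resp = s3.upload_part_copy(
                Bucket=quarantine_bucket, Key=key, UploadId=upload_id,
                PartNumber=number, CopySource=source,
                CopySourceRange=f"bytes={start}-{end}")
            parts.append({"ETag": resp["CopyPartResult"]["ETag"], "PartNumber": number})
        s3.complete_multipart_upload(Bucket=quarantine_bucket, Key=key, UploadId=upload_id,
                                     MultipartUpload={"Parts": parts})
        parts_used = len(parts)
    # Delete the original only after the quarantine copy is complete.
    s3.delete_object(Bucket=bucket, Key=key)
    return parts_used


def lambda_handler(event, context, s3=None):
    """EventBridge target: act only on objects GuardDuty flagged as infected."""
    detail = event.get("detail", {})
    if detail.get("scanResultDetails", {}).get("scanResultStatus") != "THREATS_FOUND":
        return {"action": "none"}
    if s3 is None:
        import boto3  # deferred so the module imports without boto3 installed
        s3 = boto3.client("s3")
    obj = detail["s3ObjectDetails"]
    parts = quarantine_object(s3, obj["bucketName"], obj["objectKey"],
                              os.environ["QUARANTINE_BUCKET"])
    return {"action": "quarantined", "parts": parts}
```

For multi-gigabyte objects the part loop can outlive a Lambda timeout; drive it from a Step Functions state machine, as the post suggests, with one part copy per state iteration.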

Pricing model

I will use three example workloads to demonstrate the pricing model using us-east-1 prices.

  • Tiny (90 GB/month): $57.68
  • Small (3 TB / month): $1,991.07
  • Larger (15 TB / month): $12,696.81

In the following, I present detailed cost estimations of all examples. I end with a detailed comparison of the pricing models.

Tiny workload

The customer scans 300 files per day with an average file size of 10 MB. This results in 9,000 files and 90 GB per month. Objects are tagged with scan results. AWS region is us-east-1.

Amazon GuardDuty Malware Protection for S3
  Scanning        GB: $54.00
                  files: $1.94
                  Subtotal: $55.94
  Infrastructure  S3: $0.05
                  EventBridge: $0.01
                  GuardDuty: optional, AWS usage dependent
                  Subtotal: $0.06
  Support         At least $1.68
  Total           $57.68

Small workload

The customer scans 20,000 files per day with an average file size of 5 MB. This results in 600,000 files and 3,000 GB per month. Objects are tagged with scan results. AWS region is us-east-1.

Amazon GuardDuty Malware Protection for S3
  Scanning        GB: $1,800.00
                  files: $129.00
                  Subtotal: $1,929.00
  Infrastructure  S3: $3.48
                  EventBridge: $0.60
                  GuardDuty: optional, AWS usage dependent
                  Subtotal: $4.08
  Support         At least $57.99
  Total           $1,991.07

Larger workload

The customer scans 500,000 files per day with an average file size of 1 MB. This results in 15,000,000 files and 15,000 GB per month. Objects are tagged with scan results. AWS region is us-east-1.

Amazon GuardDuty Malware Protection for S3
  Scanning        GB: $9,000.00
                  files: $3,225.00
                  Subtotal: $12,225.00
  Infrastructure  S3: $87.00
                  EventBridge: $15.00
                  GuardDuty: optional, AWS usage dependent
                  Subtotal: $102.00
  Support         At least $369.81
  Total           $12,696.81

Detailed pricing model comparison

The following table shows the various aspects of the pricing models using us-east-1 prices.

Amazon GuardDuty Malware Protection for S3
  Scanning        $0.60 per GB
                  $0.215 per 1,000 objects
  Infrastructure  S3, EventBridge, optional GuardDuty
  Support         Developer: $29 or 3% of monthly AWS charges
                  Business: $100 per month or 3-10% of monthly AWS charges
                  Enterprise: $15,000 per month or 3-7% of monthly AWS charges

Limitations

Last but not least, we dive into the technical limitations of Amazon GuardDuty Malware Protection for S3:

  • Maximum S3 object size: 5 GB
  • Maximum extracted archive size: 5 GB
  • Maximum number of files in an archive: 1,000
  • Maximum archive depth level: 5 (archive inside archive inside archive…)

Service Maturity Table

Each service review ends with the service maturity table.

Criteria                             Summary  Score
Feature Completeness                 🚨       2
Documentation detailedness                    8
Tags (Grouping + Billing)            ✅       10
CloudFormation + Terraform support   ✅       10
Emits CloudWatch Events              ✅       10
IAM granularity                      ✅       8
Integrated with AWS Config           ⚠️       0
Auditing via AWS CloudTrail                   10
Available in all commercial regions           10
SLA                                           10
Compliance (ISO, SOC, HIPAA)                  10
Total Maturity Score (0-10)                   8.0

Our maturity score for Amazon GuardDuty Malware Protection for S3 is 8.0 on a scale from 0 to 10. Amazon GuardDuty Malware Protection for S3 benefits from being part of the GuardDuty service, which is very mature. When we look at Feature Completeness in isolation, the picture looks less rosy. If you are interested in how bucketAV compares with Amazon GuardDuty Malware Protection for S3, I have you covered.

Michael Wittig

I’ve been building on AWS since 2012 together with my brother Andreas. We are sharing our insights into all things AWS on cloudonaut and have written the book AWS in Action. Besides that, we’re currently working on bucketAV, HyperEnv for GitHub Actions, and marbot.