Monitoring S3 object scans in Malware Protection for S3 - Amazon GuardDuty

When using Malware Protection for S3 with a GuardDuty detector ID, if your Amazon S3 object is potentially malicious, GuardDuty generates a Malware Protection for S3 finding. Using the GuardDuty console and APIs, you can view the generated findings. For information about understanding this finding type, see Finding details.

When using Malware Protection for S3 without enabling GuardDuty (no detector ID), even when your scanned Amazon S3 object is potentially malicious, GuardDuty can't generate any findings.

S3 object potential scan status and result status

This section explains the potential S3 object scan status values and the scan result values.

An S3 object scan status indicates the status of the malware scan, such as completed, skipped, or failed.

An S3 object malware scan result status indicates the result of the scan based on the scan status value. Each malware scan result status value maps to a scan status.

The following list provides the potential S3 object scan result values. If you have enabled tagging, you can monitor the scan result through the post-scan tag; see Using S3 object GuardDuty managed tags. After the scan, the tag value will be one of the following scan result values.

S3 object potential malware scan result status values
  • NO_THREATS_FOUND – GuardDuty detected no potential threat associated with the scanned object.

  • THREATS_FOUND – GuardDuty detected a potential threat associated with the scanned object.

  • UNSUPPORTED – There are a few reasons why Malware Protection for S3 will skip a scan. Potential reasons include a password-protected file, Malware Protection for S3 quotas, and Amazon S3 features that Malware Protection for S3 does not support. For more information, see Capabilities of Malware Protection for S3.

  • ACCESS_DENIED – GuardDuty can't access this object for scanning. Check the IAM role permissions associated with this bucket. For more information, see Prerequisite - Create or update IAM role policy.

    If you have enabled post-scan S3 object tagging, see Troubleshooting S3 object post-scan tag failures.

  • FAILED – GuardDuty can't perform a malware scan on this object because of an internal error.

The following list provides potential S3 object scan status values and their mapping to the S3 object scan result.

S3 object potential scan status values
  • Completed – The scan completed successfully and indicates whether the S3 object has malware. In this case, the potential S3 object scan result value could be either THREATS_FOUND or NO_THREATS_FOUND.

  • Skipped – GuardDuty skips a malware scan when scanning this S3 object is not supported by Malware Protection for S3, or GuardDuty doesn't have access to the uploaded S3 object in the selected bucket.

    In this case, the potential S3 object scan result value could be either UNSUPPORTED or ACCESS_DENIED.

  • Failed – Similar to the S3 object scan result value FAILED, this scan status means that GuardDuty was unable to perform a malware scan on the S3 object because of an internal error.
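The following is an added example, not AWS code, that turns the result-to-status mapping above into a small triage helper for a bucket's post-scan tags. It assumes the GuardDuty post-scan tag key is `GuardDutyMalwareScanStatus` (the key is not named on this page) and that the tag value is one of the five scan result values listed here; the sample tag sets are constructed to cover every value plus the case of an object that carries no scan tag at all. The point it adds to the prose is defensive: only NO_THREATS_FOUND is evidence of a clean object, while UNSUPPORTED, ACCESS_DENIED, FAILED, an unknown value, and a missing tag all mean "no verdict" and should not be treated as clean.

```python
"""Triage GuardDuty Malware Protection for S3 post-scan tags (added example).

Assumptions (not taken from this page):
  * The post-scan tag key is GuardDutyMalwareScanStatus.
  * The tag value is one of the scan result values documented above.
The sample tag sets at the bottom are constructed for illustration.
"""

# Tag key written by GuardDuty when post-scan tagging is enabled (assumed).
SCAN_TAG_KEY = "GuardDutyMalwareScanStatus"

# Scan result value -> scan status, exactly as described on this page.
RESULT_TO_STATUS = {
    "NO_THREATS_FOUND": "Completed",
    "THREATS_FOUND": "Completed",
    "UNSUPPORTED": "Skipped",
    "ACCESS_DENIED": "Skipped",
    "FAILED": "Failed",
}

# Defender's disposition per result. Everything except NO_THREATS_FOUND
# is either a detection or the absence of a verdict, so it is held.
RESULT_TO_DISPOSITION = {
    "NO_THREATS_FOUND": "release",
    "THREATS_FOUND": "quarantine",
    "UNSUPPORTED": "hold",    # e.g. password-protected file or quota reached
    "ACCESS_DENIED": "hold",  # fix the IAM role policy, then rescan
    "FAILED": "hold",         # internal error; re-upload or rescan later
}


def classify(tag_set):
    """Return (scan_status, scan_result, disposition) for one object's tags.

    tag_set has the shape of the 'TagSet' list in an S3 get_object_tagging
    response: [{"Key": "...", "Value": "..."}, ...].
    An object with no GuardDuty tag (not scanned yet, tagging disabled, or the
    tag write failed) is reported as "Pending"; a value outside the documented
    set is reported as "Unknown". Both are held rather than released.
    """
    value = next((t["Value"] for t in tag_set if t.get("Key") == SCAN_TAG_KEY), None)
    if value is None:
        return ("Pending", None, "hold")
    status = RESULT_TO_STATUS.get(value)
    if status is None:
        return ("Unknown", value, "hold")
    return (status, value, RESULT_TO_DISPOSITION[value])


def summarize(objects):
    """Count dispositions over a {object_key: tag_set} mapping."""
    counts = {"release": 0, "quarantine": 0, "hold": 0}
    for tag_set in objects.values():
        counts[classify(tag_set)[2]] += 1
    return counts


# Constructed sample tag sets, one per documented result plus an untagged object.
SAMPLE_OBJECTS = {
    "uploads/report.pdf": [{"Key": SCAN_TAG_KEY, "Value": "NO_THREATS_FOUND"}],
    "uploads/invoice.zip": [{"Key": SCAN_TAG_KEY, "Value": "THREATS_FOUND"},
                            {"Key": "owner", "Value": "finance"}],
    "uploads/archive.7z": [{"Key": SCAN_TAG_KEY, "Value": "UNSUPPORTED"}],
    "uploads/secret.bin": [{"Key": SCAN_TAG_KEY, "Value": "ACCESS_DENIED"}],
    "uploads/big.iso": [{"Key": SCAN_TAG_KEY, "Value": "FAILED"}],
    "uploads/new.docx": [{"Key": "owner", "Value": "hr"}],  # no scan tag yet
}

if __name__ == "__main__":
    for key, tags in SAMPLE_OBJECTS.items():
        print(f"{key:22} {classify(tags)}")
    print(summarize(SAMPLE_OBJECTS))
```

In a real deployment the tag set would come from `s3.get_object_tagging(Bucket=..., Key=...)["TagSet"]` via boto3 for each object, and a disposition of "hold" on ACCESS_DENIED is the cue to check the IAM role policy referenced above before rescanning.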