
Ensure that GuardDuty Malware Protection for EC2 is enabled

Overview

This check verifies that AWS GuardDuty has Malware Protection for EC2 enabled. When enabled, GuardDuty scans snapshots of the EBS volumes attached to your EC2 instances and to container workloads running on them (for example ECS or EKS on EC2) to detect malware. The scan runs against the snapshot replica, not the live instance, so no agent has to be installed on the instance.

Risk

If Malware Protection is not enabled, malicious software on your EC2 instances may go undetected. This could lead to:

  • Data theft - Attackers could steal sensitive information
  • Ransomware attacks - Files could be encrypted and held for ransom
  • Cryptomining - Resources could be hijacked to mine cryptocurrency
  • Lateral movement - Compromised instances could be used to attack other resources

Severity: High

Remediation Steps

Prerequisites

  • AWS account access with permission to modify GuardDuty settings
  • GuardDuty must already be enabled in your account (if not, enable it first)

AWS Console Method

  1. Sign in to the AWS Console
  2. Navigate to GuardDuty (search for it in the top search bar)
  3. In the left menu, click Protection plans
  4. Click Malware Protection for EC2
  5. Click the Enable button
  6. Click Save to confirm

AWS CLI Method

First, get your GuardDuty detector ID for the region you are working in:

aws guardduty list-detectors --region us-east-1

This returns a JSON object whose DetectorIds list contains your detector ID (a 32-character hexadecimal string like 12abc34d567e8fa901bc2d34e56789f0). There is at most one detector per account per region; if the list is empty, GuardDuty is not enabled in that region and must be enabled first.

Then enable Malware Protection for EC2 on that detector:

aws guardduty update-detector \
  --detector-id <your-detector-id> \
  --features '[{"Name":"EBS_MALWARE_PROTECTION","Status":"ENABLED"}]' \
  --region us-east-1

Replace <your-detector-id> with the detector ID returned by the first command. The --features list only changes the features you name, so other protection plans keep their current state. Repeat both commands in every region where you run EC2 workloads.

CloudFormation Template

This template creates a new GuardDuty detector with Malware Protection for EC2 enabled. Because an account can only have one detector per region, deploying it in a region where GuardDuty is already enabled will fail; in that case import the existing detector into the stack, or manage the feature on the existing detector with the CLI or Terraform methods instead.

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty Malware Protection for EC2

Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      Features:
        - Name: EBS_MALWARE_PROTECTION
          Status: ENABLED

Deploy using:

aws cloudformation deploy \
  --template-file guardduty-malware-protection.yaml \
  --stack-name guardduty-malware-protection \
  --region us-east-1

Terraform Configuration

For new GuardDuty deployments, create the detector and enable the feature with the aws_guardduty_detector_feature resource:

resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_guardduty_detector_feature" "ebs_malware_protection" {
  detector_id = aws_guardduty_detector.main.id
  name        = "EBS_MALWARE_PROTECTION"
  status      = "ENABLED"
}

If you already have a GuardDuty detector managed elsewhere, look it up with the aws_guardduty_detector data source (which returns the detector of the provider's region) and reference its ID. This is an alternative to the block above, not an addition to it: both use the same resource name, so only one of them belongs in a given module.

data "aws_guardduty_detector" "existing" {}

resource "aws_guardduty_detector_feature" "ebs_malware_protection" {
  detector_id = data.aws_guardduty_detector.existing.id
  name        = "EBS_MALWARE_PROTECTION"
  status      = "ENABLED"
}

Terraform providers are region-scoped, so apply this configuration once per region in which you have EC2 workloads.

Verification

After enabling Malware Protection:

  1. Go to GuardDuty in the AWS Console
  2. Click Protection plans in the left menu
  3. Click Malware Protection for EC2
  4. Confirm the status shows as Enabled

CLI Verification

aws guardduty get-detector \
  --detector-id <your-detector-id> \
  --region us-east-1 \
  --query 'Features[?Name==`EBS_MALWARE_PROTECTION`].Status' \
  --output text

This should return ENABLED. DISABLED, or empty output, means the feature is not active on that detector. Run the check in every region, since each region has its own detector.
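The CLI remediation and verification steps above are one detector in one region. The script below, an added example that is not code from this page, from Prowler or from AWS, applies the same check across regions: it lists detectors, reads the EBS_MALWARE_PROTECTION feature status, optionally calls update-detector, and then re-reads the detector rather than trusting the update call. The logic is written against any object that exposes the boto3 GuardDuty client methods list_detectors, get_detector and update_detector, so it also runs offline against FakeGuardDuty, a constructed stand-in with sample detector IDs; with --live it uses real boto3 clients (boto3 is only imported there). Region and detector values in the sample are constructed.

```python
"""Audit (and optionally enable) GuardDuty Malware Protection for EC2.

Added example for this page; not code from the page, Prowler or AWS.
The check/remediate logic accepts any object with the boto3 GuardDuty
client methods list_detectors, get_detector and update_detector, so it
runs here against a constructed stand-in (FakeGuardDuty) and, with
--live, against real boto3 clients in every region.
"""
import sys

FEATURE = "EBS_MALWARE_PROTECTION"


def feature_status(detector):
    """Status of EBS_MALWARE_PROTECTION in a get_detector response (None if absent)."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("Status")
    return None


def ensure_malware_protection(client, remediate=False):
    """Check one region's detector; enable the feature when remediate=True.

    Returns {"detector_id", "status", "action"}. status is the feature's
    status after the call, or NO_DETECTOR / DETECTOR_DISABLED when there
    is nothing to enable the feature on.
    """
    detector_ids = client.list_detectors().get("DetectorIds", [])
    if not detector_ids:
        # GuardDuty is not enabled in this region: the prerequisite is missing.
        return {"detector_id": None, "status": "NO_DETECTOR", "action": "none"}
    detector_id = detector_ids[0]  # at most one detector per account and region
    detector = client.get_detector(DetectorId=detector_id)
    if detector.get("Status") != "ENABLED":
        # A suspended detector scans nothing, whatever its feature flags say.
        return {"detector_id": detector_id, "status": "DETECTOR_DISABLED", "action": "none"}
    status = feature_status(detector) or "DISABLED"  # never configured == disabled
    if status == "ENABLED" or not remediate:
        return {"detector_id": detector_id, "status": status, "action": "none"}
    client.update_detector(
        DetectorId=detector_id,
        Features=[{"Name": FEATURE, "Status": "ENABLED"}],
    )
    # Re-read instead of trusting the update call: this is the verification step.
    status = feature_status(client.get_detector(DetectorId=detector_id)) or "DISABLED"
    return {"detector_id": detector_id, "status": status, "action": "enabled"}


class FakeGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client (offline use only)."""

    def __init__(self, detector_ids, features, detector_status="ENABLED"):
        self.detector_ids = detector_ids
        self.features = dict(features)  # feature name -> ENABLED / DISABLED
        self.detector_status = detector_status
        self.update_calls = []  # records every update_detector call

    def list_detectors(self):
        return {"DetectorIds": list(self.detector_ids)}

    def get_detector(self, DetectorId):
        return {
            "Status": self.detector_status,
            "Features": [{"Name": n, "Status": s} for n, s in self.features.items()],
        }

    def update_detector(self, DetectorId, Features):
        self.update_calls.append((DetectorId, Features))
        for feature in Features:
            self.features[feature["Name"]] = feature["Status"]
        return {}


def audit_live(remediate):
    """Run the check in every region boto3 knows for GuardDuty (real AWS calls)."""
    import boto3
    from botocore.exceptions import BotoCoreError, ClientError

    session = boto3.Session()
    results = {}
    for region in session.get_available_regions("guardduty"):
        try:
            client = session.client("guardduty", region_name=region)
            results[region] = ensure_malware_protection(client, remediate)
        except (BotoCoreError, ClientError) as exc:  # e.g. opt-in region not enabled
            results[region] = {"detector_id": None, "status": f"ERROR: {exc}", "action": "none"}
    return results


def main():
    remediate = "--remediate" in sys.argv
    if "--live" in sys.argv:
        results = audit_live(remediate)
    else:  # constructed sample: three regions in different states
        sample = {
            "us-east-1": FakeGuardDuty(["12abc34d567e8fa901bc2d34e56789f0"], {FEATURE: "DISABLED"}),
            "eu-west-1": FakeGuardDuty(["a1b2c3d4e5f60718293a4b5c6d7e8f90"], {FEATURE: "ENABLED"}),
            "ap-south-1": FakeGuardDuty([], {}),
        }
        results = {r: ensure_malware_protection(c, remediate) for r, c in sample.items()}
    for region, result in results.items():
        print(f"{region:14} {result['status']:18} {result['action']}")


if __name__ == "__main__":
    main()
```

Run it without arguments to see the audit against the constructed sample, with --remediate to watch the disabled region get enabled, and with --live (plus credentials that allow guardduty:ListDetectors, GetDetector and, for remediation, UpdateDetector) against your own account. NO_DETECTOR is reported separately from DISABLED on purpose: the fix for the former is enabling GuardDuty itself, not this feature.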

Additional Resources

Notes

  • No agent required: Malware Protection scans snapshots of the EBS volumes directly, so you do not need to install any software on your EC2 instances.
  • Scans are triggered automatically: When GuardDuty generates a finding that indicates possible malware on an instance or container workload, it initiates a scan of the attached volumes. You can also run on-demand scans against a specific instance.
  • Encrypted volumes: Volumes encrypted with AWS managed keys are scanned without extra configuration. For volumes encrypted with a customer managed KMS key, the key policy must grant the GuardDuty Malware Protection service-linked role access, or those volumes are skipped.
  • Cost considerations: Malware Protection has additional costs based on the amount of data scanned. Review the pricing page before enabling in large environments.
  • Multi-account setup: If using AWS Organizations, you can enable this feature for all member accounts, including new ones, from the delegated administrator account.
  • Regional service: GuardDuty operates per region, with one detector per account per region. Enable Malware Protection in each region where you have EC2 workloads.