On-demand S3 malware scan in GuardDuty - Amazon GuardDuty

GuardDuty Malware Protection for S3 continuously monitors new S3 uploads. To scan objects that existed before you enabled protection, or to re-scan previously scanned objects, you can initiate an on-demand S3 malware scan once you've enabled the GuardDuty Malware Protection plan for your bucket.

On-demand malware scanning uses the Malware Protection Plan's IAM role to access objects and apply configuration. The scan will override any prefix configured in the Malware Protection Plan for the bucket.

Note

The Malware Protection for S3 quota applies to on-demand malware scanning. For more information, see Quotas in Malware Protection for S3.

For more information about pricing, see Pricing and usage cost for Malware Protection for S3.

Prerequisites

Before you start an on-demand malware scan, your account must meet the following prerequisites:

Start on-demand malware scan

Use the SendObjectMalwareScan API operation, which requires the S3 object path as input.

API/CLI

You can scan either the latest version of the object or specify a particular version to scan.

To scan a specific version of an object:

aws guardduty send-object-malware-scan --s3-object '{"Bucket": "amzn-s3-demo-bucket", "Key": "APKAEIBAERJR2EXAMPLE", "VersionId": "d41d8cd98f00b204e9800998eEXAMPLE"}'

To scan the latest version of an object:

aws guardduty send-object-malware-scan --s3-object '{"Bucket": "amzn-s3-demo-bucket", "Key": "APKAEIBAERJR2EXAMPLE"}'

Important

A successful API call confirms that the scan request has been accepted. However, it is important to monitor the scan results to ensure successful completion and to identify any issues, such as errors accessing the object. For more information, see Monitoring S3 object scans in Malware Protection for S3.
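The following is an added example, not part of the original AWS documentation: a Python wrapper around the CLI command shown above that submits one on-demand scan request per pre-existing object and separates accepted requests from rejected ones. The function names, the runner parameter, and the sample object keys are assumptions made for illustration; the bucket name is the placeholder used on this page.

```python
import json
import subprocess
from typing import Optional


def scan_argv(bucket: str, key: str, version_id: Optional[str] = None) -> list:
    """Build the argv for one send-object-malware-scan call.

    json.dumps escapes quotes, backslashes and non-ASCII characters in the
    object key, which break hand-written JSON on the command line.
    """
    s3_object = {"Bucket": bucket, "Key": key}
    if version_id:  # omit VersionId to scan the latest version
        s3_object["VersionId"] = version_id
    return ["aws", "guardduty", "send-object-malware-scan",
            "--s3-object", json.dumps(s3_object)]


def submit_scans(bucket, objects, runner=subprocess.run):
    """Submit one request per (key, version_id) pair.

    Returns (accepted, rejected). "Accepted" only means the API took the
    request; the scan result still has to be monitored separately.
    The argv list is passed without a shell, so keys are never interpreted
    as shell syntax.
    """
    accepted, rejected = [], []
    for key, version_id in objects:
        proc = runner(scan_argv(bucket, key, version_id),
                      capture_output=True, text=True)
        if proc.returncode == 0:
            accepted.append((key, version_id))
        else:
            # Keep the CLI error text so access or quota problems are visible.
            rejected.append((key, version_id, proc.stderr.strip()))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inventory: (key, version_id or None for latest).
    sample = [("reports/2023/q1.pdf", None),
              ('uploads/it\'s "final".docx', None)]
    for key, version in sample:
        print(scan_argv("amzn-s3-demo-bucket", key, version))
```

Running the file directly only prints the commands it would issue; call submit_scans to send the requests with credentials that are allowed to call SendObjectMalwareScan.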