在 Backup 的恶意软件防护中监控扫描状态和结果 - Amazon GuardDuty

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

在 Backup 的恶意软件防护中监控扫描状态和结果

启动恶意软件扫描后, GuardDuty 提供了几种机制,您可以通过这些机制监控扫描的状态和结果。下表提供了一些与恶意软件扫描相关的值。

类别 可能的 值

扫描状态

RUNNINGCOMPLETEDCOMPLETED_WITH_ISSUESFAILEDSKIPPED

扫描类别

FULL_SCANINCREMENTAL_SCAN

扫描类型

GUARDDUTY_INITIATEDON_DEMANDBACKUP_INITIATED

扫描结果状态

NO_THREATS_FOUNDTHREATS_FOUND

*请注意,如果扫描未完成,则可能不会显示扫描结果状态。THREATS_FOUND 的扫描结果状态表示 GuardDuty 检测到恶意软件的存在。

由于各种原因,也可能跳过扫描。下表说明了可能跳过扫描的原因:

扫描已跳过原因 Reason

ACCESS_DENIED

客户角色没有服务执行扫描所需的权限

RESOURCE_NOT_FOUND

正在尝试扫描的资源不存在于账户中或在扫描过程中被删除

已超过快照大小限制

快照大小大于当前支持的容量 GuardDuty

增量_没有_差异

增量扫描请求中指定的资源没有区别

资源不可用

资源未处于预期状态。如果扫描是增量扫描,则基本恢复点不处于 “可用” 或 “已完成” 状态

不相关的资源

对于增量扫描-基础资源和当前资源不是来自同一个谱系

未扫描基本资源

对于增量扫描-之前未扫描过基础资源或未找到已完成的扫描

BASE_CREATED_ATER_TARGET

对于增量扫描-基础资源的创建日期晚于当前资源的创建日期

不支持增量版

请求的资源类型不支持增量扫描

UNSUPPORTED_AMI

公共 AMI、只有临时存储空间的 AMI 和 AMI 未处于可用状态都不符合扫描条件

不支持的快照

冷存储快照不符合扫描条件

UNSUPPORTED_COMPOSITE_RP

复合资源类型不支持扫描

不支持的_产品_代码_类型

请求的资源包含不支持扫描的亚马逊 Marketplace 产品代码

AMI_SNAPSHOT_LIMIT_已超过

AMI 不支持扫描超过 40 个快照

未找到 EBS_VOLUMES_FOLUMES

未找到所请求资源的 Ebs 区块设备映射

不相关的资源

对于增量扫描-基础资源的 arn 与预期资源的 arn 不同

扫描结果的保留期为 90 天。选择您的首选访问方式来跟踪恶意软件扫描的状态。

使用控制台监控扫描

  1. 打开 GuardDuty 控制台,网址为https://console.aws.amazon.com/guardduty/。

  2. 在导航窗格中,选择恶意软件扫描

  3. 您可以通过筛选条件搜索栏中提供的以下属性筛选恶意软件扫描。

    • 扫描 ID – Unique identifier associated with the malware scan.
    • 账户 ID – Account where the malware scan initiated.
    • 资源 ARN – Amazon Resource Name (ARN) associated with the Amazon resource associated with the scan.
    • 资源类型 – The type of resource associated with the scan, such as EC2 Instance, EBS Snapshot | EC2 AMI, EBS Recovery Point, EC2 Recovery Point, or S3 Recovery Point.
    • Status – The scan status of the scan, such as Running, Skipped, Completed, Completed with Issues, or Failed.
    • 扫描类型 – Indicates whether this was an On-demand, GuardDuty-initiated, or Backup-Initiated malware scan.

使用 API/CLI 监控扫描

  • You can invoke ListMalwareScans to filter malware scans by RESOURCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE GUARDDUTY_FINDING_ID, 扫描状态, 资源类型, and SCAN_START_TIME. You may also invoke GetMalwareScan to retrieve more detailed metadata of a scan by providing a scan-id as input. The GUARDDUTY_FINDING_ID filter criteria is available when the 扫描类型 is GuardDuty initiated.
  • You may change the example 筛选标准 in the command below, and can filter on the basis of one CriterionKey at a time. The options for CriterionKey are resource_arn, SCAN_ID, ACCOUNT_ID, 扫描类型, GUARDDUTY_FINDING_ID, 扫描状态, 资源类型, and SCAN_START_TIME. You can change the 最大结果 (up to 50) and the 排序标准. The AttributeName field is mandatory for 排序标准 and must be set to scanStartTime. In the following example, the values in red are placeholders. Replace them with the values appropriate for your account. If you use the same CriterionKey as below for ListMalwareScans, ensure to replace the example EqualsValue with the 资源类型 you want to filter by. 
    aws guardduty list-malware-scans --max-results 25 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"RESOURCE_TYPE", "FilterCondition":{"EqualsValue":"EBS_SNAPSHOT"}}] }'
    aws guardduty get-malware-scan --scan-id abc123
  • The response for the above command for ListMalwareScans will return up to 25 scans with some details about the affected resource(s). The response for the above command for GetMalwareScan will return a single scan with detailed metadata about the scan.

使用监控扫描 EventBridge

Amazon EventBridge 是一项无服务器事件总线服务,可以轻松地将您的应用程序与来自各种来源的数据连接起来。 EventBridge 提供来自您自己的应用程序、 Software-as-a-Service (SaaS) 应用程序和亚马逊服务的实时数据流,并将这些数据路由到 Lambda 等目标。这使您能够监控服务中发生的事件,并构建事件驱动的架构。有关更多信息,请参阅 Amazon EventBridge 用户指南

GuardDuty 一旦确定了扫描状态,就会向默认事件总线发布 EventBridge 通知。您可以在账户中设置 EventBridge 规则,将事件发送到与 Amazon 集成的其他服务 EventBridge。将适用标准 EventBridge 定价。有关更多信息,请参阅 Amazon EventBridge 定价

下面显示的许多值都是示例的占位符,并且会因扫描而异。

恶意软件扫描结果事件

Backup 的潜在详细信息类型值:

  • “GuardDuty Malware Protection EBS Snapshot Scan Result”
  • “GuardDuty Malware Protection EC2 AMI Scan Result”
  • “GuardDuty Malware Protection S3 Recovery Point Scan Result”
  • “GuardDuty Malware Protection EBS Recovery Point Scan Result”
  • “GuardDuty Malware Protection EC2 Recovery Point Scan Result”

事件模式示例:

{
      "detail-type": ["GuardDuty Malware Protection EC2 AMI Scan Result"],
      "source": ["aws.guardduty"]
}

未发现威胁的 EC2 AMI 扫描通知架构示例:

{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
    "source": "aws.guardduty",
    "account": "1111222233334444",
    "time": "2025-11-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": null,
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
            "scanResultStatus": "NO_THREATS_FOUND",
            "uniqueThreatCount": null
        }
    }
}
显示更多显示更少

发现威胁的 EC2 AMI 扫描通知架构示例:

{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
    "source": "aws.guardduty",
    "account": "1111222233334444",
    "time": "2025-11-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": null,
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
            "scanResultStatus": "THREATS_FOUND",
            "uniqueThreatCount": 1,
            "threats": {
                "name": "EICAR-Test-File (not a virus)",
                "source": "AMAZON",
                "count": 2,
                "itemDetails": [{
                    "resourceArn": "arn:aws:ec2:us-east-1:1111222233334444:snapshot/snap-abcdef01234567890",
                    "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                    "itemPath": "/eicar.txt",
                    "additionalInfo": {
                        "versionId": null,
                        "deviceName": "/dev/sdf"
                    }
                }]
            }
        }
    }
}
显示更多显示更少

跳过 EC2 AMI 扫描的通知架构示例:

{
    "version": "0",
    "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
    "source": "aws.guardduty",
    "account": "1111222233334444",
    "time": "2025-11-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "SKIPPED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": "UNSUPPORTED_AMI",
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
       "scanResultDetails": {
            "uniqueThreatCount": null,
            "threats": null
        }
    }
}
显示更多显示更少