Monitoring scan status and results for Malware Protection for Backup - Amazon GuardDuty

This page is a machine translation of the English version; if there is any ambiguity or inconsistency, the English version prevails.


After a malware scan starts, GuardDuty provides several mechanisms through which you can monitor the status and results of the scan. The following table lists the values associated with a malware scan.

Category              Possible values
Scan status           RUNNING, COMPLETED, COMPLETED_WITH_ISSUES, FAILED, SKIPPED
Scan category         FULL_SCAN, INCREMENTAL_SCAN
Scan type             GUARDDUTY_INITIATED, ON_DEMAND, BACKUP_INITIATED
Scan result status    NO_THREATS_FOUND, THREATS_FOUND

Note: the scan result status might not be present if the scan did not complete. A scan result status of THREATS_FOUND indicates that GuardDuty detected malware.

A scan can also be skipped for various reasons. The following table describes the reasons for which a scan might be skipped:

Scan skip reason                 Reason
ACCESS_DENIED                    The customer role does not have the permissions required to run the scan
RESOURCE_NOT_FOUND               The resource being scanned does not exist in the account, or was deleted during the scan
SNAPSHOT_SIZE_LIMIT_EXCEEDED     The snapshot is larger than the size GuardDuty currently supports
INCREMENTAL_NO_DIFFERENCE        There is no difference between the resources specified in the incremental scan request
RESOURCE_UNAVAILABLE             The resource is not in the expected state. If the scan is incremental, the base recovery point is not in the available or completed state
UNRELATED_RESOURCES              For incremental scans, the base and current resources do not come from the same lineage
BASE_RESOURCE_NOT_SCANNED        For incremental scans, the base resource was not scanned previously, or no completed scan of it could be found
BASE_CREATED_AFTER_TARGET        For incremental scans, the creation date of the base resource is later than the creation date of the current resource
UNSUPPORTED_FOR_INCREMENTAL      The requested resource type does not support incremental scans
UNSUPPORTED_AMI                  Public AMIs, AMIs with only ephemeral storage, and AMIs that are not in the available state are not eligible for scanning
UNSUPPORTED_SNAPSHOT             Cold-storage snapshots are not eligible for scanning
UNSUPPORTED_COMPOSITE_RP         Composite resource types do not support scanning
UNSUPPORTED_PRODUCT_CODE_TYPE    The requested resource contains an Amazon Marketplace product code that does not support scanning
AMI_SNAPSHOT_LIMIT_EXCEEDED      Scanning is not supported for AMIs with more than 40 snapshots
NO_EBS_VOLUMES_FOUND             No EBS block device mapping was found for the requested resource
UNRELATED_RESOURCES              For incremental scans, the ARN of the base resource differs from the ARN of the expected resource

Scan results are retained for 90 days. Choose your preferred access method to track malware scan status.

Monitoring scans using the console

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/

  2. In the navigation pane, choose Malware scans.

  3. You can filter malware scans by the following attributes, which are available in the filter search bar.

    • Scan ID – Unique identifier associated with the malware scan.
    • Account ID – Account in which the malware scan was initiated.
    • Resource ARN – Amazon Resource Name (ARN) of the Amazon resource associated with the scan.
    • Resource type – The type of resource associated with the scan, such as EC2 Instance, EBS Snapshot, EC2 AMI, EBS Recovery Point, EC2 Recovery Point, or S3 Recovery Point.
    • Status – The status of the scan, such as Running, Skipped, Completed, Completed with Issues, or Failed.
    • Scan type – Indicates whether this was an On-demand, GuardDuty-initiated, or Backup-initiated malware scan.

Monitoring scans using the API/CLI

  • You can invoke ListMalwareScans to filter malware scans by RESOURCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, RESOURCE_TYPE, and SCAN_START_TIME. You can also invoke GetMalwareScan to retrieve more detailed metadata about a scan by providing a scan-id as input. The GUARDDUTY_FINDING_ID filter criterion is available only when the SCAN_TYPE is GuardDuty initiated.
  • You can change the example filter-criteria in the command below, and you can filter on one CriterionKey at a time. The options for CriterionKey are RESOURCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, RESOURCE_TYPE, and SCAN_START_TIME. You can change the max-results (up to 50) and the sort-criteria. The AttributeName field is mandatory for sort-criteria and must be set to scanStartTime. In the following example, the values shown in red (in the console rendering of this page) are placeholders; replace them with the values appropriate for your account. If you use the same CriterionKey as below for ListMalwareScans, be sure to replace the example EqualsValue with the resource type you want to filter by.
    aws guardduty list-malware-scans --max-results 25 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"RESOURCE_TYPE", "FilterCondition":{"EqualsValue":"EBS_SNAPSHOT"}}] }'
    aws guardduty get-malware-scan --scan-id abc123
  • The response to the ListMalwareScans command above returns up to 25 scans with some details about the affected resource(s). The response to the GetMalwareScan command above returns a single scan with detailed metadata about that scan.

Monitoring scans using EventBridge

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and Amazon services, and routes that data to targets such as Lambda. This lets you monitor events that occur in services and build event-driven architectures. For more information, see the Amazon EventBridge User Guide.

After the scan status is determined, GuardDuty publishes an EventBridge notification to the default event bus. You can set up EventBridge rules in your account to send the events to other services that integrate with Amazon EventBridge. Standard EventBridge pricing applies. For more information, see Amazon EventBridge pricing.

Many of the values shown below are placeholders for the examples and will vary from scan to scan.

Malware scan result events

Possible detail-type values for Backup:

  • “GuardDuty Malware Protection EBS Snapshot Scan Result”
  • “GuardDuty Malware Protection EC2 AMI Scan Result”
  • “GuardDuty Malware Protection S3 Recovery Point Scan Result”
  • “GuardDuty Malware Protection EBS Recovery Point Scan Result”
  • “GuardDuty Malware Protection EC2 Recovery Point Scan Result”

Example event pattern:

{
  "detail-type": ["GuardDuty Malware Protection EC2 AMI Scan Result"],
  "source": ["aws.guardduty"]
}

Example notification schema for an EC2 AMI scan with no threats found:

{
  "version": "0",
  "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
  "source": "aws.guardduty",
  "account": "1111222233334444",
  "time": "2025-11-01T00:00:00Z",
  "region": "us-east-1",
  "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
  "detail": {
    "schemaVersion": "1.0",
    "scanStatus": "COMPLETED",
    "resourceType": "EC2_AMI",
    "scanId": "d41d8cd98f00b204e9800998ecf8427e",
    "scanStatusReason": null,
    "scanType": "ON_DEMAND",
    "triggerType": "GUARDDUTY",
    "scanCategory": "FULL_SCAN",
    "scanStartTime": 1234567890123,
    "scanCompleteTime": 2345678901234,
    "scanResultDetails": {
      "scanResultStatus": "NO_THREATS_FOUND",
      "uniqueThreatCount": null
    }
  }
}

Example notification schema for an EC2 AMI scan with threats found:

{
  "version": "0",
  "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
  "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
  "source": "aws.guardduty",
  "account": "1111222233334444",
  "time": "2025-11-01T00:00:00Z",
  "region": "us-east-1",
  "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
  "detail": {
    "schemaVersion": "1.0",
    "scanStatus": "COMPLETED",
    "resourceType": "EC2_AMI",
    "scanId": "d41d8cd98f00b204e9800998ecf8427e",
    "scanStatusReason": null,
    "scanType": "ON_DEMAND",
    "triggerType": "GUARDDUTY",
    "scanCategory": "FULL_SCAN",
    "scanStartTime": 1234567890123,
    "scanCompleteTime": 2345678901234,
    "scanResultDetails": {
      "scanResultStatus": "THREATS_FOUND",
      "uniqueThreatCount": 1,
      "threats": {
        "name": "EICAR-Test-File (not a virus)",
        "source": "AMAZON",
        "count": 2,
        "itemDetails": [
          {
            "resourceArn": "arn:aws:ec2:us-east-1:1111222233334444:snapshot/snap-abcdef01234567890",
            "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "itemPath": "/eicar.txt",
            "additionalInfo": {
              "versionId": null,
              "deviceName": "/dev/sdf"
            }
          }
        ]
      }
    }
  }
}

Example notification schema for a skipped EC2 AMI scan:

{
  "version": "0",
  "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
  "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
  "source": "aws.guardduty",
  "account": "1111222233334444",
  "time": "2025-11-01T00:00:00Z",
  "region": "us-east-1",
  "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
  "detail": {
    "schemaVersion": "1.0",
    "scanStatus": "SKIPPED",
    "resourceType": "EC2_AMI",
    "scanId": "d41d8cd98f00b204e9800998ecf8427e",
    "scanStatusReason": "UNSUPPORTED_AMI",
    "scanType": "ON_DEMAND",
    "triggerType": "GUARDDUTY",
    "scanCategory": "FULL_SCAN",
    "scanStartTime": 1234567890123,
    "scanCompleteTime": 2345678901234,
    "scanResultDetails": {
      "uniqueThreatCount": null,
      "threats": null
    }
  }
}
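As an added example (not AWS code), the following Lambda handler triages the scan-result events above: it matches the five detail-type values, routes SKIPPED scans to investigation using scanStatusReason, tolerates the missing scanResultStatus of a scan that did not complete, and raises an alert with the item paths when scanResultStatus is THREATS_FOUND. The action labels and the trimmed sample event are assumptions.

```python
# Added example, not AWS code: triage GuardDuty Malware Protection scan-result
# events as the Lambda target of an EventBridge rule. Field names follow the
# sample events on this page; the action labels and the sample event are assumed.
SCAN_RESULT_DETAIL_TYPES = {
    "GuardDuty Malware Protection %s Scan Result" % r
    for r in ("EBS Snapshot", "EC2 AMI", "S3 Recovery Point",
              "EBS Recovery Point", "EC2 Recovery Point")
}

def triage_scan_event(event: dict) -> dict:
    """Map one event to an action: ignore, wait, retry, investigate, alert or ok."""
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") not in SCAN_RESULT_DETAIL_TYPES):
        return {"action": "ignore", "reason": "not a Malware Protection scan result"}
    detail = event.get("detail", {})
    status = detail.get("scanStatus")
    result = detail.get("scanResultDetails") or {}
    out = {"action": "ok", "scanId": detail.get("scanId"), "scanStatus": status,
           "resourceType": detail.get("resourceType"), "resources": event.get("resources", [])}
    if status == "SKIPPED":
        # scanStatusReason carries one of the skip reasons from the table above
        out.update(action="investigate", reason=detail.get("scanStatusReason"))
    elif status in ("RUNNING", "FAILED"):
        # scanResultStatus may be absent when the scan did not complete
        out.update(action="wait" if status == "RUNNING" else "retry", reason=status)
    elif result.get("scanResultStatus") == "THREATS_FOUND":
        threats = result.get("threats") or []
        if isinstance(threats, dict):   # the page's sample shows a single object
            threats = [threats]
        out.update(action="alert", uniqueThreatCount=result.get("uniqueThreatCount"),
                   threats=[{"name": t.get("name"), "count": t.get("count"), "paths":
                             [i.get("itemPath") for i in t.get("itemDetails") or []]} for t in threats])
    else:
        out["reason"] = result.get("scanResultStatus")  # NO_THREATS_FOUND, or absent
    return out

def lambda_handler(event, context):
    return triage_scan_event(event)  # entry point as the EventBridge rule's Lambda target

# Constructed sample: the THREATS_FOUND event above, trimmed to the fields used here.
SAMPLE_THREAT_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
    "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
    "detail": {"scanStatus": "COMPLETED", "resourceType": "EC2_AMI", "scanId": "d41d8cd98f00b204e9800998ecf8427e",
               "scanResultDetails": {"scanResultStatus": "THREATS_FOUND", "uniqueThreatCount": 1, "threats": {
                   "name": "EICAR-Test-File (not a virus)", "count": 2, "itemDetails": [{"itemPath": "/eicar.txt"}]}}}}

if __name__ == "__main__":
    print(triage_scan_event(SAMPLE_THREAT_EVENT))
```

The returned dict is what a downstream target (ticketing, Slack, a quarantine workflow) would consume; the verdict for a COMPLETED_WITH_ISSUES scan falls through to the last branch and should be reviewed against scanResultStatus.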