Zenn
🪣

GuarddutyのMalware Protection for S3の挙動を確認

に公開
AWS
S3
GuardDuty
tech

GuardDutyのMalware Protection for S3を試してみた。
設定としては、有効化させたいS3のバケット名(optionでpath)を入力するのみなので簡単

挙動の確認

検知時の挙動を確認したいため
eicarファイル(ウイルス等のテスト用ファイル)をs3にアップしてみる
cloudshellで以下を実行します

curl https://secure.eicar.org/eicar.com -o eicar.com 
aws s3 cp eicar.com s3://<バケット名>/test-eicar.com

検知されるとobjectにGuardDutyMalwareScanStatusタグがTHREATS_FOUNDで自動付与される
検知有

ちなみにeicarではない通常のtxtファイルもアップロードしてみました。
検知されない(=ウイルスを含まないと判定された)場合はGuardDutyMalwareScanStatusタグがNO_THREATS_FOUNDで自動付与されます
検知なし

検知時に通知させたい場合はどうすれば良いか?

検知時にはGuardDuty findingsが発行され、
それと連携される形でsecurityhubにもfindingsが発行されていたので
eventbridge ruleで拾うことができました。

拾えた際のeventbridgeの定義ルールはこちら

{
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"],
  "detail": {
    "findings": {
      "ProductName": ["GuardDuty"],
      "RecordState": ["ACTIVE"],
      "Workflow": {
        "Status": ["NEW"]
      },
      "Severity": {
        "Label": ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
      }
    }
  }
}

cdkだとこのように定義しています

 eventPattern: {
        source: ['aws.securityhub'],
        detailType: ['Security Hub Findings - Imported'],
        detail: {
          findings: {
            ProductName: ['GuardDuty'],
            Severity: {
              Label: ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'],
            },
            Workflow: {
              Status: ['NEW'],
            },
            RecordState: ['ACTIVE'],
          },
        },
      },

ちなみにsecurityhub findingsのjsonはこちらです
一部は削除したりマスキングしています

securityhub findings json
{
  "AwsAccountId": "xxxxxx",
  "AwsAccountName": "xxxxxx",
  "CompanyName": "Amazon",
  "CreatedAt": "2025-04-21T00:00:35.110Z",
  "Description": "A malware scan on your S3 object xxxxxx has detected a security risk EICAR-Test-File (not a virus).",
  "FindingProviderFields": {
    "Types": [
      "TTPs/Object/Object:S3-MaliciousFile"
    ],
    "Severity": {
      "Normalized": 75,
      "Label": "HIGH",
      "Product": 8
    }
  },
  "FirstObservedAt": "2025-04-21T00:00:35.110Z",
  "GeneratorId": "arn:aws:guardduty:ap-northeast-1:xxxxxx:detector/xxxxxx",
  "Id": "arn:aws:guardduty:ap-northeast-1:xxxxxx:detector/xxxxxx/finding/xxxxxx",
  "LastObservedAt": "2025-04-21T00:00:35.110Z",
  "ProcessedAt": "2025-04-21T11:45:06.479Z",
  "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/guardduty",
  "ProductFields": {
    "aws/guardduty/service/count": "1",
    "aws/guardduty/service/archived": "false",
    "aws/guardduty/service/malwareScanDetails/threats.0_/source": "Bitdefender",
    "aws/guardduty/service/additionalInfo/type": "default",
    "aws/guardduty/service/additionalInfo/value": "",
    "aws/guardduty/service/serviceName": "guardduty",
    "aws/guardduty/service/detectorId": "xxxxxx",
    "aws/guardduty/service/malwareScanDetails/threats.0_/itemPaths": "",
    "aws/guardduty/service/featureName": "S3MalwareProtection",
    "aws/guardduty/service/eventFirstSeen": "2025-04-21T00:00:35.110Z",
    "aws/guardduty/service/malwareScanDetails/threats.0_/name": "EICAR-Test-File (not a virus)",
    "aws/guardduty/service/eventLastSeen": "2025-04-21T00:00:35.110Z",
    "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/guardduty/arn:aws:guardduty:ap-northeast-1:xxxxxx:detector/xxxxxx/finding/xxxxxx",
    "aws/securityhub/ProductName": "GuardDuty",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "ProductName": "GuardDuty",
  "RecordState": "ACTIVE",
  "Region": "ap-northeast-1",
  "Resources": [
    {
      "Details": {
        "AwsS3Object": {
          "VersionId": "xxxxxx",
          "ETag": "xxxxxx"
        }
      },
      "Id": "arn:aws:s3:::xxxxxx",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Type": "AwsS3Object"
    },
    {
      "Details": {
        "AwsS3Bucket": {
          "OwnerId": "xxxxxx",
          "CreatedAt": "2025-04-21T11:00:43Z",
          "ServerSideEncryptionConfiguration": {
            "Rules": [
              {
                "ApplyServerSideEncryptionByDefault": {
                  "SSEAlgorithm": "AES256"
                }
              }
            ]
          }
        }
      },
      "Id": "arn:aws:s3:::xxxxxx",
      "Partition": "aws",
      "Region": "ap-northeast-1",
      "Type": "AwsS3Bucket"
    }
  ],
  "Sample": false,
  "SchemaVersion": "2018-10-08",
  "Severity": {
    "Label": "HIGH",
    "Normalized": 75,
    "Product": 8
  },
  "SourceUrl": "xxxxxx",
  "Title": "A malware scan on your S3 object xxxxxx has detected a security risk EICAR-Test-File (not a virus).",
  "Types": [
    "TTPs/Object/Object:S3-MaliciousFile"
  ],
  "UpdatedAt": "2025-04-21T00:00:35.110Z",
  "Workflow": {
    "Status": "NEW"
  },
  "WorkflowState": "NEW"
}

ウイルス検知されたファイルに対するアクセスを禁止させたいが可能か?

私の場合は今回は要件になかったので試していないのですが
上記のようにobjectに自動でタグ付与されるため
タグベースのポリシーを付与することで、ウイルス検知されたファイルに対するアクセスを禁止が実現できるようです。
https://docs.aws.amazon.com/ja_jp/guardduty/latest/ug/tag-based-access-s3-malware-protection.html

Discussion