Cybersecurity · Credibility 88/100 · · 1 min read

Security Briefing — Amazon GuardDuty Malware Protection

AWS launched GuardDuty Malware Protection to automatically scan Amazon EC2, EKS, and EFS workloads for malware when suspicious activity is detected, improving cloud incident response coverage.

Executive briefing: Amazon Web Services released GuardDuty Malware Protection on . The capability captures disk snapshots from compromised workloads, scans them in an isolated service account, and reports findings through GuardDuty's existing console and APIs.

Key updates

  • Automated evidence collection. GuardDuty orchestrates snapshot capture and scanning without requiring agents on EC2 instances or EKS nodes.
  • Broader coverage. The feature supports Amazon EBS-backed EC2, container workloads managed by EKS, and Amazon EFS file systems.
  • Integrated response. Findings appear in GuardDuty, EventBridge, and Security Hub, enabling automated containment and ticketing workflows.

Implementation guidance

  • Enable GuardDuty Malware Protection across accounts via AWS Organizations and confirm service-linked roles are provisioned.
  • Update incident response playbooks to triage new malware finding types and connect them to quarantine automation.
  • Ensure IAM policies allow GuardDuty to create snapshots and access required KMS keys.
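
The triage step in the guidance above, sketched as an added example (not code from the briefing or from AWS): a handler that takes a GuardDuty finding as delivered by EventBridge and decides how to route it. The "/MaliciousFile" type suffix, the action names and the sample events are assumptions or constructed values; check the finding types against the current GuardDuty documentation.

```python
# Added example: routing GuardDuty malware findings delivered by EventBridge.
# Assumption: malware finding types end in "/MaliciousFile"
# (e.g. "Execution:EC2/MaliciousFile"); confirm against current GuardDuty docs.
MALWARE_SUFFIX = "/MaliciousFile"

def triage(event):
    """Return a routing decision for one EventBridge event, or None to ignore it."""
    if event.get("source") != "aws.guardduty":
        return None
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event.get("detail") or {}
    finding_type = detail.get("type", "")
    if not finding_type.endswith(MALWARE_SUFFIX):
        return None  # other GuardDuty findings follow the existing playbook
    resource = detail.get("resource") or {}
    kind = resource.get("resourceType")
    target, action = None, "manual-review"  # default when the target is unclear
    if kind == "Instance":
        target = (resource.get("instanceDetails") or {}).get("instanceId")
        if target:
            action = "quarantine-instance"  # hypothetical action name
    elif kind == "EKSCluster":
        target = (resource.get("eksClusterDetails") or {}).get("name")
        if target:
            action = "ticket-cluster-owner"  # do not auto-isolate a whole cluster
    return {
        "finding_id": detail.get("id"),
        "account": detail.get("accountId"),
        "region": detail.get("region"),
        "type": finding_type,
        "high_severity": float(detail.get("severity", 0)) >= 7.0,
        "target": target,
        "action": action,
    }

def make_event(finding_type, resource, severity=8.0):
    """Build a constructed sample event (not real finding data)."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": "example-finding-id", "accountId": "111122223333",
                       "region": "us-east-1", "type": finding_type,
                       "severity": severity, "resource": resource}}

EC2_EVENT = make_event("Execution:EC2/MaliciousFile",
    {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0example"}})
EKS_EVENT = make_event("Execution:Kubernetes/MaliciousFile",
    {"resourceType": "EKSCluster", "eksClusterDetails": {"name": "example-cluster"}})
NO_ID_EVENT = make_event("Execution:EC2/MaliciousFile", {"resourceType": "Instance"})
OTHER_EVENT = make_event("Recon:EC2/PortProbeUnprotectedPort", {"resourceType": "Instance"})
```

A finding that names no usable target falls through to manual review rather than being dropped, so a malformed or unexpected event still reaches an analyst.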