GuardDuty Malware Protection for S3 Finding Type

Malware detection on S3 objects

The AWS GuardDuty Malware Protection for S3 finding type, generated when an upload-triggered scan detects a malicious file in an S3 object: trojans, backdoors, viruses, ransomware, spyware, rootkits, miners, worms, and adware.

Tags: malware-protection, s3, malware-detection, object-scanning
Format: JSON, 14 fields, low frequency, generator

Overview

Malware Protection for S3 generates a finding when a malware scan detects a malicious file in an uploaded S3 object. Both GuardDuty and Malware Protection for S3 must be enabled; scans are triggered when objects are uploaded to protected buckets. Each finding includes the total number of detections and details for the top 32 threats, ranked by severity.

When Generated:

  • Malicious file detected in S3 object during upload-triggered scan
  • Object uploaded to protected S3 bucket contains malware
  • Malware scan detects threat in scanned S3 object
  • Scan triggered by S3 object upload event

Security Relevance:

High

Compliance:

  • PCI-DSS 5.1.1, 11.4
  • HIPAA 164.308(a)(1), 164.312(e)(1)
  • SOC 2 CC6.1, CC7.2
  • ISO 27001 A.12.4.1, A.12.4.2
  • NIST CSF PR.DS-5, DE.AE-3
  • CIS AWS Foundations 3.1-3.14

Frequency Notes:

Malware Protection for S3 findings are generated when uploaded objects contain malware, so frequency depends on upload volume and the threat landscape. Production environments typically see 1-10 findings per day. Each finding represents one object scan with detected threats. Objects uploaded before GuardDuty was enabled are not scanned and will not generate findings; such an object must be re-uploaded to be scanned. The default severity is High (8.0).

Generation Configuration

Base Frequency: 5 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 2.0x
Night Hours Multiplier: 1.5x
Weekend Multiplier: 1.0x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

detail.type
  Type: String (Required)
  Source: Fixed value for S3 malware protection findings
  Description: Malware Protection for S3 finding type (always Object:S3/MaliciousFile)
  Example: Object:S3/MaliciousFile
  Possible values:
    • Object:S3/MaliciousFile — Malicious file detected in scanned S3 object

detail.resource.s3BucketDetails
  Type: Array (Required)
  Source: S3 bucket metadata from GuardDuty
  Description: Details about the S3 bucket containing the malicious object
  Example: [{name, arn, type, owner, tags, publicAccess}]

detail.service.malwareProtectionScanDetails.scannedResourceDetails.bucketArn
  Type: String (Required)
  Source: S3 bucket ARN from scan details
  Format: S3 bucket ARN
  Description: ARN of the S3 bucket containing the scanned object
  Example: arn:aws:s3:::data-bucket-123456

detail.service.malwareProtectionScanDetails.scannedResourceDetails.objectKey
  Type: String (Required)
  Source: S3 object key from scan details
  Format: S3 object key (path)
  Description: S3 object key (path) of the scanned object containing malware. Note: object keys may be controlled by malicious actors and should be sanitized when displayed.
  Example: uploads/malware.exe

detail.service.malwareProtectionScanDetails.scannedResourceDetails.objectVersionId
  Type: String (Optional)
  Source: S3 object version ID or null
  Format: S3 object version ID or 'null'
  Description: Version ID of the S3 object (if versioning is enabled)
  Example: null

detail.service.malwareProtectionScanDetails.scanId
  Type: String (Required)
  Source: random_guid()
  Format: UUID
  Description: Unique identifier for the malware scan
  Example: 550e8400-e29b-41d4-a716-446655440000

detail.service.malwareProtectionScanDetails.triggerFindingId
  Type: String (Optional)
  Source: random_hex(32, 32), or empty if upload-triggered
  Format: 32-character hexadecimal string
  Description: GuardDuty finding ID that triggered this scan (if the scan was triggered by a finding)
  Example: a1b2c3d4e5f6...

detail.service.malwareProtectionScanDetails.sources
  Type: Array (Required)
  Source: random_choice(['THREAT_DETECTION', 'SCHEDULED_SCAN', 'ON_DEMAND'])
  Description: Source that initiated the scan
  Example: ['THREAT_DETECTION']
  Possible values:
    • THREAT_DETECTION — Scan triggered by GuardDuty threat detection finding
    • SCHEDULED_SCAN — Scan performed on scheduled basis
    • ON_DEMAND — Scan triggered by object upload to protected bucket

detail.service.additionalInfo.threatsDetectedItemCount
  Type: Integer (Required)
  Source: random_int(1, 32), the total number of detections in the scan
  Format: Integer (1 or more)
  Description: Total number of threats detected during the scan
  Example: 3

detail.service.additionalInfo.threatsDetected
  Type: Array (Required)
  Source: Array of threat details from malware scan
  Description: Details for the top 32 threats detected (based on severity). Each finding includes up to 32 threats.
  Example: [{threatName, severity, itemCount, files}]

detail.service.additionalInfo.threatsDetected[].threatName
  Type: String (Required)
  Source: random_choice() of malware threat names
  Format: Threat name
  Description: Name of the detected threat
  Example: Trojan.Win32.Generic
  Possible values:
    • Trojan.Win32.Generic — Windows trojan
    • Trojan.Linux.Generic — Linux trojan
    • Backdoor.Linux.Generic — Linux backdoor
    • Virus.Win32.Generic — Windows virus
    • Ransomware.Win32.Generic — Windows ransomware
    • Spyware.Win32.Generic — Windows spyware
    • Rootkit.Linux.Generic — Linux rootkit
    • Miner.Linux.Generic — Cryptocurrency miner
    • Worm.Win32.Generic — Windows worm
    • Adware.Mac.Generic — Mac adware

detail.service.additionalInfo.threatsDetected[].files[].filePath
  Type: String (Required)
  Source: File path from malware scan
  Format: S3 object key or internal file path
  Description: S3 object key, or path within the object, of the malicious file. Note: file paths may be controlled by malicious actors and should be sanitized when displayed.
  Example: uploads/malware.exe

detail.service.additionalInfo.threatsDetected[].files[].fileHash
  Type: String (Required)
  Source: SHA-256 hash of file content
  Format: 64-character hexadecimal string
  Description: SHA-256 hash of the malicious file
  Example: a1b2c3d4e5f6...

detail.severity
  Type: Integer (Required)
  Source: random_choice([5, 8, 8, 8]) (default is High)
  Description: Finding severity level (default is High/8.0 for S3 malware findings)
  Example: 8
  Possible values:
    • 5 — Medium severity (4.0-6.9)
    • 8 — High severity (7.0-8.9), the default for S3 malware findings
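As an added example (not code from this page or from AWS), a small Python consumer that normalizes a finding of the shape documented above into a record that is safe to log or ticket: it checks detail.type, treats an empty triggerFindingId and a 'null' objectVersionId as absent, replaces control characters in the uploader-controlled objectKey and filePath before they are displayed, and flags when threatsDetectedItemCount exceeds the 32 threats the array can carry. The sample event is constructed and the output field names are this example's own.

```python
import re
from typing import Any

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # C0 control characters and DEL
# Constructed sample in the shape this page documents (not a real GuardDuty finding).
SAMPLE_EVENT = {"detail": {
    "type": "Object:S3/MaliciousFile",
    "service": {
        "malwareProtectionScanDetails": {
            "scanId": "550e8400-e29b-41d4-a716-446655440000",
            "triggerFindingId": "",          # empty: the scan was upload-triggered
            "sources": ["ON_DEMAND"],
            "scannedResourceDetails": {
                "bucketArn": "arn:aws:s3:::data-bucket-123456",
                "objectKey": "uploads/invoice\x1b[2K.pdf\n.exe",  # hostile, uploader-chosen key
                "objectVersionId": "null",   # versioning disabled
            },
        },
        "additionalInfo": {
            "threatsDetectedItemCount": 40,  # more than the 32 entries the array can hold
            "threatsDetected": [{
                "threatName": "Trojan.Win32.Generic", "itemCount": 1,
                "files": [{"filePath": "uploads/invoice.exe", "fileHash": "ab" * 32}],
            }],
        },
    },
}}

def sanitize(s: str, limit: int = 256) -> str:
    # Replace control characters in an attacker-controlled key or path and cap its length.
    return _CONTROL.sub("?", s)[:limit]

def summarize_finding(event: dict[str, Any]) -> dict[str, Any]:
    # Flatten one Object:S3/MaliciousFile finding into a record that is safe to log or ticket.
    d = event["detail"]
    if d.get("type") != "Object:S3/MaliciousFile":
        raise ValueError("not a Malware Protection for S3 finding")
    scan = d["service"]["malwareProtectionScanDetails"]
    res, info = scan["scannedResourceDetails"], d["service"]["additionalInfo"]
    threats = info.get("threatsDetected", [])
    return {
        "scan_id": scan["scanId"],
        "bucket_arn": res["bucketArn"],
        "object_key": sanitize(res["objectKey"]),
        "version_id": None if res.get("objectVersionId") in (None, "null") else res["objectVersionId"],
        "trigger_finding_id": scan.get("triggerFindingId") or None,  # "" means upload-triggered
        "threat_total": info["threatsDetectedItemCount"],
        "threats_truncated": info["threatsDetectedItemCount"] > len(threats),  # array holds top 32 only
        "threats": [{"name": t["threatName"], "sha256": f["fileHash"], "path": sanitize(f["filePath"])}
                    for t in threats for f in t.get("files", [])],
    }
```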
