Enabling Malware Protection for S3
AWS Malware Protection for S3 scans newly uploaded objects in your S3 buckets for potential malware, adding a further layer of protection for your data.
Configuration Overview
All Modernisation Platform accounts have GuardDuty enabled by default, which includes S3 Protection. However, Malware Protection for S3 must be configured at the account level. This configuration allows you to specify which S3 buckets should be scanned for malware.
Steps to Enable Malware Protection for S3 with Terraform for your account
- Define the Buckets to Protect: Begin by identifying the S3 buckets you want to enable malware protection for and specify these buckets in your Terraform configuration.
- Create a Malware Protection Plan: Set up a resource in Terraform to enable malware protection for each bucket in your list. This involves linking each bucket to a protection plan and ensuring that tagging or logging settings are properly configured for each bucket.
- Assign IAM Permissions: Reference the GuardDutyS3MalwareProtectionRole IAM role, which is specifically created to provide GuardDuty the necessary permissions to access and scan the specified S3 buckets.
- Raise a PR for the Configuration: Deploy your Terraform configuration. Validate your setup by running terraform plan to confirm the changes. Once validated, raise a Pull Request for review and approval to apply the configuration and enable malware protection for the specified buckets.
- Verify the Deployment: After applying the configuration, confirm that malware protection has been successfully enabled for the specified buckets by reviewing your GuardDuty settings or checking for findings related to malware scanning.
By following these steps, you can enable Malware Protection for S3 using Terraform, ensuring a scalable and automated approach to securing your S3 buckets.
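The steps above assembled into a single Terraform configuration. This is an added example written for this page, not the Modernisation Platform's own code (the linked example implementation is the authoritative version). The bucket names are constructed placeholders; the role name GuardDutyS3MalwareProtectionRole is the one this guide refers to, and it is looked up here with an aws_iam_role data source rather than created.

```hcl
# Added example (not the Modernisation Platform's own code): enable GuardDuty
# Malware Protection for S3 on a list of buckets in one account.

locals {
  # Buckets to protect. These names are constructed placeholders; replace them
  # with the buckets identified in the first step.
  malware_protected_buckets = [
    "example-app-uploads",
    "example-app-ingest",
  ]
}

# The role this guide refers to, pre-created to let GuardDuty read and scan
# objects in the protected buckets. Referenced, not created, here.
data "aws_iam_role" "guardduty_s3_malware_protection" {
  name = "GuardDutyS3MalwareProtectionRole"
}

# One protection plan per bucket. Iterating over a set keeps each plan's
# resource address tied to its bucket name, so adding or removing a bucket
# from the list only creates or destroys that bucket's plan.
resource "aws_guardduty_malware_protection_plan" "s3" {
  for_each = toset(local.malware_protected_buckets)

  role = data.aws_iam_role.guardduty_s3_malware_protection.arn

  protected_resource {
    s3_bucket {
      bucket_name = each.value
      # Leave object_prefixes unset to scan every new object in the bucket;
      # set it to a list of key prefixes to restrict scanning to those paths.
    }
  }

  # Tag each scanned object with its scan result so consumers of the bucket
  # (and bucket policies) can distinguish clean objects from flagged ones.
  actions {
    tagging {
      status = "ENABLED"
    }
  }

  tags = {
    # Constructed tag; apply your account's standard tagging scheme instead.
    managed-by = "terraform"
  }
}

# Plan IDs per bucket, useful when verifying the deployment in GuardDuty.
output "malware_protection_plan_ids" {
  description = "GuardDuty Malware Protection plan ID keyed by protected bucket name"
  value = {
    for bucket, plan in aws_guardduty_malware_protection_plan.s3 : bucket => plan.id
  }
}
```

Run terraform plan against this and check that it proposes exactly one aws_guardduty_malware_protection_plan per bucket and no IAM changes. After apply, the plans appear under Malware Protection for S3 in the GuardDuty console, and with tagging enabled each newly uploaded object receives a GuardDutyMalwareScanStatus tag carrying its scan result, which is the quickest way to confirm the final verification step.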
Example Implementation
An example of enabling Malware Protection for S3 can be found here.