Control: 8 GuardDuty Malware Protection for EC2 should be enabled
Description
This control checks whether GuardDuty Malware Protection is enabled. For a standalone account, the control fails if GuardDuty Malware Protection is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have Malware Protection enabled.
In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the Malware Protection feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty Malware Protection enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.
GuardDuty Malware Protection for EC2 helps you detect the potential presence of malware by scanning the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads. Malware Protection provides scan options where you can decide if you want to include or exclude specific EC2 instances and container workloads at the time of scanning. It also provides an option to retain the snapshots of EBS volumes attached to the EC2 instances or container workloads, in your GuardDuty accounts. The snapshots get retained only when malware is found and Malware Protection findings are generated.
Remediation
To enable GuardDuty Malware Protection for EC2, see Configuring GuardDuty-initiated malware scan in the Amazon GuardDuty User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_guardduty_8
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_guardduty_8 --share
SQL
This control uses a named query:
with ec2_malware_protection as ( select arn from aws_guardduty_detector, jsonb_array_elements(features) as f where f ->> 'Name' = 'EBS_MALWARE_PROTECTION' and f ->> 'Status' = 'ENABLED')select d.arn as resource, case when m.arn is not null then 'ok' else 'alarm' end as status, case when m.arn is not null then title || ' has EC2 malware protection enabled.' else title || ' has EC2 malware protection disabled.' end as reason , region, account_idfrom aws_guardduty_detector as d left join ec2_malware_protection as m on m.arn = d.arn