AWS Storage Blog

Scan backups for malware with Amazon GuardDuty Malware Protection for AWS Backup

Data loss events from malware attacks can compromise your backups, putting your recovery strategy at risk. Organizations rely on backups as a critical defense against data loss, but these same backups can inadvertently preserve malware that has infiltrated production systems without being detected and removed. When malicious events occur, customers face a significant challenge: determining which backups are free from malware before proceeding with restoration. Traditional approaches necessitate that teams restore multiple backups into isolated environments, manually scan each one for threats, and only then restore clean data to production. This is a process that extends recovery time, consumes resources, and prolongs business disruption.

Today, we’re announcing the general availability of Amazon GuardDuty Malware Protection for AWS Backup to scan and identify malware in Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Block Store (Amazon EBS), and Amazon S3 backups. This integration secures your recovery process by removing the need for complex, manual scanning workflows, and it helps organizations respond faster by confirming that the data they recover is clean before normal operations resume. Using GuardDuty Malware Protection for AWS Backup, customers can be notified of potential threats in their backups, identify their last known clean backup for recovery, and automate malware scanning across their entire organization.

In this post, we demonstrate how customers can use GuardDuty Malware Protection for AWS Backup to automatically scan their backups for malicious content/files using multiple scanning engines, receive real-time notifications about potential threats, and identify their last clean backups.

How it works

GuardDuty Malware Protection for AWS Backup integrates automated scanning into your existing backup workflows to help protect your backups from malicious threats.

Scanning process

The scanning process uses multiple malware detection engines to thoroughly analyze your backup data for potential threats. GuardDuty automatically reads, decrypts, and scans all files and objects within each backup without manual intervention. After scanning completes, recovery points are marked with the status of either “No threats found” or “Threats found”, allowing you to quickly identify which backups are safe to restore. The feature supports scanning across full and incremental backups.

Notification System

When a scan completes, AWS Backup and GuardDuty provide multiple notification mechanisms:

  • EventBridge events deliver real-time notifications about scan completion and results.
  • AWS Security Hub integration (when GuardDuty is enabled) consolidates security findings.

You can use these notification mechanisms to build automated workflows that respond to malware detections, such as isolating affected resources or initiating more security measures.

Implementation options

Option 1: Automatically scan new backups

When you enable GuardDuty Malware Protection for AWS Backup for a backup plan, AWS Backup automatically initiates a scan after each successful backup completion. The scanning process is completely asynchronous, so it doesn’t impact your backup performance or extend backup windows.

GuardDuty Malware Protection for AWS Backup supports full and incremental scanning. When you opt in to incremental scans, the first backup of a resource undergoes a full scan of its entire contents. For subsequent backups, the service scans only the data that has changed since the last backup. This approach optimizes both scan time and cost.

You can combine incremental scans with periodic full scans for a more robust strategy. Incremental scans detect new threats in recently changed data, but a full scan re-examines the entire backup with the current detection engines. This matters when new malware strains are discovered: a threat may already be present in older backups yet have gone undetected by the signatures available at the time of the earlier scan. Scheduling regular full scans lets you find such previously undetected threats while keeping the day-to-day cost of incremental scans.

architecture diagram showing how to implement GuardDuty Malware Protection with AWS Backup

Figure 1: Implementation of Amazon GuardDuty Malware Protection with AWS Backup.

In this example, GuardDuty scans EBS, EC2, and S3 backups for potential threats. The scan-completion event delivered through EventBridge triggers a custom Lambda function that acts on the scan status:

  • Clean backups are copied to a logically air-gapped vault.
  • Infected backups are tagged (for example, “Infected”:”true”), and restores of tagged recovery points are blocked by a Service Control Policy (SCP).
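The following Lambda handler is an added example of the response logic in Figure 1; it is not AWS sample code and not part of the original post. The EventBridge event shape it parses (the detail fields recoveryPointArn, backupVaultName and scanResult) is an assumption constructed for this example; take the real detail-type and field names from the AWS Backup EventBridge documentation and adjust plan_action() accordingly. The vault ARN, copy role ARN and tag key are likewise placeholders.

```python
"""Added example (not AWS sample code): Lambda handler for the Figure 1 flow.

ASSUMPTION: the event schema below is constructed for this example. Replace the
field names with the ones documented for AWS Backup malware-scan events.
"""
import re

# Assumed names (not from the post): air-gapped destination vault and copy role.
AIR_GAPPED_VAULT_ARN = "arn:aws:backup:us-east-1:123456789012:backup-vault:clean-lagv"
COPY_ROLE_ARN = "arn:aws:iam::123456789012:role/BackupCopyRole"
INFECTED_TAG = {"Infected": "true"}

# Constructed sample events (assumed schema) so the decision logic runs offline.
SAMPLE_CLEAN_EVENT = {
    "source": "aws.backup",
    "detail": {
        "recoveryPointArn": "arn:aws:backup:us-east-1:123456789012:recovery-point:1a2b3c4d",
        "backupVaultName": "Default",
        "scanResult": "No threats found",
    },
}
SAMPLE_INFECTED_EVENT = {
    "source": "aws.backup",
    "detail": {
        "recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0",
        "backupVaultName": "Default",
        "scanResult": "Threats found",
    },
}

_EC2_ARN = re.compile(r"^arn:aws[\w-]*:ec2:[^:]*:[^:]*:(snapshot|image)/(.+)$")


def tag_target(recovery_point_arn):
    """Return ('ec2', resource-id) for EBS/EC2 recovery points, else ('backup', arn).

    backup:TagResource only accepts ARNs in the backup namespace. EBS and EC2
    recovery points are EC2 snapshot/AMI ARNs, so they must be tagged through
    ec2:CreateTags using the bare resource ID.
    """
    m = _EC2_ARN.match(recovery_point_arn)
    if m:
        return "ec2", m.group(2)
    return "backup", recovery_point_arn


def plan_action(event):
    """Decide what to do with one scan-completed event. Pure, so it is testable offline."""
    detail = event.get("detail") or {}
    rp_arn = detail.get("recoveryPointArn")
    vault = detail.get("backupVaultName")
    result = (detail.get("scanResult") or "").strip().lower()
    if not rp_arn or not vault:
        return {"action": "ignore", "reason": "event lacks recovery point or vault"}
    if result == "no threats found":
        return {"action": "copy", "recovery_point": rp_arn, "source_vault": vault,
                "destination_vault": AIR_GAPPED_VAULT_ARN}
    if result == "threats found":
        service, target = tag_target(rp_arn)
        return {"action": "quarantine", "recovery_point": rp_arn,
                "tag_via": service, "tag_target": target, "tags": dict(INFECTED_TAG)}
    # Failed or unknown scan status: neither promote to the clean vault nor treat as clean.
    return {"action": "ignore", "reason": f"unhandled scan result {result!r}"}


def handler(event, context=None):
    """Lambda entry point: perform the side effects that plan_action() decided on."""
    import boto3  # imported lazily so plan_action()/tag_target() import without boto3
    plan = plan_action(event)
    if plan["action"] == "copy":
        boto3.client("backup").start_copy_job(
            RecoveryPointArn=plan["recovery_point"],
            SourceBackupVaultName=plan["source_vault"],
            DestinationBackupVaultArn=plan["destination_vault"],
            IamRoleArn=COPY_ROLE_ARN,
        )
    elif plan["action"] == "quarantine":
        if plan["tag_via"] == "ec2":
            boto3.client("ec2").create_tags(
                Resources=[plan["tag_target"]],
                Tags=[{"Key": k, "Value": v} for k, v in plan["tags"].items()],
            )
        else:
            boto3.client("backup").tag_resource(ResourceArn=plan["tag_target"], Tags=plan["tags"])
    return plan
```

Two points a practitioner should keep in mind: a failed or unknown scan status is deliberately treated as "not proven clean" (no copy, no tag), and the SCP from the architecture then only has to deny backup:StartRestoreJob when the recovery point carries the Infected tag (an aws:ResourceTag condition), so the Lambda's tagging step is what makes the SCP effective.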

Option 2: Scan existing backups on-demand

You can run on-demand scans to verify that your existing backups are malware-free before restoration, especially during incident response. In recovery scenarios, on-demand scans let you identify your last clean backup without restoring multiple backups into isolated environments. When performing an on-demand scan, you can choose between a full scan and an incremental scan. Before restoring, opt for a full scan so that dormant malware that earlier scans did not detect is covered.

Getting started

Pre-requisites

Before enabling malware scanning, you must configure two AWS Identity and Access Management (IAM) roles with the appropriate permissions:

  • Backup role: Add the AWSBackupServiceRolePolicyForScans managed policy to your backup role. This gives AWS Backup permission to initiate scans from GuardDuty.
  • Scanner role: Create a role with the AWSBackupGuardDutyRolePolicyForScans managed policy. This gives GuardDuty permission to read and scan your backups.

It’s important to note the separation of duties between backup administrators and security teams when implementing this solution. The AWS Backup role allows backup administrators to initiate scans and view scan status, while the GuardDuty Scanner role provides the necessary permissions for GuardDuty to access and scan backup content. This role-based separation ensures that backup administrators can manage the scanning process without requiring direct access to potentially sensitive malware findings, which remain under the purview of security teams through the GuardDuty console.

How to enable automatic malware scanning in your backup plans

  1. Navigate to the AWS Backup console.
  2. Choose Backup plans from the navigation pane.
  3. Create a new backup plan or edit an existing one.
  4. Choose Enable malware scanning.
  5. Choose the IAM role, the scope of resources, and the scan mode (full scans, incremental scans, or no scans).
  6. Save your backup plan.

console image showing adding malware scanning to a backup plan

Figure 2: Enable Malware scanning within backup plans

How to run on-demand scans

To scan backups you’ve already created:

  1. In the AWS Backup console, navigate to Malware protection.
  2. Go to Create on-demand malware scan, and choose the scan mode.
  3. Choose the resource from vault or provide the recovery point Amazon Resource Name (ARN).
  4. Choose the Backup role and Scanner role with appropriate permissions and choose Start scan.

console image showing creation of a malware scan on-demand

Figure 3: Create on-demand malware scan

The scan results page shows all scanned backups with their Scan results (No threats found or Threats found) and Creation time timestamp.

the scan results page showing malware scan jobs

Figure 4: Monitor scan job details

How to monitor scan results

After scanning is enabled, you can monitor results through multiple channels:

  1. AWS Backup console: Go to the Malware protection section to view the list of scan jobs, representing Job status and Scan results.
  2. GuardDuty console (if enabled): View details in the Malware Scan results and Investigate malware findings page. You can view information such as the threat and file name, file path, objects/files scanned, and bytes scanned.

console image of monitoring malware scans

Figure 5: Monitor Malware Scans

  3. EventBridge: Set up custom rules to receive notifications when scans complete or malware is detected.
  4. AWS Backup Audit Manager: Set up a scanning report to view all scan jobs over the last 24 hours.

How to restore

When you need to restore data:

  1. From the AWS Backup console, navigate to Malware scan jobs.
  2. Review the list of backups and their scan results field (No threats found, or Threats found).

console image of malware scan results

Figure 6: Malware scan results

  3. Select a clean backup, create an on-demand scan if the backup was not scanned recently, and restore it if it is clean.
  4. For infected backups, navigate to the GuardDuty console to investigate the specific malware detected, including file paths and threat types.

If malware is detected in specific files within a backup, you can use AWS Backup search and item-level recovery capabilities to selectively restore individual clean files that are critical for operations. This selective approach is particularly valuable for backups where only a subset of data is restored, allowing you to quickly restore business-critical data and maintain operational continuity while you address the broader security incident.
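The selection step above (pick the newest clean recovery point, rescan it if the last scan is old or was only incremental, never restore an infected one) is easy to get wrong under incident pressure. The following is an added example, not AWS code, that encodes those rules; the RecoveryPoint record is an assumed shape constructed for the example and would be populated from the scan results shown in the AWS Backup console or API.

```python
"""Added example (not AWS code): choose the newest backup that is safe to restore.

ASSUMPTION: RecoveryPoint is a record shape invented for this example; fill it
from the "Scan results" and creation-time fields AWS Backup exposes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

CLEAN = "No threats found"
INFECTED = "Threats found"


@dataclass(frozen=True)
class RecoveryPoint:
    arn: str
    created: datetime                    # backup creation time, UTC
    scan_result: Optional[str] = None    # CLEAN, INFECTED, or None if never scanned
    scanned_at: Optional[datetime] = None
    scan_mode: Optional[str] = None      # "FULL" or "INCREMENTAL"


@dataclass
class RestoreChoice:
    recovery_point: Optional[RecoveryPoint]
    needs_full_scan: bool
    reason: str
    newer_unscanned: List[str] = field(default_factory=list)


def select_restore_candidate(points, now, max_scan_age=timedelta(days=7), require_full=True):
    """Newest recovery point marked clean, plus whether to run a full scan first.

    Infected points are never returned. A clean point whose last scan is older
    than max_scan_age, or was only incremental (when require_full is True), is
    still returned but flagged needs_full_scan=True, following the advice to
    run a full on-demand scan before restoring. Points newer than the chosen
    one that were never scanned are listed in newer_unscanned so the operator
    can scan them if a shorter data-loss window matters more than speed.
    """
    ordered = sorted(points, key=lambda p: p.created, reverse=True)
    newer_unscanned = []
    for p in ordered:
        if p.scan_result == INFECTED:
            continue
        if p.scan_result is None:
            newer_unscanned.append(p.arn)
            continue
        if p.scan_result != CLEAN:
            continue  # any other status is not proof of a clean backup
        if p.scanned_at is None or now - p.scanned_at > max_scan_age:
            return RestoreChoice(p, True, "last clean scan is stale", newer_unscanned)
        if require_full and p.scan_mode != "FULL":
            return RestoreChoice(p, True, "last clean scan was incremental", newer_unscanned)
        return RestoreChoice(p, False, "recent full scan found no threats", newer_unscanned)
    return RestoreChoice(None, True, "no recovery point is known clean", newer_unscanned)


# Constructed sample inventory (not real data) for a single resource.
SAMPLE_NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)


def _day(d):
    return datetime(2025, 6, d, tzinfo=timezone.utc)


SAMPLE_POINTS = [
    RecoveryPoint("rp1", _day(1), CLEAN, _day(1), "FULL"),
    RecoveryPoint("rp2", _day(20), CLEAN, _day(20), "FULL"),
    RecoveryPoint("rp3", _day(27), CLEAN, _day(27), "INCREMENTAL"),
    RecoveryPoint("rp4", _day(28), INFECTED, _day(28), "INCREMENTAL"),
    RecoveryPoint("rp5", _day(29)),  # backed up after the incident, never scanned
]

if __name__ == "__main__":
    choice = select_restore_candidate(SAMPLE_POINTS, SAMPLE_NOW)
    print(choice.recovery_point.arn, choice.needs_full_scan, choice.reason, choice.newer_unscanned)
```

With the sample inventory the function returns rp3 flagged for a full scan (its clean result came from an incremental scan) and lists rp5 as a newer, unscanned candidate; the infected rp4 is skipped outright.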

Cleaning up

If you followed along with this walkthrough using test resources, then complete the following steps to avoid incurring unwanted charges in your AWS account.

Delete the AWS Backup plan:

  • Navigate to the AWS Backup console.
  • Choose Backup plans from the navigation pane, and choose your test plan.
  • Choose the Resource assignments, then delete.
  • Delete the AWS Backup plan.

Delete the backups:

  • Go to the vault where your test backups are stored.
  • Choose the backups, and delete them.

Pricing and Cost Optimization

GuardDuty Malware Protection for AWS Backup is priced at $0.05 per GB scanned across all supported backup resource types (Amazon EC2, Amazon EBS, and Amazon S3) in the US East (N. Virginia) Region. This straightforward pricing model provides cost predictability while offering comprehensive protection for your backup data. The service’s support for incremental scanning significantly reduces costs for frequently scanned workloads. While the first backup undergoes a full scan of the entire contents, subsequent backups are scanned incrementally, covering only data that has changed since the previous backup. For example:

  • Initial full backup of 100GB: 100GB × $0.05/GB = $5.00
  • Daily incremental backup with 2GB changed data: 2GB × $0.05/GB = $0.10 per day

For optimal cost management while maintaining security, consider:

Tiered scanning approach: Classify data based on criticality and apply different scanning frequencies.

  • Mission Critical (Tier 0): Incremental scans after every backup with full scans every week
    Impact: Systems where malware could cause complete business shutdown, significant revenue loss, or severe reputational damage
    Recovery priority: Immediate restoration required with zero tolerance for malware
  • Business Critical (Tier 1): Daily incremental scans with full scans every week or two weeks
    Impact: Systems where malware could impair key business functions or affect customer experience
    Recovery priority: Restoration within hours with minimal acceptable risk
  • Moderately Critical (Tier 2): Weekly incremental scans with monthly or quarterly full scans
    Impact: Systems where malware would have limited operational impact or affect non-essential functions
    Recovery priority: Restoration can be scheduled with appropriate planning
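To compare the three tiers on the post's 100 GB / 2 GB-per-day example, the following added model (not AWS code, and not a substitute for the pricing page) counts the GB scanned over a 30-day month under each schedule and multiplies by the $0.05/GB price quoted above. It assumes a constant resource size, a constant daily change rate and that every incremental scan covers the change accumulated since the previous scan of either kind.

```python
"""Added example (not AWS code): scan-volume model for the tiered schedules.

Assumptions: constant resource size, constant daily change rate, 30-day month,
and the US East (N. Virginia) list price quoted in the post. Real charges depend
on the data actually changed and on the Region.
"""
PRICE_PER_GB = 0.05


def scanned_gb(size_gb, daily_change_gb, incremental_every_days, full_every_days, days=30):
    """GB scanned for one resource over `days`.

    Day 0 is the first backup and is always a full scan. Afterwards a full scan
    runs every full_every_days (0 disables periodic full scans); on other days an
    incremental scan runs every incremental_every_days and covers the change
    accumulated since the previous scan of either kind.
    """
    total = float(size_gb)  # initial full scan
    last_scan_day = 0
    for day in range(1, days):
        if full_every_days and day % full_every_days == 0:
            total += size_gb
            last_scan_day = day
        elif incremental_every_days and day % incremental_every_days == 0:
            total += daily_change_gb * (day - last_scan_day)
            last_scan_day = day
    return total


def monthly_cost(size_gb, daily_change_gb, incremental_every_days, full_every_days,
                 price=PRICE_PER_GB):
    """Scan charge for one resource over a 30-day month, rounded to cents."""
    return round(scanned_gb(size_gb, daily_change_gb, incremental_every_days, full_every_days) * price, 2)


# (incremental cadence in days, full cadence in days) per tier from the post.
# A 30-day full cadence means the only full scan in the window is the initial one.
TIERS = {
    "Tier 0 (daily incremental, weekly full)": (1, 7),
    "Tier 1 (daily incremental, full every two weeks)": (1, 14),
    "Tier 2 (weekly incremental, monthly full)": (7, 30),
}


def tier_costs(size_gb=100, daily_change_gb=2):
    """Monthly scan cost per tier for one resource of size_gb changing daily_change_gb."""
    return {name: monthly_cost(size_gb, daily_change_gb, inc, full)
            for name, (inc, full) in TIERS.items()}


if __name__ == "__main__":
    for name, cost in tier_costs().items():
        print(f"{name}: ${cost:.2f} per month")
```

For the 100 GB resource with 2 GB of daily change, the model gives about $27.50 per month for Tier 0, $17.70 for Tier 1 and $7.80 for Tier 2, against $7.90 for daily incrementals with no periodic full scan. The periodic full scans, not the incrementals, dominate the bill, which is why the full-scan cadence is the lever to set per tier.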

Conclusion

Amazon GuardDuty Malware Protection for AWS Backup changes how organizations approach backup security and recovery operations. This integration replaces the traditional process of manually restoring and scanning backups, reduces the operational overhead that process carries, and allows organizations to respond faster by confirming that recovered data is clean before normal business operations resume.

This service capability provides visibility into backup scan status through new fields that identify a backup as No threats found or Threats found, along with notification systems that help teams assess their security posture across their entire backup environment. When malware is detected, the seamless integration with GuardDuty enables rapid investigation and response.

This feature serves as a critical building block in an organization’s overall backup recovery planning, making sure that restored data is free from threats. As cyber threats continue to evolve, this capability adds a further layer of protection to backup and recovery operations within an organization’s broader security strategy.

The service is available today across all AWS Commercial and GovCloud (US) Regions. To get started, visit the AWS Backup console and enable malware scanning in your backup plans.

Mehak Mann

Mehak is a Cloud Operations Architect at AWS with foundations in on-premises networking. She specialises in Security, focusing on Threat Detection and Incident Response solutions. At AWS, Mehak serves as a strategic advisor, helping customers optimise their cloud operations to maximise technology investments. She loves public speaking, whether that’s a tech talk or engaging in thoughtful discussions. Outside work, she spends her time practicing Pilates and playing (admittedly bad) polo.

Samreen Taj K P

Samreen is a Technical Consultant at AWS specializing in storage, resilience, and networking. She architects data protection and migration solutions for large-scale enterprise customers, helping them build secure, highly available cloud infrastructures. As a trusted advisor, she partners with organizations to design tailored cloud strategies that align technical solutions with business objectives.