AWS aws-backup documentation change
Summary
Updated IAM policy references and extended GuardDuty finding retention period from 90 to 365 days
Security assessment
The changes clarify required IAM policies for malware scanning and extend threat detection retention period. While related to security features, there's no evidence of addressing a specific vulnerability. The retention period extension improves threat monitoring capabilities but doesn't fix a security flaw.
Diff
diff --git a/aws-backup/latest/devguide/malware-protection.md b/aws-backup/latest/devguide/malware-protection.md index ed2e7fe7c..9af116721 100644 --- a//aws-backup/latest/devguide/malware-protection.md +++ b//aws-backup/latest/devguide/malware-protection.md @@ -67 +67 @@ AWS Backup malware scanning requires two IAM roles to scan your recovery points - * First, the `AWSBackupServiceRolePolicyForScans` managed policy must be attached to your existing or new backup role. This is the same role found in the resource assignment for your backup plan in the console, or through the [BackupSelection API](./API_CreateBackupSelection.html). This managed policy allows AWS Backup to initiate malware scans with Amazon GuardDuty. + * First, the [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html) or [AWSBackupServiceRolePolicyForScans](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForScans.html) managed policy must be attached to your existing or new backup role. This is the same role found in the resource assignment for your backup plan in the console, or through the [BackupSelection API](./API_CreateBackupSelection.html). This managed policy allows AWS Backup to initiate malware scans with Amazon GuardDuty. @@ -69 +69 @@ AWS Backup malware scanning requires two IAM roles to scan your recovery points - * Second, a new scanner role is required with `AWSBackupGuardDutyRolePolicyForScans` managed policy that trusts `malware-protection.guardduty.amazonaws.com`. This is the same role found in the malware protection portion of your backup plan in the console or through the scan settings in your [BackupPlan API](./API_CreateBackupPlan.html). This role is passed by AWS Backup to Amazon GuardDuty when a scan is initiated, providing access to backups. + * Second, a new scanner role is required with [AWSBackupGuardDutyRolePolicyForScans](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupGuardDutyRolePolicyForScans.html) managed policy that trusts `malware-protection.guardduty.amazonaws.com`. This is the same role found in the malware protection portion of your backup plan in the console or through the scan settings in your [BackupPlan API](./API_CreateBackupPlan.html). This role is passed by AWS Backup to Amazon GuardDuty when a scan is initiated, providing access to backups. @@ -84 +84 @@ Even when incremental scanning is selected, AWS Backup performs a full scan in t - * **Expired baseline:** If your baseline recovery point was scanned more than 90 days ago, a full scan occurs. Because Amazon GuardDuty retains finding information for only 90 days, a new baseline must be established to ensure accurate scanning results. + * **Expired baseline:** If your baseline recovery point was scanned more than 365 days ago, a full scan occurs. Because Amazon GuardDuty retains finding information for only 365 days, a new baseline must be established to ensure accurate scanning results. @@ -146 +146 @@ Scan results indicate whether potential malware was detected in your recovery po -Amazon GuardDuty retains findings for 90 days, tracking files or objects across incremental scans to monitor if threats are removed or malware signatures change. For example, if malware is detected in backup 2, the scan result shows `THREATS_FOUND`. When you perform an incremental scan on backup 3 using backup 2 as a base, the scan result remains `THREATS_FOUND` unless the threat has been removed from the data. +Amazon GuardDuty retains findings for 365 days, tracking files or objects across incremental scans to monitor if threats are removed or malware signatures change. For example, if malware is detected in backup 2, the scan result shows `THREATS_FOUND`. When you perform an incremental scan on backup 3 using backup 2 as a base, the scan result remains `THREATS_FOUND` unless the threat has been removed from the data.