AWS guardduty documentation change
Summary
Added documentation for the statusReasons field in EventBridge notifications for skipped S3 malware scans, detailing various skip reasons such as access denials and unsupported features.
Security assessment
This change clarifies reasons for scan skips in GuardDuty Malware Protection, helping users identify configuration issues that could impact security monitoring, but there is no evidence of addressing a specific security vulnerability or incident.
Diff
diff --git a/guardduty/latest/ug/monitoring-malware-protection-s3-scans-gdu.md b/guardduty/latest/ug/monitoring-malware-protection-s3-scans-gdu.md index 003077123..627416408 100644 --- a//guardduty/latest/ug/monitoring-malware-protection-s3-scans-gdu.md +++ b//guardduty/latest/ug/monitoring-malware-protection-s3-scans-gdu.md @@ -69,0 +70,17 @@ GuardDuty will also skip the scan if the required IAM role gets deleted. +When the scan status is `SKIPPED`, the EventBridge notification for the S3 object scan result includes a `statusReasons` field within `scanResultDetails`. This field is a list of strings that provides the specific reason why the scan was skipped. The following table describes the possible `statusReasons` values. + +Status reason | Scan result status | Description +---|---|--- +`UNAUTHORIZED_TO_GET_OBJECT` | `ACCESS_DENIED` | Malware Protection for S3 doesn't have permission to read the S3 object, or the S3 object does not exist. Verify that the IAM role associated with the protected bucket has the required permissions and any bucket AWS KMS policy allows the role to decrypt objects. +`UNAUTHORIZED_TO_ASSUME_ROLE` | `ACCESS_DENIED` | Malware Protection for S3 can't assume the IAM role configured for the protected bucket. Verify that the role trust policy allows Malware Protection for S3 to assume the role. +`SSE_C_ENCRYPTED_OBJECT` | `ACCESS_DENIED` | The S3 object is encrypted with a customer-provided encryption key (SSE-C). GuardDuty can't access objects encrypted with SSE-C. For more information, see [Supportability of Amazon S3 features](./supported-s3-features-malware-protection-s3.html). +`OBJECT_E_TAG_CHANGED` | `ACCESS_DENIED` | The S3 object ETag changed between the time the scan was initiated and when GuardDuty attempted to read the object. The subsequent upload or new version will be scanned. +`BUCKET_NOT_FOUND` | `ACCESS_DENIED` | The S3 bucket associated with the scan no longer exists. +`UNSUPPORTED_STORAGE_CLASS` | `UNSUPPORTED` | The S3 object uses a storage class that is not supported by Malware Protection for S3. For more information, see [Supportability of Amazon S3 features](./supported-s3-features-malware-protection-s3.html). +`OBJECT_SIZE_LIMIT_EXCEEDED` | `UNSUPPORTED` | The S3 object size exceeds the maximum file size limit for Malware Protection for S3. For more information, see [Malware Protection for S3 quotas](./malware-protection-s3-quotas-guardduty.html). +`PASSWORD_PROTECTED` | `UNSUPPORTED` | The object is password-protected. +`EXTRACTED_FILE_LIMIT_EXCEEDED` | `UNSUPPORTED` | The archive contains more files than the maximum allowed limit. For more information, see [Malware Protection for S3 quotas](./malware-protection-s3-quotas-guardduty.html). +`EXTRACTED_LEVEL_LIMIT_EXCEEDED` | `UNSUPPORTED` | The archive exceeds the maximum nesting depth allowed. +`EXTRACTED_BYTE_LIMIT_EXCEEDED` | `UNSUPPORTED` | The extracted archive content exceeds the maximum byte size allowed. For more information, see [Malware Protection for S3 quotas](./malware-protection-s3-quotas-guardduty.html). +`EXTRACTION_RATIO_LIMIT_EXCEEDED` | `UNSUPPORTED` | The archive has an extremely high compression ratio that exceeds the allowed limit. For more information, see [Malware Protection for S3 quotas](./malware-protection-s3-quotas-guardduty.html). +