AWS Security ChangesHomeSearch

AWS aws-backup documentation change

Service: aws-backup · 2026-04-25 · Documentation low

File: aws-backup/latest/devguide/malware-protection.md

Summary

Clarified IAM role creation for malware scanning, added note on incremental scan requirements, and updated scan job status handling.

Security assessment

Changes enhance documentation for AWS Backup's malware protection feature, clarifying security configurations like IAM roles and scan dependencies. No evidence of addressing a specific security vulnerability; updates are operational clarifications.

Diff

diff --git a/aws-backup/latest/devguide/malware-protection.md b/aws-backup/latest/devguide/malware-protection.md
index 29ee8de0c..fa99e3476 100644
--- a//aws-backup/latest/devguide/malware-protection.md
+++ b//aws-backup/latest/devguide/malware-protection.md
@@ -71 +71 @@ AWS Backup malware scanning requires two IAM roles to scan your recovery points
-  * Second, a new scanner role is required with [AWSBackupGuardDutyRolePolicyForScans](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupGuardDutyRolePolicyForScans.html) managed policy that trusts `malware-protection.guardduty.amazonaws.com`. This is the same role found in the malware protection portion of your backup plan in the console or through the scan settings in your [BackupPlan API](./API_CreateBackupPlan.html). This role is passed by AWS Backup to Amazon GuardDuty when a scan is initiated, providing access to backups.
+  * Second, a new scanner role is required with [AWSBackupGuardDutyRolePolicyForScans](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupGuardDutyRolePolicyForScans.html) managed policy that trusts `malware-protection.guardduty.amazonaws.com`. To create this role, you can specify a custom trust policy and attach the required managed policy. This is the same role found in the malware protection portion of your backup plan in the console or through the scan settings in your [BackupPlan API](./API_CreateBackupPlan.html). This role is passed by AWS Backup to Amazon GuardDuty when a scan is initiated, providing access to backups.
@@ -104,0 +105,4 @@ Incremental malware scanning is not supported for Amazon EC2 recovery points in
+###### Note
+
+AWS Backup does not support using a recovery point scanned only via on-demand scan from Amazon GuardDuty as a base recovery point for incremental scans. To perform incremental scans via AWS Backup, ensure AWS Backup has previously scanned the base recovery point. 
+
@@ -140 +144 @@ Incremental scan jobs only scan the difference in data between two backups. Ther
-In rare cases, Amazon GuardDuty may experience internal issues when scanning files and objects, and retry attempts may be exhausted. When this happens, the scan job appears as `FAILED` in AWS Backup and `COMPLETED_WITH_ISSUES` in Amazon GuardDuty. This status difference allows you to view available scan results in Amazon GuardDuty while indicating that not all supported files and objects were successfully scanned.
+In rare cases, Amazon GuardDuty might experience internal issues when scanning files and objects, exhausting all retry attempts. When this happens, AWS Backup displays the scan job as `FAILED`, while Amazon GuardDuty shows it as `COMPLETED_WITH_ISSUES`. This status difference enables you to view available scan results in Amazon GuardDuty while indicating that Amazon GuardDuty did not successfully scan all supported files and objects. In these cases, AWS Backup cannot use the recovery point with a `FAILED` scan as a base recovery point for subsequent incremental scans.