AWS guardduty documentation change
Summary
Added documentation for malware scanning of Point-in-Time-Recovery (PITR) backups, including scanning frequency, on-demand scan limitations, and timestamp constraints.
Security assessment
This change documents operational aspects of a security feature (malware scanning) but contains no evidence of addressing a specific vulnerability. The 15-minute timestamp constraint appears operational rather than security-focused.
Diff
diff --git a/guardduty/latest/ug/malware-protection-backup-how-it-works.md b/guardduty/latest/ug/malware-protection-backup-how-it-works.md index da46c11bd..e9c13c5b7 100644 --- a//guardduty/latest/ug/malware-protection-backup-how-it-works.md +++ b//guardduty/latest/ug/malware-protection-backup-how-it-works.md @@ -20,0 +21,15 @@ A full scan is where the API will accept a resource ARN and scan all the files w +### Malware Scanning for Point-in-Time-Recovery (PITR) + +When enabled from AWS Backup, malware scanning for continuous backups or PITR happens according to the frequency configured on the Backup plan. This is orchestrated by the AWS Backup service. For example, GuardDuty will run the first scan from t0 to t2, the next scan from t2 to t4, the subsequent scan from t4 to t6 and so on. Each of these scans generates a scan ID that can be queried using the `GetMalwareScan` API to obtain the status and result of the scan for that time period. + +Alternatively, you can also scan the full PITR resource from the GuardDuty console or by using the GuardDuty `StartMalwareScan` API on-demand by passing in an end timestamp. This will ensure that GuardDuty scans the entire resource from the beginning, until the end timestamp. + +###### Note + + * You cannot trigger partial or incremental scans on PITR from GuardDuty. + + * The end timestamp passed for an on-demand scan cannot be older than (_current time - 15 minutes_). + + + +