Supportability of Amazon S3 features

The following table specifies whether or not Malware Protection for S3 supports the listed Amazon S3 features.

S3 feature name	Is the support available?	Description
S3 Storage Class - S3 Standard S3 Storage Class - S3 Standard-Infrequent Access S3 Storage Class - S3 One Zone-Infrequent Access S3 Storage Class - S3 Glacier Instant Retrieval	Yes	S3 objects can be retrieved without restoring asynchronously.
S3 Storage Class - S3 Intelligent-Tiering	Conditional	Intelligent Tiering support is available for S3 objects in the Frequent, Infrequent, and Archive Instance Access tiers. The opt-in Archive and Deep Archive tiers are not supported. Intelligent Tiering always creates a new object in Frequent Access tier. Therefore, object scan on create is supported. Future Intelligent tiering features might start out objects in Archive. Therefore, this is not supported.
S3 Storage Class - S3 Express One Zone (Directory bucket)	No	GuardDuty supports only general purpose buckets for Malware Protection for S3.
S3 Storage Class - S3 Glacier Flexible Retrieval S3 Storage Class - S3 Glacier Deep Archive	No	The S3 objects must be restored before they can be accessed.
Amazon S3 on Outposts	No	Malware Protection for S3 is not supported on Outposts.
S3 versioning	Yes	All the uploaded S3 objects are scanned for malware. If you uploaded an object with file version v1 and immediately uploaded another version override with v2, then GuardDuty will scan both the object file versions v1 and v2. However, the scan start time might not be in the same order.
S3 Replication - scan replicated object	Yes	If the destination bucket is a protected resource, then GuardDuty will scan all the S3 objects are replicated to the prefixes that are protected and monitored.
S3 Replication: Replicate on scan result tag	No	You can't define a replication rule based on the scan result tag. Amazon S3 does't support replication for tag, except for on create.
Data Encryption - S3-SSE Data Encryption - SSE-KMS Data Encryption - DSSE-KMS AWS KMS - Customer managed key	Yes	GuardDuty supports malware scans for S3 objects that are encrypted with managed and customer managed keys. Ensure that the IAM role includes the permission to use the key. For more information, see Adding IAM policy permissions.
Data Encryption - SSE-C	No	Malware Protection for S3 doesn't support scanning S3 objects that are encrypted with keys that are not accessible.
Client side encryption	No	When your S3 objects are encrypted by using Amazon S3 Encryption Client, your objects aren't exposed to any third party, including AWS. For more information about why this is not supported, see Protecting data by using client-side encryption in the Amazon S3 User Guide.
S3 object lock and legal hold	Yes	Locked S3 objects are locked based on WORM - Write Once Read Many. Malware Protection for S3 can access and scan the objects.
Requester pays	Yes	Malware Protection for S3 can scan the buckets that are set up with Requester Pays. The requester will pay for the S3 calls. For more information, see Using Requester Pays buckets for storage transfers and usage in the Amazon S3 User Guide.
S3: Storage lifecycle	Yes	You can define lifecycle policies based on the scan result tag. For example, auto-delete malicious objects. For more information about lifcycle configuration, see Managing your storage lifecycle in the Amazon S3 User Guide.
S3: Tag-based access control (TBAC)	Yes	You can define bucket resource policies based on your S3 object scan result tag. For example, prevent access to S3 objects that are not yet scanned, or GuardDuty detected threats. For more information, see Using tag-based access control (TBAC) with Malware Protection for S3.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Disabling Malware Protection for S3 for a protected bucket

Quotas in Malware Protection for S3