Malware protection in AWS Backup
Malware scanning of your backups is provided by Amazon GuardDuty Malware Protection. Using Amazon GuardDuty Malware Protection for AWS Backup allows you to automate scanning of recovery points through existing backup workflows, or initiate on-demand scans of previously created backups. This AWS native solution helps ensure your backups are clean from potential malware, allowing you to meet compliance requirements and respond to malicious incidents faster by ensuring the recovery of clean data.
To see a list of supported resource types and regions, visit the feature availability page.
Integration with Amazon GuardDuty
AWS Backup integrates with Amazon GuardDuty Malware Protection to provide threat detection for your recovery points. When a scan is initiated, either automatically after a backup completes or on demand, AWS Backup calls Amazon GuardDuty's StartMalwareScan API, passing the recovery point details and your scanner role. Amazon GuardDuty then uses that role to read, decrypt, and scan all files and objects within the backup.
When Amazon GuardDuty accesses your backup data, that access is logged in AWS CloudTrail for visibility.
For more information about this integration, see the Amazon GuardDuty Malware Protection documentation.
How to use malware scanning
When you use Amazon GuardDuty Malware Protection with AWS Backup, you can automatically scan your backups for malware. This integration helps you detect malicious code in your backups and identify clean recovery points for restore operations.
Amazon GuardDuty Malware Protection supports two primary workflows for scanning your backups:
- Automatic malware scanning through backup plans – Enable malware scanning in backup plans to automate malware detection with AWS Backup. When enabled, AWS Backup automatically initiates an Amazon GuardDuty scan after each successful backup completion. You can configure either full or incremental scanning for specific backup plan rules; the scan runs on that rule's schedule, so the rule frequency determines how often your backups are scanned. For more information about scan types, see Incremental vs full scans below. AWS Backup recommends enabling automatic malware scanning in backup plans for proactive threat detection after backup creation.
- On-demand scans – Run on-demand scans to manually scan existing backups, choosing between full or incremental scan types. AWS Backup recommends using on-demand scans to identify your last clean backup. When scanning before a restore operation, use a full scan to examine the entire backup with the latest threat detection model.
Access
Before you start with malware protection, your account must have required permissions for the operations.
AWS Backup malware scanning requires two IAM roles to scan your recovery points for potential malware:
- First, the AWSBackupServiceRolePolicyForScans managed policy must be attached to your existing or new backup role. This managed policy allows AWS Backup to initiate malware scans with Amazon GuardDuty.
- Second, a new scanner role is required with the AWSBackupGuardDutyRolePolicyForScans managed policy attached and a trust policy that trusts malware-protection.guardduty.amazonaws.com. AWS Backup passes this role to Amazon GuardDuty when a scan is initiated; it is what gives Amazon GuardDuty access to the backup data.
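The permission errors described later under Troubleshooting come from one of these two roles being wrong. The following pre-flight check is an added example, not AWS documentation code: it inspects the JSON that aws iam get-role and aws iam list-attached-role-policies return for each role and reports what is missing. It works on constructed sample documents so it runs offline; for real roles, feed it the CLI output instead. The service-role/ path in the managed policy ARNs is an assumption, and the check matches on policy name so the path does not matter.

```python
"""Pre-flight check for the two IAM roles that AWS Backup malware scanning
needs. Added example, not AWS documentation code. Input documents are in the
shape `aws iam get-role` / `aws iam list-attached-role-policies` return; the
sample documents below are constructed, and the service-role/ ARN path in
them is an assumption."""
from typing import Iterable

BACKUP_SERVICE = "backup.amazonaws.com"
SCANNER_SERVICE = "malware-protection.guardduty.amazonaws.com"
BACKUP_POLICY = "AWSBackupServiceRolePolicyForScans"
SCANNER_POLICY = "AWSBackupGuardDutyRolePolicyForScans"


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Principal.Service and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_service(trust_policy: dict, service: str) -> bool:
    """True if some Allow statement lets `service` call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a bare string principal is never what we want here
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        if service in _as_list(principal.get("Service")):
            return True
    return False


def has_managed_policy(attached: Iterable[dict], policy_name: str) -> bool:
    """`attached` is the AttachedPolicies list from list-attached-role-policies."""
    return any(p.get("PolicyName") == policy_name
               or p.get("PolicyArn", "").endswith("/" + policy_name)
               for p in attached)


def check_roles(backup_role: dict, backup_attached, scanner_role: dict, scanner_attached) -> list:
    """Return a list of problems; an empty list means both roles look right."""
    problems = []
    b_trust = backup_role["Role"]["AssumeRolePolicyDocument"]
    s_trust = scanner_role["Role"]["AssumeRolePolicyDocument"]
    if not trusts_service(b_trust, BACKUP_SERVICE):
        problems.append(f"backup role does not trust {BACKUP_SERVICE}")
    if not has_managed_policy(backup_attached, BACKUP_POLICY):
        problems.append(f"backup role is missing {BACKUP_POLICY}")
    if not trusts_service(s_trust, SCANNER_SERVICE):
        problems.append(f"scanner role does not trust {SCANNER_SERVICE}")
    if not has_managed_policy(scanner_attached, SCANNER_POLICY):
        problems.append(f"scanner role is missing {SCANNER_POLICY}")
    return problems


# Constructed sample documents in the shape the AWS CLI returns them.
SAMPLE_BACKUP_ROLE = {"Role": {"RoleName": "BackupRole", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": BACKUP_SERVICE},
                   "Action": "sts:AssumeRole"}]}}}
SAMPLE_BACKUP_ATTACHED = [
    {"PolicyName": "AWSBackupServiceRolePolicyForBackup",
     "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"},
    {"PolicyName": BACKUP_POLICY,
     "PolicyArn": f"arn:aws:iam::aws:policy/service-role/{BACKUP_POLICY}"},
]
# Scanner role with a likely mistake: it trusts the base GuardDuty principal,
# not the Malware Protection principal that AWS Backup hands the role to.
SAMPLE_SCANNER_ROLE = {"Role": {"RoleName": "BackupScannerRole", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": ["guardduty.amazonaws.com"]},
                   "Action": ["sts:AssumeRole"]}]}}}
SAMPLE_SCANNER_ATTACHED = [{"PolicyName": SCANNER_POLICY,
                            "PolicyArn": f"arn:aws:iam::aws:policy/service-role/{SCANNER_POLICY}"}]

if __name__ == "__main__":
    for problem in check_roles(SAMPLE_BACKUP_ROLE, SAMPLE_BACKUP_ATTACHED,
                               SAMPLE_SCANNER_ROLE, SAMPLE_SCANNER_ATTACHED):
        print("PROBLEM:", problem)
```

Run it against real roles by replacing the sample constants with the parsed output of aws iam get-role --role-name ... and aws iam list-attached-role-policies --role-name ... for the backup role and the scanner role; a scan job that never leaves CREATED or fails immediately is usually explained by the first problem it prints.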
Incremental vs full scans
With malware scanning, you have the option to choose between incremental and full scans based on your security requirements and cost considerations.
Incremental scans analyze only the data that changed between the target and base recovery point. These scans are faster and more cost-effective for regular scanning, making them ideal for frequent periodic backups where you want to scan newly backed up data.
Even when incremental scanning is selected, AWS Backup performs a full scan in these situations:
- First-time scans: The initial scan of a resource is always a full scan, allowing Amazon GuardDuty to establish a baseline of potential threats. Subsequent scans will then be incremental.
- Expired baseline: If your baseline recovery point was scanned more than 90 days ago, a full scan occurs. Because Amazon GuardDuty retains finding information for only 90 days, a new baseline must be established to ensure accurate scanning results.
- Deleted baseline: If your base recovery point is deleted before your next incremental scan starts, a full scan occurs automatically.
Full scans examine the entire recovery point regardless of previous scans. While these scans provide comprehensive coverage, they take longer to complete and incur higher costs. You can run full scans on-demand or schedule them through your backup plans. AWS Backup recommends configuring periodic full scans in your backup plans at extended intervals to ensure your entire backup data is regularly scanned with the latest malware signature model.
For optimal security versus cost management, consider your backup frequency when choosing scan types.
Note
Malware scanning is not currently supported for Amazon S3 continuous recovery points. To scan Amazon S3 continuous backups, configure periodic backups for your Amazon S3 resources and enable malware scanning on those periodic backups. You can use a combination of continuous and periodic backups for your Amazon S3 buckets.
Note
Incremental malware scanning is not supported for Amazon EC2 recovery points in a logically air-gapped vault or copied Amazon EC2 recovery points.
Monitoring your malware scans
After scanning is enabled, both AWS Backup and Amazon GuardDuty provide monitoring and notification mechanisms you can use to track your results:
- AWS Backup Console: The AWS Backup console is powered by the ListScanJobs and DescribeScanJob APIs. You can visit the Malware protection section to view the list of scan jobs, including job status and scan results. AWS Backup also supports a ListScanJobSummaries API, though it is not available in the console.
- AWS Backup Audit Manager: You can set up a scanning report to view all AWS Backup initiated malware scan jobs over the last 24 hours.
- Amazon GuardDuty Console: If Amazon GuardDuty itself is enabled in the account, you can view details in the Malware Scan results and investigate malware on the Amazon GuardDuty findings page. You can view information such as the threat and file name, file path, objects/files scanned, bytes scanned, and so on. Note that this detailed threat information is not available through AWS Backup, and you must have the appropriate Amazon GuardDuty permissions to view it.
- Amazon EventBridge: Both AWS Backup and Amazon GuardDuty emit EventBridge events, so backup and security administrators can be alerted in near real time. You can set up custom rules to receive notifications when scans complete or malware is detected.
- AWS CloudTrail: Both AWS Backup and Amazon GuardDuty emit CloudTrail events, allowing you to monitor API access.
Understanding scan results
Your scan jobs from AWS Backup will have a scan state and scan result.
Scan States
The scan state indicates the job state and can have values of: CREATED, COMPLETED, COMPLETED_WITH_ISSUES, RUNNING, FAILED, or CANCELED.
There are multiple situations in which your scan job will finish with state COMPLETED_WITH_ISSUES:
For Amazon S3 backups, object size and type limitations prevent some objects from being scanned. When at least one object is skipped within a scan, the corresponding scan job is marked as COMPLETED_WITH_ISSUES. For Amazon EC2 and Amazon EBS backups, volume size and quantity limitations can cause volumes to be skipped during scanning, which likewise results in a COMPLETED_WITH_ISSUES scan job.
If your job finishes with state COMPLETED_WITH_ISSUES and you need further information about the reasons, you will need to get those details from the corresponding scan job through Amazon GuardDuty.
Note
Incremental scan jobs only scan the difference in data between two backups. Therefore, if an incremental scan job does not encounter any of the situations described above, it finishes in state COMPLETED and does not inherit COMPLETED_WITH_ISSUES from the base recovery point.
In rare cases, Amazon GuardDuty may experience internal issues when scanning files and objects, and retry attempts may be exhausted. When this happens, the scan job appears as FAILED in AWS Backup and COMPLETED_WITH_ISSUES in Amazon GuardDuty. This status difference allows you to view available scan results in Amazon GuardDuty while indicating that not all supported files and objects were successfully scanned.
Scan Results
The scan result is the aggregated result from Amazon GuardDuty and has one of two values: THREATS_FOUND or NO_THREATS_FOUND.
Scan results indicate whether potential malware was detected in your recovery points. A NO_THREATS_FOUND status means no potential malware was detected, while THREATS_FOUND indicates potential malware was discovered. For detailed threat information, access the full Amazon GuardDuty findings through the Amazon GuardDuty console or APIs. Scan results are also available through EventBridge events, allowing you to build automated workflows that respond to infected backups.
Amazon GuardDuty retains findings for 90 days, tracking files or objects across incremental scans to monitor if threats are removed or malware signatures change. For example, if malware is detected in backup 2, the scan result shows THREATS_FOUND. When you perform an incremental scan on backup 3 using backup 2 as a base, the scan result remains THREATS_FOUND unless the threat has been removed from the data.
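Putting the state and result rules together gives the logic for "find my last clean backup" that the on-demand scan workflow above describes. The following is an added example, not AWS documentation code: it reduces a list of scan-job records to one verdict per recovery point (a later on-demand full scan supersedes an earlier verdict), treats COMPLETED_WITH_ISSUES and FAILED as partial coverage rather than clean, and flags when the chosen clean verdict came from an incremental scan so that a full scan is run before restoring. The record field names (RecoveryPointArn, State, ScanResult, ScanMode, CompletionDate) are assumed; map the real fields from aws backup list-scan-jobs onto them. The sample records are constructed.

```python
"""Choose the last clean recovery point from AWS Backup scan-job records.
Added example, not AWS documentation code. Field names are assumed; the
sample records at the bottom are constructed for the demo."""
from collections import Counter
from datetime import datetime

UNFINISHED = {"CREATED", "RUNNING", "CANCELED"}   # no verdict yet


def _when(job):
    return datetime.fromisoformat(job["CompletionDate"].replace("Z", "+00:00"))


def latest_verdict_per_recovery_point(jobs):
    """Newest finished job per recovery point. An on-demand full scan run
    later (for example before a restore) supersedes an older verdict."""
    latest = {}
    for job in jobs:
        if job["State"] in UNFINISHED:
            continue
        arn = job["RecoveryPointArn"]
        if arn not in latest or _when(job) > _when(latest[arn]):
            latest[arn] = job
    return latest


def classify(job):
    """INFECTED: THREATS_FOUND (incremental jobs carry this forward from their
    base until the threat is gone). CLEAN: COMPLETED with NO_THREATS_FOUND.
    PARTIAL: COMPLETED_WITH_ISSUES or FAILED, i.e. some objects or volumes
    were skipped; the reasons are only visible in GuardDuty."""
    if job.get("ScanResult") == "THREATS_FOUND":
        return "INFECTED"
    if job["State"] == "COMPLETED" and job.get("ScanResult") == "NO_THREATS_FOUND":
        return "CLEAN"
    return "PARTIAL"


def summary(jobs):
    """Count of recovery points per verdict class."""
    return dict(Counter(classify(j) for j in latest_verdict_per_recovery_point(jobs).values()))


def last_clean_recovery_point(jobs):
    """Return (arn, needs_full_scan). needs_full_scan is True when the clean
    verdict came from an incremental scan, which only covered the delta
    against its base; run a FULL_SCAN on that recovery point before restoring.
    Scan completion time stands in for recovery point age, since scans start
    right after the backup completes."""
    clean = [j for j in latest_verdict_per_recovery_point(jobs).values()
             if classify(j) == "CLEAN"]
    if not clean:
        return None, False
    best = max(clean, key=_when)
    return best["RecoveryPointArn"], best.get("ScanMode") != "FULL_SCAN"


# Constructed sample: an hourly incremental chain where malware shows up in
# the third backup, one partial scan, and one scan still running.
def _job(arn, state, result, mode, when):
    return {"RecoveryPointArn": arn, "State": state, "ScanResult": result,
            "ScanMode": mode, "CompletionDate": when}

_RP = "arn:aws:ec2:us-west-2::snapshot/snap-rp"   # placeholder ARN prefix
SAMPLE_SCAN_JOBS = [
    _job(_RP + "0", "COMPLETED", "NO_THREATS_FOUND", "FULL_SCAN", "2025-11-01T00:10:00Z"),
    _job(_RP + "1", "COMPLETED", "NO_THREATS_FOUND", "INCREMENTAL_SCAN", "2025-11-01T01:05:00Z"),
    _job(_RP + "2", "COMPLETED", "THREATS_FOUND", "INCREMENTAL_SCAN", "2025-11-01T02:05:00Z"),
    _job(_RP + "3", "COMPLETED", "THREATS_FOUND", "INCREMENTAL_SCAN", "2025-11-01T03:05:00Z"),
    _job(_RP + "3", "COMPLETED", "THREATS_FOUND", "FULL_SCAN", "2025-11-01T09:00:00Z"),  # on-demand re-check
    _job(_RP + "4", "COMPLETED_WITH_ISSUES", "NO_THREATS_FOUND", "INCREMENTAL_SCAN", "2025-11-01T04:05:00Z"),
    _job(_RP + "5", "RUNNING", None, "INCREMENTAL_SCAN", "2025-11-01T05:00:00Z"),
]

if __name__ == "__main__":
    print(summary(SAMPLE_SCAN_JOBS))
    print(last_clean_recovery_point(SAMPLE_SCAN_JOBS))
```

On the sample this selects the second recovery point (the newest one with a clean verdict) and flags it for a full scan, because its verdict is incremental; the recovery point whose scan completed with issues is not offered as clean even though no threat was reported in the part that was scanned.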
Troubleshooting scan failures
Common scan failures include insufficient IAM permissions, service limits, and resource access issues.
Permission errors occur when the backup role lacks AWSBackupServiceRolePolicyForScans permissions or the scanner role doesn't have AWSBackupGuardDutyRolePolicyForScans with proper trust relationships.
Service limit errors happen when you exceed the 150 concurrent scans per account or 5 concurrent scans per resource type - scan jobs will remain in CREATED state until capacity becomes available.
Access denied errors may indicate encrypted recovery points without proper AWS KMS permissions or deleted parent recovery points for incremental scans.
Timeout failures can occur with very large recovery points or during high Amazon GuardDuty load periods.
To troubleshoot, check the scan job status using DescribeScanJob API, verify IAM role configurations, ensure recovery points exist and are accessible, and consider switching to full scans if incremental scan parent references are missing.
Monitor your concurrent scan usage and implement jittering in automated workflows to avoid hitting service limits.
Metering
Malware protection is provided and billed by Amazon GuardDuty. You will not see any AWS Backup charges related to using this feature. All usage can be viewed under Amazon GuardDuty's billing. To learn more, visit Amazon GuardDuty pricing.
Quotas
Both AWS Backup and Amazon GuardDuty have quota limits for Amazon GuardDuty Malware Protection for AWS Backup.
For more information, visit AWS Backup quotas and Amazon GuardDuty quotas.
Console and CLI usage steps for malware scan types
The following sections show the steps for configuring different malware scan types using both the console and AWS CLI.
How to set up malware scans
Console
- Navigate to AWS Backup console → Backup plans
- Create a new backup plan or select an existing plan
- Enable the Malware protection toggle
- Under Scanner role, choose the scanner role. Make sure both the backup role and the scanner role have the permissions described in Access.
- Select Scannable resource types. This filters malware scanning to the resource types you choose: if your scannable resource type selection is Amazon EBS but your plan's resource selection includes Amazon EBS and Amazon S3, only Amazon EBS malware scans take place.
- Set Scan type for each backup rule. You can choose full, incremental, or no scan. The scan runs at the schedule frequency of the associated backup rule.
- Save the backup plan
AWS CLI
CreateBackupPlan
You can create a backup plan with malware scanning enabled using the create-backup-plan command:

aws backup create-backup-plan \
  --region us-west-2 \
  --cli-input-json '{
    "BackupPlan": {
      "BackupPlanName": "scan-initial-test-demo",
      "Rules": [
        {
          "RuleName": "full",
          "TargetBackupVaultName": "Default",
          "ScheduleExpression": "cron(0 * * * ? *)",
          "StartWindowMinutes": 120,
          "CompletionWindowMinutes": 6000,
          "Lifecycle": { "DeleteAfterDays": 3, "OptInToArchiveForSupportedResources": true },
          "RecoveryPointTags": { "key1": "foo", "key2": "foo" },
          "EnableContinuousBackup": true,
          "ScanActions": [ { "MalwareScanner": "GUARDDUTY", "ScanMode": "FULL_SCAN" } ]
        },
        {
          "RuleName": "incremental",
          "TargetBackupVaultName": "Default",
          "ScheduleExpression": "cron(30 * * * ? *)",
          "StartWindowMinutes": 100,
          "CompletionWindowMinutes": 5000,
          "Lifecycle": { "DeleteAfterDays": 2, "OptInToArchiveForSupportedResources": true },
          "RecoveryPointTags": { "key1": "foo", "key2": "foo" },
          "EnableContinuousBackup": true,
          "ScanActions": [ { "MalwareScanner": "GUARDDUTY", "ScanMode": "INCREMENTAL_SCAN" } ]
        }
      ],
      "ScanSettings": [
        {
          "MalwareScanner": "GUARDDUTY",
          "ResourceTypes": ["EBS", "EC2", "S3"],
          "ScannerRoleArn": "arn:aws:iam::300949271314:role/TestBackupScannerRole"
        }
      ]
    }
  }'
UpdateBackupPlan
You can update a backup plan with malware scanning enabled using the update-backup-plan command:

aws backup update-backup-plan \
  --region us-west-2 \
  --cli-input-json '{
    "BackupPlanId": "d1391282-68cf-4fce-93ad-e08bc5178bac",
    "BackupPlan": {
      "BackupPlanName": "scan-initial-test-demo",
      "Rules": [
        {
          "RuleName": "full",
          "TargetBackupVaultName": "Default",
          "ScheduleExpression": "cron(0 * * * ? *)",
          "StartWindowMinutes": 60,
          "CompletionWindowMinutes": 3000,
          "Lifecycle": { "DeleteAfterDays": 6, "OptInToArchiveForSupportedResources": false },
          "RecoveryPointTags": { "key1": "foo", "key2": "foo" },
          "EnableContinuousBackup": false,
          "ScanActions": [ { "MalwareScanner": "GUARDDUTY", "ScanMode": "FULL_SCAN" } ]
        },
        {
          "RuleName": "incremental",
          "TargetBackupVaultName": "Default",
          "ScheduleExpression": "cron(30 * * * ? *)",
          "StartWindowMinutes": 120,
          "CompletionWindowMinutes": 6000,
          "Lifecycle": { "DeleteAfterDays": 9, "OptInToArchiveForSupportedResources": false },
          "RecoveryPointTags": { "key1": "foo", "key2": "foo" },
          "EnableContinuousBackup": false,
          "ScanActions": [ { "MalwareScanner": "GUARDDUTY", "ScanMode": "INCREMENTAL_SCAN" } ]
        }
      ],
      "ScanSettings": [
        {
          "MalwareScanner": "GUARDDUTY",
          "ResourceTypes": ["ALL", "EBS"],
          "ScannerRoleArn": "arn:aws:iam::300949271314:role/TestBackupScannerRole"
        }
      ]
    }
  }'
Key Notes
- Target ARN entry is required before scan options become enabled (Console)
- Both the backup IAM role and the scanner IAM role are required for all configurations
- Use aws backup list-scan-jobs to view all scan jobs (AWS CLI)
- Scan results are available via the describe-recovery-point API in the ScanResults field (AWS CLI)
- The JSON backup plan structure includes ScanSettings at plan level and ScanActions in rules (AWS CLI)
- Cost implications vary by scan type (incremental vs full) and frequency
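Because the plan document couples ScanActions in each rule to a plan-level ScanSettings entry, it is easy to ship a plan whose scans never run. The following linter is an added example, not AWS documentation code: it checks a --cli-input-json document against the rules stated on this page (every rule with ScanActions needs a ScanSettings entry for the same scanner, ScannerRoleArn must be an IAM role ARN, ScanMode must be FULL_SCAN or INCREMENTAL_SCAN, Amazon S3 continuous recovery points are not scanned, and periodic full scans are recommended alongside incremental ones). Treating "ALL" in ResourceTypes as covering Amazon S3 is an assumption, and the sample plan uses a placeholder account ID and role name.

```python
"""Lint a backup plan document before create-backup-plan / update-backup-plan.
Added example, not AWS documentation code. The sample plan is constructed;
treating "ALL" in ResourceTypes as including S3 is an assumption."""
import json
import sys

VALID_MODES = {"FULL_SCAN", "INCREMENTAL_SCAN"}


def lint_backup_plan(doc):
    """Return a list of 'ERROR: ...' and 'WARN: ...' strings (empty means OK)."""
    plan = doc.get("BackupPlan", doc)   # accept the cli-input-json wrapper or the bare plan
    findings = []
    settings = {s.get("MalwareScanner"): s for s in plan.get("ScanSettings", [])}

    for scanner, s in settings.items():
        arn = str(s.get("ScannerRoleArn", ""))
        if not (arn.startswith("arn:aws:iam::") and ":role/" in arn):
            findings.append(f"ERROR: ScanSettings for {scanner} needs an IAM role ARN in ScannerRoleArn")

    modes_used = set()
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        for action in rule.get("ScanActions", []):
            scanner, mode = action.get("MalwareScanner"), action.get("ScanMode")
            if scanner not in settings:
                findings.append(f"ERROR: rule '{name}' scans with {scanner} but the plan has no ScanSettings for it")
            if mode not in VALID_MODES:
                findings.append(f"ERROR: rule '{name}' has an unknown ScanMode {mode!r}")
            modes_used.add(mode)
            # Continuous S3 recovery points are never scanned; S3 needs a periodic rule.
            types = set(settings.get(scanner, {}).get("ResourceTypes", []))
            if rule.get("EnableContinuousBackup") and types & {"S3", "ALL"}:
                findings.append(f"WARN: rule '{name}' creates continuous backups; S3 continuous "
                                "recovery points are not scanned, so S3 needs a periodic rule")
    if modes_used and "FULL_SCAN" not in modes_used:
        findings.append("WARN: only incremental scans are configured; add a periodic FULL_SCAN rule")
    return findings


def has_errors(findings):
    return any(f.startswith("ERROR") for f in findings)


# Constructed sample shaped like the create-backup-plan document above
# (placeholder account ID and role name).
SAMPLE_PLAN = {"BackupPlan": {
    "BackupPlanName": "scan-demo",
    "Rules": [
        {"RuleName": "full", "TargetBackupVaultName": "Default",
         "ScheduleExpression": "cron(0 * * * ? *)", "EnableContinuousBackup": True,
         "ScanActions": [{"MalwareScanner": "GUARDDUTY", "ScanMode": "FULL_SCAN"}]},
        {"RuleName": "incremental", "TargetBackupVaultName": "Default",
         "ScheduleExpression": "cron(30 * * * ? *)", "EnableContinuousBackup": True,
         "ScanActions": [{"MalwareScanner": "GUARDDUTY", "ScanMode": "INCREMENTAL_SCAN"}]},
    ],
    "ScanSettings": [{"MalwareScanner": "GUARDDUTY", "ResourceTypes": ["EBS", "EC2", "S3"],
                      "ScannerRoleArn": "arn:aws:iam::123456789012:role/BackupScannerRole"}],
}}

if __name__ == "__main__":
    # Usage: python lint_plan.py plan.json   (no argument lints the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = lint_backup_plan(doc)
    for f in findings:
        print(f)
    sys.exit(1 if has_errors(findings) else 0)
```

Against the sample plan, which mirrors the create-backup-plan document above, the linter reports no errors but warns on both rules: they enable continuous backup while Amazon S3 is a scannable resource type, so the S3 recovery points those rules create would not be scanned. Run it in CI with the exit code as the gate before the plan JSON is applied.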