Amazon’s cloud platform is extending security capabilities for a couple of its widely used services: Amazon Elastic Block Store (EBS) and Amazon Elastic Kubernetes Service (EKS).
This latest support comes in the shape of updates to a couple of existing AWS capabilities, namely Amazon GuardDuty and Amazon Detective.
Amazon GuardDuty is described as a threat detection service that can continuously monitor AWS accounts and workloads for malicious activity, and can initiate automated responses.
With the latest update, Amazon GuardDuty now has the ability to detect malware: a malware scan is initiated if GuardDuty detects that customer EC2 instances – or container workloads running on EC2 – are doing something considered suspicious. When a malware scan is initiated, GuardDuty takes a snapshot of any Amazon Elastic Block Store (EBS) volumes attached to the suspect EC2 instance that are less than 1TB in size, and then scans the snapshot for malware.
GuardDuty supports many file system types and is able to scan file formats known to be used to spread or contain malware, including Windows and Linux executables, PDF documents, archives, binaries, scripts, installers, email databases, and plain old emails.
In fact, the scanning appears to be performed using third-party security tools, since AWS lists a number of partner offerings GuardDuty is integrated with, including those from BitDefender, Sophos, and Palo Alto Networks. Users can opt to preserve a snapshot for further analysis if malware is detected; otherwise the snapshots are deleted upon completion of a scan.
Amazon GuardDuty Malware Protection is available in most AWS Regions where GuardDuty is available with a few exceptions. Customers pay for the volume of data scanned in the file systems, and not for the size of the EBS volumes themselves, Amazon said.
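To make the operational consequences of the scanning behaviour described above concrete, here is an added triage example (not AWS code and not a GuardDuty API call). It takes a constructed, simplified malware finding, works out which attached volumes fell under the under-1TB scan limit (the 1TB boundary is assumed to mean 1024 GiB), and lists the follow-up a defender would want: retain the snapshot when malware was found, isolate the instance, and treat any volume above the limit as an unscanned coverage gap. The field names in the sample finding are assumptions, not the real GuardDuty schema.

```python
"""Triage helper for a GuardDuty Malware Protection style finding.

Added example, not AWS or GuardDuty code. The finding layout below is a
constructed, simplified sample; the real finding JSON is richer and its exact
field names are assumed here, so map them to the actual schema before use.
"""
import json

# GuardDuty snapshots and scans only attached EBS volumes under 1TB
# (per the article); 1TB is taken as 1024 GiB here, which is an assumption.
SCAN_LIMIT_GIB = 1024

# Constructed sample finding (not real data); field names are assumptions.
SAMPLE_FINDING = json.dumps({
    "type": "Execution:EC2/MaliciousFile",
    "severity": 8,
    "resource": {
        "instanceId": "i-0123456789abcdef0",
        "ebsVolumes": [
            {"volumeId": "vol-0aaa", "sizeGiB": 100},    # scanned
            {"volumeId": "vol-0bbb", "sizeGiB": 2048},   # over the limit, skipped
        ],
    },
    "scan": {
        "snapshotIds": ["snap-0111"],
        "threats": [
            {"name": "EICAR-Test-File", "paths": ["/tmp/eicar.com"]},
        ],
    },
})


def triage(finding_json: str) -> dict:
    """Summarise a malware finding and derive defender actions from it."""
    finding = json.loads(finding_json)
    resource = finding["resource"]
    volumes = resource.get("ebsVolumes", [])

    # Volumes at or above the limit were never snapshotted, so a clean scan
    # result says nothing about them.
    scanned = [v["volumeId"] for v in volumes if v["sizeGiB"] < SCAN_LIMIT_GIB]
    unscanned = [v["volumeId"] for v in volumes if v["sizeGiB"] >= SCAN_LIMIT_GIB]

    scan = finding.get("scan", {})
    threats = scan.get("threats", [])
    malware_found = len(threats) > 0

    actions = []
    if malware_found:
        # Snapshots are deleted after the scan unless retention was chosen,
        # so preserving them is the first step if forensics is wanted.
        actions.append("retain snapshot(s) for analysis: " + ", ".join(scan.get("snapshotIds", [])))
        actions.append("isolate instance " + resource["instanceId"])
    if unscanned:
        actions.append("inspect unscanned volume(s) manually: " + ", ".join(unscanned))

    return {
        "instance_id": resource["instanceId"],
        "finding_type": finding.get("type"),
        "severity": finding.get("severity"),
        "malware_found": malware_found,
        "threat_names": [t["name"] for t in threats],
        "scanned_volumes": scanned,
        "unscanned_volumes": unscanned,
        "actions": actions,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING), indent=2))
```

The point of the `unscanned_volumes` field is the caveat the article implies but does not spell out: a volume of 1TB or more is simply not covered by the scan, so a finding that names only small volumes can still leave an infected large volume untouched.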
Meanwhile, Amazon Detective is a fully managed service intended to analyze and identify the root cause of potential security issues or suspicious activities. It does this by ingesting log data into a graph model that summarizes resource behaviors and interactions across an entire AWS environment.
The updated capabilities in Amazon Detective now expand its security investigation coverage to workloads running in containers under Amazon EKS. According to Amazon, Detective will automatically start ingesting EKS audit logs to capture API activity from users, applications, and the Kubernetes control plane in Amazon EKS once enabled by a customer.
AWS said that Amazon Detective for EKS is available in all Regions where Amazon Detective is available, and pricing will be based on the volume of audit logs analyzed.
However, Detective provides a free 30-day trial when EKS coverage is enabled, allowing customers to ensure that the capabilities meet their security needs and to get an estimate of the service’s monthly cost before committing to paid usage. ®