Orchestrate automated response for Amazon GuardDuty Malware Protection for AWS Backup at scale
Storage Blog
This article explains how to implement automated malware detection and response for AWS Backup recovery points using GuardDuty, preventing infected backups from being restored to production.
- GuardDuty Malware Protection scans backups; when a scan finds malware, EventBridge triggers a Lambda function that tags the infected recovery points
- Service Control Policies deny restore operations on tagged infected recovery points organization-wide
- The same Lambda function also sends SNS notifications to security teams and can optionally copy infected backups to a forensics account
- Solution uses phased rollout: foundation setup, pilot testing, scaling, and operational maturity
- Tiered scanning strategy matches scan frequency to workload criticality to optimize costs
- Centralized visibility through Security Hub aggregation in delegated administrator account
This automated enforcement prevents compromised backups from reaching production during incidents by coupling detection with prevention at the organizational level.
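As an added illustration of the enforcement step described above (not a policy from the original article), this Service Control Policy denies `backup:StartRestoreJob` on any recovery point carrying the tag written by the response Lambda. The tag key `MalwareScanStatus`, the value `THREATS_FOUND` and the role name `SecurityResponseRole` are assumed placeholders, since the summary does not name them; the second statement goes beyond the summary by also protecting the tag itself, so that an ordinary principal in a member account cannot clear the flag and then restore.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRestoreOfRecoveryPointsFlaggedInfected",
      "Effect": "Deny",
      "Action": "backup:StartRestoreJob",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/MalwareScanStatus": "THREATS_FOUND"
        }
      }
    },
    {
      "Sid": "OnlySecurityResponderMayChangeTheFlagOnInfectedRecoveryPoints",
      "Effect": "Deny",
      "Action": [
        "backup:TagResource",
        "backup:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/MalwareScanStatus": "THREATS_FOUND"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityResponseRole"
        }
      }
    }
  ]
}
```

Because both statements key off `aws:ResourceTag`, the control only takes effect once the Lambda has applied the tag, so a failed or delayed tagging step leaves a window in which the restore is still allowed; monitor the Lambda's errors and the SNS notifications for that gap.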
Related articles

- May 26, 2026: Amazon GuardDuty Malware Protection for AWS Backup supports Amazon S3 continuous backups
- Nov 19, 2025: Amazon GuardDuty Malware Protection for AWS Backup is now available
- Nov 19, 2025: Scan backups for malware with Amazon GuardDuty Malware Protection for AWS Backup
- Jun 11, 2024: Introducing Amazon GuardDuty Malware Protection for Amazon S3