UPDATED 15:13 EDT / JULY 26 2022

AWS rolls out new malware detection and container security features

Amazon Web Services Inc. is rolling out new features that will help customers more easily scan their cloud environments for malware and secure software container applications.

The features made their debut today at the cloud giant’s AWS re:Inforce event. They’re becoming available as part of two existing services, Amazon GuardDuty and Amazon Detective, that AWS offers as part of its platform.

GuardDuty is a managed service designed to detect malicious activity in cloud environments. The service can, for example, detect when a hacker attempts to download business data from an important cloud application. GuardDuty also spots other types of malicious activity.

AWS is expanding GuardDuty’s feature set with a new tool dubbed GuardDuty Malware Protection. According to AWS, the tool will enable the service to detect not only malicious activity but also malicious files. 

GuardDuty Malware Protection can scan a wide range of files for malware. AWS says that the tool is capable of detecting malicious code in Windows and Linux programs, as well as PDF documents, software installers, scripts and a long list of other files.

The service automatically launches malware scans when it detects suspicious activity in a company’s AWS environment. “For example, a malware scan is triggered when an EC2 instance is communicating with a command-and-control server that is known to be malicious or is performing denial of service (DoS) or brute-force attacks against other EC2 instances,” Danilo Poccia, AWS’ chief evangelist for EMEA, detailed in a blog post today.

GuardDuty Malware Protection finds malware by searching for malicious files in the Amazon EBS volume attached to an instance. An EBS volume is a pool of storage capacity used to hold the instance’s files. GuardDuty Malware Protection creates a copy of the instance’s EBS volume, then scans the copy for malware without impacting the original data.

The tool makes the results of malware scans available through a centralized console. It displays the type of malware that was detected in an EC2 instance, how many malicious files were found and other data points.

For situations where an administrator may require additional data about a malicious file, the console provides a shortcut that makes it possible to quickly launch AWS’ Amazon Detective service. The latter service includes features that administrators can use to investigate data breaches. Alongside the enhancements that it rolled out to GuardDuty at re:Inforce today, AWS also released an update for Detective.

Thanks to the update, Detective can now be used to investigate cybersecurity incidents affecting workloads running on Amazon Elastic Kubernetes Service. The service, which is commonly referred to as EKS, is Amazon’s managed implementation of Kubernetes.

Investigating a data breach to map out what caused it and how many systems are affected often requires administrators to collect a large amount of technical information about the incident. According to AWS, Detective streamlines the process. The service automatically collects data about a breach and, using machine learning, organizes the data into a form that eases analysis.

To help companies investigate cybersecurity incidents affecting their EKS-powered container workloads, Detective now ingests data from EKS. Detective can collect both user and application activity data from an EKS-based Kubernetes environment. The tool also analyzes activity generated in the so-called Kubernetes control plane, a collection of cloud instances used to run key software components of the Kubernetes platform. 

“Detective automatically correlates user activity using CloudTrail, and network activity using Amazon VPC Flow logs, without the need for you to enable, store, or retain logs manually,” AWS principal developer advocate Channy Yun explained in a blog post.

AWS also made other additions to its cybersecurity portfolio today. It announced the preview of AWS Wickr, an enterprise communications service with end-to-end encryption that is based on a software product the Amazon.com Inc. unit acquired last year. Moreover, the cloud giant is introducing features that will make it easier for companies to evaluate the security of third-party software products before buying them.

The new features expand AWS’ already extensive lineup of cybersecurity capabilities. The cloud giant offers services that companies can use to set up firewalls, secure the encryption keys that they rely on to protect business data and block distributed denial-of-service attacks. AWS’ cybersecurity portfolio also covers several other use cases. 
