Amazon GuardDuty Malware Protection for S3 versus bucketAV
We started working on bucketAV in 2015. Since then, we have received a lot of feedback from our customers and improved bucketAV every month. Recently, I compared bucketAV with the new kid on the block: Amazon GuardDuty Malware Protection for S3 released in June 2024.
My approach to comparing malware scanners for Amazon S3 is mostly feature-based. I also compared the operational and pricing models of both solutions. Let’s start with the features.
Features
I grouped the features into four categories:
- Scan modes: Do you want to scan a single file or the whole bucket? When do you want to scan to happen? in real-time, right after the upload, on a schedule, on-demand, or on-access, in the moment a file is downloaded? GuardDuty can scan files in real-time, right after the file is uploaded. bucketAV supports real-time file scanning as well. On top of it, bucketAV can scan a whole bucket on a schedule. bucketAV can also scan files and buckets on-demand. Additionally, bucketAV supports on-access file scan, to scan a file just before the download.
- Mitigation: What should happen with the files after the scan? Do you want to delete infected files, move them to a quarantine bucket, or just tag them? GuardDuty supports tagging with the key
GuardDutyMalwareScanStatus. bucketAV supports tagging as well with a configurable tag key. On top of it, bucketAV can delete infected files and move files into other buckets which is handy to move infected files into a quarantine bucket for further analysis. - Reporting: How can you observe the scan results? Do you prefer a daily/weekly/monthly report, a real-time notification via email, Slack, Microsoft Teams, a real-time dashboard, or integration into AWS security services like Security Hub that can also integrate with an SIEM? GuardDuty Malware Protection for S3 can be used in two modes. If you also subscribe to GuardDuty, you will see findings created in GuardDuty for infected files. If you use GuardDuty Malware Protection for S3 independently, there is no way to track the scan results of files besides the object tag. bucketAV supports daily/weekly/monthly reports with statistics and CSV files, and real-time notifications via email, Slack, or Microsoft Teams. bucketAV also offers a real-time dashboard as well as integrations into AWS Security Hub and AWS Systems Manager OpsCenter.
- Developer: Last but not least, what capabilities are provided to extend or embed the solution into your existing applications? For example, what options are available to notify your application about scan results? Is there an API to scan files on-demand? GuardDuty publishes all scan results via EventBridge. bucketAV uses SNS instead to publish similar information. All solutions publish CloudWatch metrics to inform about the number of files scanned, infected, clean, and unscannable files. bucketAV also offers HTTPS APIs to scan files on-demand using an API outside of S3.
The following table provides an overview of the features.
| Amazon GuardDuty Malware Protection for S3 | bucketAV powered by Sophos® | bucketAV powered by ClamAV® | |
|---|---|---|---|
| Malware detection engine | Bitdefender1 | Sophos | ClamAV |
| Scan modes | |||
| Real-time file scan | ✅ | ✅ | ✅ |
| Scheduled bucket scan | ❌ | ✅ | ✅ |
| On-demand bucket scan | ❌ | ✅ | ✅ |
| On-demand file scan | ❌ | ✅ | ✅ |
| On-access file scan | ❌ | ✅ | ✅ |
| Mitigation | |||
| Tag | ✅ | ✅ | ✅ |
| Delete | ❌ | ✅ | ✅ |
| Quarantine/Move | ❌ | ✅ | ✅ |
| Reporting | |||
| Reports | ❌ | ✅ | ✅ |
| Notifications (email) | ❌ | ✅ | ✅ |
| Notifications (Slack) | ❌ | ✅ | ✅ |
| Notifications (Microsoft Teams) | ❌ | ✅ | ✅ |
| Dashboard | ❌ | ✅ | ✅ |
| AWS Security Hub finding integration | ⚠️2 | ✅ | ✅ |
| AWS Systems Manager OpsCenter item integration | ❌ | ✅ | ✅ |
| Amazon GuardDuty finding integration | ⚠️3 | ❌4 | ❌4 |
| Developer | |||
| Amazon EventBridge integration | ✅ | ❌ | ❌ |
| Amazon SNS integration | ❌ | ✅ | ✅ |
| Amazon CloudWatch metrics integration | ✅ | ✅ | ✅ |
| async HTTPS API | ❌ | ✅ | ✅ |
| sync HTTPS API | ❌ | ✅ | ✅ |
Operational model
Amazon GuardDuty Malware Protection for S3 is a managed service operated by AWS. bucketAV, on the other hand, is installed by the customer and runs in the customer’s AWS account. bucketAV provides CloudFormation templates and EC2 AMIs that our customers use to deploy the solution.
Pricing model
Comparing the pricing model is a little harder. I will use three examples that represent typical customers of bucketAV.
| Workload | Amazon GuardDuty Malware Protection for S3 | bucketAV powered by Sophos® | bucketAV powered by ClamAV® |
|---|---|---|---|
| Tiny (90 GB/month) | $57.68 | $69.65 | $55.74 |
| Small (3 TB / month) | $1,991.07 | $689.00 | $88.69 |
| Larger (15 TB / month) | $12,696.81 | $3,276.84 | $2,070.90 |
In the following, I present detailed cost estimations of all examples. I end with a detailed comparison of the pricing models.
Tiny workload
The customer scans 300 files per day with an average file size of 10 MB. This results in 9,000 files and 90 GB per month. Objects are tagged with scan results. AWS region is us-east-1.
| Amazon GuardDuty Malware Protection for S3 | bucketAV powered by Sophos® | bucketAV powered by ClamAV® | |
|---|---|---|---|
| Scanning | GB: $54.00 files: $1.94 Total: $55.94 (price depends on region) | GB: $18.00 vCPUs: $36.00 Total: $54.00 | vCPUs: $36.00 Total: $36.00 |
| Infrastructure | S3: $0.05 EventBridge: $0.01 GuardDuty: optional, AWS usage dependent Total: $0.06 (price depends on region) | S3: $0.05 EC2 (t3.nano, spot $0.0024): $5.33 EBS: $2.56 SNS: $0.00 SQS: $0.01 CloudWatch: $7.70 Total: $15.65 (price depends on region) | S3: $0.05 EC2 (t3.medium, spot $0.0085): $9.72 EBS: $2.56 SNS: $0 SQS: $0.01 CloudWatch: $7.40 Total: $48.18 (price depends on region) |
| Support | At least $1.68 | Free | Free |
| Total | $57.68 | $69.65 | $55.74 |
Small workload
The customer scans 20,000 files per day with an average file size of 5 MB. This results in 600,000 files and 3,000 GB per month. Objects are tagged with scan results. AWS region is us-east-1.
| Amazon GuardDuty Malware Protection for S3 | bucketAV powered by Sophos® | bucketAV powered by ClamAV® | |
|---|---|---|---|
| Scanning | GB: $1,800.00 files: $129.00 Total: $1,929.00 (price depends on region) | GB: $600.00 vCPUs: $36.00 Total: $636.00 | vCPUs: $36.00 Total: $36.00 |
| Infrastructure | S3: $3.48 EventBridge: $0.60 GuardDuty: optional, AWS usage dependent Total: $4.08 (price depends on region) | S3: $3.48 EC2 (m5.large, spot $0.048): $38.16 EBS: $2.56 SNS: $0.30 SQS: $0.72 CloudWatch: $7.78 Total: $53.00 (price depends on region) | S3: $3.48 EC2 (m5.large, spot $0.048): $38.16 EBS: $2.56 SNS: $0.30 SQS: $0.72 CloudWatch: $7.47 Total: $52.69 (price depends on region) |
| Support | At least $57.99 | Free | Free |
| Total | $1,991.07 | $689.00 | $88.69 |
Larger workload
The customer scans 500,000 files per day with an average file size of 1 MB. This results in 15,000,000 files and 15,000 GB per month. Objects are tagged with scan results. AWS region is us-east-1.
| Amazon GuardDuty Malware Protection for S3 | bucketAV powered by Sophos® | bucketAV powered by ClamAV® | |
|---|---|---|---|
| Scanning | GB: $9,000.00 files: $3,225.00 Total: $12,225.00 (price depends on region) | GB: $3,000.00 vCPUs: $72.00 Total: $3,072.00 | vCPUs: $900.00 Total: $900.00 |
| Infrastructure | S3: $87.00 EventBridge: $15.00 GuardDuty: optional, AWS usage dependent Total: $102.00 (price depends on region) | S3: $87.00 EC2 (m5.large, spot $0.048): $76.32 EBS: $5.12 SNS: $7.50 SQS: $18.00 CloudWatch: $10.90 Total: $204.84 (price depends on region) | S3: $87.00 EC2 (m5.large, spot $0.048): $954.00 EBS: $64.00 SNS: $7.50 SQS: $18.00 CloudWatch: $40.40 Total: $1170.90 (price depends on region) |
| Support | At least $369.81 | Free | Free |
| Total | $12696.81 | $3,276.84 | $2,070.90 |
Detailed pricing model comparison
The following table shows the various aspects of the pricing models.
| Amazon GuardDuty Malware Protection for S3 | bucketAV powered by Sophos® | bucketAV powered by ClamAV® | |
|---|---|---|---|
| Scanning | $0.60 per GB $0.215 per 1,000 objects Price depends on region | $0.20 per GB $0.025 per vCPU hour | $0.025 per vCPU hour |
| Infrastructure | S3, EventBridge, GuardDuty3 | S3, EC2, EBS, SNS, SQS, CloudWatch Calculator | S3, EC2, EBS, SNS, SQS, CloudWatchh Calculator |
| Support | Developer: $29 or 3% of monthly AWS charges Business: $100 per month or 3-10% of monthly AWS charges Enterprise: $15,000 per month or 3-7% of monthly AWS charges | Free | Free |
Limitations
Last but not least, we dive into the technical limitations the products come with.
| Amazon GuardDuty Malware Protection for S3 | bucketAV powered by Sophos® | bucketAV powered by ClamAV® | |
|---|---|---|---|
| Maximum S3 object size | 5 GB | 5 TB | 2 GB |
| Maximum extracted archive size | 5 GB | limited by disk size only | limited by disk size only |
| Maximum number of files in an archive | 1,000 | unlimited | unlimited |
| Maximum archive depth level (archive inside archive inside archive…) | 5 | 100 | 160 |
Summary
bucketAV and Amazon GuardDuty Malware Protection for S3 are two solutions for Amazon S3 malware scanning, each with distinct features, operational models, and pricing. bucketAV, developed since 2015, offers comprehensive scan modes including real-time, scheduled, on-demand, and on-access scans, along with mitigation options such as tagging, deletion, and quarantining of infected files. It provides detailed reporting and integration capabilities and uses either Sophos or ClamAV engines. GuardDuty, released in June 2024, focuses on real-time scanning post-upload and uses tagging for mitigation, with more limited reporting and integration primarily through GuardDuty findings. GuardDuty is a managed AWS service, whereas bucketAV requires customer deployment and management within their AWS account. In terms of cost, GuardDuty is more cost-effective for tiny workloads, while bucketAV becomes more economical for non-tiny data volumes. Both services integrate with various AWS services for operational and reporting purposes, with bucketAV offering more extensive customization and developer support.
https://www.bitdefender.com/blog/businessinsights/bitdefender-and-amazon-web-services-strengthen-cloud-security/ ↩︎
SecurityHub findings are created only if GuardDuty findings are created and forwarded to SecurityHub. ↩︎
GuardDuty findings are created only if you subscribe to GuardDuty. ↩︎ ↩︎
GuardDuty does not allow 3rd parties like bucketAV to create findings. ↩︎ ↩︎
Last modified on September 2, 2024 | Published on June 24, 2024 | Written by Michael