Enable VM Threat Detection for AWS

This page describes how to set up and use Virtual Machine Threat Detection to scan for malware in the persistent disks of Amazon Elastic Compute Cloud (EC2) VMs.

To enable VM Threat Detection for AWS, you need to create an AWS IAM role on the AWS platform, enable VM Threat Detection for AWS in Security Command Center, and then deploy a CloudFormation template on AWS.

Before you begin

To enable VM Threat Detection for use with AWS, you need certain IAM permissions, and Security Command Center must be connected to AWS.

Roles and permissions

To complete the setup of VM Threat Detection for AWS, you need to be granted roles with the necessary permissions in both Google Cloud and AWS.

Google Cloud roles

Make sure that you have the following role or roles on the organization: Security Center Admin Editor (roles/securitycenter.adminEditor)

Check for the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

AWS roles

In AWS, an AWS administrative user must create the AWS account that you need for enabling scans.

To create a role for VM Threat Detection in AWS, follow these steps:

  1. Using an AWS administrative user account, go to the IAM Roles page in the AWS Management Console.
  2. From the Service or Use Case menu, select Lambda.
  3. Add the following permission policies:
    • AmazonSSMManagedInstanceCore
    • AWSLambdaBasicExecutionRole
    • AWSLambdaVPCAccessExecutionRole
  4. Click Add Permission > Create Inline policy to create a new permission policy:
    1. Open the following page and copy the policy: Role policy for Vulnerability Assessment for AWS and VM Threat Detection.
    2. In the JSON Editor, paste the policy.
    3. Specify a name for the policy.
    4. Save the policy.
  5. Open the Trust Relationships tab.
  6. Paste in the following JSON object, adding it to any existing statement array:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1 or replace with a unique statementId",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudformation.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  7. Save the role.

You assign this role later when you install the CloudFormation template on AWS.
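Step 6 above says to add the trust statement to any existing statement array rather than replace it: a role created with the Lambda use case already trusts lambda.amazonaws.com, and overwriting that would break the Lambda functions the template deploys. The following Python is an added example, not code from this page or from Google Cloud or AWS; it merges the page's cloudformation.amazonaws.com statement into an existing trust policy without duplicating it or clashing with an existing Sid, and lists which services may then assume the role so you can verify the result before saving. The existing policy, the Sid value, and the function names are constructed for the example.

```python
import copy
import json

# Trust statement from this page. The Sid is a constructed unique id; the page
# tells you to replace its placeholder with one of your own.
VMTD_TRUST_STATEMENT = {
    "Sid": "VmThreatDetectionCloudFormation",
    "Effect": "Allow",
    "Principal": {"Service": "cloudformation.amazonaws.com"},
    "Action": "sts:AssumeRole",
}

# Constructed sample: the trust policy a role gets when it is created with the
# Lambda service use case, which must keep working after the merge.
EXISTING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows scalars or lists in Action/Principal fields; normalize to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _statements(policy):
    """The Statement field may be a single dict or a list; always return a list copy."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _equivalent(a, b):
    """Same grant if effect, principal, action and condition match; the Sid is a label only."""
    return all(a.get(k) == b.get(k) for k in ("Effect", "Principal", "Action", "Condition"))


def merge_trust_statement(policy, new_stmt):
    """Return a copy of policy with new_stmt appended to its Statement array.

    Idempotent: an equivalent statement already present is not added again, and a
    Sid that collides with an existing one is suffixed with a counter, because IAM
    rejects duplicate Sids within one policy. The input policy is not modified.
    """
    merged = copy.deepcopy(policy)
    merged.setdefault("Version", "2012-10-17")
    stmts = _statements(merged)
    if any(_equivalent(s, new_stmt) for s in stmts):
        merged["Statement"] = stmts
        return merged
    stmt = copy.deepcopy(new_stmt)
    taken = {s["Sid"] for s in stmts if "Sid" in s}
    base = stmt.get("Sid", "Statement")
    sid, n = base, 1
    while sid in taken:
        n += 1
        sid = f"{base}{n}"
    stmt["Sid"] = sid
    stmts.append(stmt)
    merged["Statement"] = stmts
    return merged


def trusted_services(policy):
    """Service principals that an Allow sts:AssumeRole statement lets assume the role.

    Checking this set after the merge confirms the role trusts exactly the services
    you expect (here Lambda and CloudFormation) and nothing broader.
    """
    services = set()
    for s in _statements(policy):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        principal = s.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


if __name__ == "__main__":
    merged = merge_trust_statement(EXISTING_TRUST_POLICY, VMTD_TRUST_STATEMENT)
    print(json.dumps(merged, indent=2))
    print("trusted services:", sorted(trusted_services(merged)))
```

Running the script prints the merged policy ready to paste into the Trust Relationships editor; running the merge a second time on its own output changes nothing, which is the property you want when the same automation is applied to several AWS accounts.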

Confirm Security Command Center is connected to AWS

VM Threat Detection requires access to the inventory of AWS resources that Cloud Asset Inventory maintains when you create an AWS connector.

If a connection is not already established, you are required to set one up when you enable VM Threat Detection for AWS.

To set up a connection, create an AWS connector.

Enable VM Threat Detection for AWS in Security Command Center

VM Threat Detection for AWS must be enabled on Google Cloud at the organization level.

Console

  1. In the Google Cloud console, go to the Virtual Machine Threat Detection Service Enablement page.

  2. Select your organization.

  3. Click the Amazon Web Services tab.

  4. In the Service Enablement section, in the Status field, select Enable.

  5. In the AWS connector section, verify that the status displays AWS Connector added.

    If the status displays No AWS connector added, click Add AWS connector. Complete the steps in Connect to AWS for configuration and resource data collection before you go to the next step.

gcloud

The gcloud scc manage services update command updates the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric identifier of the organization
  • NEW_STATE: ENABLED to enable VM Threat Detection for AWS; DISABLED to disable VM Threat Detection for AWS

Execute the gcloud scc manage services update command:

Linux, macOS, or Cloud Shell

gcloud scc manage services update vm-threat-detection-aws \
    --organization=ORGANIZATION_ID \
    --enablement-state=NEW_STATE

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection-aws `
    --organization=ORGANIZATION_ID `
    --enablement-state=NEW_STATE

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection-aws ^
    --organization=ORGANIZATION_ID ^
    --enablement-state=NEW_STATE

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
modules:
  MALWARE_DISK_SCAN_YARA_AWS:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
name: organizations/1234567890/locations/global/securityCenterServices/vm-threat-detection-aws
updateTime: '2025-03-21T18:45:52.033110465Z'

REST

The Security Command Center Management API's organizations.locations.securityCenterServices.patch method updates the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

  • QUOTA_PROJECT: the project ID to use for billing and quota tracking
  • ORGANIZATION_ID: the numeric identifier of the organization
  • NEW_STATE: ENABLED to enable VM Threat Detection for AWS; DISABLED to disable VM Threat Detection for AWS

HTTP method and URL:

PATCH https://securitycentermanagement.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/securityCenterServices/vm-threat-detection-aws?updateMask=intendedEnablementState

Request JSON body:

{
  "intendedEnablementState": "NEW_STATE"
}

You should receive a JSON response similar to the following:

{
  "name": "organizations/1234567890/locations/global/securityCenterServices/vm-threat-detection-aws",
  "intendedEnablementState": "ENABLED",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "MALWARE_DISK_SCAN_YARA_AWS": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2025-03-21T18:45:52.033110465Z"
}

If you have already enabled the Vulnerability Assessment for AWS service and have deployed the CloudFormation template as part of that feature, then you are done setting up VM Threat Detection for AWS.

Otherwise, wait six hours and then perform the next task: download the CloudFormation template.

Download the CloudFormation template

Perform this task at least six hours after enabling VM Threat Detection for AWS.

  1. In the Google Cloud console, go to the Virtual Machine Threat Detection Service Enablement page.

  2. Select your organization.

  3. Click the Amazon Web Services tab.

  4. In the Deploy CloudFormation template section, click Download CloudFormation template. A JSON template is downloaded to your workstation. You need to deploy the template in each AWS account that you need to scan.

Deploy the AWS CloudFormation template

Perform these steps at least six hours after creating an AWS connector.

For detailed information about how to deploy a CloudFormation template, see Create a stack from the CloudFormation console in the AWS documentation.

  1. Go to the AWS CloudFormation Template page in the AWS Management Console.
  2. Click Stacks > With new resources (standard).
  3. On the Create stack page, select Choose an existing template and Upload a template file to upload the CloudFormation template.
  4. After the upload is complete, enter a unique stack name. Don't modify any other parameters in the template.
  5. Select Specify stack details. The Configure stack options page opens.
  6. Under Permissions, select the AWS role that you created previously.
  7. If prompted, check the box for acknowledgement.
  8. Click Submit to deploy the template. The stack takes a few minutes to start running.

The status of the deployment is displayed in the AWS console. If the CloudFormation template fails to deploy, see Troubleshooting.

After scans start running, if any threats are detected, the corresponding findings are generated and displayed on the Security Command Center Findings page in the Google Cloud console. For more information, see Review findings in the Google Cloud console.

Manage modules

This section describes how to enable or disable modules and view their settings.

Enable or disable a module

After you enable or disable a module, it can take up to an hour for your changes to take effect.

For information about all VM Threat Detection threat findings and the modules that generate them, see Threat findings.

Console

The Google Cloud console lets you enable or disable VM Threat Detection modules at the organization level.

  1. In the Google Cloud console, go to the Modules page.

  2. Select your organization.

  3. On the Modules tab, in the Status column, select the current status of the module that you want to enable or disable, and then select one of the following:

    • Enable: Enable the module.
    • Disable: Disable the module.

gcloud

The gcloud scc manage services update command updates the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric identifier of the organization
  • MODULE_NAME: the name of the module to enable or disable—for example, MALWARE_DISK_SCAN_YARA_AWS. Valid values include only the modules in Threat findings that support AWS.
  • NEW_STATE: ENABLED to enable the module; DISABLED to disable the module

Save the following content in a file called request.json:

{
  "MODULE_NAME": {
    "intendedEnablementState": "NEW_STATE"
  }
}

Execute the gcloud scc manage services update command:

Linux, macOS, or Cloud Shell

gcloud scc manage services update vm-threat-detection-aws \
    --organization=ORGANIZATION_ID \
    --enablement-state=ENABLED \
    --module-config-file=request.json

Windows (PowerShell)

gcloud scc manage services update vm-threat-detection-aws `
    --organization=ORGANIZATION_ID `
    --enablement-state=ENABLED `
    --module-config-file=request.json

Windows (cmd.exe)

gcloud scc manage services update vm-threat-detection-aws ^
    --organization=ORGANIZATION_ID ^
    --enablement-state=ENABLED ^
    --module-config-file=request.json

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
modules:
  MALWARE_DISK_SCAN_YARA_AWS:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
name: organizations/1234567890/locations/global/securityCenterServices/vm-threat-detection-aws
updateTime: '2025-03-21T18:45:52.033110465Z'

REST

The Security Command Center Management API's organizations.locations.securityCenterServices.patch method updates the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

  • QUOTA_PROJECT: the project ID to use for billing and quota tracking
  • ORGANIZATION_ID: the numeric identifier of the organization
  • MODULE_NAME: the name of the module to enable or disable—for example, MALWARE_DISK_SCAN_YARA_AWS. Valid values include only the modules in Threat findings that support AWS.
  • NEW_STATE: ENABLED to enable the module; DISABLED to disable the module

HTTP method and URL:

PATCH https://securitycentermanagement.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/securityCenterServices/vm-threat-detection-aws?updateMask=modules

Request JSON body:

{
  "modules": {
    "MODULE_NAME": {
      "intendedEnablementState": "NEW_STATE"
    }
  }
}

You should receive a JSON response similar to the following:

{
  "name": "organizations/1234567890/locations/global/securityCenterServices/vm-threat-detection-aws",
  "intendedEnablementState": "ENABLED",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "MALWARE_DISK_SCAN_YARA_AWS": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2025-03-21T18:45:52.033110465Z"
}

View the settings of VM Threat Detection for AWS modules

For information about all VM Threat Detection threat findings and the modules that generate them, see Threat findings.

Console

The Google Cloud console lets you view settings for VM Threat Detection modules at the organization level.

  1. In the Google Cloud console, go to the Modules page.

  2. Select your organization.

gcloud

The gcloud scc manage services describe command gets the state of a Security Command Center service or module.

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric identifier of the organization to get

Execute the gcloud scc manage services describe command:

Linux, macOS, or Cloud Shell

gcloud scc manage services describe vm-threat-detection-aws \
    --organization=ORGANIZATION_ID

Windows (PowerShell)

gcloud scc manage services describe vm-threat-detection-aws `
    --organization=ORGANIZATION_ID

Windows (cmd.exe)

gcloud scc manage services describe vm-threat-detection-aws ^
    --organization=ORGANIZATION_ID

You should receive a response similar to the following:

effectiveEnablementState: ENABLED
intendedEnablementState: ENABLED
modules:
  MALWARE_DISK_SCAN_YARA_AWS:
    effectiveEnablementState: ENABLED
    intendedEnablementState: ENABLED
name: organizations/1234567890/locations/global/securityCenterServices/vm-threat-detection-aws
updateTime: '2025-03-21T18:45:52.033110465Z'

REST

The Security Command Center Management API's organizations.locations.securityCenterServices.get method gets the state of a Security Command Center service or module.

Before using any of the request data, make the following replacements:

  • QUOTA_PROJECT: the project ID to use for billing and quota tracking
  • ORGANIZATION_ID: the numeric identifier of the organization to get

HTTP method and URL:

GET https://securitycentermanagement.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/securityCenterServices/vm-threat-detection-aws

You should receive a JSON response similar to the following:

{
  "name": "organizations/1234567890/locations/global/securityCenterServices/vm-threat-detection-aws",
  "intendedEnablementState": "ENABLED",
  "effectiveEnablementState": "ENABLED",
  "modules": {
    "MALWARE_DISK_SCAN_YARA_AWS": {
      "intendedEnablementState": "ENABLED",
      "effectiveEnablementState": "ENABLED"
    }
  },
  "updateTime": "2025-03-21T18:45:52.033110465Z"
}
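The REST sections above (enabling the service, enabling or disabling a module, and viewing the settings) all return the same resource shape, and the detail that matters operationally is the pair of fields in it: intendedEnablementState is what you asked for, effectiveEnablementState is what is actually in force, and the page notes that a module change can take up to an hour to apply. The following Python is an added example, not code from this page or from the Security Command Center Management API client libraries; it builds the PATCH URL and body for either update with a matching updateMask, validates the module config that the gcloud variant reads from request.json, and reports any scope where the effective state has not yet caught up with the intended one. The sample responses are constructed in the page's shape, and the function names are this example's own.

```python
import json

API = "https://securitycentermanagement.googleapis.com/v1"
SERVICE = "vm-threat-detection-aws"
VALID_STATES = ("ENABLED", "DISABLED")

# Constructed sample in the shape this page shows for the get and patch responses
# (the organization id is the page's placeholder value).
HEALTHY_RESPONSE = {
    "name": "organizations/1234567890/locations/global/securityCenterServices/vm-threat-detection-aws",
    "intendedEnablementState": "ENABLED",
    "effectiveEnablementState": "ENABLED",
    "modules": {
        "MALWARE_DISK_SCAN_YARA_AWS": {
            "intendedEnablementState": "ENABLED",
            "effectiveEnablementState": "ENABLED",
        }
    },
    "updateTime": "2025-03-21T18:45:52.033110465Z",
}

# Constructed sample of the state worth catching: the update was accepted
# but the module is not yet effectively enabled, so no scans will run.
DRIFTED_RESPONSE = {
    **HEALTHY_RESPONSE,
    "modules": {
        "MALWARE_DISK_SCAN_YARA_AWS": {
            "intendedEnablementState": "ENABLED",
            "effectiveEnablementState": "DISABLED",
        }
    },
}


def service_url(organization_id, update_mask=None):
    """Resource URL from this page; with update_mask it is the PATCH URL."""
    url = f"{API}/organizations/{organization_id}/locations/global/securityCenterServices/{SERVICE}"
    return f"{url}?updateMask={update_mask}" if update_mask else url


def module_config(modules):
    """Body saved as request.json for --module-config-file (also the 'modules' PATCH field).

    Rejects any state other than ENABLED or DISABLED so a typo fails locally
    instead of producing a confusing API error.
    """
    body = {}
    for name, state in modules.items():
        if state not in VALID_STATES:
            raise ValueError(f"{name}: state must be one of {VALID_STATES}, got {state!r}")
        body[name] = {"intendedEnablementState": state}
    return body


def patch_request(organization_id, service_state=None, modules=None):
    """(url, json_body) for the PATCH call; updateMask names exactly the fields sent."""
    mask, body = [], {}
    if service_state is not None:
        if service_state not in VALID_STATES:
            raise ValueError(f"service state must be one of {VALID_STATES}, got {service_state!r}")
        mask.append("intendedEnablementState")
        body["intendedEnablementState"] = service_state
    if modules:
        mask.append("modules")
        body["modules"] = module_config(modules)
    if not mask:
        raise ValueError("nothing to update")
    return service_url(organization_id, ",".join(mask)), body


def drift(response):
    """(scope, intended, effective) for every scope whose effective state differs.

    An empty list means the service and all its modules are in the state you asked
    for; anything else is the first thing to look at before the Troubleshooting steps.
    """
    out = []
    intended, effective = response.get("intendedEnablementState"), response.get("effectiveEnablementState")
    if intended != effective:
        out.append(("service", intended, effective))
    for name, m in sorted(response.get("modules", {}).items()):
        if m.get("intendedEnablementState") != m.get("effectiveEnablementState"):
            out.append((name, m.get("intendedEnablementState"), m.get("effectiveEnablementState")))
    return out


if __name__ == "__main__":
    url, body = patch_request("ORGANIZATION_ID", modules={"MALWARE_DISK_SCAN_YARA_AWS": "ENABLED"})
    print("PATCH", url)
    print(json.dumps(body, indent=2))
    print("healthy drift:", drift(HEALTHY_RESPONSE))
    print("drifted:", drift(DRIFTED_RESPONSE))
```

Feed the JSON body of a real get response to drift() after the waiting period the page describes; a non-empty result on the service scope means the enablement itself has not applied, while a module-only mismatch points at the module setting rather than the AWS connector or the CloudFormation stack.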

Troubleshooting

If you enabled the VM Threat Detection service, but scans are not running, check the following:

  • Check that the AWS connector is properly set up.
  • Confirm that the CloudFormation template stack deployed completely. Its status in the AWS account should be CREATION_COMPLETE.

What's next