According to the shared responsibility model , if you use an encapsulated / managed service such as Amazon Relational Database Service an Abstract / serverless service such as Amazon S3 where the customer does not have access to the operating system, since AWS manages it, the Anti-malware (which is required by PCI-DSS certification), It is managed, updated, and monitored by AWS.
If you chose infrastructure services such as Amazon EC2 , then you’re responsible for the operating system Hardening, applying the patches of both the operating system and the applications that are there, and for implementing an anti-malware or EDR solution (Endpoint Detection and Response).
It is recommended for every instance to have an anti-malware / EDR solution to provide the ability to detect and stop attacks like ransomware , troyans and worms
There are numerous solutions from our partners such as Crowdstrike , McAfee or Trend Micro in the AWS Marketplace