Configuring Malware Protection for S3 for your bucket
For Malware Protection for S3 to scan and (optionally) add tags to your S3 objects, you can use a service role that has the necessary permissions to perform malware scan actions on your behalf. For more information about using service roles to enable Malware Protection for S3, see Service Access. This role is different from the GuardDuty Malware Protection service-linked role.
If you prefer to use IAM roles, you can attach an IAM role that includes the required permissions to scan and (optionally) add tags to your S3 objects. GuardDuty then assumes this IAM role to perform these actions on your behalf. You will need this IAM role name at the time of enabling this protection plan for your Amazon S3 bucket.
If you are using IAM roles, you must perform both of the steps listed in this section each time you want to protect an Amazon S3 bucket.
To enable Malware Protection for S3, you will need details such as the S3 bucket name, object prefixes if you want to focus the protection on specific prefixes, and the name of the IAM role with the required permissions.
The steps remain the same whether you get started with Malware Protection for S3 independently or enable it as a part of the GuardDuty service.