Create or update IAM role policy - Amazon GuardDuty

Create or update IAM role policy

For Malware Protection for S3 to scan and (optionally) add tags to your S3 objects, you can use service roles that have the necessary permissions to perform malware scan actions on your behalf. For more information about using service roles to enable Malware Protection for S3, see Service Access. This role is different from the GuardDuty Malware Protection service-linked role.

If you prefer to use IAM roles, you can attach an IAM role that includes the required permissions to scan and (optionally) add tags to your S3 objects. You must create an IAM role or update an existing role to include these permissions. Because these permissions are required for each Amazon S3 bucket for which you enable Malware Protection for S3, you need to perform this step for each Amazon S3 bucket that you want to protect.

The following list explains how certain permissions help GuardDuty perform the malware scan on your behalf:

  • Allow Amazon EventBridge actions to create and manage the EventBridge managed rule so that Malware Protection for S3 can listen to your S3 object notifications.

    For more information, see Amazon EventBridge managed rules in the Amazon EventBridge User Guide.

  • Allow Amazon S3 and EventBridge actions to send notifications to EventBridge for all events in this bucket.

    For more information, see Enabling Amazon EventBridge in the Amazon S3 User Guide.

  • Allow Amazon S3 actions to access the uploaded S3 object and add a predefined tag, GuardDutyMalwareScanStatus, to the scanned S3 object. When using an object prefix, add an s3:prefix condition on the targeted prefixes only. This prevents GuardDuty from accessing all the S3 objects in your bucket.

  • Allow AWS KMS key actions so that GuardDuty can access the object before scanning it and can put a test object in buckets that use the supported DSSE-KMS and SSE-KMS encryption.

Note

This step is required each time you enable Malware Protection for S3 for a bucket in your account. If you already have an existing IAM role, you can update its policy to include the details of another Amazon S3 bucket resource. The Adding IAM policy permissions topic provides an example of how to do this.

Use the following policies to create or update an IAM role.

Adding IAM policy permissions

You can choose to update the inline policy of an existing IAM role, or create a new IAM role. For information about the steps, see Creating an IAM role or Modifying a role permissions policy in the IAM User Guide.

Add the following permissions template to your preferred IAM role. Replace the following placeholder values with appropriate values associated with your account:

  • For amzn-s3-demo-bucket, replace with your Amazon S3 bucket name.

    To use the same IAM role for more than one S3 bucket resource, update an existing policy as displayed in the following example:

    ...
    ...
    "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "arn:aws:s3:::amzn-s3-demo-bucket2/*"
    ],
    ...
    ...

    Make sure to add a comma (,) before adding a new ARN associated with the S3 bucket. Do this wherever you refer to an S3 bucket Resource in the policy template.

  • For 111122223333, replace with your AWS account ID.

  • For us-east-1, replace with your AWS Region.

  • For APKAEIBAERJR2EXAMPLE, replace with your customer managed key ID. If your S3 bucket is encrypted by using an AWS KMS key, we add the relevant permissions if you choose the Create a new role option when configuring malware protection for your bucket.

    "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"

IAM role policy template

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
            "Effect": "Allow",
            "Action": [
                "events:PutRule",
                "events:DeleteRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
            ],
            "Condition": {
                "StringLike": {
                    "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:ListTargetsByRule"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
            ]
        },
        {
            "Sid": "AllowPostScanTag",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectTagging",
                "s3:GetObjectTagging",
                "s3:PutObjectVersionTagging",
                "s3:GetObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        },
        {
            "Sid": "AllowEnableS3EventBridgeEvents",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketNotification",
                "s3:GetBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
        },
        {
            "Sid": "AllowPutValidationObject",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/malware-protection-resource-validation-object"
            ]
        },
        {
            "Sid": "AllowCheckBucketOwnership",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
        },
        {
            "Sid": "AllowMalwareScan",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        },
        {
            "Sid": "AllowDecryptForMalwareScan",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/APKAEIBAERJR2EXAMPLE",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}
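The template above has to be edited by hand for every bucket, account ID, Region and KMS key, and the page warns about the easy-to-miss comma when a second bucket ARN is added. The following script is an added example, not code from the GuardDuty documentation or from AWS: it generates the same statements (same Sids, actions and conditions as the template) for a list of buckets, substitutes the account, Region and optional key ID, and includes a small review check that flags wildcard S3 or KMS resources so that the role stays scoped to the buckets and key you intend to protect. The bucket names, account ID, Region and key ID in the usage block are the placeholder values from this page, not real resources.

```python
import json

# Values taken from the IAM role policy template on this page.
SERVICE_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"
RULE_ARN = "arn:aws:events:{region}:{account}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
VALIDATION_OBJECT = "malware-protection-resource-validation-object"


def build_role_policy(buckets, account_id, region, kms_key_id=None):
    """Return the Malware Protection for S3 role policy as a dict.

    Every statement that refers to a bucket gets one ARN per bucket, which is
    the manual edit the page describes for reusing one role across buckets.
    The KMS statement is only emitted when a key ID is supplied (an
    unencrypted bucket does not need it; this is the author's assumption).
    """
    if not buckets:
        raise ValueError("at least one bucket name is required")
    bucket_arns = [f"arn:aws:s3:::{name}" for name in buckets]
    object_arns = [f"{arn}/*" for arn in bucket_arns]
    validation_arns = [f"{arn}/{VALIDATION_OBJECT}" for arn in bucket_arns]
    rule_arn = RULE_ARN.format(region=region, account=account_id)

    statements = [
        {"Sid": "AllowManagedRuleToSendS3EventsToGuardDuty", "Effect": "Allow",
         "Action": ["events:PutRule", "events:DeleteRule",
                    "events:PutTargets", "events:RemoveTargets"],
         "Resource": [rule_arn],
         # Only rules managed by the Malware Protection service principal.
         "Condition": {"StringLike": {"events:ManagedBy": SERVICE_PRINCIPAL}}},
        {"Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule", "Effect": "Allow",
         "Action": ["events:DescribeRule", "events:ListTargetsByRule"],
         "Resource": [rule_arn]},
        {"Sid": "AllowPostScanTag", "Effect": "Allow",
         "Action": ["s3:PutObjectTagging", "s3:GetObjectTagging",
                    "s3:PutObjectVersionTagging", "s3:GetObjectVersionTagging"],
         "Resource": object_arns},
        {"Sid": "AllowEnableS3EventBridgeEvents", "Effect": "Allow",
         "Action": ["s3:PutBucketNotification", "s3:GetBucketNotification"],
         "Resource": bucket_arns},
        {"Sid": "AllowPutValidationObject", "Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": validation_arns},
        {"Sid": "AllowCheckBucketOwnership", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": bucket_arns},
        {"Sid": "AllowMalwareScan", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": object_arns},
    ]
    if kms_key_id:
        statements.append({
            "Sid": "AllowDecryptForMalwareScan", "Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": f"arn:aws:kms:{region}:{account_id}:key/{kms_key_id}",
            # Key use is only allowed when S3 in this Region calls KMS on the role's behalf.
            "Condition": {"StringLike": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def build_trust_policy():
    """Trust policy from this page: only the Malware Protection principal may assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": SERVICE_PRINCIPAL},
                           "Action": "sts:AssumeRole"}]}


def find_wildcard_resources(policy):
    """Review helper: return (Sid, resource) pairs whose S3 or KMS resource is a
    wildcard, i.e. the role could reach every bucket or every key in the account
    instead of the bucket and key ID the page tells you to fill in."""
    findings = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*" or res.startswith("arn:aws:s3:::*") or res.endswith(":key/*"):
                findings.append((stmt["Sid"], res))
    return findings


if __name__ == "__main__":
    # Placeholder values from the page; replace with your own when generating a real policy.
    policy = build_role_policy(["amzn-s3-demo-bucket", "amzn-s3-demo-bucket2"],
                               "111122223333", "us-east-1", "APKAEIBAERJR2EXAMPLE")
    print(json.dumps(policy, indent=4))
    print(json.dumps(build_trust_policy(), indent=4))
    print("wildcard resources:", find_wildcard_resources(policy))
```

Paste the printed role policy into the role's inline policy and the trust policy into its trust relationship, exactly as the page describes for the hand-edited template; `json.dumps` guarantees the commas between ARNs are right. Run `find_wildcard_resources` on any policy you are about to attach: an empty list means every S3 and KMS statement is pinned to named buckets and a named key.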

Adding Trust relationship policy

Attach the following trust policy to your IAM role. For information about the steps, see Modifying a role trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "malware-protection-plan.guardduty.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}