Using tag-based access control (TBAC) with Malware Protection for S3
When enabling Malware Protection for S3 for your bucket, you can optionally choose to enable tagging. After attempting to scan a newly uploaded S3 object in the selected bucket, GuardDuty adds a tag to the scanned object to provide the malware scan status. There is a direct usage cost associated when you enable tagging. For more information, see Pricing and usage cost for Malware Protection for S3.
GuardDuty uses a predefined tag with the key GuardDutyMalwareScanStatus and, as the value, one of the malware scan statuses. For information about these values, see S3 object potential scan status and result status.
Considerations for GuardDuty to add a tag to your S3 object:
- By default, you can associate up to 10 tags with an object. For more information, see Categorizing your storage using tags in the Amazon S3 User Guide. If all 10 tags are already in use, GuardDuty can't add the predefined tag to the scanned object. GuardDuty still publishes the scan result to your default EventBridge event bus, so the result is not lost. For more information, see Monitoring S3 object scans with Amazon EventBridge.
- When the selected IAM role doesn't include the permission for GuardDuty to tag the S3 object, then even with tagging enabled for your protected bucket, GuardDuty is unable to add a tag to the scanned S3 object. For more information about the required IAM role permission for tagging, see Create or update IAM role policy. In this case too, GuardDuty still publishes the scan result to your default EventBridge event bus. For more information, see Monitoring S3 object scans with Amazon EventBridge.
Adding TBAC on S3 bucket resource
You can use S3 bucket resource policies to manage tag-based access control (TBAC) for your S3 objects, for example to allow only specific users to read an S3 object once its scan-status tag shows a clean result. If you have an organization that was created by using AWS Organizations, you must enforce that no one can modify the tags added by GuardDuty. For more information, see Preventing tags from being modified except by authorized principals in the AWS Organizations User Guide. The example used in the linked topic mentions ec2. When you use this example, replace ec2 with s3.
The following list explains what you can do by using TBAC:
- Prevent all users except the Malware Protection for S3 service principal (the IAM role you configured for the bucket) from reading S3 objects that do not yet carry the tag key GuardDutyMalwareScanStatus with a clean scan result. The example policy does this by denying s3:GetObject and s3:GetObjectVersion whenever the existing object tag is not NO_THREATS_FOUND. Because StringNotEquals also matches when the condition key is absent from the request, objects that have not been tagged at all (not yet scanned, or scanned without tagging permission) are denied as well.
- Allow only GuardDuty to add the tag key GuardDutyMalwareScanStatus, with the scan result as its value, to a scanned S3 object. The example policy denies s3:PutObjectTagging to every principal except the GuardDuty role. Any additional principal you add to that exception list can set or override the tag key-value pair, so keep the list to the principals that genuinely need it.
Example S3 bucket resource policy:
Replace the following placeholder values in the example policy:
- IAM-role-name - Provide the IAM role that you used for configuring Malware Protection for S3 in your bucket.
- 555555555555 - Provide the AWS account associated with the protected bucket.
- amzn-s3-demo-bucket - Provide the protected bucket name.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NoReadExceptForClean",
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND",
                    "aws:PrincipalArn": [
                        "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection",
                        "arn:aws:iam::555555555555:role/IAM-role-name"
                    ]
                }
            }
        },
        {
            "Sid": "OnlyGuardDutyCanTag",
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": "s3:PutObjectTagging",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection",
                        "arn:aws:iam::555555555555:role/IAM-role-name"
                    ]
                }
            }
        }
    ]
}
For more information about tagging your S3 resource, see Tagging and access control policies.
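The following Python script is an added example and is not part of the GuardDuty documentation. It fills the three placeholders of the bucket policy above from parameters, and then evaluates the two Deny statements offline against constructed requests, so you can confirm the intended outcomes before deploying: an untagged object is unreadable to a normal principal, a NO_THREATS_FOUND object is readable, a non-clean result stays unreadable, the GuardDuty role can read and tag regardless, and nobody else can call s3:PutObjectTagging. The evaluator models only what this policy uses (Deny statements, StringNotEquals, aws:PrincipalArn and s3:ExistingObjectTag/*) and assumes identity policies otherwise grant the action; the role name GuardDutyS3Role, the user analyst and the object key upload.bin are constructed sample values, and THREATS_FOUND is a GuardDuty scan status assumed from the status list the page links to rather than shown on this page.

```python
"""Build the GuardDuty TBAC bucket policy and check its Deny logic offline.

Added example, not GuardDuty's or AWS's own code. IAM semantics modelled:
- multiple keys under one operator are ANDed;
- StringNotEquals on a key that is absent from the request evaluates True.
"""
import json
from typing import Optional

TAG_KEY = "GuardDutyMalwareScanStatus"
CLEAN = "NO_THREATS_FOUND"


def build_policy(account_id: str, role_name: str, bucket: str) -> dict:
    """Return the documented bucket policy with the three placeholders filled in."""
    gd_principals = [
        f"arn:aws:iam::{account_id}:assumed-role/{role_name}/GuardDutyMalwareProtection",
        f"arn:aws:iam::{account_id}:role/{role_name}",
    ]
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NoReadExceptForClean",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": resources,
                "Condition": {"StringNotEquals": {
                    f"s3:ExistingObjectTag/{TAG_KEY}": CLEAN,
                    "aws:PrincipalArn": gd_principals,
                }},
            },
            {
                "Sid": "OnlyGuardDutyCanTag",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:PutObjectTagging",
                "Resource": resources,
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": gd_principals}},
            },
        ],
    }


def _resource_matches(pattern: str, resource: str) -> bool:
    """Exact match or the trailing '/*' wildcard form used by this policy."""
    return resource == pattern or (pattern.endswith("/*") and resource.startswith(pattern[:-1]))


def _string_not_equals(request_value: Optional[str], allowed) -> bool:
    """A missing request key makes the negated operator match: untagged objects are denied."""
    if request_value is None:
        return True
    allowed = [allowed] if isinstance(allowed, str) else allowed
    return request_value not in allowed


def evaluate(policy: dict, principal_arn: str, action: str, resource: str,
             object_tags: Optional[dict] = None) -> str:
    """Return "DENY" if any Deny statement matches the request, else "NOT_DENIED"."""
    object_tags = object_tags or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not any(_resource_matches(r, resource) for r in stmt["Resource"]):
            continue
        matched = True  # all condition keys under StringNotEquals must match (AND)
        for key, allowed in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
            if key == "aws:PrincipalArn":
                value = principal_arn
            elif key.startswith("s3:ExistingObjectTag/"):
                value = object_tags.get(key.split("/", 1)[1])  # None when the object lacks the tag
            else:
                raise ValueError(f"condition key not modelled: {key}")
            if not _string_not_equals(value, allowed):
                matched = False
                break
        if matched:
            return "DENY"
    return "NOT_DENIED"


if __name__ == "__main__":
    # Constructed sample values; replace with your account, role and bucket.
    policy = build_policy("555555555555", "GuardDutyS3Role", "amzn-s3-demo-bucket")
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::amzn-s3-demo-bucket/upload.bin"
    user = "arn:aws:iam::555555555555:user/analyst"
    gd = "arn:aws:iam::555555555555:assumed-role/GuardDutyS3Role/GuardDutyMalwareProtection"
    for label, args in [
        ("analyst reads untagged object", (user, "s3:GetObject", obj)),
        ("analyst reads clean object", (user, "s3:GetObject", obj, {TAG_KEY: CLEAN})),
        ("analyst reads flagged object", (user, "s3:GetObject", obj, {TAG_KEY: "THREATS_FOUND"})),
        ("GuardDuty role reads untagged object", (gd, "s3:GetObject", obj)),
        ("analyst tags object", (user, "s3:PutObjectTagging", obj)),
        ("GuardDuty role tags object", (gd, "s3:PutObjectTagging", obj)),
    ]:
        print(f"{label}: {evaluate(policy, *args)}")
```

Two points the run makes visible. First, the read restriction works for untagged objects only because StringNotEquals treats a missing tag as a mismatch; if you ever rewrite the first statement with a positive operator such as StringEquals on an Allow, untagged objects would fall through to whatever identity policies grant. Second, the second statement covers s3:PutObjectTagging, which S3 also requires when tags are supplied on upload via the x-amz-tagging header, but it does not cover s3:DeleteObjectTagging; a principal allowed to delete tags can strip NO_THREATS_FOUND and make a clean object unreadable until it is re-scanned, so consider denying that action to the same exception list.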