Troubleshooting Malware Protection plan status
For any protected bucket, GuardDuty displays the Status based on the ranking. For example, if a protected bucket has issues under both Error and Warning categories, GuardDuty will first display the issue that is associated with the Error status.
The following sections describe the errors and the warning that can appear in the Malware Protection plan status.
Errors
EventBridge notification is disabled for this S3 bucket
The associated status reason code is EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED.
- Status detail
  GuardDuty uses EventBridge to receive a notification when a new object is uploaded to this S3 bucket. Your IAM role is missing the permission that lets GuardDuty enable this EventBridge notification on the bucket.
- Steps to troubleshoot
  Option 1: Add the following permission statement to your IAM role:
      {
          "Sid": "AllowEnableS3EventBridgeEvents",
          "Effect": "Allow",
          "Action": [
              "s3:PutBucketNotification",
              "s3:GetBucketNotification"
          ],
          "Resource": [
              "arn:aws:s3:::amzn-s3-demo-bucket"
          ]
      }
  Replace amzn-s3-demo-bucket with your Amazon S3 bucket name.
  Option 2: Enable EventBridge notification by using the Amazon S3 console.
  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. On the Buckets page, under the General purpose buckets tab, select the bucket name associated with this error.
  3. On this bucket page, choose the Properties tab.
  4. Under the Amazon EventBridge section, select Edit.
  5. On the Edit Amazon EventBridge page, for Send notification to Amazon EventBridge for all events in this bucket, select On.
  6. Choose Save changes.
  It may take a few minutes for the Status column value to change to Active.
EventBridge managed rule to receive S3 bucket events is missing
The associated status reason code is EVENTBRIDGE_MANAGED_RULE_DISABLED.
- Status detail
  Your IAM role is missing the permissions that GuardDuty needs to set up and manage the EventBridge managed rule that delivers S3 bucket events.
- Steps to troubleshoot
  Add the following permission statement to your IAM role:
      {
          "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
          "Effect": "Allow",
          "Action": [
              "events:PutRule",
              "events:DeleteRule",
              "events:PutTargets",
              "events:RemoveTargets"
          ],
          "Resource": [
              "arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
          ],
          "Condition": {
              "StringEquals": {
                  "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
              }
          }
      }
  It may take a few minutes for the Status column value to change to Active.
S3 bucket no longer exists
The associated status reason code is PROTECTED_RESOURCE_DELETED.
- Status detail
  This S3 bucket was deleted from your account and no longer exists.
- Step to troubleshoot
  If deleting the S3 bucket was not intentional, you can create a new bucket by using the Amazon S3 console. After creating the bucket successfully, enable Malware Protection for S3 by following the steps under the Configuring Malware Protection for S3 for your bucket page.
Warning
Unable to put test object
The associated status reason code is INSUFFICIENT_TEST_OBJECT_PERMISSIONS.
Note
The permission to add a test object is optional. Missing this permission in your IAM role doesn't prevent Malware Protection for S3 from initiating a malware scan on a newly uploaded object. After a scan initiates successfully, it may take a few minutes for the Malware Protection plan Status to change from Warning to Active.
If the IAM role already includes this permission, then this warning indicates a restrictive Amazon S3 bucket policy that doesn't allow the IAM role to put the test object in this S3 bucket.
- Status detail
  To validate the setup of the selected bucket, GuardDuty puts a test object in your bucket.
- Steps to troubleshoot
  You can choose to update the IAM role to include the missing permission. Add the following permission statement to the selected IAM role so that GuardDuty can put the test object in the selected resource:
      {
          "Sid": "AllowPutValidationObject",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject"
          ],
          "Resource": [
              "arn:aws:s3:::amzn-s3-demo-bucket/malware-protection-resource-validation-object"
          ]
      }
  Replace amzn-s3-demo-bucket with your Amazon S3 bucket name. For information about IAM role permissions, see Create or update IAM role policy. It may take a few minutes for the Status column value to change to Active.
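The three permission statements on this page, together with the ranking rule at the top (an Error is shown before a Warning), can be checked against a role policy document before the plan is created, rather than by waiting for the Status column to turn red. The following script is an added example written for this page, not AWS or GuardDuty code. It is an offline, simplified IAM evaluator: it reads a policy document, tests whether each (action, resource) pair that a reason code depends on is allowed (explicit Deny wins, StringEquals is the only condition operator modelled, since that is all these statements use), and reports the reason codes whose grants are missing, Errors first. The bucket name, account ID, the suffix of the sample managed-rule ARN, and all function names are hypothetical; the Error/Warning classification follows the page's section order and its Note. It only sees the policy document, so it cannot detect the other two causes the page lists: a deleted bucket (PROTECTED_RESOURCE_DELETED) or a restrictive bucket policy.

```python
"""Offline checker for the IAM role statements that this troubleshooting page asks for.

Added example, not AWS code. Hypothetical: function names, the sample bucket, account ID
and rule-name suffix, and the Error/Warning ranking (from the page's sections and Note).
"""
import fnmatch
import json

# Constructed sample values; replace with your own bucket and account.
BUCKET = "amzn-s3-demo-bucket"
SAMPLE_RULE_ARN = ("arn:aws:events:us-east-1:123456789012:rule/"
                   "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3-sample")
MANAGED_BY = "malware-protection-plan.guardduty.amazonaws.com"
# GuardDuty displays the highest-ranked problem first: Errors before Warnings.
SEVERITY = {"Error": 0, "Warning": 1}

def required_grants(bucket):
    """Map each reason code to its severity and the (action, resource, context) it needs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    rule_ctx = {"events:ManagedBy": MANAGED_BY}
    return {
        "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED": ("Error", [
            ("s3:PutBucketNotification", bucket_arn, {}),
            ("s3:GetBucketNotification", bucket_arn, {})]),
        "EVENTBRIDGE_MANAGED_RULE_DISABLED": ("Error", [
            (action, SAMPLE_RULE_ARN, rule_ctx) for action in
            ("events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets")]),
        "INSUFFICIENT_TEST_OBJECT_PERMISSIONS": ("Warning", [
            ("s3:PutObject", f"{bucket_arn}/malware-protection-resource-validation-object", {})]),
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(statement, ctx):
    """Only StringEquals is modelled, which is all the statements on this page use."""
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(expected):
            return False
    return True

def allowed(policy, action, resource, ctx):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    decision = False
    for st in _as_list(policy.get("Statement", [])):
        if not _condition_ok(st, ctx):
            continue
        # Action names are case-insensitive, resource ARNs are not; both accept * and ?.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(st.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(st.get("Resource", [])))
        if action_hit and resource_hit:
            if st.get("Effect") == "Deny":
                return False
            decision = True
    return decision

def diagnose(policy, bucket=BUCKET):
    """Return (status, missing): reason codes whose grants are absent, Errors first."""
    missing = []
    for code, (severity, grants) in required_grants(bucket).items():
        lacking = [a for a, r, c in grants if not allowed(policy, a, r, c)]
        if lacking:
            missing.append((severity, code, lacking))
    missing.sort(key=lambda m: SEVERITY[m[0]])
    return (missing[0][0] if missing else "Active"), missing

# Constructed sample: the managed-rule and test-object statements from this page,
# without the bucket-notification statement.
PARTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowManagedRuleToSendS3EventsToGuardDuty", "Effect": "Allow",
         "Action": ["events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets"],
         "Resource": ["arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"],
         "Condition": {"StringEquals": {"events:ManagedBy": MANAGED_BY}}},
        {"Sid": "AllowPutValidationObject", "Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/malware-protection-resource-validation-object"]},
    ],
}

def complete_policy(bucket=BUCKET):
    """PARTIAL_POLICY plus the AllowEnableS3EventBridgeEvents statement from this page."""
    policy = json.loads(json.dumps(PARTIAL_POLICY))  # deep copy
    policy["Statement"].insert(0, {
        "Sid": "AllowEnableS3EventBridgeEvents", "Effect": "Allow",
        "Action": ["s3:PutBucketNotification", "s3:GetBucketNotification"],
        "Resource": [f"arn:aws:s3:::{bucket}"]})
    return policy

if __name__ == "__main__":
    for name, pol in (("partial", PARTIAL_POLICY), ("complete", complete_policy())):
        print(name, diagnose(pol))
```

Running it reports the partial policy as an Error with EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED (both s3 bucket-notification actions lacking), and the complete policy as Active. The managed-rule check deliberately passes the events:ManagedBy request context, so a statement that copies the actions but drops the Condition still matches, while a lookup with no context does not: the condition restricts GuardDuty's role to rules that the service itself manages, which is the least-privilege point of that statement. To use it on a real role, paste the role's inline or attached policy JSON in place of PARTIAL_POLICY.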