Troubleshooting Malware Protection plan status details - Amazon GuardDuty

Troubleshooting Malware Protection plan status details

For any protected bucket, GuardDuty displays a single Status value, chosen by severity ranking. For example, if a protected bucket has issues in both the Error and Warning categories, GuardDuty displays the issue associated with the Error status first.

The following table provides status details and the corresponding steps to resolve these issues. Each entry lists the Status, the Issue, the Status details shown in the console, and the Steps to troubleshoot.

Status: Warning

Issue: Unable to put test object

Status details: To validate the setup of the selected bucket, GuardDuty puts a test object in your bucket.

Steps to troubleshoot: To the selected IAM role, add the following permissions so that GuardDuty can put the test object to the selected resource:

    {
        "Sid": "AllowPutValidationObject",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET/malware-protection-resource-validation-object"
        ]
    }

Replace DOC-EXAMPLE-BUCKET with your Amazon S3 bucket name. For information about IAM role permissions, see Prerequisite - Create or update IAM PassRole policy.

It may take a few minutes for the Status column value to change to Active.

Status: Warning

Issue: Unable to monitor Malware Protection for S3 setup

Status details: The IAM role is missing permissions for GuardDuty to monitor the Malware Protection for S3 setup for this bucket.

Steps to troubleshoot: Add the following permissions to your IAM role:

    {
        "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
        "Effect": "Allow",
        "Action": [
            "events:PutRule",
            "events:DeleteRule",
            "events:PutTargets",
            "events:RemoveTargets"
        ],
        "Resource": [
            "arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
        ],
        "Condition": {
            "StringEquals": {
                "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
            }
        }
    },
    {
        "Sid": "AllowEnableS3EventBridgeEvents",
        "Effect": "Allow",
        "Action": [
            "s3:PutBucketNotification",
            "s3:GetBucketNotification"
        ],
        "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
        ]
    }

It may take a few minutes for the Status column value to change to Active.

Status: Error

Issue: EventBridge notification is disabled for this S3 bucket.

Status details: GuardDuty uses EventBridge to receive a notification when a new object gets uploaded to this S3 bucket. The permission to enable that notification is missing from your IAM role.

Steps to troubleshoot:

  • Option 1: Add the following permission statement to your IAM role:

        {
            "Sid": "AllowEnableS3EventBridgeEvents",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketNotification",
                "s3:GetBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
            ]
        }

    Replace DOC-EXAMPLE-BUCKET with your Amazon S3 bucket name.

  • Option 2: Enable EventBridge notification by using the Amazon S3 console.
    1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

    2. On the Buckets page, under the General purpose buckets tab, select the name of the bucket associated with this error.

    3. On the bucket page, choose the Properties tab.

    4. Under the Amazon EventBridge section, select Edit.

    5. On the Edit Amazon EventBridge page, for Send notification to Amazon EventBridge for all events in this bucket, select On.

    6. Choose Save changes.

It may take a few minutes for the Status column value to change to Active.

Status: Error

Issue: EventBridge managed rule to receive S3 bucket events is missing.

Status details: The IAM role is missing the permissions that GuardDuty needs to create and manage the EventBridge managed rule.

Steps to troubleshoot: Add the following permission statement to your IAM role:

    {
        "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
        "Effect": "Allow",
        "Action": [
            "events:PutRule",
            "events:DeleteRule",
            "events:PutTargets",
            "events:RemoveTargets"
        ],
        "Resource": [
            "arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
        ],
        "Condition": {
            "StringEquals": {
                "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
            }
        }
    }

It may take a few minutes for the Status column value to change to Active.

Status: Error

Issue: This S3 bucket no longer exists.

Status details: This S3 bucket was deleted from your account.

Steps to troubleshoot: If deleting the S3 bucket was not intentional, create a new bucket by using the Amazon S3 console.

After creating the bucket successfully, enable Malware Protection for S3 for it by following the steps on the Configuring Malware Protection for S3 for your bucket page.
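The following Python script is an added example for the Warning and Error entries above; it is not part of the AWS documentation and not GuardDuty's own code. It takes an IAM role policy document (the kind `aws iam get-role-policy` returns) and a bucket notification configuration (the kind `aws s3api get-bucket-notification-configuration` returns), and reports which of the three statement Sids from the table are not covered by the role, and whether EventBridge delivery is switched on for the bucket. Both inputs are constructed inline so it runs offline. The bucket name DOC-EXAMPLE-BUCKET, the Region us-east-1 and the account 111122223333 are the placeholder values from the page; the rule-name suffix `-example` and the helper names (`missing_permissions`, `eventbridge_enabled`) are assumptions of this example. Conditions such as `events:ManagedBy` and explicit Deny statements are not evaluated.

```python
import fnmatch
import json

# Placeholder values taken from the page; replace with your own.
BUCKET = "DOC-EXAMPLE-BUCKET"
REGION = "us-east-1"
ACCOUNT = "111122223333"


def required_permissions(bucket=BUCKET, region=REGION, account=ACCOUNT):
    """Actions, each with a concrete resource ARN it must be allowed on,
    grouped by the Sid used in the table's example statements. The rule name
    suffix after DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3 is an
    assumed value used only so wildcard resources can be tested."""
    rule_arn = (f"arn:aws:events:{region}:{account}:rule/"
                "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3-example")
    return {
        "AllowPutValidationObject": [
            ("s3:PutObject",
             f"arn:aws:s3:::{bucket}/malware-protection-resource-validation-object"),
        ],
        "AllowEnableS3EventBridgeEvents": [
            ("s3:PutBucketNotification", f"arn:aws:s3:::{bucket}"),
            ("s3:GetBucketNotification", f"arn:aws:s3:::{bucket}"),
        ],
        "AllowManagedRuleToSendS3EventsToGuardDuty": [
            (action, rule_arn)
            for action in ("events:PutRule", "events:DeleteRule",
                           "events:PutTargets", "events:RemoveTargets")
        ],
    }


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards are '*' and '?', which fnmatch understands; '[' is escaped
    # so fnmatch does not read it as a character class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def statement_allows(statement, action, resource):
    """True if an Allow statement grants `action` on `resource`.
    Conditions and explicit Deny statements are not evaluated here."""
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(_matches(a, action) for a in actions)
            and any(_matches(r, resource) for r in resources))


def missing_permissions(policy, bucket=BUCKET, region=REGION, account=ACCOUNT):
    """Return {Sid: [(action, resource), ...]} for every required permission
    that no statement in `policy` grants; an empty dict means nothing is missing."""
    statements = _as_list(policy.get("Statement", []))
    missing = {}
    for sid, needs in required_permissions(bucket, region, account).items():
        gaps = [(a, r) for a, r in needs
                if not any(statement_allows(s, a, r) for s in statements)]
        if gaps:
            missing[sid] = gaps
    return missing


def eventbridge_enabled(notification_config):
    """True if a GetBucketNotificationConfiguration response shows EventBridge
    delivery turned on: the API returns an EventBridgeConfiguration key (an
    empty object) when it is, and omits it otherwise."""
    return "EventBridgeConfiguration" in notification_config


# Constructed sample inputs: a role policy that covers the test object and the
# managed rule (scoped to one Region) but not the bucket notification actions,
# and a notification configuration with nothing set.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPutValidationObject", "Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/malware-protection-resource-validation-object"]},
        {"Sid": "AllowManagedRuleToSendS3EventsToGuardDuty", "Effect": "Allow",
         "Action": ["events:PutRule", "events:DeleteRule",
                    "events:PutTargets", "events:RemoveTargets"],
         "Resource": [f"arn:aws:events:{REGION}:{ACCOUNT}:rule/"
                      "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"],
         "Condition": {"StringEquals": {
             "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"}}},
    ],
}
SAMPLE_NOTIFICATION_CONFIG = {}  # constructed: EventBridge not enabled


if __name__ == "__main__":
    print(json.dumps(missing_permissions(SAMPLE_POLICY), indent=2))
    print("EventBridge enabled:", eventbridge_enabled(SAMPLE_NOTIFICATION_CONFIG))
```

For the constructed inputs the script reports that only AllowEnableS3EventBridgeEvents is uncovered, which matches the "EventBridge notification is disabled" entry, and that the bucket has EventBridge off, so Option 2 from that entry would still be needed even after the role is fixed. Feed it the real policy and notification JSON to see which entry of the table applies before editing anything.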