Malware Protection for EC2 issues - Amazon GuardDuty

Malware Protection for EC2 issues

This section lists the errors that you may experience when setting up or using Malware Protection for EC2.

Missing required AWS Organizations management permission when enabling GuardDuty-initiated malware scan

When you manage multiple accounts by using AWS Organizations and you get the error "The request failed because you do not have required AWS Organization master permission.", you're missing the permission to enable GuardDuty-initiated malware scan for multiple accounts in your organization.

For information about providing permissions to the management account, see Establishing trusted access to enable GuardDuty-initiated malware scan.

I am initiating an On-demand malware scan but it results in a missing required permissions error.

If you receive an error suggesting that you do not have the required permissions to start an On-demand malware scan on an Amazon EC2 instance, verify that you've attached the AWS managed policy AmazonGuardDutyFullAccess to your IAM role.

If you're a member of an AWS organization and still receive the same error, contact your management account. For more information, see AWS Organizations SCP – Denied access.

I receive an iam:GetRole error while working with Malware Protection for EC2.

If you receive the error "Unable to get role: AWSServiceRoleForAmazonGuardDutyMalwareProtection", you're missing the permission to either enable GuardDuty-initiated malware scan or use On-demand malware scan. Verify that you've attached the AWS managed policy AmazonGuardDutyFullAccess to your IAM role.
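The two checks above (is AmazonGuardDutyFullAccess attached to the role, and can the role read the service-linked role) can be run as a short diagnostic. This is an added example, not AWS code or part of this documentation; it assumes boto3 and credentials for the role under test are configured, and the role name is given on the command line.

```python
"""Diagnose the Malware Protection for EC2 permission errors listed above.

Assumption (not from the page): boto3 is installed and credentials for the
role being checked are configured in the environment.
"""
import sys
from typing import Iterable, List

# Names taken from the page; the managed-policy ARN is the standard AWS form.
FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AmazonGuardDutyFullAccess"
SLR_NAME = "AWSServiceRoleForAmazonGuardDutyMalwareProtection"


def has_full_access(attached_policy_arns: Iterable[str]) -> bool:
    """True when AmazonGuardDutyFullAccess is among the role's attached managed policies."""
    return FULL_ACCESS_ARN in set(attached_policy_arns)


def classify_get_role_error(error_code: str) -> str:
    """Map the IAM error code from iam:GetRole on the service-linked role to the
    remediation the page gives. AccessDenied is the page's iam:GetRole case;
    NoSuchEntity is IAM's code for a role that has not been created yet."""
    if error_code == "AccessDenied":
        return "missing iam:GetRole: attach AmazonGuardDutyFullAccess to the IAM role"
    if error_code == "NoSuchEntity":
        return f"{SLR_NAME} does not exist yet; it is created when the feature is enabled"
    return f"unexpected error from iam:GetRole: {error_code}"


def diagnose(role_name: str) -> List[str]:
    """Live check against the account (needs boto3 + credentials); returns findings."""
    import boto3
    from botocore.exceptions import ClientError

    iam = boto3.client("iam")
    findings: List[str] = []
    paginator = iam.get_paginator("list_attached_role_policies")
    arns = [p["PolicyArn"] for page in paginator.paginate(RoleName=role_name)
            for p in page["AttachedPolicies"]]
    if not has_full_access(arns):
        findings.append(f"{role_name}: AmazonGuardDutyFullAccess is not attached")
    try:
        iam.get_role(RoleName=SLR_NAME)  # the page's "Unable to get role" check
    except ClientError as e:
        findings.append(classify_get_role_error(e.response["Error"]["Code"]))
    return findings


if __name__ == "__main__":
    for line in diagnose(sys.argv[1]) or ["no Malware Protection for EC2 permission problems found"]:
        print(line)
```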

I am a GuardDuty administrator account who needs to enable GuardDuty-initiated malware scan but doesn't use AWS managed policy: AmazonGuardDutyFullAccess to manage GuardDuty.