本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# AmazonGuardDutyMalwareProtectionServiceRolePolicy
**描述**: GuardDuty 恶意软件防护使用名为的服务关联角色 (SLR)。 AWSServiceRoleForAmazonGuardDutyMalwareProtection此服务相关角色允许 GuardDuty 恶意软件防护执行无代理扫描以检测恶意软件。它 GuardDuty 允许在您的帐户中创建快照,并与 GuardDuty 服务帐户共享快照以扫描恶意软件。它会评估这些共享快照,并将检索到的 EC2 实例元数据包含在 GuardDuty 恶意软件防护结果中。 AWSServiceRoleForAmazonGuardDutyMalwareProtection 服务相关角色信任恶意软件保护.guardduty.amazonaws.com 服务来代替该角色。
`AmazonGuardDutyMalwareProtectionServiceRolePolicy` 是一项 [AWS 托管式策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)。
## 使用此策略
此附加到服务相关角色的策略允许服务代表您执行操作。您无法将此策略附加到您的用户、组或角色。
## 策略详细信息
+ **类型**:服务相关角色策略
+ **创建时间**:2022 年 7 月 19 日 19:06 UTC
+ **编辑时间:**2024 年 1 月 25 日 22:24 UTC
+ **ARN**: `arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyMalwareProtectionServiceRolePolicy`
## 策略版本
**策略版本:**v2(默认)
此策略的默认版本是定义策略权限的版本。当使用该策略的用户或角色请求访问 AWS 资源时, AWS 会检查策略的默认版本以确定是否允许该请求。
## JSON 策略文档
```
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "DescribeAndListPermissions",
"Effect" : "Allow",
"Action" : [
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListTasks",
"ecs:DescribeTasks",
"eks:DescribeCluster"
],
"Resource" : "*"
},
{
"Sid" : "CreateSnapshotVolumeConditionalStatement",
"Effect" : "Allow",
"Action" : "ec2:CreateSnapshot",
"Resource" : "arn:aws:ec2:*:*:volume/*",
"Condition" : {
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
},
{
"Sid" : "CreateSnapshotConditionalStatement",
"Effect" : "Allow",
"Action" : "ec2:CreateSnapshot",
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:TagKeys" : "GuardDutyScanId"
}
}
},
{
"Sid" : "CreateTagsPermission",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : "arn:aws:ec2:*:*:*/*",
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : "CreateSnapshot"
}
}
},
{
"Sid" : "AddTagsToSnapshotPermission",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringLike" : {
"ec2:ResourceTag/GuardDutyScanId" : "*"
},
"ForAllValues:StringEquals" : {
"aws:TagKeys" : [
"GuardDutyExcluded",
"GuardDutyFindingDetected"
]
}
}
},
{
"Sid" : "DeleteAndShareSnapshotPermission",
"Effect" : "Allow",
"Action" : [
"ec2:DeleteSnapshot",
"ec2:ModifySnapshotAttribute"
],
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringLike" : {
"ec2:ResourceTag/GuardDutyScanId" : "*"
},
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
},
{
"Sid" : "PreventPublicAccessToSnapshotPermission",
"Effect" : "Deny",
"Action" : [
"ec2:ModifySnapshotAttribute"
],
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringEquals" : {
"ec2:Add/group" : "all"
}
}
},
{
"Sid" : "CreateGrantPermission",
"Effect" : "Allow",
"Action" : "kms:CreateGrant",
"Resource" : "arn:aws:kms:*:*:key/*",
"Condition" : {
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
},
"StringLike" : {
"kms:EncryptionContext:aws:ebs:id" : "snap-*"
},
"ForAllValues:StringEquals" : {
"kms:GrantOperations" : [
"Decrypt",
"CreateGrant",
"GenerateDataKeyWithoutPlaintext",
"ReEncryptFrom",
"ReEncryptTo",
"RetireGrant",
"DescribeKey"
]
},
"Bool" : {
"kms:GrantIsForAWSResource" : "true"
}
}
},
{
"Sid" : "ShareSnapshotKMSPermission",
"Effect" : "Allow",
"Action" : [
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource" : "arn:aws:kms:*:*:key/*",
"Condition" : {
"StringLike" : {
"kms:ViaService" : "ec2.*.amazonaws.com"
},
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
},
{
"Sid" : "DescribeKeyPermission",
"Effect" : "Allow",
"Action" : "kms:DescribeKey",
"Resource" : "arn:aws:kms:*:*:key/*"
},
{
"Sid" : "GuardDutyLogGroupPermission",
"Effect" : "Allow",
"Action" : [
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:PutRetentionPolicy"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/guardduty/*"
},
{
"Sid" : "GuardDutyLogStreamPermission",
"Effect" : "Allow",
"Action" : [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*"
},
{
"Sid" : "EBSDirectAPIPermissions",
"Effect" : "Allow",
"Action" : [
"ebs:GetSnapshotBlock",
"ebs:ListSnapshotBlocks"
],
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringLike" : {
"aws:ResourceTag/GuardDutyScanId" : "*"
},
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
}
]
}
```
## 了解更多信息
+ [了解 IAM policy 版本控制](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [开始使用 AWS 托管策略,转向最低权限权限](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)