How to create an appropriate role for AWS GuardDuty Malware S3?


To use the AWS GuardDuty malware S3 scanner, the scanner needs a role with appropriate permissions.

We have 2 existing roles in the account for GuardDuty, AWSServiceRoleForAmazonGuardDuty and AWSServiceRoleForAmazonGuardDutyMalwareProtection. Both of these were created by GuardDuty, and have a single permissions policy, and no new permissions policies can be attached.

If I try to create a new service-linked role for GuardDuty, again, I can't modify the role.

If I try to create a new custom role and attach the provided policy, it fails because no principal is specified.

How can I create a role and attach the policies so I can use this service?

1 answer

You shouldn't have to manually create a new role in order to use the AWS GuardDuty malware scanner for S3. The existing service-linked roles that were created by GuardDuty should automatically provide you with the necessary permissions (they aren't editable, since they're service-linked roles).

Then, depending on how you've enabled the GuardDuty malware scanner, it should automatically be able to invoke a malware scan.

What specific issues are you having with the scanner?

If you're having any specific permissions issues, I would check if the IAM user/role has the appropriate permissions to use GuardDuty and initiate scans.

This page may help more: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html

AWS, answered a month ago
  • I'm not having issues with the scanner, the issue is attaching policies to an existing role or creating a new one.

    The existing 'AmazonGuardDutyMalwareProtectionServiceRolePolicy' does not include the required permissions; I'm supposed to manually attach them. For example, it can't access the S3 bucket or the KMS encryption keys.

    I can't edit this policy, and I can't add new inline policies to the service-linked role it's associated with. Unlike other policies and roles, there are no buttons to do this. I have full permissions to modify IAM on the account.
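As an added example, not code from this thread or from AWS, the following POSIX shell script does with the AWS CLI what the question is trying to do: it writes a trust policy that names the GuardDuty Malware Protection service principal (the missing Principal that makes a plain "attach the provided policy" attempt fail), writes a permissions policy scoped to one bucket and one KMS key, checks the trust document before calling `create-role`, then creates the role, attaches the policy inline and prints the role ARN. The service principal `malware-protection-plan.guardduty.amazonaws.com`, the `aws:SourceAccount` condition and the exact action list are assumptions to verify against the GuardDuty prerequisites documentation; the role name, bucket, key ARN and account ID are script arguments.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread or from AWS. Creates a
# customer-managed IAM role that GuardDuty Malware Protection for S3 can assume.
# Assumptions (verify against the GuardDuty prerequisites docs before use):
#   - GuardDuty assumes the role as malware-protection-plan.guardduty.amazonaws.com
#   - the action list below is a starting point, not the authoritative one
#   - the aws:SourceAccount condition is a confused-deputy guard added here
# Usage: sh gd-s3-role.sh ROLE_NAME BUCKET_NAME KMS_KEY_ARN ACCOUNT_ID
set -eu

GD_PRINCIPAL="malware-protection-plan.guardduty.amazonaws.com"

# Trust policy. A role document with no Principal is rejected by create-role,
# and a role GuardDuty cannot assume is useless whatever permissions it carries.
write_trust_policy() {
  out="$1"; account="$2"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "$GD_PRINCIPAL" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "aws:SourceAccount": "$account" } }
    }
  ]
}
EOF
}

# Permissions policy scoped to one bucket and one KMS key, one Sid per concern
# so it is easy to diff against the documented policy.
write_permissions_policy() {
  out="$1"; bucket="$2"; key_arn="$3"; account="$4"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageScanEventRules",
      "Effect": "Allow",
      "Action": ["events:PutRule", "events:DeleteRule",
                 "events:PutTargets", "events:RemoveTargets"],
      "Resource": "arn:aws:events:*:$account:rule/*"
    },
    {
      "Sid": "ManageBucketNotifications",
      "Effect": "Allow",
      "Action": ["s3:GetBucketNotification", "s3:PutBucketNotification",
                 "s3:ListBucket"],
      "Resource": "arn:aws:s3:::$bucket"
    },
    {
      "Sid": "ReadAndTagObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion",
                 "s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
      "Resource": "arn:aws:s3:::$bucket/*"
    },
    {
      "Sid": "DecryptObjects",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "$key_arn",
      "Condition": { "StringLike": { "kms:ViaService": "s3.*.amazonaws.com" } }
    }
  ]
}
EOF
}

# Pre-flight check for the exact failure in the question: refuse to call
# create-role unless the trust document names the GuardDuty principal.
check_trust_policy() {
  grep -qF "\"Service\": \"$GD_PRINCIPAL\"" "$1"
}

create_role() {
  role="$1"; trust="$2"; perms="$3"
  check_trust_policy "$trust" || {
    echo "trust policy $trust does not name $GD_PRINCIPAL" >&2
    return 1
  }
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "file://$trust"
  aws iam put-role-policy --role-name "$role" \
    --policy-name GuardDutyMalwareProtectionS3 \
    --policy-document "file://$perms"
  # The ARN is what the Malware Protection for S3 plan asks for.
  aws iam get-role --role-name "$role" --query Role.Arn --output text
}

main() {
  tmp=$(mktemp -d)
  write_trust_policy "$tmp/trust.json" "$4"
  write_permissions_policy "$tmp/perms.json" "$2" "$3" "$4"
  create_role "$1" "$tmp/trust.json" "$tmp/perms.json"
}

if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

The IAM policy is only half of the KMS part of the question: for a customer-managed key, the key policy is evaluated alongside the role's identity policy, so the key policy must also grant this role `kms:Decrypt` and `kms:GenerateDataKey`, or scans of SSE-KMS objects will still be denied. The service-linked role and its `AmazonGuardDutyMalwareProtectionServiceRolePolicy` stay untouched; they cannot be edited, which is why the bucket- and key-scoped permissions go on a separate customer-managed role like the one above.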
