How to create an appropriate role for AWS GuardDuty Malware Protection for S3?

0

To use the AWS GuardDuty malware S3 scanner, the scanner needs a role with appropriate permissions.

We have 2 existing roles in the account for guard, AWSServiceRoleForAmazonGuardDuty and AWSServiceRoleForAmazonGuardDutyMalwareProtection. Both of these were created by GuardDuty, and have a single permissions policy and no new permissions policies can be attached.

If I try to create a new service-linked role for GuardDuty, again, I can't modify the role.

If I try to create a new custom role and attach the provided policy, it fails because no principal is specified.

How can I create a role and attach the policies so I can use this service?

1 answer
1

You shouldn't have to manually create a new role in order to use the AWS GuardDuty malware scanner for S3. The existing service-linked roles that were created by GuardDuty should automatically provide you with the necessary permissions (they aren't editable, since they're service-linked roles).

Then, depending on how you've enabled the GuardDuty malware scanner, it should automatically be able to invoke a malware scan.

What specific issues are you having with the scanner?

If you're having any specific permissions issues, I would check if the IAM user/role has the appropriate permissions to use GuardDuty and initiate scans.

This page may help more: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html

AWS
answered a month ago
EXPERT
verified a month ago
  • I'm not having issues with the scanner, the issue is attaching policies to an existing role or creating a new one.

    The existing 'AmazonGuardDutyMalwareProtectionServiceRolePolicy' does not include the required permissions, I'm supposed to manually attach them. For example it can't access the S3 bucket or the KMS encryption keys.

    I can't edit this policy, and I can't add new inline policies to the service-linked role it's associated with... unlike other policies and roles, there are no buttons to do this. I have full permissions to modify IAM on the account.
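The "no principal is specified" failure in the question is what IAM returns when a *permissions* policy (a document with no `Principal`) is supplied where a role's *trust* policy belongs. A custom role needs two separate documents: a trust policy naming the service that may assume it, and a permissions policy granting the S3 and KMS access the comment above says the service-linked role lacks. The following is an added example, not code from the thread or from AWS; the service principal name, the `aws:SourceArn` pattern and the action lists are assumptions taken from the AWS prerequisites documentation as recalled here and should be checked against the current docs, and the account, bucket, key and role names are constructed placeholders.

```python
"""Build the two IAM documents a custom role for GuardDuty Malware Protection
for S3 needs, check which one may serve as the trust policy, and create the
role through a boto3-style IAM client."""
import json

ACCOUNT_ID = "111122223333"            # constructed placeholder
BUCKET_NAME = "example-scan-bucket"    # constructed placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
ROLE_NAME = "GuardDutyMalwareProtectionS3Role"                           # placeholder
# Assumption: the service principal that Malware Protection for S3 assumes
SERVICE_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"


def trust_policy(account_id: str) -> dict:
    """Trust (assume-role) policy: WHO may assume the role.
    This is the document that must carry a Principal; it goes in
    --assume-role-policy-document / AssumeRolePolicyDocument."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            # Confused-deputy guard: only protection plans in this account
            # may assume the role (ARN pattern is an assumption).
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:guardduty:*:{account_id}:malware-protection-plan/*"},
            },
        }],
    }


def permissions_policy(bucket: str, kms_key_arn: str) -> dict:
    """Permissions policy: WHAT the role may do. It has no Principal, so it
    can only be attached with put-role-policy / attach-role-policy and is
    rejected if used as the trust document."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadAndTagObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion",
                        "s3:GetObjectTagging", "s3:PutObjectTagging"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "ListAndManageNotifications", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketNotification",
                        "s3:PutBucketNotification"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "DecryptSseKmsObjects", "Effect": "Allow",
             "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
             "Resource": kms_key_arn,
             # Scope the key grant to use through S3 only.
             "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict) -> list:
    """Return the reasons a document cannot serve as a role trust policy
    (empty list means usable). Reproduces the 'no principal' rejection the
    question describes when the permissions policy is put in the wrong slot."""
    problems = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if "Principal" not in stmt:
            problems.append(f"statement {i}: no Principal specified")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            problems.append(f"statement {i}: Action does not include sts:AssumeRole")
    return problems


def create_role(iam, role_name: str, account_id: str, bucket: str, kms_key_arn: str) -> str:
    """Create the role with the trust policy, then attach the permissions policy
    inline. `iam` is a boto3 IAM client or any object with the same two methods."""
    trust = trust_policy(account_id)
    problems = check_trust_policy(trust)
    if problems:
        raise ValueError(problems)
    resp = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust),
                           Description="Custom role for GuardDuty Malware Protection for S3")
    iam.put_role_policy(RoleName=role_name,
                        PolicyName="MalwareProtectionS3Access",
                        PolicyDocument=json.dumps(permissions_policy(bucket, kms_key_arn)))
    return resp["Role"]["Arn"]


if __name__ == "__main__":
    print("trust policy problems:", check_trust_policy(trust_policy(ACCOUNT_ID)))
    print("permissions policy used as trust policy:",
          check_trust_policy(permissions_policy(BUCKET_NAME, KMS_KEY_ARN)))
    print(json.dumps(trust_policy(ACCOUNT_ID), indent=2))
    print(json.dumps(permissions_policy(BUCKET_NAME, KMS_KEY_ARN), indent=2))
```

Run as-is it only prints the documents and the check results; to apply them, pass `boto3.client("iam")` to `create_role(...)` from an identity allowed to create roles. Keeping the `aws:SourceAccount` / `aws:SourceArn` conditions in the trust policy matters because the principal is a service, not an account: without them any protection plan in any account that the service acts for could in principle assume a role that can read and decrypt the bucket.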
