1 Answer
1
You shouldn't have to manually create a new role in order to use the AWS GuardDuty malware scanner for S3. The existing service-linked roles that were created by GuardDuty should automatically provide you with the necessary permissions (they aren't editable, since they're service-linked roles).
Then, depending on how you've enabled the GuardDuty malware scanner, it should automatically be able to invoke a malware scan.
What specific issues are you having with the scanner?
If you're having any specific permissions issues, I would check if the IAM user/role has the appropriate permissions to use GuardDuty and initiate scans.
This page may help more: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html
answered a month ago
I'm not having issues with the scanner, the issue is attaching policies to an existing role or creating a new one.
The existing 'AmazonGuardDutyMalwareProtectionServiceRolePolicy' does not include the required permissions, I'm supposed to manually attach them. For example it can't access the S3 bucket or the KMS encryption keys.
I can't edit this policy, and I can't add new inline policies to the service-linked role it's associated with... unlike other policies and roles, there are no buttons to do this. I have full permissions to modify IAM on the account.
This link may be more helpful: https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-iam-policy-prerequisite.html
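Since the service-linked role and its managed policy cannot be edited, the practical route the comment above points at is a dedicated IAM role that GuardDuty Malware Protection for S3 assumes, with a permissions policy scoped to the bucket and its KMS key. The following is an added example, not code from this thread or from AWS: it generates that trust policy and permissions policy as plain JSON, and includes a small offline check that reports which required (resource, action) pairs a policy does not cover. The service principal name, the list of required actions, the account ID, bucket name and key ARN are all assumptions or constructed placeholders; take the authoritative action list and principal from the documentation link in the comment.

```python
"""Added example (not from the re:Post thread or from AWS): builds the trust policy
and permissions policy for a dedicated IAM role that GuardDuty Malware Protection
for S3 can assume, and checks that a policy covers the actions a scan needs on the
bucket and its KMS key. Runs offline; nothing here talks to AWS."""
import fnmatch
import json

# Constructed placeholders; replace with your own values.
ACCOUNT_ID = "111122223333"
BUCKET = "example-protected-bucket"
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
# Assumed service principal for Malware Protection for S3; verify in the AWS docs.
GUARDDUTY_MP_PRINCIPAL = "malware-protection.guardduty.amazonaws.com"

# Assumed minimum: read and tag scanned objects, decrypt/encrypt with the bucket key.
# The documentation linked above is the source of truth for the complete list.
REQUIRED = {
    f"arn:aws:s3:::{BUCKET}/*": [
        "s3:GetObject", "s3:GetObjectVersion",
        "s3:PutObjectTagging", "s3:PutObjectVersionTagging",
    ],
    f"arn:aws:s3:::{BUCKET}": ["s3:ListBucket"],
    KMS_KEY_ARN: ["kms:Decrypt", "kms:GenerateDataKey"],
}


def trust_policy() -> dict:
    """Who may assume the role: only the GuardDuty service, and only on behalf of this account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": GUARDDUTY_MP_PRINCIPAL},
            "Action": "sts:AssumeRole",
            # Confused-deputy guard: GuardDuty in another account cannot assume this role.
            "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
        }],
    }


def permissions_policy(scoped: bool = True) -> dict:
    """What the role may do. scoped=False shows the weak 'Resource: *' variant to avoid."""
    statements = []
    for resource, actions in REQUIRED.items():
        statements.append({
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": resource if scoped else "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def missing_permissions(policy: dict, required: dict) -> list:
    """(resource, action) pairs not covered by any unconditional Allow statement.

    Handles IAM '*' and '?' wildcards in Action and Resource; Deny statements and
    Condition blocks are not modelled, so a clean result is necessary, not sufficient."""
    missing = []
    for resource, actions in required.items():
        for action in actions:
            covered = False
            for st in policy.get("Statement", []):
                if st.get("Effect") != "Allow" or "Condition" in st:
                    continue
                action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                                for a in _as_list(st.get("Action", [])))
                resource_ok = any(fnmatch.fnmatchcase(resource, r)
                                  for r in _as_list(st.get("Resource", [])))
                if action_ok and resource_ok:
                    covered = True
                    break
            if not covered:
                missing.append((resource, action))
    return missing


def wildcard_resource_statements(policy: dict) -> list:
    """Indexes of Allow statements that grant on Resource '*' (too broad for a scanner role)."""
    return [i for i, st in enumerate(policy.get("Statement", []))
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", []))]


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("missing:", missing_permissions(permissions_policy(), REQUIRED))
    print("broad statements:", wildcard_resource_statements(permissions_policy(scoped=False)))
```

Create the role with the trust policy, attach the permissions policy, and point the Malware Protection plan at that role instead of the service-linked one. The checker is deliberately conservative: it only recognises unconditional Allow statements, so use it to spot gaps before you click through the console, not as a replacement for the IAM policy simulator.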