How to create an appropriate role for AWS Guardduty Malware s3?


To use the AWS Guardduty malware s3 scanner, the scanner needs a role with appropriate permissions.

We have 2 existing roles in the account for GuardDuty, AWSServiceRoleForAmazonGuardDuty and AWSServiceRoleForAmazonGuardDutyMalwareProtection. Both of these were created by GuardDuty, have a single permissions policy, and no new permissions policies can be attached.

If I try to create a new service-linked role for GuardDuty, again, I can't modify the role.

If I try to create a new custom role and attach the provided policy, it fails because no principal is specified.

How can I create a role and attach the policies so I can use this service?

1 answer

You shouldn't have to manually create a new role in order to use the AWS GuardDuty malware scanner for S3. The existing service-linked roles that were created by GuardDuty should automatically provide you with the necessary permissions (they aren't editable, since they're service-linked roles).

Then, depending on how you've enabled the GuardDuty malware scanner, it should automatically be able to invoke a malware scan.

What specific issues are you having with the scanner?

If you're having any specific permissions issues, I would check if the IAM user/role has the appropriate permissions to use GuardDuty and initiate scans.

This page may help more: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html

AWS
answered a month ago
EXPERT
reviewed a month ago
EXPERT
reviewed a month ago
  • I'm not having issues with the scanner; the issue is attaching policies to an existing role or creating a new one.

    The existing 'AmazonGuardDutyMalwareProtectionServiceRolePolicy' does not include the required permissions; I'm supposed to manually attach them. For example, it can't access the S3 bucket or the KMS encryption keys.

    I can't edit this policy, and I can't add new inline policies to the service-linked role it's associated with. Unlike other policies and roles, there are no buttons to do this. I have full permissions to modify IAM on the account.
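As an added example, not part of this thread: a trust policy of the shape a customer-managed role for GuardDuty Malware Protection for S3 needs (a Service principal plus source-account conditions), alongside a small linter that reports the "no principal" problem the question describes, i.e. a permissions policy being used where a trust policy belongs. The service principal name and the protection-plan ARN format are assumptions taken from AWS documentation, not from this page; the account ID and bucket name are constructed.

```python
# Assumptions (from AWS documentation, not from this thread): the service principal that
# GuardDuty Malware Protection for S3 assumes and the ARN shape of a malware protection plan.
GUARDDUTY_MP_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"

# Constructed sample: a permissions policy of the kind the question tried to use as a trust
# policy. It has no Principal, which is exactly why IAM rejects it as a trust document.
PERMISSIONS_POLICY_AS_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObjectTagging"],
     "Resource": "arn:aws:s3:::example-scan-bucket/*"}]}


def build_trust_policy(account_id: str) -> dict:
    """Trust policy for a customer-managed role that GuardDuty can assume. The Principal
    element is what a permissions policy lacks; the two Conditions pin the trust to this
    account's own protection plans (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": GUARDDUTY_MP_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:guardduty:*:{account_id}:malware-protection-plan/*"},
            },
        }],
    }


def trust_policy_findings(policy: dict, account_id: str) -> list:
    """Lint a trust policy document; an empty list means it looks acceptable."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal is None:
            findings.append("no Principal: this is a permissions policy, not a trust policy")
            continue
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any account could assume the role")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if GUARDDUTY_MP_PRINCIPAL in ([services] if isinstance(services, str) else services):
            if stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount") != account_id:
                findings.append("GuardDuty trust without an aws:SourceAccount condition")
    return findings
```

The permissions the role then needs for the bucket and its KMS key go in a separate permissions policy attached to the same role; the trust policy only says who may assume it.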
