1 answer
You shouldn't have to manually create a new role in order to use the AWS GuardDuty malware scanner for S3. The existing service-linked roles that were created by GuardDuty should automatically provide you with the necessary permissions (they aren't editable, since they're service-linked roles).
Then, depending on how you've enabled the GuardDuty malware scanner, it should automatically be able to invoke a malware scan.
What specific issues are you having with the scanner?
If you're having any specific permissions issues, I would check if the IAM user/role has the appropriate permissions to use GuardDuty and initiate scans.
This page may help more: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html
Answered 1 month ago
I'm not having issues with the scanner, the issue is attaching policies to an existing role or creating a new one.
The existing 'AmazonGuardDutyMalwareProtectionServiceRolePolicy' does not include the required permissions, I'm supposed to manually attach them. For example it can't access the S3 bucket or the KMS encryption keys.
I can't edit this policy, and I can't add new inline policies to the service-linked role it's associated with... unlike other policies and roles, there are no buttons to do this. I have full permissions to modify IAM on the account.
This link may be more helpful: https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-iam-policy-prerequisite.html
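Since the thread ends on "you have to create the role yourself", here is an added example (my code, not AWS's and not from either poster) that builds the trust policy and permissions policy such a role needs and then checks a candidate policy against a required-action checklist, which is the quickest way to see what a managed policy is missing for a given bucket. The service principal `malware-protection-plan.guardduty.amazonaws.com`, the `aws:SourceAccount`/`aws:SourceArn` conditions, the validation-object name and the EventBridge rule-name prefix are taken from the AWS documentation linked above as I recall it and must be verified against the current page; the account id, bucket name and KMS key ARN are constructed placeholders.

```python
"""Build and sanity-check the IAM role that GuardDuty Malware Protection for S3 assumes.

Added example for this thread, not AWS code. Service principal, condition keys,
resource names and action list follow the AWS docs linked in the comment above as
recalled at time of writing: verify against the current page. Account id, bucket
name and key ARN are constructed placeholders.
"""
import json
from typing import Optional, Set

# Assumption (from AWS docs): the principal that assumes the scan role.
SERVICE_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"

# Checklist of actions the scanner needs on the bucket, on EventBridge, and on KMS
# when the bucket uses SSE-KMS. Exact-match checklist; wildcard grants are not expanded.
REQUIRED_S3 = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
    "s3:GetBucketNotification", "s3:PutBucketNotification",
    "s3:PutObjectTagging", "s3:GetObjectTagging",
    "s3:PutObjectVersionTagging", "s3:GetObjectVersionTagging", "s3:PutObject",
}
REQUIRED_EVENTS = {
    "events:PutRule", "events:DeleteRule", "events:PutTargets",
    "events:RemoveTargets", "events:DescribeRule", "events:ListTargetsByRule",
}
REQUIRED_KMS = {"kms:GenerateDataKey", "kms:Decrypt"}


def trust_policy(account_id: str, region: str) -> dict:
    """Only the GuardDuty malware-protection service may assume the role, and only on
    behalf of malware-protection plans in this account/region (confused-deputy guard)."""
    plan_arn = f"arn:aws:guardduty:{region}:{account_id}:malware-protection-plan/*"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                      "ArnLike": {"aws:SourceArn": plan_arn}},
    }]}


def permissions_policy(bucket: str, account_id: str, region: str,
                       kms_key_arn: Optional[str] = None) -> dict:
    """Least-privilege permissions scoped to one bucket (and one key if SSE-KMS)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Rule-name prefix GuardDuty uses for the rule it manages (assumption from docs).
    rule_arn = (f"arn:aws:events:{region}:{account_id}:rule/"
                "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*")
    statements = [
        {"Sid": "ReadObjectsForScan", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": f"{bucket_arn}/*"},
        {"Sid": "TagScanResult", "Effect": "Allow",
         "Action": ["s3:PutObjectTagging", "s3:GetObjectTagging",
                    "s3:PutObjectVersionTagging", "s3:GetObjectVersionTagging"],
         "Resource": f"{bucket_arn}/*"},
        {"Sid": "CheckBucketAndNotifications", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketNotification", "s3:PutBucketNotification"],
         "Resource": bucket_arn},
        # Validation object name is an assumption from the docs; it is the only key
        # the role may write, so PutObject stays narrowly scoped.
        {"Sid": "PutValidationObject", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"{bucket_arn}/malware-protection-resource-validation-object"},
        {"Sid": "ManageEventBridgeRule", "Effect": "Allow",
         "Action": sorted(REQUIRED_EVENTS), "Resource": rule_arn},
    ]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptForScan", "Effect": "Allow",
            "Action": sorted(REQUIRED_KMS), "Resource": kms_key_arn,
            # Key may only be used through S3, not called directly.
            "Condition": {"StringLike": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def allowed_actions(policy: dict) -> Set[str]:
    """Flatten every Allow statement's Action field into one set."""
    actions: Set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt["Action"]
            actions.update([act] if isinstance(act, str) else act)
    return actions


def missing_actions(policy: dict, sse_kms: bool) -> Set[str]:
    """Required actions a candidate policy does not grant (exact names only)."""
    required = REQUIRED_S3 | REQUIRED_EVENTS | (REQUIRED_KMS if sse_kms else set())
    return required - allowed_actions(policy)


if __name__ == "__main__":
    acct, region, bucket = "123456789012", "us-east-1", "example-scan-bucket"  # placeholders
    key = f"arn:aws:kms:{region}:{acct}:key/00000000-0000-0000-0000-000000000000"
    for name, doc in (("trust.json", trust_policy(acct, region)),
                      ("permissions.json", permissions_policy(bucket, acct, region, key))):
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
    print("missing:", missing_actions(permissions_policy(bucket, acct, region, key), True))
    print("aws iam create-role --role-name GuardDutyS3ScanRole "
          "--assume-role-policy-document file://trust.json")
    print("aws iam put-role-policy --role-name GuardDutyS3ScanRole "
          "--policy-name GuardDutyS3Scan --policy-document file://permissions.json")
```

Run it once to get the two JSON files and the `aws iam` commands that apply them; then pass the new role's ARN when creating the malware protection plan. `missing_actions` only compares literal action names, so if you feed it a policy that uses wildcards it will over-report; that is deliberate, since a scan role should not carry wildcard grants anyway.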