How to create an appropriate role for AWS GuardDuty Malware Protection for S3?

To use the AWS GuardDuty S3 malware scanner, the scanner needs a role with appropriate permissions.

We have 2 existing roles in the account for GuardDuty, AWSServiceRoleForAmazonGuardDuty and AWSServiceRoleForAmazonGuardDutyMalwareProtection. Both of these were created by GuardDuty, and have a single permissions policy, and no new permissions policies can be attached.

If I try to create a new service-linked role for GuardDuty, again, I can't modify the role.

If I try to create a new custom role and attach the provided policy, it fails because no principal is specified.

How can I create a role and attach the policies so I can use this service?

Asked 1 month ago, 85 views
1 answer

You shouldn't have to manually create a new role in order to use the AWS GuardDuty malware scanner for S3. The existing service-linked roles that were created by GuardDuty should automatically provide you with the necessary permissions (they aren't editable, since they're service-linked roles).

Then, depending on how you've enabled the GuardDuty malware scanner, it should automatically be able to invoke a malware scan.

What specific issues are you having with the scanner?

If you're having any specific permissions issues, I would check if the IAM user/role has the appropriate permissions to use GuardDuty and initiate scans.

This page may help more: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html

AWS
Answered 1 month ago
  • I'm not having issues with the scanner; the issue is attaching policies to an existing role or creating a new one.

    The existing 'AmazonGuardDutyMalwareProtectionServiceRolePolicy' does not include the required permissions; I'm supposed to manually attach them. For example, it can't access the S3 bucket or the KMS encryption keys.

    I can't edit this policy, and I can't add new inline policies to the service-linked role it's associated with. Unlike other policies and roles, there are no buttons to do this. I have full permissions to modify IAM on the account.
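Worked example, added here and not code from this thread or from AWS: the custom role the question and the comment above describe needs two separate JSON documents. The trust policy is the one that names a Principal and is supplied as the role's AssumeRolePolicyDocument; the permissions policy is attached to the role afterwards and never carries a Principal. Supplying the GuardDuty-provided permissions policy in the trust-relationship field is exactly what produces a "no principal" error. The Python below builds both documents for a placeholder account, region, bucket and KMS key (all assumptions), checks the trust policy for the service principal and for the aws:SourceAccount/aws:SourceArn conditions that stop another account's protection plan from assuming the role (confused deputy), and creates the role through any object with the shape of boto3's IAM client. The service principal name and the statement layout follow the structure AWS documents for Malware Protection for S3; confirm the action list against the current documentation before use.

```python
"""Build and sanity-check the two IAM documents a custom GuardDuty
Malware Protection for S3 role needs: a trust policy (who may assume the
role) and a permissions policy (what it may do once assumed).

Added example, not code from the thread or from AWS. ACCOUNT_ID, REGION,
BUCKET and KMS_KEY_ARN are placeholders (assumptions). Service principal
and statement layout follow the structure AWS documents for Malware
Protection for S3; confirm against the current docs before use.
"""
import json

ACCOUNT_ID = "111122223333"                                  # placeholder
REGION = "us-east-1"                                         # placeholder
BUCKET = "example-scan-bucket"                               # placeholder
KMS_KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/"
               "00000000-0000-0000-0000-000000000000")       # placeholder

# Service principal GuardDuty uses when it assumes the role for S3 scanning.
MALWARE_PROTECTION_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"


def trust_policy(account_id: str, region: str) -> dict:
    """Trust policy: the only document that carries a Principal. Pasting the
    permissions policy here instead is what yields a 'no principal' error."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": MALWARE_PROTECTION_PRINCIPAL},
            "Action": "sts:AssumeRole",
            # Confused-deputy guard: only malware-protection plans in this
            # account and region may assume the role.
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:guardduty:{region}:{account_id}:malware-protection-plan/*"},
            },
        }],
    }


def permissions_policy(account_id: str, region: str, bucket: str, kms_key_arn: str) -> dict:
    """Permissions policy scoped to one bucket and one KMS key rather than '*'.
    This is the bucket/KMS access the service-linked role's policy lacks."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowManagedRuleToSendS3EventsToGuardDuty", "Effect": "Allow",
             "Action": ["events:PutRule", "events:DeleteRule",
                        "events:PutTargets", "events:RemoveTargets"],
             "Resource": f"arn:aws:events:{region}:{account_id}:rule/"
                         "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"},
            {"Sid": "AllowEnableS3EventBridgeEvents", "Effect": "Allow",
             "Action": ["s3:PutBucketNotification", "s3:GetBucketNotification"],
             "Resource": bucket_arn},
            {"Sid": "AllowCheckBucketOwnership", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": bucket_arn},
            {"Sid": "AllowMalwareScan", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             "Resource": f"{bucket_arn}/*"},
            {"Sid": "AllowPostScanTag", "Effect": "Allow",
             "Action": ["s3:PutObjectTagging", "s3:GetObjectTagging",
                        "s3:PutObjectVersionTagging", "s3:GetObjectVersionTagging"],
             "Resource": f"{bucket_arn}/*"},
            {"Sid": "AllowDecryptForScan", "Effect": "Allow",
             "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"],
             "Resource": kms_key_arn,
             # The key may only be used through S3 in this region.
             "Condition": {"StringLike": {"kms:ViaService": f"s3.{region}.amazonaws.com"}}},
        ],
    }


def check_trust_policy(doc: dict) -> list:
    """Problems that make IAM reject `doc` as a trust policy or leave it open
    to a cross-account AssumeRole. Empty list means it is acceptable."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not principal:
            problems.append("statement has no Principal (a permissions policy, not a trust policy)")
            continue
        if principal.get("Service") != MALWARE_PROTECTION_PRINCIPAL:
            problems.append(f"unexpected principal: {principal}")
        actions = stmt.get("Action", [])
        if "sts:AssumeRole" not in ([actions] if isinstance(actions, str) else actions):
            problems.append("statement does not allow sts:AssumeRole")
        cond = stmt.get("Condition", {})
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            problems.append("missing aws:SourceAccount condition")
        if "aws:SourceArn" not in cond.get("ArnLike", {}):
            problems.append("missing aws:SourceArn condition")
    return problems


def create_malware_protection_role(iam, role_name: str, trust: dict, perms: dict,
                                   policy_name: str = "GuardDutyMalwareProtectionS3") -> str:
    """Create the role with `trust` as its AssumeRolePolicyDocument, attach
    `perms` inline, and return the role ARN. `iam` is anything with boto3's
    IAM client shape (create_role / put_role_policy), e.g. boto3.client("iam")."""
    problems = check_trust_policy(trust)
    if problems:
        raise ValueError("refusing to create role: " + "; ".join(problems))
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust))
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(perms))
    return role["Role"]["Arn"]


if __name__ == "__main__":
    trust = trust_policy(ACCOUNT_ID, REGION)
    perms = permissions_policy(ACCOUNT_ID, REGION, BUCKET, KMS_KEY_ARN)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    # Reproduces the asker's failure: the permissions policy has no Principal.
    print(check_trust_policy(perms))
```

Run it directly to print both documents and to see the check reject the permissions policy when it is offered as a trust policy; pass a real `boto3.client("iam")` to `create_malware_protection_role` to create the role. The identity that later enables the protection plan and hands GuardDuty this role also needs `iam:PassRole` on the role's ARN; that is a separate grant on the caller, not on the role itself.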
