How to create an appropriate role for AWS GuardDuty Malware S3?

0

To use the AWS GuardDuty malware S3 scanner, the scanner needs a role with appropriate permissions.

We have 2 existing roles in the account for GuardDuty, AWSServiceRoleForAmazonGuardDuty and AWSServiceRoleForAmazonGuardDutyMalwareProtection. Both of these were created by GuardDuty, and have a single permissions policy and no new permissions policies can be attached.

If I try to create a new service-linked role for GuardDuty, again, I can't modify the role.

If I try to create a new custom role and attach the provided policy, it fails because no principal is specified.

How can I create a role and attach the policies so I can use this service?

Asked 1 month ago, viewed 95 times
1 answer
1

You shouldn't have to manually create a new role in order to use the AWS GuardDuty malware scanner for S3. The existing service-linked roles that were created by GuardDuty should automatically provide you with the necessary permissions (they aren't editable, since they're service-linked roles).

Then, depending on how you've enabled the GuardDuty malware scanner, it should automatically be able to invoke a malware scan.

What specific issues are you having with the scanner?

If you're having any specific permissions issues, I would check if the IAM user/role has the appropriate permissions to use GuardDuty and initiate scans.

This page may help more: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html

AWS
Answered 1 month ago
Expert
Reviewed 1 month ago
  • I'm not having issues with the scanner, the issue is attaching policies to an existing role or creating a new one.

    The existing 'AmazonGuardDutyMalwareProtectionServiceRolePolicy' does not include the required permissions, I'm supposed to manually attach them. For example it can't access the S3 bucket or the KMS encryption keys.

    I can't edit this policy, and I can't add new inline policies to the service-linked role it's associated with. Unlike other policies and roles, there are no buttons to do this. I have full permissions to modify IAM on the account.
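The failure described in the question ("no principal is specified") comes from the trust relationship: a custom role for the S3 malware scanner must name GuardDuty's Malware Protection service principal in its trust policy, which the permissions policy alone cannot supply. The following is an added example, not code from the post or from AWS, that builds that trust policy, a bucket-scoped permissions policy, and a check for the missing principal; the service principal, the managed EventBridge rule-name prefix and the action list are assumed from the AWS documentation linked in the answer, and the account, region, bucket and key values are placeholders.

```python
# Service principal GuardDuty Malware Protection for S3 assumes the role as
# (assumed from the linked AWS documentation; confirm against the current page).
MP_PRINCIPAL = "malware-protection-plan.guardduty.amazonaws.com"

def trust_policy(account_id, region):
    """Trust policy naming the principal; a custom role without it is rejected."""
    plan_arn = f"arn:aws:guardduty:{region}:{account_id}:malware-protection-plan/*"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": MP_PRINCIPAL},
        "Action": "sts:AssumeRole",
        # Confused-deputy guard: only plans in this account/region may assume it.
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                      "ArnLike": {"aws:SourceArn": plan_arn}}}]}

def permissions_policy(bucket, region, kms_key_arn=None):
    """Bucket-scoped permissions (action set assumed from the AWS docs)."""
    rule_arn = f"arn:aws:events:{region}:*:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
    statements = [
        {"Effect": "Allow", "Resource": f"arn:aws:s3:::{bucket}/*",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging",
                    "s3:GetObjectVersionTagging", "s3:PutObjectTagging",
                    "s3:PutObjectVersionTagging"]},
        {"Effect": "Allow", "Resource": f"arn:aws:s3:::{bucket}",
         "Action": ["s3:ListBucket", "s3:GetBucketNotification",
                    "s3:PutBucketNotification"]},
        # Managed EventBridge rule the protection plan creates (prefix assumed).
        {"Effect": "Allow", "Resource": rule_arn,
         "Action": ["events:PutRule", "events:DeleteRule",
                    "events:PutTargets", "events:RemoveTargets"]},
    ]
    if kms_key_arn:  # needed only when the bucket uses SSE-KMS
        statements.append({"Effect": "Allow", "Resource": kms_key_arn,
                           "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                           "Condition": {"StringLike": {
                               "kms:ViaService": f"s3.{region}.amazonaws.com"}}})
    return {"Version": "2012-10-17", "Statement": statements}

def trusts_guardduty(doc):
    """True if an Allow statement lets the plan principal call sts:AssumeRole."""
    for s in doc.get("Statement", []):
        principal = s.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        actions = s.get("Action", [])
        if s.get("Effect") == "Allow" and MP_PRINCIPAL in services \
                and "sts:AssumeRole" in actions:
            return True
    return False
```

Write the two documents out with json.dumps and pass them to `aws iam create-role --assume-role-policy-document file://trust.json` and `aws iam put-role-policy --policy-document file://perms.json`; the role is then selectable when enabling the protection plan for the bucket.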
