Enabling object tagging in Malware Protection for S3

Use enable tagging option so that GuardDuty can add tags to your Amazon S3 object after completing the malware scan.

Considerations for enabling tagging

There is an associated usage cost when GuardDuty tags your S3 objects. For more information, see Pricing for Malware Protection for S3.
You must keep the required tagging permissions to your preferred IAM PassRole associated with this bucket; otherwise, GuardDuty can't add tags to your scanned objects. The IAM PassRole already includes the permissions to add tags to the scanned S3 objects. For more information, see Prerequisite - Create or update IAM PassRole policy.
By default, you can associate up to 10 tags with an S3 object. For more information, see Using tag-based access control (TBAC).

After you enable tagging for an S3 bucket or specific prefixes, any newly uploaded object that gets scanned, will have an associated tag in the following key-value pair format:

GuardDutyMalwareScanStatus:Scan-Status

For information about potential tag values, see Using tag-based access control (TBAC).

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Using Amazon CloudWatch metrics for Malware Protection plan

Using tag-based access control (TBAC)