Enabling object tagging in Malware Protection for S3
Use the enable tagging option so that GuardDuty can add tags to your Amazon S3 object after completing the malware scan.
Considerations for enabling tagging
- There is an associated usage cost when GuardDuty tags your S3 objects. For more information, see Pricing for Malware Protection for S3.
- The preferred IAM PassRole associated with this bucket must retain the required tagging permissions; otherwise, GuardDuty can't add tags to your scanned objects. The IAM PassRole already includes the permissions to add tags to the scanned S3 objects. For more information, see Prerequisite - Create or update IAM PassRole policy.
- By default, you can associate up to 10 tags with an S3 object. For more information, see Using tag-based access control (TBAC).
After you enable tagging for an S3 bucket or specific prefixes, any newly uploaded object that gets scanned will have an associated tag in the following key-value pair format:
GuardDutyMalwareScanStatus:Scan-Status
For information about potential tag values, see Using tag-based access control (TBAC).
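A consumer of the bucket can read this tag before processing an upload and fail closed when it is absent. The following is an added example, not AWS code: the tag values are the ones AWS documents for this key, while the decision names, the handling of a full tag set, and the sample tag sets are assumptions constructed for illustration.

```python
# Added example: fail-closed gate over an S3 object's TagSet.
# In practice the TagSet comes from boto3:
#   s3.get_object_tagging(Bucket=..., Key=...)["TagSet"]
TAG_KEY = "GuardDutyMalwareScanStatus"  # tag keys are case-sensitive
MAX_TAGS = 10                           # default per-object tag limit

CLEAN = "NO_THREATS_FOUND"
INFECTED = "THREATS_FOUND"
INCONCLUSIVE = {"UNSUPPORTED", "ACCESS_DENIED", "FAILED"}


def scan_decision(tag_set):
    """Map a TagSet (list of {'Key': ..., 'Value': ...} dicts) to one of
    'release', 'quarantine', 'review' or 'hold' (hypothetical names)."""
    values = [t.get("Value") for t in tag_set if t.get("Key") == TAG_KEY]
    if not values:
        # No scan tag: not scanned yet, tagging disabled, tagging
        # permission removed from the role, or no room left for the tag.
        if len(tag_set) >= MAX_TAGS:
            return "review"  # assumption: a full tag set needs a human look
        return "hold"        # never treat "no tag" as "clean"
    value = values[0]
    if value == CLEAN:
        return "release"
    if value == INFECTED:
        return "quarantine"
    # Inconclusive scan results and any unrecognised value are not clean.
    return "review"


def triage(objects):
    """objects: {object_key: tag_set}. Returns {object_key: decision}."""
    return {key: scan_decision(tags) for key, tags in objects.items()}


# Constructed sample input.
SAMPLE = {
    "uploads/a.pdf": [{"Key": TAG_KEY, "Value": "NO_THREATS_FOUND"}],
    "uploads/b.exe": [{"Key": TAG_KEY, "Value": "THREATS_FOUND"}],
    "uploads/c.zip": [{"Key": TAG_KEY, "Value": "UNSUPPORTED"}],
    "uploads/d.bin": [{"Key": "team", "Value": "payments"}],
    "uploads/e.bin": [{"Key": f"k{i}", "Value": "v"} for i in range(10)],
}

if __name__ == "__main__":
    for key, decision in triage(SAMPLE).items():
        print(f"{key}: {decision}")
```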