# Monitoring S3 object scans with GuardDuty managed tags
<a name="monitor-enable-s3-object-tagging-malware-protection"></a>

Use enable tagging option so that GuardDuty can add tags to your Amazon S3 object after completing the malware scan.

**Considerations for enabling tagging**
+ There is an associated usage cost when GuardDuty tags your S3 objects. For more information, see [Pricing and usage cost for Malware Protection for S3](pricing-malware-protection-for-s3-guardduty.md).
+ You must keep the required tagging permissions to your preferred IAM role associated with this bucket; otherwise, GuardDuty can't add tags to your scanned objects. The IAM role already includes the permissions to add tags to the scanned S3 objects. For more information, see [Create or update IAM role policy](malware-protection-s3-iam-policy-prerequisite.md).
+ By default, you can associate up to 10 tags with an S3 object. For more information, see [Using tag-based access control (TBAC)](tag-based-access-s3-malware-protection.md).

After you enable tagging for an S3 bucket or specific prefixes, any newly uploaded object that gets scanned, will have an associated tag in the following key-value pair format:

`GuardDutyMalwareScanStatus`:`Scan-Result-Status`

For information about potential tag values, see [S3 object potential scan status and result status](monitoring-malware-protection-s3-scans-gdu.md#s3-object-scan-result-value-malware-protection).