Service-linked role permissions for GuardDuty Malware Protection
GuardDuty Malware Protection uses the service-linked role (SLR) named AWSServiceRoleForAmazonGuardDutyMalwareProtection. This SLR allows GuardDuty Malware Protection to perform agentless scans to detect malware in your GuardDuty account. It allows GuardDuty to create an EBS volume snapshot in your account, and share that snapshot with the GuardDuty service account. After GuardDuty evaluates the snapshot, it includes the retrieved EC2 instance and container workload metadata in the GuardDuty Malware Protection findings. The AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role trusts the malware-protection.guardduty.amazonaws.com service to assume the role.
The permissions policy for the role allows GuardDuty Malware Protection to perform tasks such as:
- Use Amazon EC2 actions to retrieve information about your EC2 instances, volumes, and snapshots. GuardDuty Malware Protection also provides permission to access the Amazon EKS and Amazon ECS cluster metadata.
- Create snapshots for EBS volumes that have the GuardDutyExcluded tag not set to true. By default, the snapshots get created with a GuardDutyScanId tag. Don't remove this tag, otherwise GuardDuty Malware Protection will not have access to the snapshots.
  Important: When you set GuardDutyExcluded to true, the GuardDuty service won't be able to access these snapshots in the future. This is because the other statements in this service-linked role prevent GuardDuty from performing any action on the snapshots that have GuardDutyExcluded set to true.
- Allow sharing and deleting snapshots only if the GuardDutyScanId tag exists and the GuardDutyExcluded tag is not set to true.
  Note: Doesn't allow GuardDuty Malware Protection to make the snapshots public.
- Access customer managed keys, except those that have a GuardDutyExcluded tag set to true, to call CreateGrant to create and access an encrypted EBS volume from the encrypted snapshot that gets shared with the GuardDuty service account. For a list of GuardDuty service accounts for each Region, see GuardDuty service accounts by Amazon Web Services Region.
- Access customers' CloudWatch logs to create the GuardDuty Malware Protection log group as well as put the malware scan event logs under the /aws/guardduty/malware-scan-events log group.
- Allow the customer to decide if they want to keep the snapshots on which malware was detected in their account. If the scan detects malware, the service-linked role allows GuardDuty to add two tags to snapshots: GuardDutyFindingDetected and GuardDutyExcluded.
  Note: The GuardDutyFindingDetected tag specifies that the snapshot contains malware.
- Determine if a volume is encrypted with an EBS managed key. GuardDuty performs the DescribeKey action to determine the key ID of the EBS managed key in your account. GuardDuty supports volumes that are unencrypted and volumes that are encrypted with customer managed keys. However, GuardDuty doesn't support volumes encrypted with EBS managed keys. For more information, see Supported volumes in Malware Protection.
- Allow Amazon EC2 to call Amazon KMS on behalf of GuardDuty Malware Protection to perform several cryptographic actions on customer managed keys. Actions such as kms:ReEncryptTo and kms:ReEncryptFrom are required to share the snapshots that are encrypted with the customer managed keys. Only those keys are accessible for which the GuardDutyExcluded tag is not set to true.
The role is configured with the following Amazon managed policy, named AmazonGuardDutyMalwareProtectionServiceRolePolicy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListTasks",
        "ecs:DescribeTasks",
        "eks:DescribeCluster"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws-cn:ec2:*:*:volume/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/GuardDutyExcluded": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws-cn:ec2:*:*:snapshot/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "GuardDutyScanId"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws-cn:ec2:*:*:*/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateSnapshot"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws-cn:ec2:*:*:snapshot/*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/GuardDutyScanId": "*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "GuardDutyExcluded",
            "GuardDutyFindingDetected"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot",
        "ec2:ModifySnapshotAttribute"
      ],
      "Resource": "arn:aws-cn:ec2:*:*:snapshot/*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/GuardDutyScanId": "*"
        },
        "Null": {
          "aws:ResourceTag/GuardDutyExcluded": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:ModifySnapshotAttribute"
      ],
      "Resource": "arn:aws-cn:ec2:*:*:snapshot/*",
      "Condition": {
        "StringEquals": {
          "ec2:Add/group": "all"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws-cn:kms:*:*:key/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/GuardDutyExcluded": "true"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:ebs:id": "snap-*"
        },
        "ForAllValues:StringEquals": {
          "kms:GrantOperations": [
            "Decrypt",
            "CreateGrant",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo",
            "RetireGrant",
            "DescribeKey"
          ]
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom"
      ],
      "Resource": "arn:aws-cn:kms:*:*:key/*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "ec2.*.amazonaws.com"
        },
        "Null": {
          "aws:ResourceTag/GuardDutyExcluded": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws-cn:kms:*:*:key/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/guardduty/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/guardduty/*:log-stream:*"
    }
  ]
}
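To see how the GuardDutyScanId and GuardDutyExcluded tags gate the snapshot statements in this policy, the following added example (not AWS code) models just those two statements with a minimal IAM-style evaluator and runs constructed request contexts through it. It assumes every request targets a snapshot in the account (Resource ARN matching is omitted) and uses sample tag values that are not real scan IDs.

```python
"""Added example, not AWS code: a small evaluator for the tag-gated snapshot
statements of the SLR policy above. It models only Allow/Deny, explicit Deny
beating Allow, and the Null, StringEquals and StringLike operators."""
from fnmatch import fnmatchcase

# The DeleteSnapshot/ModifySnapshotAttribute statements from the policy above.
SNAPSHOT_STATEMENTS = [
    {"Effect": "Allow", "Action": ["ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute"],
     "Condition": {"StringLike": {"ec2:ResourceTag/GuardDutyScanId": "*"},
                   "Null": {"aws:ResourceTag/GuardDutyExcluded": "true"}}},
    {"Effect": "Deny", "Action": ["ec2:ModifySnapshotAttribute"],
     "Condition": {"StringEquals": {"ec2:Add/group": "all"}}},
]

def _lookup(key, request):
    # Both ResourceTag prefixes read the snapshot's tags; other keys come from the request.
    for prefix in ("aws:ResourceTag/", "ec2:ResourceTag/"):
        if key.startswith(prefix):
            return request["tags"].get(key[len(prefix):])
    return request.get(key)

def _condition_holds(operator, key, expected, request):
    value = _lookup(key, request)
    if operator == "Null":  # "true" means the tag key must be absent, whatever its value
        return (value is None) == (expected == "true")
    if value is None:       # every other operator fails when the key is missing
        return False
    if operator == "StringEquals":
        return value == expected
    if operator == "StringLike":
        return fnmatchcase(value, expected)
    raise ValueError(f"operator {operator} is not modelled here")

def evaluate(action, request, statements=SNAPSHOT_STATEMENTS):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'; request = {"tags": {...}, <cond key>: value}."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if action not in stmt["Action"]:
            continue
        if all(_condition_holds(op, key, expected, request)
               for op, pairs in stmt["Condition"].items()
               for key, expected in pairs.items()):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision

# Constructed request contexts for a scan snapshot (sample tag values, not real IDs).
SCANNED = {"tags": {"GuardDutyScanId": "scan-sample-0001"}}
EXCLUDED = {"tags": {"GuardDutyScanId": "scan-sample-0001", "GuardDutyExcluded": "true"}}
MAKE_PUBLIC = {"tags": {"GuardDutyScanId": "scan-sample-0001"}, "ec2:Add/group": "all"}
```

Because the policy uses the Null operator rather than a value comparison, a GuardDutyExcluded tag with any value removes the snapshot from the scope of these statements, and the explicit Deny on ec2:Add/group blocks public sharing even when the Allow conditions hold.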
The following trust policy is attached to the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "malware-protection.guardduty.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Creating a service-linked role for GuardDuty Malware Protection
The AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role is automatically created when you enable GuardDuty Malware Protection for the first time or enable GuardDuty Malware Protection in a supported Region where you previously didn't have it enabled. You can also create the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role manually using the IAM console, the IAM CLI, or the IAM API.
By default, if you are new to Amazon GuardDuty, Malware Protection is automatically enabled.
The service-linked role that is created for the GuardDuty delegated administrator account doesn't apply to the member GuardDuty accounts.
You must configure permissions to allow an IAM principal (such as a user, group, or role) to create, edit, or delete a service-linked role. For the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role to be successfully created, the IAM identity that you use GuardDuty with must have the required permissions. To grant the required permissions, attach the following policy to this IAM user, group, or role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "guardduty:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "malware-protection.guardduty.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws-cn:iam::*:role/*AWSServiceRoleForAmazonGuardDutyMalwareProtection"
    }
  ]
}
For more information about creating the role manually, see Creating a service-linked role in the IAM User Guide.
Editing a service-linked role for GuardDuty Malware Protection
GuardDuty Malware Protection doesn't allow you to edit the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role.
After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting a service-linked role for GuardDuty Malware Protection
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that isn't actively monitored or maintained.
In order to delete the AWSServiceRoleForAmazonGuardDutyMalwareProtection role, you must first disable GuardDuty Malware Protection in all of the Regions where it is enabled.
If GuardDuty Malware Protection isn't disabled when you try to delete the service-linked role, the deletion will fail. For more information, see To enable or disable Malware Protection.
When you choose Disable to stop the GuardDuty Malware Protection service, the AWSServiceRoleForAmazonGuardDutyMalwareProtection role is not automatically deleted. If you then choose Enable to start the GuardDuty Malware Protection service again, GuardDuty will start using the existing AWSServiceRoleForAmazonGuardDutyMalwareProtection role.
To manually delete the service-linked role using IAM
Use the IAM console, the Amazon CLI, or the IAM API to delete the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.
Supported Amazon Web Services Regions
Amazon GuardDuty supports using the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role in all the Amazon Web Services Regions where Malware Protection is available.
For a list of Regions where GuardDuty is currently available, see Amazon GuardDuty endpoints and quotas in the Amazon Web Services General Reference.
Malware Protection is currently unavailable in Amazon GovCloud (US-East) and Amazon GovCloud (US-West).