Service-linked role permissions for GuardDuty Malware Protection - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Service-linked role permissions for GuardDuty Malware Protection

GuardDuty Malware Protection uses the service-linked role (SLR) named AWSServiceRoleForAmazonGuardDutyMalwareProtection. This SLR allows GuardDuty Malware Protection to perform agentless scans to detect malware in your GuardDuty account. It allows GuardDuty to create an EBS volume snapshot in your account, and share that snapshot with the GuardDuty service account. After GuardDuty evaluates the snapshot, it includes the retrieved EC2 instance and container workload metadata in the GuardDuty Malware Protection findings. The AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role trusts the malware-protection.guardduty.amazonaws.com service to assume the role.

The permissions policy for the role allows GuardDuty Malware Protection to perform tasks such as:

  • Use Amazon EC2 actions to retrieve information about your EC2 instances, volumes, and snapshots. GuardDuty Malware Protection also provides permission to access the Amazon EKS and Amazon ECS cluster metadata.

  • Create snapshots for EBS volumes that have GuardDutyExcluded tag not set to true. By default, the snapshots get created with a GuardDutyScanId tag. Don't remove this tag, otherwise GuardDuty Malware Protection will not have access to the snapshots.

    Important

    When you set the GuardDutyExcluded to true, the GuardDuty service won't be able to access these snapshots in the future. This is because the other statements in this service-linked role prevent GuardDuty from performing any action on the snapshots that have the GuardDutyExcluded set to true.

  • Allow sharing and deleting snapshots only if the GuardDutyScanId tag exists and GuardDutyExcluded tag is not set to true.

    Note

    Doesn't allow GuardDuty Malware Protection to make the snapshots public.

  • Access customer managed keys with the GuardDutyExcluded tag not set to true. The service-linked role requires the CreateGrant permission to create and access an encrypted EBS volume from the encrypted snapshot that gets shared with the GuardDuty service account.

  • Access customers' CloudWatch logs to create the GuardDuty Malware Protection log group as well as put the malware scan events logs under the /aws/guardduty/malware-scan-events log group.

  • Allow the customer to decide if they want to keep the snapshots on which malware was detected, in their account. If the scan detects malware, the service-linked role allows GuardDuty to add two tags to snapshots - GuardDutyFindingDetected and GuardDutyExcluded.

    Note

    The GuardDutyFindingDetected tag specifies that the snapshots contains malware.

  • Determine if a volume is encrypted with an EBS managed key. GuardDuty performs the DescribeKey action to determine the key Id of the EBS-managed key in your account.

    Note

    GuardDuty support volumes that are both unencrypted and encrypted with customer managed keys. However, GuardDuty doesn’t support volumes encrypted with EBS managed keys.

  • Allow Amazon EC2 to call Amazon KMS on behalf of GuardDuty Malware Protection to perform several cryptographic actions on customer managed keys. Actions such as kms:ReEncryptTo and kms:ReEncryptFrom are required to share the snapshots that are encrypted with the customer managed keys. Only those keys are accessible for which the GuardDutyExcluded tag is not set to true.

The role is configured with the following Amazon managed policy, named AmazonGuardDutyMalwareProtectionServiceRolePolicy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTasks", "ecs:DescribeTasks", "eks:DescribeCluster" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ec2:CreateSnapshot", "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Effect": "Allow", "Action": "ec2:CreateSnapshot", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyScanId" } } }, { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:*/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateSnapshot" } } }, { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/GuardDutyScanId": "*" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "GuardDutyExcluded", "GuardDutyFindingDetected" ] } } }, { "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/GuardDutyScanId": "*" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Effect": "Deny", "Action": [ "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringEquals": { "ec2:Add/group": "all" } } }, { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" }, "StringLike": { "kms:EncryptionContext:aws:ebs:id": "snap-*" }, "ForAllValues:StringEquals": { "kms:GrantOperations": [ "Decrypt", "CreateGrant", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey" ] }, "Bool": { "kms:GrantIsForAWSResource": "true" } } }, { "Effect": "Allow", "Action": [ "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:PutRetentionPolicy" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*" } ] }

The following trust policy is attached to the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "malware-protection.guardduty.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Creating a service-linked role for GuardDuty Malware Protection

The AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role is automatically created when you enable GuardDuty Malware Protection for the first time or enable GuardDuty Malware Protection in a supported Region where you previously didn't have it enabled. You can also create the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role manually using the IAM console, the IAM CLI, or the IAM API.

Note

By default, if you are new to Amazon GuardDuty, Malware Protection is automatically enabled.

Important

The service-linked role that is created for the GuardDuty delegated administrator account doesn't apply to the member GuardDuty accounts.

You must configure permissions to allow an IAM principal (such as a user, group, or role) to create, edit, or delete a service-linked role. For the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role to be successfully created, the IAM identity that you use GuardDuty with must have the required permissions. To grant the required permissions, attach the following policy to this IAM user, group, or role:

Note

Replace the sample account ID in the example below with your actual Amazon account ID.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "guardduty:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws-cn:iam::123456789012:role/aws-service-role/malware-protection.guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDutyMalwareProtection", "Condition": { "StringLike": { "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws-cn:iam::123456789012:role/aws-service-role/malware-protection.guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDutyMalwareProtection" } ] }

For more information about creating the role manually, see Creating a service-linked role in the IAM User Guide.

Editing a service-linked role for GuardDuty Malware Protection

GuardDuty Malware Protection doesn't allow you to edit the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for GuardDuty Malware Protection

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that isn't actively monitored or maintained.

Important

In order to delete the AWSServiceRoleForAmazonGuardDutyMalwareProtection, you must first disable GuardDuty Malware Protection in all of the Regions where it is enabled.

If GuardDuty Malware Protection isn't disabled when you try to delete the service-linked role, the deletion will fail. For more information, see To enable or disable Malware Protection.

When you choose Disable to stop the GuardDuty Malware Protection service, the AWSServiceRoleForAmazonGuardDutyMalwareProtection is not automatically deleted. If you then choose Enable to start the GuardDuty Malware Protection service again, GuardDuty will start using the existing AWSServiceRoleForAmazonGuardDutyMalwareProtection.

To manually delete the service-linked role using IAM

Use the IAM console, the Amazon CLI, or the IAM API to delete the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported Amazon Web Services Regions

Amazon GuardDuty supports using the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role in all the Amazon Web Services Regions where Malware Protection is available.

For a list of Regions where GuardDuty is currently available, see Amazon GuardDuty endpoints and quotas in the Amazon Web Services General Reference.

Note

Malware Protection is currently unavailable in Amazon GovCloud (US-East) and Amazon GovCloud (US-West).