Malware Protection for EC2 issues - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Malware Protection for EC2 issues

This section lists the errors that you may experience when setting up or using Malware Protection for EC2.

Missing required Amazon Organizations management permission when enabling GuardDuty-initiated malware scan

If you manage multiple accounts with Amazon Organizations and receive the error – The request failed because you do not have required AWS Organization master permission. – then your management account lacks the permission needed to enable GuardDuty-initiated malware scan for multiple accounts in your organization.

For information about providing permissions to the management account, see Establishing trusted access to enable GuardDuty-initiated malware scan.

I am initiating an On-demand malware scan but it results in a missing required permissions error.

If you receive an error stating that you do not have the required permissions to start an On-demand malware scan on an Amazon EC2 instance, verify that the Amazon managed policy AmazonGuardDutyFullAccess_v2 (recommended) is attached to your IAM role.

If you're a member account in an Amazon organization and still receive the same error, contact your management account. For more information, see Amazon Organizations SCP – Denied access.

I receive an iam:GetRole error while working with Malware Protection for EC2.

If you receive the error – Unable to get role: AWSServiceRoleForAmazonGuardDutyMalwareProtection – you're missing the permission to either enable GuardDuty-initiated malware scan or use On-demand malware scan. Verify that the Amazon managed policy AmazonGuardDutyFullAccess_v2 (recommended) is attached to your IAM role.
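The three permission checks described on this page (the managed policy on the IAM role, the service-linked role that iam:GetRole looks up, and Organizations trusted access for the management account) can be run together as one diagnostic. The script below is an added example, not AWS code; it assumes boto3 is installed and credentialed for the live query, and it assumes malware-protection.guardduty.amazonaws.com is the service principal that trusted access must be enabled for. diagnose() is a pure function so the decision logic can be checked offline.

```python
"""Diagnostic for the Malware Protection for EC2 permission errors on this page."""
from __future__ import annotations

REQUIRED_POLICY = "AmazonGuardDutyFullAccess_v2"                  # managed policy named on this page
SLR_NAME = "AWSServiceRoleForAmazonGuardDutyMalwareProtection"    # service-linked role named on this page
# Assumption: the service principal for which Organizations trusted access must be enabled.
MALWARE_PRINCIPAL = "malware-protection.guardduty.amazonaws.com"


def diagnose(attached_policy_names, slr_exists, trusted_principals, uses_organizations):
    """Return a list of (problem, remediation) tuples; an empty list means nothing was found."""
    findings = []
    if REQUIRED_POLICY not in attached_policy_names:
        findings.append((
            f"IAM role lacks the {REQUIRED_POLICY} managed policy",
            f"attach {REQUIRED_POLICY} to the role that starts on-demand or GuardDuty-initiated scans",
        ))
    if not slr_exists:
        findings.append((
            f"iam:GetRole cannot find {SLR_NAME}",
            f"attach {REQUIRED_POLICY} so the feature can be enabled and the role created",
        ))
    if uses_organizations and MALWARE_PRINCIPAL not in trusted_principals:
        findings.append((
            "Organizations trusted access for GuardDuty-initiated malware scan is not enabled",
            f"from the management account, enable trusted access for {MALWARE_PRINCIPAL}",
        ))
    return findings


def collect_state(role_name, uses_organizations=True):
    """Query live AWS state and feed it to diagnose(); needs boto3 and credentials."""
    import boto3  # imported here so diagnose() stays usable without boto3
    iam = boto3.client("iam")
    names = []
    for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
        names.extend(p["PolicyName"] for p in page["AttachedPolicies"])
    try:
        iam.get_role(RoleName=SLR_NAME)
        slr_exists = True
    except iam.exceptions.NoSuchEntityException:
        slr_exists = False
    principals = []
    if uses_organizations:
        orgs = boto3.client("organizations")
        for page in orgs.get_paginator("list_aws_service_access_for_organization").paginate():
            principals.extend(s["ServicePrincipal"] for s in page["EnabledServicePrincipals"])
    return diagnose(names, slr_exists, principals, uses_organizations)
```

Run collect_state("YourRoleName") (hypothetical role name) from the management account to see which of the page's errors applies; a member account should pass uses_organizations=False.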

I am a GuardDuty administrator account that needs to enable GuardDuty-initiated malware scan but doesn't use the Amazon managed policy AmazonGuardDutyFullAccess to manage GuardDuty.