

# Malware Protection for EC2 issues
<a name="troubleshooting-guardduty-malware-protection-issues"></a>

This section lists the errors that you may experience when setting up or using Malware Protection for EC2.

## Missing required Amazon Organizations management permission when enabling GuardDuty-initiated malware scan
<a name="troubleshooting-guardduty-managing-org-accounts"></a>

If you manage multiple accounts by using Amazon Organizations and receive the error `The request failed because you do not have required AWS Organization master permission.`, you're missing the permission to enable GuardDuty-initiated malware scan for multiple accounts in your organization.

For information about providing permissions to the management account, see [Establishing trusted access to enable GuardDuty-initiated malware scan](configure-malware-protection-guardduty-initiated-multi-account.md#delegated-admin-different-management-account).

## I am initiating an On-demand malware scan but it results in a missing required permissions error.
<a name="troubleshooting-permission-deny-error-scp"></a>

If you receive an error suggesting that you do not have the required permissions to start an On-demand malware scan on an Amazon EC2 instance, verify that you've attached the [Amazon managed policy: AmazonGuardDutyFullAccess\_v2 (recommended)](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) policy to your IAM role.

If you're a member of an Amazon organization and still receive the same error, connect with your management account. For more information, see [Amazon Organizations SCP – Denied access](malware-protection-getting-started-on-demand-scan.md#malware-protection-on-demand-scan-org-scp).

## I receive an `iam:GetRole` error while working with Malware Protection for EC2.
<a name="troubleshooting-unable-get-role"></a>

If you receive this error – `Unable to get role: AWSServiceRoleForAmazonGuardDutyMalwareProtection`, it means that you're missing the permission to either enable GuardDuty-initiated malware scan or use On-demand malware scan. Verify that you've attached the [Amazon managed policy: AmazonGuardDutyFullAccess\_v2 (recommended)](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) policy to your IAM role.
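The checks described in the sections above can be scripted. The following is an added example, not part of the original documentation: it reads the JSON printed by `aws iam list-attached-role-policies --role-name <your-role>` and returns the next step this page gives for the error you received. The function names `policy_attached` and `triage` are hypothetical, and the sample JSON is constructed.

```python
import json

# Names and error strings quoted on this page.
MANAGED_POLICY = "AmazonGuardDutyFullAccess_v2"
ORG_ERROR = "you do not have required AWS Organization master permission"
GET_ROLE_ERROR = "Unable to get role: AWSServiceRoleForAmazonGuardDutyMalwareProtection"


def policy_attached(cli_json):
    """Check `aws iam list-attached-role-policies` output for the managed policy.

    Returns True/False, or None when the listing is truncated and the policy
    was not on the returned page (the answer is then unknown).
    """
    doc = json.loads(cli_json)
    names = {p.get("PolicyName") for p in doc.get("AttachedPolicies", [])}
    if MANAGED_POLICY in names:
        return True
    return None if doc.get("IsTruncated") else False


def triage(error_text, cli_json, org_member=False):
    """Map an error plus the role's attached policies to the page's next step."""
    if ORG_ERROR in error_text:
        return "establish trusted access from the management account"
    attached = policy_attached(cli_json)
    if attached is None:
        return "list remaining attached policies, then re-check"
    if not attached:
        return "attach " + MANAGED_POLICY + " to the IAM role"
    if org_member and GET_ROLE_ERROR not in error_text:
        return "contact the management account about a denying SCP"
    return "not covered by this page"


# Constructed sample output, not captured from a real account.
SAMPLE_MISSING = json.dumps({"AttachedPolicies": [
    {"PolicyName": "ReadOnlyAccess",
     "PolicyArn": "arn:aws-cn:iam::aws:policy/ReadOnlyAccess"}]})
SAMPLE_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": MANAGED_POLICY,
     "PolicyArn": "arn:aws-cn:iam::aws:policy/" + MANAGED_POLICY}]})

if __name__ == "__main__":
    print(triage(GET_ROLE_ERROR, SAMPLE_MISSING))
    print(triage("AccessDenied (constructed)", SAMPLE_ATTACHED, org_member=True))
```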

## I am a GuardDuty administrator account that needs to enable GuardDuty-initiated malware scan but doesn't use the Amazon managed policy AmazonGuardDutyFullAccess to manage GuardDuty.
<a name="troubleshooting-how-admin-enable-malpro"></a>
+ Configure the IAM role that you use with GuardDuty to have the required permissions to enable GuardDuty-initiated malware scan. For more information on the required permissions, see [Creating a service-linked role for Malware Protection for EC2](https://docs.amazonaws.cn/guardduty/latest/ug/slr-permissions-malware-protection.html#create-slr). 
+ Attach the [Amazon managed policy: AmazonGuardDutyFullAccess\_v2 (recommended)](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) to your IAM role. This will help you enable GuardDuty-initiated malware scan for the member accounts.