AWS guardduty documentation change
Summary
Added IAM permission requirements, custom policy example, S3 throttling considerations, and troubleshooting links for enabling Malware Protection
Security assessment
The changes emphasize proper IAM role configuration (guardDuty:CreateMalwareProtectionPlan and iam:PassRole) and include a custom policy example to prevent misconfigurations. While this improves security documentation, there's no evidence of addressing an active vulnerability. The S3 throttling note addresses performance rather than security.
Diff
diff --git a/guardduty/latest/ug/enable-malware-protection-s3-bucket.md b/guardduty/latest/ug/enable-malware-protection-s3-bucket.md index 037f19ee2..30b808120 100644 --- a//guardduty/latest/ug/enable-malware-protection-s3-bucket.md +++ b//guardduty/latest/ug/enable-malware-protection-s3-bucket.md @@ -7 +7 @@ -This section provides detailed steps on how to enable Malware Protection for S3 for a bucket in your own account. +This section provides detailed steps on how to enable Malware Protection for S3 for a bucket in your own account. Before you proceed, review the following considerations: @@ -9 +9,15 @@ This section provides detailed steps on how to enable Malware Protection for S3 -You can choose a preferred access method to enable Malware Protection for S3 for your buckets - GuardDuty console or API/AWS CLI. + * When you enable this protection plan using the GuardDuty console, it includes the step to create a new role or use an existing role under the **Service access** section. + + * When you enable this protection plan using the GuardDuty API or CLI, then you must [Create or update IAM role policy](./malware-protection-s3-iam-policy-prerequisite.html) before proceeding further. + + * Regardless of how you enable this protection plan, you must have the required Permissions to create a Malware Protection plan resource. + + + + +**Considering Amazon S3 bucket throttling** + + +S3 Throttling might limit the rate at which data can be transferred to or from your Amazon S3 buckets. This can potentially delay malware scans of your newly uploaded objects. + +If you expect high volumes of `GET` and `PUT` requests to your S3 buckets, consider implementing measures to prevent throttling. For information on how to do this, see [Prevent Amazon S3 throttling](https://docs.aws.amazon.com/athena/latest/ug/performance-tuning-s3-throttling.html) in the _Amazon Athena User Guide_. @@ -15,0 +30,37 @@ You can choose a preferred access method to enable Malware Protection for S3 for +When you enable Malware Protection for S3 for an Amazon S3 bucket, GuardDuty creates a Malware Protection plan resource that acts as an identifier for the bucket's protection plan. If you are not already using the [AWS managed policy: AmazonGuardDutyFullAccess](./security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonGuardDutyFullAccess), then you must add the following permissions to create this resource: + + * `guardDuty:CreateMalwareProtectionPlan` + + * `iam:PassRole` + + + + +You can use the following custom policy example and replace the `placeholder values` with the values appropriate for your account: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": "arn:aws:iam::111122223333:role/role-name", + "Condition": { + "StringEquals": { + "iam:PassedToService": "malware-protection-plan.guardduty.amazonaws.com" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "guardduty:CreateMalwareProtectionPlan" + ], + "Resource": "*" + } + ] + } + @@ -85 +136 @@ GuardDuty also publishes the scan result to your default EventBridge event bus. -Use the following steps to choose an existing service role or create a new service role that has the necessary permissions to perform malware scan actions on your behalf. These actions may include scanning the newly uploaded S3 objects and (optionally) adding tags to those objects. +Use the following steps to choose an existing service role or create a new service role that has the necessary permissions to perform malware scan actions on your behalf. These actions may include scanning the newly uploaded S3 objects and (optionally) adding tags to those objects. For information about the permissions that this role will have, see [Create or update IAM role policy](./malware-protection-s3-iam-policy-prerequisite.html). @@ -91 +142 @@ In the **Service access** section, you can do one of the following: -Under the **Role name** you can choose to use the name pre-populated by GuardDuty or enter a meaningful name of your choice to identify the role. For example `GuardDutyS3MalwareScanRole`. The Role name must be 1-64 characters. Valid characters are are a-z, A-Z, 0-9, and '+=,.@-_' characters. +Under the **Role name** you can choose to use the name pre-populated by GuardDuty or enter a meaningful name of your choice to identify the role. For example `GuardDutyS3MalwareScanRole`. The Role name must be 1-64 characters. Valid characters are a-z, A-Z, 0-9, and '+=,.@-_' characters. @@ -103,0 +155,2 @@ You can make changes to the policy based on your requirements For more details o +For issues with IAM role permissions, see [Troubleshooting IAM role permissions error](./troubleshoot-malware-protection-s3-iam-role-permissions-error.html). + @@ -151,0 +205,2 @@ After you run these commands successfully, a unique Malware Protection plan ID w +For issues with IAM role permissions, see [Troubleshooting IAM role permissions error](./troubleshoot-malware-protection-s3-iam-role-permissions-error.html). +