AWS Security ChangesHomeSearch

AWS guardduty high security documentation change

Service: guardduty · 2025-05-16 · Security-related high

File: guardduty/latest/ug/tag-based-access-s3-malware-protection.md

Summary

Modified IAM policy examples to use NotPrincipal with specific GuardDuty roles and simplified resource patterns

Security assessment

The policy changes enforce stricter access controls by explicitly denying access except to GuardDuty malware protection roles and removing broad permissions. This directly impacts security by preventing unauthorized access to S3 objects unless scanned clean, addressing potential privilege escalation risks.

Diff

diff --git a/guardduty/latest/ug/tag-based-access-s3-malware-protection.md b/guardduty/latest/ug/tag-based-access-s3-malware-protection.md
index 1c340d6b7..9b30fc45c 100644
--- a//guardduty/latest/ug/tag-based-access-s3-malware-protection.md
+++ b//guardduty/latest/ug/tag-based-access-s3-malware-protection.md
@@ -57,3 +57,2 @@ Replace the following placeholder values in the example policy:
-        "Statement": [
-            {
-                "Sid": "NoReadExceptForClean",
+        "Statement": [{
+                "Sid": "NoReadUnlessClean",
@@ -61,2 +60,5 @@ Replace the following placeholder values in the example policy:
-                "Principal": {
-                    "AWS": "*"
+                "NotPrincipal": {
+                    "AWS": [
+                        "arn:aws:sts::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection",
+                        "arn:aws:iam::555555555555:role/IAM-role-name"
+                    ]
@@ -68,4 +70 @@ Replace the following placeholder values in the example policy:
-                "Resource": [
-                    "arn:aws:s3:::amzn-s3-demo-bucket",
-                    "arn:aws:s3:::amzn-s3-demo-bucket/*"
-                ],
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
@@ -74,5 +73 @@ Replace the following placeholder values in the example policy:
-                        "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND",
-                        "aws:PrincipalArn": [
-                        "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection",
-                        "arn:aws:iam::555555555555:role/IAM-role-name"
-                        ]
+                        "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND"
@@ -83 +78 @@ Replace the following placeholder values in the example policy:
-                "Sid": "OnlyGuardDutyCanTag",
+                "Sid": "OnlyGuardDutyCanTagScanStatus",
@@ -85,2 +80,5 @@ Replace the following placeholder values in the example policy:
-                "Principal": {
-                    "AWS": "*"
+                "NotPrincipal": {
+                    "AWS": [
+                        "arn:aws:sts::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection",
+                        "arn:aws:iam::555555555555:role/IAM-role-name"
+                    ]
@@ -89,4 +87 @@ Replace the following placeholder values in the example policy:
-                "Resource": [
-                    "arn:aws:s3:::amzn-s3-demo-bucket",
-                    "arn:aws:s3:::amzn-s3-demo-bucket/*"
-                ],
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
@@ -94,5 +89,2 @@ Replace the following placeholder values in the example policy:
-                    "StringNotEquals": {
-                        "aws:PrincipalArn": [
-                        "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection",
-                        "arn:aws:iam::555555555555:role/IAM-role-name"
-                        ]
+                    "ForAnyValue:StringEquals": {
+                        "s3:RequestObjectTagKeys": "GuardDutyMalwareScanStatus"