AWS guardduty high security documentation change
Summary
Modified IAM policy examples to use NotPrincipal with specific GuardDuty roles and simplified resource patterns
Security assessment
The policy changes enforce stricter access controls by explicitly denying access except to GuardDuty malware protection roles and removing broad permissions. This directly impacts security by preventing unauthorized access to S3 objects unless scanned clean, addressing potential privilege escalation risks.
Diff
diff --git a/guardduty/latest/ug/tag-based-access-s3-malware-protection.md b/guardduty/latest/ug/tag-based-access-s3-malware-protection.md index 1c340d6b7..9b30fc45c 100644 --- a//guardduty/latest/ug/tag-based-access-s3-malware-protection.md +++ b//guardduty/latest/ug/tag-based-access-s3-malware-protection.md @@ -57,3 +57,2 @@ Replace the following placeholder values in the example policy: - "Statement": [ - { - "Sid": "NoReadExceptForClean", + "Statement": [{ + "Sid": "NoReadUnlessClean", @@ -61,2 +60,5 @@ Replace the following placeholder values in the example policy: - "Principal": { - "AWS": "*" + "NotPrincipal": { + "AWS": [ + "arn:aws:sts::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection", + "arn:aws:iam::555555555555:role/IAM-role-name" + ] @@ -68,4 +70 @@ Replace the following placeholder values in the example policy: - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket", - "arn:aws:s3:::amzn-s3-demo-bucket/*" - ], + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", @@ -74,5 +73 @@ Replace the following placeholder values in the example policy: - "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND", - "aws:PrincipalArn": [ - "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection", - "arn:aws:iam::555555555555:role/IAM-role-name" - ] + "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND" @@ -83 +78 @@ Replace the following placeholder values in the example policy: - "Sid": "OnlyGuardDutyCanTag", + "Sid": "OnlyGuardDutyCanTagScanStatus", @@ -85,2 +80,5 @@ Replace the following placeholder values in the example policy: - "Principal": { - "AWS": "*" + "NotPrincipal": { + "AWS": [ + "arn:aws:sts::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection", + "arn:aws:iam::555555555555:role/IAM-role-name" + ] @@ -89,4 +87 @@ Replace the following placeholder values in the example policy: - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket", - "arn:aws:s3:::amzn-s3-demo-bucket/*" - ], + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", @@ -94,5 +89,2 @@ Replace the following placeholder values in the example policy: - "StringNotEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection", - "arn:aws:iam::555555555555:role/IAM-role-name" - ] + "ForAnyValue:StringEquals": { + "s3:RequestObjectTagKeys": "GuardDutyMalwareScanStatus"