AWS Security ChangesHomeSearch

AWS guardduty high security documentation change

Service: guardduty · 2025-06-07 · Security-related high

File: guardduty/latest/ug/security-iam-awsmanpol.md

Summary

Added new AmazonGuardDutyFullAccess_v2 policy with enhanced security restrictions and deprecated old policy recommendation

Security assessment

The change introduces a new IAM policy (v2) that explicitly restricts administrative actions to GuardDuty service principals and adds granular permissions for malware protection roles. This reduces potential privilege escalation risks by limiting IAM PassRole actions to specific service principals and enforcing service-linked role usage. The documentation explicitly states this version is recommended for enhanced security.

Diff

diff --git a/guardduty/latest/ug/security-iam-awsmanpol.md b/guardduty/latest/ug/security-iam-awsmanpol.md
index 51cd142dd..9b5847b9d 100644
--- a//guardduty/latest/ug/security-iam-awsmanpol.md
+++ b//guardduty/latest/ug/security-iam-awsmanpol.md
@@ -5 +5 @@
-AmazonGuardDutyFullAccessAmazonGuardDutyReadOnlyAccessAmazonGuardDutyServiceRolePolicyPolicy updates
+AmazonGuardDutyFullAccess_v2 (recommended)AmazonGuardDutyFullAccessAmazonGuardDutyReadOnlyAccessAmazonGuardDutyServiceRolePolicyPolicy updates
@@ -16,0 +17,104 @@ The `Version` policy element specifies the language syntax rules that are to be
+## AWS managed policy: AmazonGuardDutyFullAccess_v2 (recommended)
+
+You can attach the AmazonGuardDutyFullAccess_v2 policy to your IAM identities. Between AmazonGuardDutyFullAccess_v2 and AmazonGuardDutyFullAccess, GuardDuty recommends attaching AmazonGuardDutyFullAccess_v2 because it offers enhanced security and restricts administrative actions to GuardDuty service principals. This policy will still allow a user full access to perform all GuardDuty actions and access required resources.
+
+### Permission details
+
+The AmazonGuardDutyFullAccess_v2 policy includes the following permissions:
+
+  * `GuardDuty` – Allows users full access to all GuardDuty actions.
+
+  * `IAM`:
+
+    * Allows users to create GuardDuty service-linked role.
+
+    * Allows viewing and managing IAM roles and their policies for GuardDuty.
+
+    * Allows users to pass a role to GuardDuty that uses this role to enable the GuardDuty Malware Protection for S3 feature. This is regardless of how you enable Malware Protection for S3 \- within the GuardDuty service or independently.
+
+    * The permission to perform an `iam:GetRole` action on `AWSServiceRoleForAmazonGuardDutyMalwareProtection` establishes if the service-linked role (SLR) for Malware Protection for EC2 exists in an account.
+
+  * `Organizations`: 
+
+    * Allow users to read (view) GuardDuty organization structure and accounts.
+
+    * Allows users to designate a delegated administrator and manage members for a GuardDuty organization.
+
+
+
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [{
+                "Sid": "GuardDutyFullAccess",
+                "Effect": "Allow",
+                "Action": "guardduty:*",
+                "Resource": "*"
+            },
+            {
+                "Sid": "CreateGuardDutyServiceLinkedRole",
+                "Effect": "Allow",
+                "Action": "iam:CreateServiceLinkedRole",
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "iam:AWSServiceName": [
+                            "guardduty.amazonaws.com",
+                            "malware-protection.guardduty.amazonaws.com"
+                        ]
+                    }
+                }
+            },
+            {
+                "Sid": "GuardDutyOrganizationsReadOnly",
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:ListAWSServiceAccessForOrganization",
+                    "organizations:DescribeOrganizationalUnit",
+                    "organizations:DescribeAccount",
+                    "organizations:DescribeOrganization",
+                    "organizations:ListAccounts"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "GuardDutyOrganizationsAdminAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:EnableAWSServiceAccess",
+                    "organizations:DisableAWSServiceAccess",
+                    "organizations:RegisterDelegatedAdministrator",
+                    "organizations:DeregisterDelegatedAdministrator",
+                    "organizations:ListDelegatedAdministrators"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "organizations:ServicePrincipal": [
+                            "guardduty.amazonaws.com",
+                            "malware-protection.guardduty.amazonaws.com"
+                        ]
+                    }
+                }
+            },
+            {
+                "Sid": "GuardDutyIamRoleAccess",
+                "Effect": "Allow",
+                "Action": "iam:GetRole",
+                "Resource": "arn:aws:iam::*:role/*AWSServiceRoleForAmazonGuardDutyMalwareProtection"
+            },
+            {
+                "Sid": "PassRoleToMalwareProtectionPlan",
+                "Effect": "Allow",
+                "Action": "iam:PassRole",
+                "Resource": "arn:aws:iam::*:role/*",
+                "Condition": {
+                    "StringEquals": {
+                        "iam:PassedToService": "malware-protection-plan.guardduty.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+
@@ -21 +125 @@ You can attach the `AmazonGuardDutyFullAccess` policy to your IAM identities.
-This policy grants administrative permissions that allow a user full access to all GuardDuty actions.
+###### Important
@@ -23 +127,5 @@ This policy grants administrative permissions that allow a user full access to a
-**Permissions details**
+For enhanced security and restrictive permissions to GuardDuty service principals, we recommend you to use AWS managed policy: AmazonGuardDutyFullAccess_v2 (recommended).
+
+This policy grants administrative permissions that allow a user full access to perform all GuardDuty actions and resources.
+
+### Permission details
@@ -158,0 +267 @@ Change | Description | Date
+AmazonGuardDutyFullAccess_v2 – Added a new policy | Added a new AmazonGuardDutyFullAccess_v2 policy. This is recommended because its permissions enhance security by restricting administrative actions to GuardDuty service principals based on IAM roles and policies, and AWS Organizations integration. | June 04, 2025