AWS Security ChangesHomeSearch

AWS guardduty high security documentation change

Service: guardduty · 2025-08-13 · Security-related high

File: guardduty/latest/ug/slr-permissions-malware-protection.md

Summary

Added detailed malware protection service-linked role policy with snapshot access controls and KMS permissions

Security assessment

Introduces explicit security controls including a Deny rule for public snapshot access (ec2:ModifySnapshotAttribute with Add/group=all condition) and granular KMS encryption context requirements. These changes directly implement security best practices to prevent accidental exposure of sensitive data.

Diff

diff --git a/guardduty/latest/ug/slr-permissions-malware-protection.md b/guardduty/latest/ug/slr-permissions-malware-protection.md
index 40f948a34..a9cede919 100644
--- a//guardduty/latest/ug/slr-permissions-malware-protection.md
+++ b//guardduty/latest/ug/slr-permissions-malware-protection.md
@@ -47,0 +48,6 @@ The role is configured with the following [AWS managed policy](https://docs.aws.
+JSON
+    
+
+****
+    
+    
@@ -236,0 +243,180 @@ The role is configured with the following [AWS managed policy](https://docs.aws.
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [{
+                "Sid": "DescribeAndListPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DescribeInstances",
+                    "ec2:DescribeVolumes",
+                    "ec2:DescribeSnapshots",
+                    "ecs:ListClusters",
+                    "ecs:ListContainerInstances",
+                    "ecs:ListTasks",
+                    "ecs:DescribeTasks",
+                    "eks:DescribeCluster"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "CreateSnapshotVolumeConditionalStatement",
+                "Effect": "Allow",
+                "Action": "ec2:CreateSnapshot",
+                "Resource": "arn:aws:ec2:*:*:volume/*",
+                "Condition": {
+                    "Null": {
+                        "aws:ResourceTag/GuardDutyExcluded": "true"
+                    }
+                }
+            },
+            {
+                "Sid": "CreateSnapshotConditionalStatement",
+                "Effect": "Allow",
+                "Action": "ec2:CreateSnapshot",
+                "Resource": "arn:aws:ec2:*:*:snapshot/*",
+                "Condition": {
+                    "ForAnyValue:StringEquals": {
+                        "aws:TagKeys": "GuardDutyScanId"
+                    }
+                }
+            },
+            {
+                "Sid": "CreateTagsPermission",
+                "Effect": "Allow",
+                "Action": "ec2:CreateTags",
+                "Resource": "arn:aws:ec2:*:*:*/*",
+                "Condition": {
+                    "StringEquals": {
+                        "ec2:CreateAction": "CreateSnapshot"
+                    }
+                }
+            },
+            {
+                "Sid": "AddTagsToSnapshotPermission",
+                "Effect": "Allow",
+                "Action": "ec2:CreateTags",
+                "Resource": "arn:aws:ec2:*:*:snapshot/*",
+                "Condition": {
+                    "StringLike": {
+                        "ec2:ResourceTag/GuardDutyScanId": "*"
+                    },
+                    "ForAllValues:StringEquals": {
+                        "aws:TagKeys": [
+                            "GuardDutyExcluded",
+                            "GuardDutyFindingDetected"
+                        ]
+                    }
+                }
+            },
+            {
+                "Sid": "DeleteAndShareSnapshotPermission",
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DeleteSnapshot",
+                    "ec2:ModifySnapshotAttribute"
+                ],
+                "Resource": "arn:aws:ec2:*:*:snapshot/*",
+                "Condition": {
+                    "StringLike": {
+                        "ec2:ResourceTag/GuardDutyScanId": "*"
+                    },
+                    "Null": {
+                        "aws:ResourceTag/GuardDutyExcluded": "true"
+                    }
+                }
+            },
+            {
+                "Sid": "PreventPublicAccessToSnapshotPermission",
+                "Effect": "Deny",
+                "Action": [
+                    "ec2:ModifySnapshotAttribute"
+                ],
+                "Resource": "arn:aws:ec2:*:*:snapshot/*",
+                "Condition": {
+                    "StringEquals": {
+                        "ec2:Add/group": "all"
+                    }
+                }
+            },
+            {
+                "Sid": "CreateGrantPermission",
+                "Effect": "Allow",
+                "Action": "kms:CreateGrant",
+                "Resource": "arn:aws:kms:*:*:key/*",
+                "Condition": {
+                    "Null": {
+                        "aws:ResourceTag/GuardDutyExcluded": "true"
+                    },
+                    "StringLike": {
+                        "kms:EncryptionContext:aws:ebs:id": "snap-*"
+                    },
+                    "ForAllValues:StringEquals": {
+                        "kms:GrantOperations": [
+                            "Decrypt",
+                            "CreateGrant",
+                            "GenerateDataKeyWithoutPlaintext",
+                            "ReEncryptFrom",
+                            "ReEncryptTo",
+                            "RetireGrant",
+                            "DescribeKey"
+                        ]
+                    },
+                    "Bool": {
+                        "kms:GrantIsForAWSResource": "true"
+                    }
+                }
+            },
+            {
+                "Sid": "ShareSnapshotKMSPermission",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:ReEncryptTo",
+                    "kms:ReEncryptFrom"
+                ],
+                "Resource": "arn:aws:kms:*:*:key/*",
+                "Condition": {
+                    "StringLike": {
+                        "kms:ViaService": "ec2.*.amazonaws.com"
+                    },
+                    "Null": {
+                        "aws:ResourceTag/GuardDutyExcluded": "true"
+                    }
+                }
+            },
+            {
+                "Sid": "DescribeKeyPermission",
+                "Effect": "Allow",
+                "Action": "kms:DescribeKey",
+                "Resource": "arn:aws:kms:*:*:key/*"
+            },
+            {
+                "Sid": "GuardDutyLogGroupPermission",
+                "Effect": "Allow",
+                "Action": [
+                    "logs:DescribeLogGroups",
+                    "logs:CreateLogGroup",
+                    "logs:PutRetentionPolicy"
+                ],
+                "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*"
+            },
+            {
+                "Sid": "GuardDutyLogStreamPermission",
+                "Effect": "Allow",
+                "Action": [
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents",
+                    "logs:DescribeLogStreams"
+                ],
+                "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*"
+            }
+        ]
+    }
+    
+
@@ -238,0 +425,6 @@ The following trust policy is attached to the `AWSServiceRoleForAmazonGuardDutyM
+JSON
+    
+
+****
+    
+    
@@ -246 +438 @@ The following trust policy is attached to the `AWSServiceRoleForAmazonGuardDutyM