AWS guardduty high security documentation change
Summary
Added detailed malware protection service-linked role policy with snapshot access controls and KMS permissions
Security assessment
Introduces explicit security controls including a Deny rule for public snapshot access (ec2:ModifySnapshotAttribute with Add/group=all condition) and granular KMS encryption context requirements. These changes directly implement security best practices to prevent accidental exposure of sensitive data.
Diff
diff --git a/guardduty/latest/ug/slr-permissions-malware-protection.md b/guardduty/latest/ug/slr-permissions-malware-protection.md index 40f948a34..a9cede919 100644 --- a//guardduty/latest/ug/slr-permissions-malware-protection.md +++ b//guardduty/latest/ug/slr-permissions-malware-protection.md @@ -47,0 +48,6 @@ The role is configured with the following [AWS managed policy](https://docs.aws. +JSON + + +**** + + @@ -236,0 +243,180 @@ The role is configured with the following [AWS managed policy](https://docs.aws. + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [{ + "Sid": "DescribeAndListPermissions", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:DescribeSnapshots", + "ecs:ListClusters", + "ecs:ListContainerInstances", + "ecs:ListTasks", + "ecs:DescribeTasks", + "eks:DescribeCluster" + ], + "Resource": "*" + }, + { + "Sid": "CreateSnapshotVolumeConditionalStatement", + "Effect": "Allow", + "Action": "ec2:CreateSnapshot", + "Resource": "arn:aws:ec2:*:*:volume/*", + "Condition": { + "Null": { + "aws:ResourceTag/GuardDutyExcluded": "true" + } + } + }, + { + "Sid": "CreateSnapshotConditionalStatement", + "Effect": "Allow", + "Action": "ec2:CreateSnapshot", + "Resource": "arn:aws:ec2:*:*:snapshot/*", + "Condition": { + "ForAnyValue:StringEquals": { + "aws:TagKeys": "GuardDutyScanId" + } + } + }, + { + "Sid": "CreateTagsPermission", + "Effect": "Allow", + "Action": "ec2:CreateTags", + "Resource": "arn:aws:ec2:*:*:*/*", + "Condition": { + "StringEquals": { + "ec2:CreateAction": "CreateSnapshot" + } + } + }, + { + "Sid": "AddTagsToSnapshotPermission", + "Effect": "Allow", + "Action": "ec2:CreateTags", + "Resource": "arn:aws:ec2:*:*:snapshot/*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/GuardDutyScanId": "*" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": [ + "GuardDutyExcluded", + "GuardDutyFindingDetected" + ] + } + } + }, + { + "Sid": "DeleteAndShareSnapshotPermission", + "Effect": "Allow", + "Action": [ + "ec2:DeleteSnapshot", + "ec2:ModifySnapshotAttribute" + ], + "Resource": "arn:aws:ec2:*:*:snapshot/*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/GuardDutyScanId": "*" + }, + "Null": { + "aws:ResourceTag/GuardDutyExcluded": "true" + } + } + }, + { + "Sid": "PreventPublicAccessToSnapshotPermission", + "Effect": "Deny", + "Action": [ + "ec2:ModifySnapshotAttribute" + ], + "Resource": "arn:aws:ec2:*:*:snapshot/*", + "Condition": { + "StringEquals": { + "ec2:Add/group": "all" + } + } + }, + { + "Sid": "CreateGrantPermission", + "Effect": "Allow", + "Action": "kms:CreateGrant", + "Resource": "arn:aws:kms:*:*:key/*", + "Condition": { + "Null": { + "aws:ResourceTag/GuardDutyExcluded": "true" + }, + "StringLike": { + "kms:EncryptionContext:aws:ebs:id": "snap-*" + }, + "ForAllValues:StringEquals": { + "kms:GrantOperations": [ + "Decrypt", + "CreateGrant", + "GenerateDataKeyWithoutPlaintext", + "ReEncryptFrom", + "ReEncryptTo", + "RetireGrant", + "DescribeKey" + ] + }, + "Bool": { + "kms:GrantIsForAWSResource": "true" + } + } + }, + { + "Sid": "ShareSnapshotKMSPermission", + "Effect": "Allow", + "Action": [ + "kms:ReEncryptTo", + "kms:ReEncryptFrom" + ], + "Resource": "arn:aws:kms:*:*:key/*", + "Condition": { + "StringLike": { + "kms:ViaService": "ec2.*.amazonaws.com" + }, + "Null": { + "aws:ResourceTag/GuardDutyExcluded": "true" + } + } + }, + { + "Sid": "DescribeKeyPermission", + "Effect": "Allow", + "Action": "kms:DescribeKey", + "Resource": "arn:aws:kms:*:*:key/*" + }, + { + "Sid": "GuardDutyLogGroupPermission", + "Effect": "Allow", + "Action": [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:PutRetentionPolicy" + ], + "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*" + }, + { + "Sid": "GuardDutyLogStreamPermission", + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*" + } + ] + } + + @@ -238,0 +425,6 @@ The following trust policy is attached to the `AWSServiceRoleForAmazonGuardDutyM +JSON + + +**** + + @@ -246 +438 @@ The following trust policy is attached to the `AWSServiceRoleForAmazonGuardDutyM