AWS guardduty medium security documentation change
Summary
Added detailed IAM policy JSON structures for GuardDuty service-linked role, including malware protection permissions and corrected trust policy syntax
Security assessment
The changes explicitly define IAM policies required for malware protection features, including security-critical permissions like s3:GetEncryptionConfiguration and iam:CreateServiceLinkedRole with service-specific conditions. The documentation now properly restricts CreateServiceLinkedRole to only allow creation for malware-protection.guardduty.amazonaws.com service, which is a security hardening measure. However, the diff also contains potentially dangerous placeholder values (empty Service fields and incomplete ARNs) that could lead to misconfigurations if not properly replaced.
Diff
diff --git a/guardduty/latest/ug/slr-permissions.md b/guardduty/latest/ug/slr-permissions.md index 34c2c6f1d..cb6d5183b 100644 --- a//guardduty/latest/ug/slr-permissions.md +++ b//guardduty/latest/ug/slr-permissions.md @@ -33,0 +34,6 @@ The role is configured with the following [AWS managed policy](https://docs.aws. +JSON + + +**** + + @@ -294,0 +301,147 @@ The role is configured with the following [AWS managed policy](https://docs.aws. + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstances", + "ec2:DescribeImages", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeSubnets", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeTransitGatewayAttachments", + "organizations:ListAccounts", + "organizations:DescribeAccount", + "s3:GetBucketPublicAccessBlock", + "s3:GetEncryptionConfiguration", + "s3:GetBucketTagging", + "s3:GetAccountPublicAccessBlock", + "s3:ListAllMyBuckets", + "s3:GetBucketAcl", + "s3:GetBucketPolicy", + "s3:GetBucketPolicyStatus", + "lambda:GetFunctionConfiguration", + "lambda:ListTags" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" + } + } + } + ] + } + + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstances", + "ec2:DescribeImages", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeSubnets", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeTransitGatewayAttachments", + "organizations:ListAccounts", + "organizations:DescribeAccount", + "s3:GetBucketPublicAccessBlock", + "s3:GetEncryptionConfiguration", + "s3:GetBucketTagging", + "s3:GetAccountPublicAccessBlock", + "s3:ListAllMyBuckets", + "s3:GetBucketAcl", + "s3:GetBucketPolicy", + "s3:GetBucketPolicyStatus", + "lambda:GetFunctionConfiguration", + "lambda:ListTags" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" + } + } + } + ] + } + + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "GuardDutyGetDescribeListPolicy", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstances", + "ec2:DescribeImages", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeSubnets", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeTransitGatewayAttachments", + "organizations:ListAccounts", + "organizations:DescribeAccount", + "s3:GetBucketPublicAccessBlock", + "s3:GetEncryptionConfiguration", + "s3:GetBucketTagging", + "s3:GetAccountPublicAccessBlock", + "s3:ListAllMyBuckets", + "s3:GetBucketAcl", + "s3:GetBucketPolicy", + "s3:GetBucketPolicyStatus", + "lambda:GetFunctionConfiguration", + "lambda:ListTags" + ], + "Resource": "*" + }, + { + "Sid": "GuardDutyCreateSLRPolicy", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" + } + } + } + ] + } + + @@ -296,0 +450,6 @@ The following is the trust policy that is attached to the `AWSServiceRoleForAmaz +JSON + + +**** + + @@ -304 +463 @@ The following is the trust policy that is attached to the `AWSServiceRoleForAmaz - "Service": "guardduty.amazonaws.com" + "Service": "" @@ -326,0 +487,6 @@ Replace the sample `account ID` in the following example with your actual AWS ac +JSON + + +**** + + @@ -343 +509 @@ Replace the sample `account ID` in the following example with your actual AWS ac - "Resource": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty", + "Resource": "arn:aws:iam::123456789012:role/aws-service-role//", @@ -346 +512 @@ Replace the sample `account ID` in the following example with your actual AWS ac - "iam:AWSServiceName": "guardduty.amazonaws.com" + "iam:AWSServiceName": "" @@ -356 +522 @@ Replace the sample `account ID` in the following example with your actual AWS ac - "Resource": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty" + "Resource": "arn:aws:iam::123456789012:role/aws-service-role//"