AWS Security ChangesHomeSearch

AWS guardduty medium security documentation change

Service: guardduty · 2025-08-13 · Security-related medium

File: guardduty/latest/ug/slr-permissions.md

Summary

Added detailed IAM policy JSON structures for GuardDuty service-linked role, including malware protection permissions and corrected trust policy syntax

Security assessment

The changes explicitly define IAM policies required for malware protection features, including security-critical permissions like s3:GetEncryptionConfiguration and iam:CreateServiceLinkedRole with service-specific conditions. The documentation now properly restricts CreateServiceLinkedRole to only allow creation for malware-protection.guardduty.amazonaws.com service, which is a security hardening measure. However, the diff also contains potentially dangerous placeholder values (empty Service fields and incomplete ARNs) that could lead to misconfigurations if not properly replaced.

Diff

diff --git a/guardduty/latest/ug/slr-permissions.md b/guardduty/latest/ug/slr-permissions.md
index 34c2c6f1d..cb6d5183b 100644
--- a//guardduty/latest/ug/slr-permissions.md
+++ b//guardduty/latest/ug/slr-permissions.md
@@ -33,0 +34,6 @@ The role is configured with the following [AWS managed policy](https://docs.aws.
+JSON
+    
+
+****
+    
+    
@@ -294,0 +301,147 @@ The role is configured with the following [AWS managed policy](https://docs.aws.
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DescribeInstances",
+                    "ec2:DescribeImages",
+                    "ec2:DescribeVpcEndpoints",
+                    "ec2:DescribeSubnets",
+                    "ec2:DescribeVpcPeeringConnections",
+                    "ec2:DescribeTransitGatewayAttachments",
+                    "organizations:ListAccounts",
+                    "organizations:DescribeAccount",
+                    "s3:GetBucketPublicAccessBlock",
+                    "s3:GetEncryptionConfiguration",
+                    "s3:GetBucketTagging",
+                    "s3:GetAccountPublicAccessBlock",
+                    "s3:ListAllMyBuckets",
+                    "s3:GetBucketAcl",
+                    "s3:GetBucketPolicy",
+                    "s3:GetBucketPolicyStatus",
+                    "lambda:GetFunctionConfiguration",
+                    "lambda:ListTags"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": "iam:CreateServiceLinkedRole",
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+    
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DescribeInstances",
+                    "ec2:DescribeImages",
+                    "ec2:DescribeVpcEndpoints",
+                    "ec2:DescribeSubnets",
+                    "ec2:DescribeVpcPeeringConnections",
+                    "ec2:DescribeTransitGatewayAttachments",
+                    "organizations:ListAccounts",
+                    "organizations:DescribeAccount",
+                    "s3:GetBucketPublicAccessBlock",
+                    "s3:GetEncryptionConfiguration",
+                    "s3:GetBucketTagging",
+                    "s3:GetAccountPublicAccessBlock",
+                    "s3:ListAllMyBuckets",
+                    "s3:GetBucketAcl",
+                    "s3:GetBucketPolicy",
+                    "s3:GetBucketPolicyStatus",
+                    "lambda:GetFunctionConfiguration",
+                    "lambda:ListTags"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": "iam:CreateServiceLinkedRole",
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+    
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "GuardDutyGetDescribeListPolicy",  
+          "Effect": "Allow",
+          "Action": [
+            "ec2:DescribeInstances",
+            "ec2:DescribeImages",
+            "ec2:DescribeVpcEndpoints",
+            "ec2:DescribeSubnets",
+            "ec2:DescribeVpcPeeringConnections",
+            "ec2:DescribeTransitGatewayAttachments",
+            "organizations:ListAccounts",
+            "organizations:DescribeAccount",
+            "s3:GetBucketPublicAccessBlock",
+            "s3:GetEncryptionConfiguration",
+            "s3:GetBucketTagging",
+            "s3:GetAccountPublicAccessBlock",
+            "s3:ListAllMyBuckets",
+            "s3:GetBucketAcl",
+            "s3:GetBucketPolicy",
+            "s3:GetBucketPolicyStatus",
+            "lambda:GetFunctionConfiguration",
+            "lambda:ListTags"
+          ],
+            "Resource": "*"
+        },
+        {
+          "Sid": "GuardDutyCreateSLRPolicy",
+          "Effect": "Allow",
+          "Action": "iam:CreateServiceLinkedRole",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com"
+            }
+          }
+        }
+      ]
+    }
+    
+
@@ -296,0 +450,6 @@ The following is the trust policy that is attached to the `AWSServiceRoleForAmaz
+JSON
+    
+
+****
+    
+    
@@ -304 +463 @@ The following is the trust policy that is attached to the `AWSServiceRoleForAmaz
-            "Service": "guardduty.amazonaws.com"
+            "Service": ""
@@ -326,0 +487,6 @@ Replace the sample `account ID` in the following example with your actual AWS ac
+JSON
+    
+
+****
+    
+    
@@ -343 +509 @@ Replace the sample `account ID` in the following example with your actual AWS ac
-                "Resource": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
+                "Resource": "arn:aws:iam::123456789012:role/aws-service-role//",
@@ -346 +512 @@ Replace the sample `account ID` in the following example with your actual AWS ac
-                        "iam:AWSServiceName": "guardduty.amazonaws.com"
+                        "iam:AWSServiceName": ""
@@ -356 +522 @@ Replace the sample `account ID` in the following example with your actual AWS ac
-                "Resource": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
+                "Resource": "arn:aws:iam::123456789012:role/aws-service-role//"