AWS Security ChangesHomeSearch

AWS guardduty medium security documentation change

Service: guardduty · 2025-08-28 · Security-related medium

File: guardduty/latest/ug/security-iam-awsmanpol.md

Summary

Updated AWS managed policy documentation to deprecate AmazonGuardDutyFullAccess in favor of AmazonGuardDutyFullAccess_v2, removed inline JSON policy examples, and added references to AWS Managed Policy Reference Guide

Security assessment

The change explicitly deprecates an older policy (AmazonGuardDutyFullAccess) and recommends using v2 which restricts administrative actions to GuardDuty service principals. This addresses potential over-permission issues by phasing out less secure policies.

Diff

diff --git a/guardduty/latest/ug/security-iam-awsmanpol.md b/guardduty/latest/ug/security-iam-awsmanpol.md
index 9941abfdb..989ea06df 100644
--- a//guardduty/latest/ug/security-iam-awsmanpol.md
+++ b//guardduty/latest/ug/security-iam-awsmanpol.md
@@ -5 +5 @@
-AmazonGuardDutyFullAccess_v2 (recommended)AmazonGuardDutyFullAccessAmazonGuardDutyReadOnlyAccessAmazonGuardDutyServiceRolePolicyPolicy updates
+AmazonGuardDutyFullAccess_v2 AmazonGuardDutyReadOnlyAccessAmazonGuardDutyServiceRolePolicyPolicy updates
@@ -17 +17 @@ The `Version` policy element specifies the language syntax rules that are to be
-## AWS managed policy: AmazonGuardDutyFullAccess_v2 (recommended)
+## AWS managed policy: AmazonGuardDutyFullAccess_v2
@@ -19 +19 @@ The `Version` policy element specifies the language syntax rules that are to be
-You can attach the AmazonGuardDutyFullAccess_v2 policy to your IAM identities. Between AmazonGuardDutyFullAccess_v2 and AmazonGuardDutyFullAccess, GuardDuty recommends attaching AmazonGuardDutyFullAccess_v2 because it offers enhanced security and restricts administrative actions to GuardDuty service principals. This policy will still allow a user full access to perform all GuardDuty actions and access required resources.
+You can attach the AmazonGuardDutyFullAccess_v2 policy to your IAM identities. This policy will allow a user full access to perform all GuardDuty actions and access required resources.
@@ -46,179 +46 @@ The AmazonGuardDutyFullAccess_v2 policy includes the following permissions:
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [{
-                "Sid": "GuardDutyFullAccess",
-                "Effect": "Allow",
-                "Action": "guardduty:*",
-                "Resource": "*"
-            },
-            {
-                "Sid": "CreateGuardDutyServiceLinkedRole",
-                "Effect": "Allow",
-                "Action": "iam:CreateServiceLinkedRole",
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "iam:AWSServiceName": [
-                            "guardduty.amazonaws.com",
-                            "malware-protection.guardduty.amazonaws.com"
-                        ]
-                    }
-                }
-            },
-            {
-                "Sid": "GuardDutyOrganizationsReadOnly",
-                "Effect": "Allow",
-                "Action": [
-                    "organizations:ListAWSServiceAccessForOrganization",
-                    "organizations:DescribeOrganizationalUnit",
-                    "organizations:DescribeAccount",
-                    "organizations:DescribeOrganization",
-                    "organizations:ListAccounts"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Sid": "GuardDutyOrganizationsAdminAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "organizations:EnableAWSServiceAccess",
-                    "organizations:DisableAWSServiceAccess",
-                    "organizations:RegisterDelegatedAdministrator",
-                    "organizations:DeregisterDelegatedAdministrator",
-                    "organizations:ListDelegatedAdministrators"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "organizations:ServicePrincipal": [
-                            "guardduty.amazonaws.com",
-                            "malware-protection.guardduty.amazonaws.com"
-                        ]
-                    }
-                }
-            },
-            {
-                "Sid": "GuardDutyIamRoleAccess",
-                "Effect": "Allow",
-                "Action": "iam:GetRole",
-                "Resource": "arn:aws:iam::*:role/*AWSServiceRoleForAmazonGuardDutyMalwareProtection"
-            },
-            {
-                "Sid": "PassRoleToMalwareProtectionPlan",
-                "Effect": "Allow",
-                "Action": "iam:PassRole",
-                "Resource": "arn:aws:iam::*:role/*",
-                "Condition": {
-                    "StringEquals": {
-                        "iam:PassedToService": "malware-protection-plan.guardduty.amazonaws.com"
-                    }
-                }
-            }
-        ]
-    }
-    
-
-## AWS managed policy: AmazonGuardDutyFullAccess
-
-You can attach the `AmazonGuardDutyFullAccess` policy to your IAM identities.
-
-###### Important
-
-For enhanced security and restrictive permissions to GuardDuty service principals, we recommend you to use AWS managed policy: AmazonGuardDutyFullAccess_v2 (recommended).
-
-This policy grants administrative permissions that allow a user full access to perform all GuardDuty actions and resources.
-
-### Permission details
-
-This policy includes the following permissions.
-
-  * `GuardDuty` – Allows users full access to all GuardDuty actions.
-
-  * `IAM`:
-
-    * Allows users to create the GuardDuty service-linked role.
-
-    * Allows an administrator account to enable GuardDuty for member accounts. 
-
-    * Allows users to pass a role to GuardDuty that uses this role to enable the GuardDuty Malware Protection for S3 feature. This is regardless of how you enable Malware Protection for S3 \- within the GuardDuty service or independently.
-
-  * `Organizations` – Allows users to designate a delegated administrator and manage members for a GuardDuty organization.
-
-
-
-
-The permission to perform an `iam:GetRole` action on `AWSServiceRoleForAmazonGuardDutyMalwareProtection` establishes if the service-linked role (SLR) for Malware Protection for EC2 exists in an account.
-
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [{
-                "Sid": "AmazonGuardDutyFullAccessSid1",
-                "Effect": "Allow",
-                "Action": "guardduty:*",
-                "Resource": "*"
-            },
-            {
-                "Sid": "CreateServiceLinkedRoleSid1",
-                "Effect": "Allow",
-                "Action": "iam:CreateServiceLinkedRole",
-                "Resource": "*",
-                "Condition": {
-                    "StringLike": {
-                        "iam:AWSServiceName": [
-                            "guardduty.amazonaws.com",
-                            "malware-protection.guardduty.amazonaws.com"
-                        ]
-                    }
-                }
-            },
-            {
-                "Sid": "ActionsForOrganizationsSid1",
-                "Effect": "Allow",
-                "Action": [
-                    "organizations:EnableAWSServiceAccess",
-                    "organizations:RegisterDelegatedAdministrator",
-                    "organizations:ListDelegatedAdministrators",
-                    "organizations:ListAWSServiceAccessForOrganization",
-                    "organizations:DescribeOrganizationalUnit",
-                    "organizations:DescribeAccount",
-                    "organizations:DescribeOrganization",
-                    "organizations:ListAccounts"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Sid": "IamGetRoleSid1",
-                "Effect": "Allow",
-                "Action": "iam:GetRole",
-                "Resource": "arn:aws:iam::*:role/*AWSServiceRoleForAmazonGuardDutyMalwareProtection"
-            },
-            {
-                "Sid": "AllowPassRoleToMalwareProtectionPlan",
-                "Effect": "Allow",
-                "Action": [
-                    "iam:PassRole"
-                ],
-                "Resource": "arn:aws:iam::*:role/*",
-                "Condition": {
-                    "StringEquals": {
-                        "iam:PassedToService": "malware-protection-plan.guardduty.amazonaws.com"
-                    }
-                }
-            }
-        ]
-    }
-    
+To review the permissions for this policy, see [AmazonGuardDutyFullAccess_v2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonGuardDutyFullAccess_v2.html) in the _AWS Managed Policy Reference Guide_.
@@ -243,34 +65 @@ This policy includes the following permissions.
-JSON
-    
-
-****
-