Prerequisite - Create or update IAM PassRole policy - Amazon GuardDuty

Prerequisite - Create or update IAM PassRole policy

For Malware Protection for S3 to scan and (optionally) add tags to your S3 objects, you must create and attach an IAM role that includes the following required permissions to:

  • Allow Amazon EventBridge actions to create and manage the EventBridge managed rule so that Malware Protection for S3 can listen to your S3 object notifications.

    For more information, see Amazon EventBridge managed rules in the Amazon EventBridge User Guide.

  • Allow Amazon S3 and EventBridge actions to send notiļ¬cation to EventBridge for all events in this bucket

    For more information, see Enabling Amazon EventBridge in the Amazon S3 User Guide.

  • Allow Amazon S3 actions to access the uploaded S3 object and add a predefined tag, GuardDutyMalwareScanStatus, to the scanned S3 object. When using an object prefix, add an s3:prefix condition on the targeted prefixes only. This prevents GuardDuty from accessing all the S3 objects in your bucket.

  • Allow KMS key actions to access the object before scanning and putting a test object on buckets with the supported DSSE-KMS and SSE-KMS encryption.


This step is required each time you enable Malware Protection for S3 for a bucket in your account. If you already have an existing IAM PassRole, you can update its policy to include the details of another S3 bucket resource. The Adding IAM policy permissions topic provides an example on how to do this.

Use the following policies to create or update an IAM PassRole.

Adding IAM policy permissions

You can choose to update the inline policy of an existing IAM PassRole, or create a new IAM PassRole. For information about the steps, see Creating an IAM role or Modifying a role permissions policy in the IAM User Guide.

Add the following permissions template to your preferred IAM role. Replace the following placeholder values with appropriate values associated with your account:

  • For DOC-EXAMPLE-BUCKET, replace with your Amazon S3 bucket name.

    To use the same IAM PassRole for more than one S3 bucket resource, update an existing policy as displayed in the following example:

    ... ... "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*" ], ... ...

    Make sure to add a comma (,) before adding a new ARN associated with the S3 bucket. Do this wherever you refer to an S3 bucket Resource in the policy template.

  • For 111122223333, replace with your AWS account ID.

  • For us-east-1, replace with your AWS Region.

  • For APKAEIBAERJR2EXAMPLE, replace with your customer managed key ID. If your bucket is encrypted by using an AWS KMS key, replace the placeholder value with an *, as shown in the following example:

    "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"

IAM PassRole policy template

{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty", "Effect": "Allow", "Action": [ "events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": [ "arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*" ], "Condition": { "StringLike": { "events:ManagedBy": "" } } }, { "Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:ListTargetsByRule" ], "Resource": [ "arn:aws:events:us-east-1:111122223333:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*" ] }, { "Sid": "AllowPostScanTag", "Effect": "Allow", "Action": [ "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:PutObjectVersionTagging", "s3:GetObjectVersionTagging" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] }, { "Sid": "AllowEnableS3EventBridgeEvents", "Effect": "Allow", "Action": [ "s3:PutBucketNotification", "s3:GetBucketNotification" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET" ] }, { "Sid": "AllowPutValidationObject", "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/malware-protection-resource-validation-object" ] }, { "Sid": "AllowCheckBucketOwnership", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET" ] }, { "Sid": "AllowMalwareScan", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] }, { "Sid": "AllowDecryptForMalwareScan", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/APKAEIBAERJR2EXAMPLE", "Condition": { "StringLike": { "kms:ViaService": "" } } } ] }

Adding Trust relationship policy

Attach the following trust policy to your IAM role. For information about steps, see Modifying a role trust policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }