Monitoring S3 object scans with GuardDuty managed tags
Use the enable tagging option so that GuardDuty can add tags to your Amazon S3 object after completing the malware scan.
Considerations for enabling tagging
- There is an associated usage cost when GuardDuty tags your S3 objects. For more information, see Pricing and usage cost for Malware Protection for S3.
- You must keep the required tagging permissions in the IAM role associated with this bucket; otherwise, GuardDuty can't add tags to your scanned objects. The IAM role already includes the permissions to add tags to the scanned S3 objects. For more information, see Create or update IAM role policy.
- By default, you can associate up to 10 tags with an S3 object. For more information, see Using tag-based access control (TBAC).
After you enable tagging for an S3 bucket or specific prefixes, any newly uploaded object that gets scanned will have an associated tag in the following key-value pair format:
GuardDutyMalwareScanStatus:Scan-Result-Status
For information about potential tag values, see S3 object potential scan status and result status.
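The following helpers show how a consumer of scanned objects can interpret the GuardDutyMalwareScanStatus tag, check the 10-tag headroom that GuardDuty needs before it can add its tag, and build a TBAC bucket-policy statement that withholds reads until an object is tagged clean. This is an added example, not code from the GuardDuty documentation; it assumes the tag set shape returned by the S3 GetObjectTagging API, and the result-status strings (NO_THREATS_FOUND, THREATS_FOUND, UNSUPPORTED, ACCESS_DENIED, FAILED) are taken from the referenced scan-status page rather than this one.

```python
"""Helpers for consuming the GuardDutyMalwareScanStatus tag on S3 objects."""

TAG_KEY = "GuardDutyMalwareScanStatus"
# Result statuses assumed from the GuardDuty scan-status reference (not listed on this page).
CLEAN = "NO_THREATS_FOUND"
THREAT = "THREATS_FOUND"
MAX_OBJECT_TAGS = 10  # default per-object tag limit; GuardDuty needs one free slot


def tag_set_to_dict(tag_set):
    """Convert the TagSet list from get_object_tagging() into a {Key: Value} dict."""
    return {t["Key"]: t["Value"] for t in tag_set}


def scan_verdict(tag_set):
    """Return 'clean', 'threat', 'unscanned' or 'review' for an object's tag set.

    'unscanned' means the tag is absent (not yet scanned, tagging disabled, or no
    tag headroom); 'review' covers UNSUPPORTED, ACCESS_DENIED, FAILED and any
    unexpected value. Only 'clean' should release the object downstream.
    """
    status = tag_set_to_dict(tag_set).get(TAG_KEY)
    if status is None:
        return "unscanned"
    if status == CLEAN:
        return "clean"
    if status == THREAT:
        return "threat"
    return "review"


def has_tag_headroom(tag_set):
    """True if GuardDuty can still add its tag under the 10-tag object limit."""
    tags = tag_set_to_dict(tag_set)
    return TAG_KEY in tags or len(tags) < MAX_OBJECT_TAGS


def deny_until_clean_statement(bucket, principal_arn):
    """Bucket-policy statement (TBAC) denying GetObject to a consumer principal
    unless the object carries the clean-scan tag. StringNotEquals also matches
    when the tag is absent, so untagged objects are denied too."""
    return {
        "Sid": "DenyReadUntilScannedClean",
        "Effect": "Deny",
        "Principal": {"AWS": principal_arn},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {f"s3:ExistingObjectTag/{TAG_KEY}": CLEAN}},
    }
```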