Service-linked role permissions for Malware Protection for EC2
Malware Protection for EC2 uses the service-linked role (SLR) named AWSServiceRoleForAmazonGuardDutyMalwareProtection. This SLR
allows Malware Protection for EC2 to perform agentless scans to detect malware in your GuardDuty account. It
allows GuardDuty to create an EBS volume snapshot in your account, and share that snapshot
with the GuardDuty service account. After GuardDuty evaluates the snapshot, it includes the
retrieved EC2 instance and container workload metadata in the Malware Protection for EC2 findings. The
AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role trusts the
malware-protection.guardduty.amazonaws.com service to assume the role.
The permission policies for this role helps Malware Protection for EC2 to perform the following tasks:
-
Use Amazon Elastic Compute Cloud (Amazon EC2) actions to retrieve information about your Amazon EC2 instances, volumes, and snapshots. Malware Protection for EC2 also provides permission to access the Amazon EKS and Amazon ECS cluster metadata.
-
Create snapshots for EBS volumes that have
GuardDutyExcludedtag not set totrue. By default, the snapshots get created with aGuardDutyScanIdtag. Don't remove this tag, otherwise Malware Protection for EC2 will not have access to the snapshots.Important
When you set the
GuardDutyExcludedtotrue, the GuardDuty service won't be able to access these snapshots in the future. This is because the other statements in this service-linked role prevent GuardDuty from performing any action on the snapshots that have theGuardDutyExcludedset totrue. -
Allow sharing and deleting snapshots only if the
GuardDutyScanIdtag exists andGuardDutyExcludedtag is not set totrue.Note
Doesn't allow Malware Protection for EC2 to make the snapshots public.
-
Access customer managed keys, except those that have a
GuardDutyExcludedtag set totrue, to callCreateGrantto create and access an encrypted EBS volume from the encrypted snapshot that gets shared with the GuardDuty service account. For a list of GuardDuty service accounts for each Region, see GuardDuty service accounts by AWS Region. -
Access customers' CloudWatch logs to create the Malware Protection for EC2 log group as well as put the malware scan events logs under the
/aws/guardduty/malware-scan-eventslog group. -
Allow the customer to decide if they want to keep the snapshots on which malware was detected, in their account. If the scan detects malware, the service-linked role allows GuardDuty to add two tags to snapshots -
GuardDutyFindingDetectedandGuardDutyExcluded.Note
The
GuardDutyFindingDetectedtag specifies that the snapshots contains malware. -
Determine if a volume is encrypted with an EBS managed key. GuardDuty performs the
DescribeKeyaction to determine thekey Idof the EBS-managed key in your account. -
Fetch the snapshot of the EBS volumes encrypted using AWS managed key, from your AWS account and copy it to the GuardDuty service account. For this purpose, we use the permissions
GetSnapshotBlockandListSnapshotBlocks. GuardDuty will then scan the snapshot in the service account. Presently, the Malware Protection for EC2 support for scanning EBS volumes encrypted with AWS managed key might not be available in all the AWS Regions. For more information, see Region-specific feature availability. -
Allow Amazon EC2 to call AWS KMS on behalf of Malware Protection for EC2 to perform several cryptographic actions on customer managed keys. Actions such as
kms:ReEncryptToandkms:ReEncryptFromare required to share the snapshots that are encrypted with the customer managed keys. Only those keys are accessible for which theGuardDutyExcludedtag is not set totrue.
The role is configured with the following AWS managed policy, named
AmazonGuardDutyMalwareProtectionServiceRolePolicy.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "DescribeAndListPermissions", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTasks", "ecs:DescribeTasks", "eks:DescribeCluster" ], "Resource": "*" }, { "Sid": "CreateSnapshotVolumeConditionalStatement", "Effect": "Allow", "Action": "ec2:CreateSnapshot", "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Sid": "CreateSnapshotConditionalStatement", "Effect": "Allow", "Action": "ec2:CreateSnapshot", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyScanId" } } }, { "Sid": "CreateTagsPermission", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:*/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateSnapshot" } } }, { "Sid": "AddTagsToSnapshotPermission", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/GuardDutyScanId": "*" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "GuardDutyExcluded", "GuardDutyFindingDetected" ] } } }, { "Sid": "DeleteAndShareSnapshotPermission", "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/GuardDutyScanId": "*" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Sid": "PreventPublicAccessToSnapshotPermission", "Effect": "Deny", "Action": [ "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringEquals": { "ec2:Add/group": "all" } } }, { "Sid": "CreateGrantPermission", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" }, "StringLike": { "kms:EncryptionContext:aws:ebs:id": "snap-*" }, "ForAllValues:StringEquals": { "kms:GrantOperations": [ "Decrypt", "CreateGrant", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey" ] }, "Bool": { "kms:GrantIsForAWSResource": "true" } } }, { "Sid": "ShareSnapshotKMSPermission", "Effect": "Allow", "Action": [ "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Sid": "DescribeKeyPermission", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Sid": "GuardDutyLogGroupPermission", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:PutRetentionPolicy" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*" }, { "Sid": "GuardDutyLogStreamPermission", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*" }, { "Sid": "EBSDirectAPIPermissions", "Effect": "Allow", "Action": [ "ebs:GetSnapshotBlock", "ebs:ListSnapshotBlocks" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "aws:ResourceTag/GuardDutyScanId": "*" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } } ] }
The following trust policy is attached to the AWSServiceRoleForAmazonGuardDutyMalwareProtection
service-linked role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "malware-protection.guardduty.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
Creating a service-linked role for Malware Protection for EC2
The AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role is automatically created when
you enable Malware Protection for EC2 for the first time or enable Malware Protection for EC2 in a supported Region
where you previously didn't have it enabled. You can also create the
AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role manually using the IAM console,
the IAM CLI, or the IAM API.
Note
By default, if you are new to Amazon GuardDuty, Malware Protection for EC2 is automatically enabled.
Important
The service-linked role that is created for the delegated GuardDuty administrator account doesn't apply to the member GuardDuty accounts.
You must configure permissions to allow an IAM principal (such as a user, group,
or role) to create, edit, or delete a service-linked role. For the
AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role to be successfully created, the
IAM identity that you use GuardDuty with must have the required permissions. To grant
the required permissions, attach the following policy to this user, group, or role:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "guardduty:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": [ "malware-protection.guardduty.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator", "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribeOrganization" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*AWSServiceRoleForAmazonGuardDutyMalwareProtection" } ] }
For more information about creating the role manually, see Creating a service-linked role in the IAM User Guide.
Editing a service-linked role for Malware Protection for EC2
Malware Protection for EC2 doesn't allow you to edit the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked
role. After you create a service-linked role, you can't change the name of the role
because various entities might reference the role. However, you can edit the
description of the role using IAM. For more information, see Editing a service-linked role in the
IAM User Guide.
Deleting a service-linked role for Malware Protection for EC2
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that isn't actively monitored or maintained.
Important
In order to delete the AWSServiceRoleForAmazonGuardDutyMalwareProtection, you must first disable
Malware Protection for EC2 in all of the Regions where it is enabled.
If Malware Protection for EC2 isn't disabled when you try to delete the service-linked role, the deletion will fail. Ensure that you first disable Malware Protection for EC2 in your account.
When you choose Disable to stop the Malware Protection for EC2 service, the
AWSServiceRoleForAmazonGuardDutyMalwareProtection is not automatically deleted. If you then choose
Enable to start the Malware Protection for EC2 service again, GuardDuty will
start using the existing AWSServiceRoleForAmazonGuardDutyMalwareProtection.
To manually delete the service-linked role using IAM
Use the IAM console, the AWS CLI, or the IAM API to delete the
AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role. For more information, see Deleting a service-linked role in the
IAM User Guide.
Supported AWS Regions
Amazon GuardDuty supports using the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role in all
the AWS Regions where Malware Protection for EC2 is available.
For a list of Regions where GuardDuty is currently available, see Amazon GuardDuty endpoints and quotas in the Amazon Web Services General Reference.
Note
Malware Protection for EC2 is currently unavailable in AWS GovCloud (US-East) and AWS GovCloud (US-West).
