Service-linked role permissions for Malware Protection - Amazon GuardDuty

Service-linked role permissions for Malware Protection

Malware Protection uses the service-linked role (SLR) named AWSServiceRoleForAmazonGuardDutyMalwareProtection. This SLR allows Malware Protection to perform agentless scans to detect malware in your GuardDuty account. It allows GuardDuty to create an EBS volume snapshot in your account, and share that snapshot with the GuardDuty service account. After GuardDuty evaluates the snapshot, it includes the retrieved EC2 instance and container workload metadata in the Malware Protection findings. The AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role trusts the malware-protection.guardduty.amazonaws.com service to assume the role.

The permission policies for this role helps Malware Protection to perform the following tasks:

  • Use Amazon Elastic Compute Cloud (Amazon EC2) actions to retrieve information about your Amazon EC2 instances, volumes, and snapshots. Malware Protection also provides permission to access the Amazon EKS and Amazon ECS cluster metadata.

  • Create snapshots for EBS volumes that have GuardDutyExcluded tag not set to true. By default, the snapshots get created with a GuardDutyScanId tag. Don't remove this tag, otherwise Malware Protection will not have access to the snapshots.

    Important

    When you set the GuardDutyExcluded to true, the GuardDuty service won't be able to access these snapshots in the future. This is because the other statements in this service-linked role prevent GuardDuty from performing any action on the snapshots that have the GuardDutyExcluded set to true.

  • Allow sharing and deleting snapshots only if the GuardDutyScanId tag exists and GuardDutyExcluded tag is not set to true.

    Note

    Doesn't allow Malware Protection to make the snapshots public.

  • Access customer managed keys, except those that have a GuardDutyExcluded tag set to true, to call CreateGrant to create and access an encrypted EBS volume from the encrypted snapshot that gets shared with the GuardDuty service account. For a list of GuardDuty service accounts for each Region, see GuardDuty service accounts by AWS Region.

  • Access customers' CloudWatch logs to create the Malware Protection log group as well as put the malware scan events logs under the /aws/guardduty/malware-scan-events log group.

  • Allow the customer to decide if they want to keep the snapshots on which malware was detected, in their account. If the scan detects malware, the service-linked role allows GuardDuty to add two tags to snapshots - GuardDutyFindingDetected and GuardDutyExcluded.

    Note

    The GuardDutyFindingDetected tag specifies that the snapshots contains malware.

  • Determine if a volume is encrypted with an EBS managed key. GuardDuty performs the DescribeKey action to determine the key Id of the EBS-managed key in your account.

  • Fetch the snapshot of the EBS volumes encrypted using AWS managed key, from your AWS account and copy it to the GuardDuty service account. For this purpose, we use the permissions GetSnapshotBlock and ListSnapshotBlocks. GuardDuty will then scan the snapshot in the service account. Presently, the Malware Protection support for scanning EBS volumes encrypted with AWS managed key might not be available in all the AWS Regions. For more information, see Region-specific feature availability.

  • Allow Amazon EC2 to call AWS KMS on behalf of Malware Protection to perform several cryptographic actions on customer managed keys. Actions such as kms:ReEncryptTo and kms:ReEncryptFrom are required to share the snapshots that are encrypted with the customer managed keys. Only those keys are accessible for which the GuardDutyExcluded tag is not set to true.

The role is configured with the following AWS managed policy, named AmazonGuardDutyMalwareProtectionServiceRolePolicy.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "DescribeAndListPermissions", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTasks", "ecs:DescribeTasks", "eks:DescribeCluster" ], "Resource": "*" }, { "Sid": "CreateSnapshotVolumeConditionalStatement", "Effect": "Allow", "Action": "ec2:CreateSnapshot", "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Sid": "CreateSnapshotConditionalStatement", "Effect": "Allow", "Action": "ec2:CreateSnapshot", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyScanId" } } }, { "Sid": "CreateTagsPermission", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:*/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateSnapshot" } } }, { "Sid": "AddTagsToSnapshotPermission", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/GuardDutyScanId": "*" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "GuardDutyExcluded", "GuardDutyFindingDetected" ] } } }, { "Sid": "DeleteAndShareSnapshotPermission", "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/GuardDutyScanId": "*" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Sid": "PreventPublicAccessToSnapshotPermission", "Effect": "Deny", "Action": [ "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringEquals": { "ec2:Add/group": "all" } } }, { "Sid": "CreateGrantPermission", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" }, "StringLike": { "kms:EncryptionContext:aws:ebs:id": "snap-*" }, "ForAllValues:StringEquals": { "kms:GrantOperations": [ "Decrypt", "CreateGrant", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey" ] }, "Bool": { "kms:GrantIsForAWSResource": "true" } } }, { "Sid": "ShareSnapshotKMSPermission", "Effect": "Allow", "Action": [ "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } }, { "Sid": "DescribeKeyPermission", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Sid": "GuardDutyLogGroupPermission", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:PutRetentionPolicy" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*" }, { "Sid": "GuardDutyLogStreamPermission", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*" }, { "Sid": "EBSDirectAPIPermissions", "Effect": "Allow", "Action": [ "ebs:GetSnapshotBlock", "ebs:ListSnapshotBlocks" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "aws:ResourceTag/GuardDutyScanId": "*" }, "Null": { "aws:ResourceTag/GuardDutyExcluded": "true" } } } ] }

The following trust policy is attached to the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "malware-protection.guardduty.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Creating a service-linked role for Malware Protection

The AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role is automatically created when you enable Malware Protection for the first time or enable Malware Protection in a supported Region where you previously didn't have it enabled. You can also create the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role manually using the IAM console, the IAM CLI, or the IAM API.

Note

By default, if you are new to Amazon GuardDuty, Malware Protection is automatically enabled.

Important

The service-linked role that is created for the delegated GuardDuty administrator account doesn't apply to the member GuardDuty accounts.

You must configure permissions to allow an IAM principal (such as a user, group, or role) to create, edit, or delete a service-linked role. For the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role to be successfully created, the IAM identity that you use GuardDuty with must have the required permissions. To grant the required permissions, attach the following policy to this user, group, or role:

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "guardduty:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": [ "malware-protection.guardduty.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator", "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribeOrganization" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*AWSServiceRoleForAmazonGuardDutyMalwareProtection" } ] }

For more information about creating the role manually, see Creating a service-linked role in the IAM User Guide.

Editing a service-linked role for Malware Protection

Malware Protection doesn't allow you to edit the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for Malware Protection

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that isn't actively monitored or maintained.

Important

In order to delete the AWSServiceRoleForAmazonGuardDutyMalwareProtection, you must first disable Malware Protection in all of the Regions where it is enabled.

If Malware Protection isn't disabled when you try to delete the service-linked role, the deletion will fail. For more information, see To enable or disable GuardDuty-initiated malware scan.

When you choose Disable to stop the Malware Protection service, the AWSServiceRoleForAmazonGuardDutyMalwareProtection is not automatically deleted. If you then choose Enable to start the Malware Protection service again, GuardDuty will start using the existing AWSServiceRoleForAmazonGuardDutyMalwareProtection.

To manually delete the service-linked role using IAM

Use the IAM console, the AWS CLI, or the IAM API to delete the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported AWS Regions

Amazon GuardDuty supports using the AWSServiceRoleForAmazonGuardDutyMalwareProtection service-linked role in all the AWS Regions where Malware Protection is available.

For a list of Regions where GuardDuty is currently available, see Amazon GuardDuty endpoints and quotas in the Amazon Web Services General Reference.

Note

Malware Protection is currently unavailable in AWS GovCloud (US-East) and AWS GovCloud (US-West).