Troubleshooting S3 object post-scan tag failures in Malware Protection for S3
This section applies to you only if you enable tagging for scanned objects in your protected bucket.
When GuardDuty attempts to add a tag to a scanned S3 object, the tagging action may fail. The post-scan tag failure reasons reported for your bucket are ACCESS_DENIED and MAX_TAG_LIMIT_EXCEEDED.
Use the following topics to understand the potential causes of each post-scan tag failure reason and to troubleshoot them.
- ACCESS_DENIED
  The following list provides potential causes of this failure:
  - The IAM role used for this protected S3 bucket is missing the AllowPostScanTag permission. Verify that the policy attached to the associated IAM role includes it. For more information, see Prerequisite - Create or update IAM role policy.
  - The protected S3 bucket policy doesn't allow GuardDuty to add tags to this object.
  - The scanned S3 object no longer exists.
- MAX_TAG_LIMIT_EXCEEDED
  By default, you can associate up to 10 tags with an S3 object. For more information, see Considerations for GuardDuty to add a tag to your S3 object under Enable tagging for scanned objects.
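The following Python is an added example, not code from the GuardDuty documentation or service: it models the causes listed above for one object as offline checks, testing whether the role policy grants s3:PutObjectTagging on the bucket's objects (a coarse check that ignores Deny statements and conditions) and whether adding GuardDuty's scan-status tag would push the object past the 10-tag limit. The tag key GuardDutyMalwareScanStatus is assumed from the tagging documentation; the sample policy and bucket name are constructed.

```python
from fnmatch import fnmatchcase

MAX_S3_OBJECT_TAGS = 10                      # default S3 per-object tag limit
SCAN_TAG_KEY = "GuardDutyMalwareScanStatus"  # tag key GuardDuty writes after a scan (assumed)

# Constructed sample IAM role policy; the Sid matches the AllowPostScanTag statement
# named on this page. The bucket name is a placeholder.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPostScanTag", "Effect": "Allow",
        "Action": ["s3:PutObjectTagging", "s3:GetObjectTagging"],
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows_tagging(policy, bucket):
    """True if some Allow statement grants s3:PutObjectTagging on objects in bucket.
    Deny statements and Condition blocks are not evaluated; this is a first-pass check."""
    object_arn = f"arn:aws:s3:::{bucket}/any-key"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # IAM actions are case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatchcase("s3:putobjecttagging", a) for a in actions) and \
           any(fnmatchcase(object_arn, r) for r in resources):
            return True
    return False

def tag_limit_check(existing_tags, scan_tag_key=SCAN_TAG_KEY):
    """Return (ok, reason). Re-tagging an existing key replaces it, so only a
    key that is not yet present counts toward the 10-tag limit."""
    keys = {t["Key"] for t in existing_tags}
    new_count = len(keys) if scan_tag_key in keys else len(keys) + 1
    if new_count > MAX_S3_OBJECT_TAGS:
        return False, "MAX_TAG_LIMIT_EXCEEDED"
    return True, "ok"

def diagnose(object_exists, existing_tags, role_policy, bucket):
    """Map the causes above to a failure reason string, or None when tagging should succeed."""
    if not object_exists:
        return "ACCESS_DENIED: scanned object no longer exists"
    if not policy_allows_tagging(role_policy, bucket):
        return "ACCESS_DENIED: role policy lacks s3:PutObjectTagging on the bucket's objects"
    ok, reason = tag_limit_check(existing_tags)
    return None if ok else reason
```

Feed `diagnose` the object's current tag set (from GetObjectTagging) and the role's policy document to narrow down which of the listed causes applies before changing any policy.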