Using tag-based access control (TBAC) with Malware Protection for S3 - Amazon GuardDuty


When enabling Malware Protection for S3 for your bucket, you can optionally enable tagging. After attempting to scan a newly uploaded S3 object in the selected bucket, GuardDuty adds a tag to that object recording the malware scan status. Tagging has its own usage cost on top of scanning. For more information, see Pricing for Malware Protection for S3.

GuardDuty uses a predefined tag whose key is GuardDutyMalwareScanStatus and whose value is one of the malware scan statuses. For the possible values, see S3 object potential scan result value.

Considerations for GuardDuty to add a tag to your S3 object:

  • By default, you can associate up to 10 tags with an object. For more information, see Categorizing your storage using tags in the Amazon S3 User Guide.

    If all 10 tags are already in use, GuardDuty can't add the predefined tag to the scanned object. The scan result is still published to your default EventBridge event bus, so you can consume it from there. For more information, see Using Amazon EventBridge.

  • When the selected IAM role doesn't include the permission for GuardDuty to tag S3 objects, GuardDuty is unable to add the tag to the scanned object even though tagging is enabled for your protected bucket. For the required IAM role permission for tagging, see Prerequisite - Create or update IAM PassRole policy.

    In this case, too, the scan result is still published to your default EventBridge event bus. For more information, see Using Amazon EventBridge.

Adding TBAC on S3 bucket resource

You can use S3 bucket resource policies to manage tag-based access control (TBAC) for your S3 objects, for example to grant read access on an object only to specific principals and only once the object carries a clean scan status. If your account belongs to an organization created with AWS Organizations, you should also enforce at the organization level that no one other than GuardDuty can modify the tags it adds. For more information, see Preventing tags from being modified except by authorized principals in the AWS Organizations User Guide. The example in that topic is written for EC2 tagging actions; when you adapt it, replace the ec2 actions with the corresponding S3 object tagging actions (such as s3:PutObjectTagging).

The following list explains what you can do by using TBAC:

  • Deny s3:GetObject and s3:GetObjectVersion on every object whose GuardDutyMalwareScanStatus tag is not exactly NO_THREATS_FOUND, for all principals except the account root and the IAM role used by Malware Protection for S3. Because the deny is keyed on that single value, it also blocks reads of untagged objects (objects uploaded before you enabled the feature, and objects GuardDuty could not tag because the 10-tag limit was reached or the role lacked tagging permission) and of objects tagged with any other scan status, such as THREATS_FOUND. An explicit deny in the bucket policy overrides any allow in an IAM identity policy, so this holds even for administrators in the account.

  • Deny s3:PutObjectTagging for all principals except the account root and that IAM role, so that only GuardDuty can set the GuardDutyMalwareScanStatus tag to the scan result. Every principal you list in the NotPrincipal element is exempt from both denies and can therefore overwrite the tag; keep that list limited to the Malware Protection role.

Example S3 bucket resource policy:

Replace 555555555555 with your AWS account ID, DOC-EXAMPLE-BUCKET with your bucket name, and IAM-role-name with the name of the IAM role that you passed to Malware Protection for S3 when you enabled it for this bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NoReadExceptForClean",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::555555555555:root",
                    "arn:aws:iam::555555555555:role/IAM-role-name",
                    "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND"
                }
            }
        },
        {
            "Sid": "OnlyGuardDutyCanTag",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::555555555555:root",
                    "arn:aws:iam::555555555555:role/IAM-role-name",
                    "arn:aws:iam::555555555555:assumed-role/IAM-role-name/GuardDutyMalwareProtection"
                ]
            },
            "Action": "s3:PutObjectTagging",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}
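To see how the two Deny statements interact for concrete principals and tag values before you attach the policy, here is an added example in Python. It is not part of the GuardDuty documentation or of any AWS library: it builds the policy above from an account ID, bucket name and role name, and simulates only the policy features those statements use (Effect=Deny with NotPrincipal, an Action string or list, and a StringNotEquals condition on an s3:ExistingObjectTag/... key). It does not model Allow statements, ARN wildcards, or the rest of IAM evaluation. The role name MalwareProtectionRole, the Analyst role ARN and the sample requests are constructed for illustration; the session name GuardDutyMalwareProtection is taken from the assumed-role ARN in the policy.

```python
"""Simulate the explicit-Deny statements of the GuardDuty TBAC bucket policy.

Added example, not GuardDuty's own code. Only the policy features those two
statements use are modelled: Effect=Deny, NotPrincipal (AWS ARNs), Action as a
string or list, and a StringNotEquals condition on s3:ExistingObjectTag/<key>.
Allow statements, ARN wildcards and the rest of IAM evaluation are out of scope.
"""

SCAN_TAG = "GuardDutyMalwareScanStatus"
# Role session name GuardDuty uses, taken from the assumed-role ARN in the policy above.
SESSION_NAME = "GuardDutyMalwareProtection"


def build_tbac_policy(account_id: str, bucket: str, role_name: str) -> dict:
    """Return the bucket policy shown above, parameterised on account, bucket and role."""
    exempt = [
        f"arn:aws:iam::{account_id}:root",
        f"arn:aws:iam::{account_id}:role/{role_name}",
        f"arn:aws:iam::{account_id}:assumed-role/{role_name}/{SESSION_NAME}",
    ]
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NoReadExceptForClean",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": exempt},
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": resources,
                "Condition": {
                    "StringNotEquals": {f"s3:ExistingObjectTag/{SCAN_TAG}": "NO_THREATS_FOUND"}
                },
            },
            {
                "Sid": "OnlyGuardDutyCanTag",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": exempt},
                "Action": "s3:PutObjectTagging",
                "Resource": resources,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_not_equals_matches(condition: dict, object_tags: dict) -> bool:
    """Evaluate a StringNotEquals block over s3:ExistingObjectTag/* context keys.

    In IAM a negated operator whose context key is absent from the request
    evaluates to true, so an object with no scan tag at all satisfies the
    condition and the Deny applies to it. An empty Condition always matches.
    """
    prefix = "s3:ExistingObjectTag/"
    for key, expected in condition.get("StringNotEquals", {}).items():
        if not key.startswith(prefix):
            raise ValueError(f"unsupported condition key: {key}")
        actual = object_tags.get(key[len(prefix):])  # None when the tag is missing
        if actual == expected:
            return False  # tag present and equal: the negated test fails
    return True


def matching_deny_sids(policy: dict, principal_arn: str, action: str, object_tags: dict) -> list:
    """Return the Sids of every Deny statement that applies to this request."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if principal_arn in _as_list(stmt["NotPrincipal"]["AWS"]):
            continue  # principal is exempt from this NotPrincipal deny
        if action not in _as_list(stmt["Action"]):
            continue
        if _string_not_equals_matches(stmt.get("Condition", {}), object_tags):
            hits.append(stmt["Sid"])
    return hits


def is_denied(policy: dict, principal_arn: str, action: str, object_tags: dict) -> bool:
    """True if at least one explicit Deny applies; explicit denies override any allow."""
    return bool(matching_deny_sids(policy, principal_arn, action, object_tags))


if __name__ == "__main__":
    policy = build_tbac_policy("555555555555", "DOC-EXAMPLE-BUCKET", "MalwareProtectionRole")
    analyst = "arn:aws:iam::555555555555:role/Analyst"  # assumed: any non-exempt principal
    scanner = f"arn:aws:iam::555555555555:assumed-role/MalwareProtectionRole/{SESSION_NAME}"
    scenarios = [  # constructed sample requests
        (analyst, "s3:GetObject", {SCAN_TAG: "NO_THREATS_FOUND"}),
        (analyst, "s3:GetObject", {SCAN_TAG: "THREATS_FOUND"}),
        (analyst, "s3:GetObject", {}),  # untagged: pre-existing object or tagging failed
        (analyst, "s3:PutObjectTagging", {SCAN_TAG: "THREATS_FOUND"}),
        (scanner, "s3:GetObject", {}),
        (scanner, "s3:PutObjectTagging", {}),
    ]
    for principal, action, tags in scenarios:
        who = principal.split("/")[-1]
        tag_str = str(tags) if tags else "(untagged)"
        verdict = ", ".join(matching_deny_sids(policy, principal, action, tags)) or "no explicit deny"
        print(f"{who:<28} {action:<22} {tag_str:<45} {verdict}")
```

Running the block prints one line per scenario: the Analyst role is denied on the untagged and THREATS_FOUND objects and on any tagging call, while the GuardDuty session is exempt from both statements. Use the same functions to check that a principal you intend to add to the NotPrincipal list really needs to be exempt from both denies, since the list is shared by the two statements.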

For more information about tagging your S3 resources, see Tagging and access control policies.