本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AmazonGuardDutyMalwareProtectionServiceRolePolicy
說明:GuardDuty 惡意程式碼防護會使用名為 AWSServiceRoleForAmazonGuardDutyMalwareProtection 的服務連結角色 (SLR)。此服務連結角色可讓 GuardDuty 惡意程式碼防護執行無代理程式掃描,以偵測惡意程式碼。它允許 GuardDuty 在您的帳戶中建立快照,並將快照與 GuardDuty 服務帳戶共用以掃描惡意程式碼。它會評估這些共用快照,並將擷取到的 EC2 執行個體中繼資料納入 GuardDuty 惡意程式碼防護的問題清單 (findings) 中。AWSServiceRoleForAmazonGuardDutyMalwareProtection 服務連結角色會信任 GuardDuty 惡意程式碼防護服務來擔任此角色。
AmazonGuardDutyMalwareProtectionServiceRolePolicy
是 AWS 受管政策。
使用此政策
此政策附加至服務連結角色,可讓該服務代表您執行動作。您無法將此政策連接至使用者、群組或角色。請注意,此政策以 aws:ResourceTag/GuardDutyExcluded 標籤作為排除機制 (帶有此標籤的磁碟區、快照與 KMS 金鑰不會被建立快照、共用或掃描),並以明確的 Deny 陳述式禁止將快照修改為對所有 AWS 帳戶公開 (ec2:Add/group 為 all)。
政策詳情
-
類型:服務連結角色政策
-
建立時間:2022 年 7 月 19 日 (世界標準時間)
-
編輯時間:2024 年 1 月 25 日 22:24 (世界標準時間)
-
ARN:
arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyMalwareProtectionServiceRolePolicy
政策版本
政策版本:v2 (預設版本)
政策的預設版本是定義政策權限的版本。當具有此政策的使用者或角色發出存取 AWS 資源的要求時,AWS 會檢查政策的預設版本,以決定是否允許該要求。
政策文件
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "DescribeAndListPermissions",
"Effect" : "Allow",
"Action" : [
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListTasks",
"ecs:DescribeTasks",
"eks:DescribeCluster"
],
"Resource" : "*"
},
{
"Sid" : "CreateSnapshotVolumeConditionalStatement",
"Effect" : "Allow",
"Action" : "ec2:CreateSnapshot",
"Resource" : "arn:aws:ec2:*:*:volume/*",
"Condition" : {
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
},
{
"Sid" : "CreateSnapshotConditionalStatement",
"Effect" : "Allow",
"Action" : "ec2:CreateSnapshot",
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:TagKeys" : "GuardDutyScanId"
}
}
},
{
"Sid" : "CreateTagsPermission",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : "arn:aws:ec2:*:*:*/*",
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : "CreateSnapshot"
}
}
},
{
"Sid" : "AddTagsToSnapshotPermission",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringLike" : {
"ec2:ResourceTag/GuardDutyScanId" : "*"
},
"ForAllValues:StringEquals" : {
"aws:TagKeys" : [
"GuardDutyExcluded",
"GuardDutyFindingDetected"
]
}
}
},
{
"Sid" : "DeleteAndShareSnapshotPermission",
"Effect" : "Allow",
"Action" : [
"ec2:DeleteSnapshot",
"ec2:ModifySnapshotAttribute"
],
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringLike" : {
"ec2:ResourceTag/GuardDutyScanId" : "*"
},
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
},
{
"Sid" : "PreventPublicAccessToSnapshotPermission",
"Effect" : "Deny",
"Action" : [
"ec2:ModifySnapshotAttribute"
],
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringEquals" : {
"ec2:Add/group" : "all"
}
}
},
{
"Sid" : "CreateGrantPermission",
"Effect" : "Allow",
"Action" : "kms:CreateGrant",
"Resource" : "arn:aws:kms:*:*:key/*",
"Condition" : {
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
},
"StringLike" : {
"kms:EncryptionContext:aws:ebs:id" : "snap-*"
},
"ForAllValues:StringEquals" : {
"kms:GrantOperations" : [
"Decrypt",
"CreateGrant",
"GenerateDataKeyWithoutPlaintext",
"ReEncryptFrom",
"ReEncryptTo",
"RetireGrant",
"DescribeKey"
]
},
"Bool" : {
"kms:GrantIsForAWSResource" : "true"
}
}
},
{
"Sid" : "ShareSnapshotKMSPermission",
"Effect" : "Allow",
"Action" : [
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource" : "arn:aws:kms:*:*:key/*",
"Condition" : {
"StringLike" : {
"kms:ViaService" : "ec2.*.amazonaws.com"
},
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
},
{
"Sid" : "DescribeKeyPermission",
"Effect" : "Allow",
"Action" : "kms:DescribeKey",
"Resource" : "arn:aws:kms:*:*:key/*"
},
{
"Sid" : "GuardDutyLogGroupPermission",
"Effect" : "Allow",
"Action" : [
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:PutRetentionPolicy"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/guardduty/*"
},
{
"Sid" : "GuardDutyLogStreamPermission",
"Effect" : "Allow",
"Action" : [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*"
},
{
"Sid" : "EBSDirectAPIPermissions",
"Effect" : "Allow",
"Action" : [
"ebs:GetSnapshotBlock",
"ebs:ListSnapshotBlocks"
],
"Resource" : "arn:aws:ec2:*:*:snapshot/*",
"Condition" : {
"StringLike" : {
"aws:ResourceTag/GuardDutyScanId" : "*"
},
"Null" : {
"aws:ResourceTag/GuardDutyExcluded" : "true"
}
}
}
]
}