Service-linked role permissions for GuardDuty - Amazon GuardDuty

This is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version prevails.

Service-linked role permissions for GuardDuty

GuardDuty uses a service-linked role (SLR) named AWSServiceRoleForAmazonGuardDuty. The SLR allows GuardDuty to perform the tasks listed below. It also allows GuardDuty to include retrieved metadata about EC2 instances in the findings it generates about potential threats. The AWSServiceRoleForAmazonGuardDuty service-linked role trusts the guardduty.amazonaws.com service to assume the role.

The permissions policy allows GuardDuty to perform the following tasks:

  • Use Amazon EC2 actions to manage and retrieve information about EC2 instances, images, and networking components such as VPCs, subnets, transit gateways, and security groups.

  • Use AWS Systems Manager actions to manage SSM associations on Amazon EC2 instances when GuardDuty Runtime Monitoring with the automated agent for Amazon EC2 is enabled. When the GuardDuty automated agent configuration is disabled, GuardDuty considers only EC2 instances that carry the inclusion tag (GuardDutyManaged:true).

  • Use AWS Organizations actions to describe the associated accounts and the organization ID.

  • Use Amazon S3 actions to retrieve information about S3 buckets and objects.

  • Use AWS Lambda actions to retrieve information about Lambda functions and tags.

  • Use Amazon EKS actions to manage and retrieve information about EKS clusters, and to manage Amazon EKS add-ons on those clusters. The EKS actions also retrieve information about tags associated with GuardDuty.

  • Use IAM to create the service-linked role permissions for Malware Protection after Malware Protection is enabled.

  • Use Amazon ECS actions to manage and retrieve information about Amazon ECS clusters, and to manage the Amazon ECS account setting using guarddutyActivate. The actions related to Amazon ECS also retrieve information about tags associated with GuardDuty.

The role is configured with the following AWS managed policy, named AmazonGuardDutyServiceRolePolicy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GuardDutyGetDescribeListPolicy",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeTransitGatewayAttachments",
        "organizations:ListAccounts",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketTagging",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "lambda:GetFunctionConfiguration",
        "lambda:ListTags",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "ec2:DescribeVpcEndpointServices",
        "ec2:DescribeSecurityGroups",
        "ecs:ListClusters",
        "ecs:DescribeClusters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GuardDutyCreateSLRPolicy",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" }
      }
    },
    {
      "Sid": "GuardDutyCreateVpcEndpointPolicy",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyManaged" },
        "StringLike": {
          "ec2:VpceServiceName": [ "com.amazonaws.*.guardduty-data", "com.amazonaws.*.guardduty-data-fips" ]
        }
      }
    },
    {
      "Sid": "GuardDutyModifyDeleteVpcEndpointPolicy",
      "Effect": "Allow",
      "Action": [ "ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints" ],
      "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*",
      "Condition": {
        "Null": { "aws:ResourceTag/GuardDutyManaged": false }
      }
    },
    {
      "Sid": "GuardDutyCreateModifyVpcEndpointNetworkPolicy",
      "Effect": "Allow",
      "Action": [ "ec2:CreateVpcEndpoint", "ec2:ModifyVpcEndpoint" ],
      "Resource": [
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*"
      ]
    },
    {
      "Sid": "GuardDutyCreateTagsDuringVpcEndpointCreationPolicy",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "CreateVpcEndpoint" },
        "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyManaged" }
      }
    },
    {
      "Sid": "GuardDutySecurityGroupManagementPolicy",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "Null": { "aws:ResourceTag/GuardDutyManaged": false }
      }
    },
    {
      "Sid": "GuardDutyCreateSecurityGroupPolicy",
      "Effect": "Allow",
      "Action": "ec2:CreateSecurityGroup",
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringLike": { "aws:RequestTag/GuardDutyManaged": "*" }
      }
    },
    {
      "Sid": "GuardDutyCreateSecurityGroupForVpcPolicy",
      "Effect": "Allow",
      "Action": "ec2:CreateSecurityGroup",
      "Resource": "arn:aws:ec2:*:*:vpc/*"
    },
    {
      "Sid": "GuardDutyCreateTagsDuringSecurityGroupCreationPolicy",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "CreateSecurityGroup" },
        "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyManaged" }
      }
    },
    {
      "Sid": "GuardDutyCreateEksAddonPolicy",
      "Effect": "Allow",
      "Action": "eks:CreateAddon",
      "Resource": "arn:aws:eks:*:*:cluster/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyManaged" }
      }
    },
    {
      "Sid": "GuardDutyEksAddonManagementPolicy",
      "Effect": "Allow",
      "Action": [ "eks:DeleteAddon", "eks:UpdateAddon", "eks:DescribeAddon" ],
      "Resource": "arn:aws:eks:*:*:addon/*/aws-guardduty-agent/*"
    },
    {
      "Sid": "GuardDutyEksClusterTagResourcePolicy",
      "Effect": "Allow",
      "Action": "eks:TagResource",
      "Resource": "arn:aws:eks:*:*:cluster/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": "GuardDutyManaged" }
      }
    },
    {
      "Sid": "GuardDutyEcsPutAccountSettingsDefaultPolicy",
      "Effect": "Allow",
      "Action": "ecs:PutAccountSettingDefault",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "ecs:account-setting": [ "guardDutyActivate" ] }
      }
    },
    {
      "Sid": "SsmCreateDescribeUpdateDeleteStartAssociationPermission",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAssociation",
        "ssm:DeleteAssociation",
        "ssm:UpdateAssociation",
        "ssm:CreateAssociation",
        "ssm:StartAssociationsOnce"
      ],
      "Resource": "arn:aws:ssm:*:*:association/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/GuardDutyManaged": "true" }
      }
    },
    {
      "Sid": "SsmAddTagsToResourcePermission",
      "Effect": "Allow",
      "Action": [ "ssm:AddTagsToResource" ],
      "Resource": "arn:aws:ssm:*:*:association/*",
      "Condition": {
        "ForAllValues:StringEquals": { "aws:TagKeys": [ "GuardDutyManaged" ] },
        "StringEquals": { "aws:ResourceTag/GuardDutyManaged": "true" }
      }
    },
    {
      "Sid": "SsmCreateUpdateAssociationInstanceDocumentPermission",
      "Effect": "Allow",
      "Action": [ "ssm:CreateAssociation", "ssm:UpdateAssociation" ],
      "Resource": "arn:aws:ssm:*:*:document/AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin"
    },
    {
      "Sid": "SsmSendCommandPermission",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:document/AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin"
      ]
    },
    {
      "Sid": "SsmGetCommandStatus",
      "Effect": "Allow",
      "Action": "ssm:GetCommandInvocation",
      "Resource": "*"
    }
  ]
}
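The managed policy above bounds each mutating grant either with a GuardDutyManaged tag condition or with a narrow resource ARN, which is what limits the blast radius if the role's permissions were ever abused. The Python below is an added example, not AWS documentation code: it classifies each statement of a constructed subset of that policy by exactly that criterion (as_list, tag_fenced, label and classify are this example's own names).

```python
"""Classify IAM policy statements by blast radius. Added example, not AWS code;
POLICY is a constructed subset of the AmazonGuardDutyServiceRolePolicy on this page."""
import json
import re

READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)", re.I)

POLICY = json.loads("""{
 "Statement": [
  {"Sid": "GuardDutyGetDescribeListPolicy", "Effect": "Allow",
   "Action": ["ec2:DescribeInstances", "s3:GetBucketPolicy", "eks:ListClusters"],
   "Resource": "*"},
  {"Sid": "GuardDutyModifyDeleteVpcEndpointPolicy", "Effect": "Allow",
   "Action": ["ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints"],
   "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*",
   "Condition": {"Null": {"aws:ResourceTag/GuardDutyManaged": false}}},
  {"Sid": "GuardDutyCreateSecurityGroupForVpcPolicy", "Effect": "Allow",
   "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:*:vpc/*"},
  {"Sid": "SsmSendCommandPermission", "Effect": "Allow", "Action": "ssm:SendCommand",
   "Resource": ["arn:aws:ec2:*:*:instance/*",
    "arn:aws:ssm:*:*:document/AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin"]}
 ]
}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def tag_fenced(stmt):
    """True if a condition pins the grant to the GuardDutyManaged tag, whether
    through aws:ResourceTag/..., aws:RequestTag/... or an aws:TagKeys list."""
    for operator_block in stmt.get("Condition", {}).values():
        for key, value in operator_block.items():
            if "GuardDutyManaged" in key or (
                    key == "aws:TagKeys" and "GuardDutyManaged" in as_list(value)):
                return True
    return False

def label(stmt):
    """Blast-radius label for one Allow statement."""
    if all(READ_ONLY.match(a) for a in as_list(stmt["Action"])):
        return "read-only"
    if tag_fenced(stmt):
        return "mutating/tag-fenced"
    if "*" not in as_list(stmt["Resource"]):
        return "mutating/resource-scoped"  # fenced only by the ARN pattern
    return "mutating/unfenced"

def classify(policy):
    """Map every Allow statement's Sid to its label."""
    return {s["Sid"]: label(s) for s in policy["Statement"] if s.get("Effect") == "Allow"}
```

Run against the full policy on this page, the only Resource "*" statements that are not read-only are iam:CreateServiceLinkedRole (conditioned on iam:AWSServiceName) and ecs:PutAccountSettingDefault (conditioned on ecs:account-setting), which the classifier labels "mutating/unfenced" because neither condition mentions the tag. Treat that label as a prompt to read the condition block, not as a verdict; note also that arn:aws:ec2:*:*:instance/* covers every instance, so ssm:SendCommand is really bounded by the GuardDuty SSM document ARN.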

The following is the trust policy attached to the AWSServiceRoleForAmazonGuardDuty service-linked role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "guardduty.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Creating a service-linked role for GuardDuty

The AWSServiceRoleForAmazonGuardDuty service-linked role is created automatically when you enable GuardDuty for the first time, or when you enable GuardDuty in a supported Region where it was not previously enabled. You can also create the service-linked role manually using the IAM console, the AWS CLI, or the IAM API.

Important

The service-linked role created for the GuardDuty delegated administrator account does not apply to GuardDuty member accounts.

You must configure permissions to allow an IAM principal (such as a user, group, or role) to create, edit, or delete a service-linked role. For the AWSServiceRoleForAmazonGuardDuty service-linked role to be created successfully, the IAM principal you use with GuardDuty must have the required permissions. To grant those permissions, attach the following policy to the user, group, or role:

Note

Replace the sample account ID in the following example with your actual AWS account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "guardduty:*" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:CreateServiceLinkedRole" ],
      "Resource": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
      "Condition": {
        "StringLike": { "iam:AWSServiceName": "guardduty.amazonaws.com" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ],
      "Resource": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
    }
  ]
}

For more information about creating the role manually, see Creating a service-linked role in the IAM User Guide.

Editing a service-linked role for GuardDuty

GuardDuty does not allow you to edit the AWSServiceRoleForAmazonGuardDuty service-linked role. Because various entities might reference a service-linked role, you cannot change the name of the role after it has been created. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for GuardDuty

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you do not have an unused entity that is not actively monitored or maintained.

Important

If you have enabled Malware Protection, deleting AWSServiceRoleForAmazonGuardDuty does not automatically delete AWSServiceRoleForAmazonGuardDutyMalwareProtection. To delete AWSServiceRoleForAmazonGuardDutyMalwareProtection, see Deleting a service-linked role for Malware Protection.

You must first disable GuardDuty in every Region where it is enabled before you can delete AWSServiceRoleForAmazonGuardDuty. If the service is not disabled when you attempt to delete the GuardDuty service-linked role, the deletion fails. For more information, see Suspending or disabling GuardDuty.

When you disable GuardDuty, AWSServiceRoleForAmazonGuardDuty is not deleted automatically. If you enable GuardDuty again, it starts using the existing AWSServiceRoleForAmazonGuardDuty.

Manually deleting the service-linked role using IAM

Use the IAM console, the AWS CLI, or the IAM API to delete the AWSServiceRoleForAmazonGuardDuty service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported AWS Regions

Amazon GuardDuty supports using the AWSServiceRoleForAmazonGuardDuty service-linked role in all AWS Regions where GuardDuty is available. For a list of Regions where Amazon GuardDuty is currently available, see the Amazon Web Services General Reference.