# AmazonGuardDutyServiceRolePolicy
**Description**: Enable access to AWS Resources used or managed by Amazon Guard Duty
`AmazonGuardDutyServiceRolePolicy` is an [AWS managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).
## Using this policy
This policy is attached to a service-linked role that allows the service to perform actions on your behalf. You cannot attach this policy to your users, groups, or roles.
## Policy details
+ **Type**: Service-linked role policy
+ **Creation time**: November 28, 2017, 20:12 UTC
+ **Edited time:** March 25, 2026, 20:57 UTC
+ **ARN**: `arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyServiceRolePolicy`
## Policy version
**Policy version:** v11 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
## JSON policy document
```
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "GuardDutyGetDescribeListPolicy",
"Effect" : "Allow",
"Action" : [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeSubnets",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeTransitGatewayAttachments",
"organizations:ListAccounts",
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"s3:GetBucketPublicAccessBlock",
"s3:GetEncryptionConfiguration",
"s3:GetBucketTagging",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"lambda:GetFunctionConfiguration",
"lambda:ListTags",
"eks:ListClusters",
"eks:DescribeCluster",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ecs:ListClusters",
"ecs:DescribeClusters"
],
"Resource" : "*"
},
{
"Sid" : "GuardDutyCreateSLRPolicy",
"Effect" : "Allow",
"Action" : "iam:CreateServiceLinkedRole",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"iam:AWSServiceName" : "malware-protection.guardduty.amazonaws.com"
}
}
},
{
"Sid" : "GuardDutyCreateVpcEndpointPolicy",
"Effect" : "Allow",
"Action" : "ec2:CreateVpcEndpoint",
"Resource" : "arn:aws:ec2:*:*:vpc-endpoint/*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:TagKeys" : "GuardDutyManaged"
},
"StringLike" : {
"ec2:VpceServiceName" : [
"com.amazonaws.*.guardduty-data",
"com.amazonaws.*.guardduty-data-fips"
]
}
}
},
{
"Sid" : "GuardDutyModifyDeleteVpcEndpointPolicy",
"Effect" : "Allow",
"Action" : [
"ec2:ModifyVpcEndpoint",
"ec2:DeleteVpcEndpoints"
],
"Resource" : "arn:aws:ec2:*:*:vpc-endpoint/*",
"Condition" : {
"Null" : {
"aws:ResourceTag/GuardDutyManaged" : false
}
}
},
{
"Sid" : "GuardDutyCreateModifyVpcEndpointNetworkPolicy",
"Effect" : "Allow",
"Action" : [
"ec2:CreateVpcEndpoint",
"ec2:ModifyVpcEndpoint"
],
"Resource" : [
"arn:aws:ec2:*:*:vpc/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
]
},
{
"Sid" : "GuardDutyCreateTagsDuringVpcEndpointCreationPolicy",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : "arn:aws:ec2:*:*:vpc-endpoint/*",
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : "CreateVpcEndpoint"
},
"ForAnyValue:StringEquals" : {
"aws:TagKeys" : "GuardDutyManaged"
}
}
},
{
"Sid" : "GuardDutySecurityGroupManagementPolicy",
"Effect" : "Allow",
"Action" : [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup"
],
"Resource" : "arn:aws:ec2:*:*:security-group/*",
"Condition" : {
"Null" : {
"aws:ResourceTag/GuardDutyManaged" : false
}
}
},
{
"Sid" : "GuardDutyCreateSecurityGroupPolicy",
"Effect" : "Allow",
"Action" : "ec2:CreateSecurityGroup",
"Resource" : "arn:aws:ec2:*:*:security-group/*",
"Condition" : {
"StringLike" : {
"aws:RequestTag/GuardDutyManaged" : "*"
}
}
},
{
"Sid" : "GuardDutyCreateSecurityGroupForVpcPolicy",
"Effect" : "Allow",
"Action" : "ec2:CreateSecurityGroup",
"Resource" : "arn:aws:ec2:*:*:vpc/*"
},
{
"Sid" : "GuardDutyCreateTagsDuringSecurityGroupCreationPolicy",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : "arn:aws:ec2:*:*:security-group/*",
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : "CreateSecurityGroup"
},
"ForAnyValue:StringEquals" : {
"aws:TagKeys" : "GuardDutyManaged"
}
}
},
{
"Sid" : "GuardDutyCreateEksAddonPolicy",
"Effect" : "Allow",
"Action" : "eks:CreateAddon",
"Resource" : "arn:aws:eks:*:*:cluster/*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:TagKeys" : "GuardDutyManaged"
}
}
},
{
"Sid" : "GuardDutyEksAddonManagementPolicy",
"Effect" : "Allow",
"Action" : [
"eks:DeleteAddon",
"eks:UpdateAddon",
"eks:DescribeAddon"
],
"Resource" : "arn:aws:eks:*:*:addon/*/aws-guardduty-agent/*"
},
{
"Sid" : "GuardDutyEksClusterTagResourcePolicy",
"Effect" : "Allow",
"Action" : "eks:TagResource",
"Resource" : "arn:aws:eks:*:*:cluster/*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:TagKeys" : "GuardDutyManaged"
}
}
},
{
"Sid" : "GuardDutyEcsPutAccountSettingsDefaultPolicy",
"Effect" : "Allow",
"Action" : "ecs:PutAccountSettingDefault",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ecs:account-setting" : [
"guardDutyActivate"
]
}
}
},
{
"Sid" : "SsmCreateDescribeUpdateDeleteStartAssociationPermission",
"Effect" : "Allow",
"Action" : [
"ssm:DescribeAssociation",
"ssm:DeleteAssociation",
"ssm:UpdateAssociation",
"ssm:CreateAssociation",
"ssm:StartAssociationsOnce"
],
"Resource" : "arn:aws:ssm:*:*:association/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/GuardDutyManaged" : "true"
}
}
},
{
"Sid" : "SsmAddTagsToResourcePermission",
"Effect" : "Allow",
"Action" : [
"ssm:AddTagsToResource"
],
"Resource" : "arn:aws:ssm:*:*:association/*",
"Condition" : {
"ForAllValues:StringEquals" : {
"aws:TagKeys" : [
"GuardDutyManaged"
]
},
"StringEquals" : {
"aws:ResourceTag/GuardDutyManaged" : "true"
}
}
},
{
"Sid" : "SsmCreateUpdateAssociationInstanceDocumentPermission",
"Effect" : "Allow",
"Action" : [
"ssm:CreateAssociation",
"ssm:UpdateAssociation"
],
"Resource" : "arn:aws:ssm:*:*:document/AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin"
},
{
"Sid" : "SsmSendCommandPermission",
"Effect" : "Allow",
"Action" : "ssm:SendCommand",
"Resource" : [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ssm:*:*:document/AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin"
]
},
{
"Sid" : "SsmGetCommandStatus",
"Effect" : "Allow",
"Action" : "ssm:GetCommandInvocation",
"Resource" : "*"
},
{
"Sid" : "CloudTrailCreateServiceLinkedChannelSid",
"Effect" : "Allow",
"Action" : [
"cloudtrail:CreateServiceLinkedChannel"
],
"Resource" : "arn:aws:cloudtrail:*:*:channel/aws-service-channel/guardduty/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
}
]
}
```
## Learn more
+ [Understand versioning for IAM policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [Get started with AWS managed policies and move toward least-privilege permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)