# Steps after enabling Malware Protection for S3 This section lists the steps that you may take after enabling Malware Protection for S3 for a bucket. The following steps are listed in an order that will help you navigate through the next steps: **To follow after you enable Malware Protection for S3 for your bucket** 1. **Add tag-based access control (TBAC) resource policy** – When you enable tagging, then before an object gets uploaded to your selected bucket, ensure to add the TBAC policy to your S3 bucket resource. For more information, see [Adding TBAC on S3 bucket resource](tag-based-access-s3-malware-protection.md#apply-tbac-s3-malware-protection). 1. **Monitor Malware Protection plan status** – Monitor the **Status** column for each protected bucket. For information about potential statuses and what they mean, see [Viewing and understanding protected bucket status](malware-protection-s3-bucket-status-gdu.md). 1. **Start a scan** by choosing one of the following options: + **Upload an object**: 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. Upload a file to the S3 bucket or the object prefix for which you enabled this feature. For steps to upload a file, see [Upload an object to your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/uploading-an-object-bucket.html) in the *Amazon S3 User Guide*. + **Initiate an on-demand scan**: [On-demand S3 malware scan in GuardDuty](malware-protection-s3-on-demand.md) 1. **Monitor S3 object scan status and scan result** – This step includes information about how to check the malware scan status of the S3 object. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-steps-after-enabling.html)