

# Monitoring S3 object scans with GuardDuty managed tags
<a name="monitor-enable-s3-object-tagging-malware-protection"></a>

Use the enable tagging option so that GuardDuty adds a tag to each Amazon S3 object after it completes the malware scan of that object.

**Considerations for enabling tagging**
+ There is an associated usage cost when GuardDuty tags your S3 objects. For more information, see [Pricing and usage cost for Malware Protection for S3](pricing-malware-protection-for-s3-guardduty.md).
+ Keep the required tagging permissions on the IAM role that you associated with this bucket; otherwise, GuardDuty can't add tags to your scanned objects. The IAM role policy from the prerequisites already includes the permissions to add tags to scanned S3 objects. For more information, see [Create or update IAM role policy](malware-protection-s3-iam-policy-prerequisite.md).
+ By default, you can associate up to 10 tags with an S3 object, and GuardDuty needs one of those slots for its scan-status tag. For more information, see [Using tag-based access control (TBAC)](tag-based-access-s3-malware-protection.md).

After you enable tagging for an S3 bucket or for specific prefixes, every newly uploaded object that gets scanned receives a tag in the following key-value pair format:

`GuardDutyMalwareScanStatus`:`Scan-Result-Status`

For information about potential tag values, see [S3 object potential scan status and result status](monitoring-malware-protection-s3-scans-gdu.md#s3-object-scan-result-value-malware-protection).
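The following added example (not code from the GuardDuty documentation) shows how a consumer would read the `GuardDutyMalwareScanStatus` tag from an object and gate downstream use on it. It works on the dict shape that boto3's `get_object_tagging()` returns, so the sample responses are constructed inline and nothing is fetched from AWS; the status values `NO_THREATS_FOUND` and `THREATS_FOUND` are assumed here from the linked scan-status topic, and the fail-closed rule (release only objects explicitly tagged clean) is a design choice, not something the page mandates.

```python
"""Read and act on the GuardDuty Malware Protection for S3 scan tag.

Added example, not part of the GuardDuty documentation. Input is the dict
returned by boto3's s3.get_object_tagging(); only its 'TagSet' list of
{'Key': ..., 'Value': ...} entries is used, so the samples below run offline.
"""
from typing import Optional

SCAN_TAG_KEY = "GuardDutyMalwareScanStatus"
S3_OBJECT_TAG_LIMIT = 10          # default per-object tag limit stated on the page
# Assumed from the linked scan-status topic: the one result that should unlock
# downstream consumption of the object.
CLEAN_STATUS = "NO_THREATS_FOUND"


def scan_status(tagging_response: dict) -> Optional[str]:
    """Return the scan-status tag value, or None if GuardDuty has not tagged the object."""
    for tag in tagging_response.get("TagSet", []):
        if tag.get("Key") == SCAN_TAG_KEY:
            return tag.get("Value")
    return None


def can_receive_scan_tag(tagging_response: dict) -> bool:
    """True if GuardDuty can still add its tag without exceeding the 10-tag limit.

    An object that already carries the scan tag is fine (the value gets replaced);
    an object with 10 unrelated tags has no free slot, which is the
    MAX_TAG_LIMIT_EXCEEDED case from the troubleshooting topic.
    """
    if scan_status(tagging_response) is not None:
        return True
    return len(tagging_response.get("TagSet", [])) < S3_OBJECT_TAG_LIMIT


def is_safe_to_release(tagging_response: dict) -> bool:
    """Fail closed: release only objects explicitly tagged as clean.

    An untagged object (scan pending, or tagging failed) and every other
    status value are treated as not releasable.
    """
    return scan_status(tagging_response) == CLEAN_STATUS


# Constructed sample responses in get_object_tagging() shape.
CLEAN_OBJECT = {"TagSet": [{"Key": SCAN_TAG_KEY, "Value": "NO_THREATS_FOUND"}]}
INFECTED_OBJECT = {"TagSet": [{"Key": "owner", "Value": "ingest"},
                              {"Key": SCAN_TAG_KEY, "Value": "THREATS_FOUND"}]}
UNTAGGED_OBJECT = {"TagSet": [{"Key": "owner", "Value": "ingest"}]}
FULL_OBJECT = {"TagSet": [{"Key": f"k{i}", "Value": str(i)} for i in range(10)]}

if __name__ == "__main__":
    for name, resp in [("clean", CLEAN_OBJECT), ("infected", INFECTED_OBJECT),
                       ("untagged", UNTAGGED_OBJECT), ("full", FULL_OBJECT)]:
        print(f"{name}: status={scan_status(resp)} releasable={is_safe_to_release(resp)} "
              f"room_for_tag={can_receive_scan_tag(resp)}")
```

To use it against a real object, pass the result of `boto3.client("s3").get_object_tagging(Bucket=..., Key=...)` (bucket and key are yours; a caller that can read tags but not the object body is enough for this check). Treating "no tag yet" the same as "threats found" is what keeps a consumer from reading an object in the window between upload and scan completion.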

# Troubleshooting S3 object post-scan tag failures in Malware Protection for S3
<a name="troubleshoot-s3-post-scan-tag-failures"></a>

This section applies to you only if you [Enable tagging for scanned objects](enable-malware-protection-s3-bucket.md#tag-scanned-objects-s3-malware-protection) in your protected bucket.

When GuardDuty attempts to add a tag to a scanned S3 object, the tagging action can fail. The failure reasons reported for your bucket are `ACCESS_DENIED` and `MAX_TAG_LIMIT_EXCEEDED`. Use the following topics to understand what causes each post-scan tag failure reason and how to troubleshoot it.

**ACCESS\_DENIED**  
The following list provides potential reasons that may cause this issue:  
+ The IAM role used for this protected S3 bucket is missing the **AllowPostScanTag** permission. Verify that the policy attached to the associated IAM role still contains this statement. For more information, see [Create or update IAM role policy](malware-protection-s3-iam-policy-prerequisite.md).
+ The protected S3 bucket policy doesn't allow GuardDuty to add tags to this object.
+ The scanned S3 object no longer exists.

**MAX\_TAG\_LIMIT\_EXCEEDED**  
By default, you can associate up to 10 tags with an S3 object. If an object already carries 10 tags, GuardDuty can't add its scan-status tag. For more information, see Considerations for GuardDuty to add a tag to your S3 object under [Enable tagging for scanned objects](enable-malware-protection-s3-bucket.md#tag-scanned-objects-s3-malware-protection).
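The following added example (not GuardDuty's own tooling) turns the failure reasons above into a pre-flight check you can run against the policy documents you already hold. It takes the Malware Protection IAM role policy and the bucket policy as plain dicts, plus the object's current tag count, and reports which reason is likely. The `AllowPostScanTag` Sid and the `s3:PutObjectTagging` action are assumed from the linked IAM role policy topic; every policy, ARN and account ID below is constructed for illustration.

```python
"""Pre-flight checks for the post-scan tag failure reasons listed above.

Added example, not GuardDuty's own tooling. Policy evaluation is deliberately
partial: it checks Allow statements in the role policy and explicit Deny
statements in the bucket policy for the tagging action, ignores Condition
blocks, and matches principals as '*' or the exact role ARN. A hit means
'go and read that statement', not a proof of the failure.
"""
import fnmatch
from typing import List

TAG_LIMIT = 10                          # default S3 per-object tag limit from the page
TAGGING_ACTION = "s3:PutObjectTagging"  # assumed: the action GuardDuty needs to tag


def _as_list(value) -> list:
    """IAM lets Action, Resource and Principal be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """Case-insensitive IAM wildcard match ('s3:*', 'arn:aws:s3:::bucket/*')."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statements(policy: dict, effect: str) -> list:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def _covers(stmt: dict, object_arn: str) -> bool:
    """True if the statement names the tagging action on a resource pattern matching the object."""
    action_ok = any(_matches(a, TAGGING_ACTION) for a in _as_list(stmt.get("Action")))
    resource_ok = any(_matches(r, object_arn) for r in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def role_allows_post_scan_tag(role_policy: dict, object_arn: str) -> bool:
    """True if some Allow statement in the role policy grants tagging on the object."""
    return any(_covers(s, object_arn) for s in _statements(role_policy, "Allow"))


def bucket_denies_post_scan_tag(bucket_policy: dict, role_arn: str, object_arn: str) -> bool:
    """True if an explicit Deny in the bucket policy would block the role from tagging."""
    for stmt in _statements(bucket_policy, "Deny"):
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)
        if any(p in ("*", role_arn) for p in principals) and _covers(stmt, object_arn):
            return True
    return False


def diagnose(role_policy: dict, bucket_policy: dict, role_arn: str, object_arn: str,
             existing_tag_count: int, object_exists: bool = True) -> List[str]:
    """Return the likely failure reasons, prefixed with the page's two reason codes."""
    reasons = []
    if not object_exists:
        reasons.append("ACCESS_DENIED: scanned object no longer exists")
    if not role_allows_post_scan_tag(role_policy, object_arn):
        reasons.append("ACCESS_DENIED: role policy has no AllowPostScanTag grant covering this object")
    if bucket_denies_post_scan_tag(bucket_policy, role_arn, object_arn):
        reasons.append("ACCESS_DENIED: bucket policy explicitly denies tagging by the role")
    if existing_tag_count >= TAG_LIMIT:
        reasons.append(f"MAX_TAG_LIMIT_EXCEEDED: object already carries {existing_tag_count} tags")
    return reasons


# --- constructed sample inputs (hypothetical bucket, account and role names) ---
BUCKET = "amzn-s3-demo-bucket"
ROLE_ARN = "arn:aws:iam::111122223333:role/GuardDutyMalwareProtectionS3Role"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/uploads/report.pdf"
GOOD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPostScanTag", "Effect": "Allow",
    "Action": ["s3:PutObjectTagging", "s3:GetObjectTagging"],
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
BAD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": []}  # tagging statement removed
EMPTY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": []}
DENY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{  # blanket Deny catches the role
    "Effect": "Deny", "Principal": "*", "Action": "s3:PutObjectTagging",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

if __name__ == "__main__":
    print(diagnose(GOOD_ROLE_POLICY, EMPTY_BUCKET_POLICY, ROLE_ARN, OBJECT_ARN, 3))   # []
    print(diagnose(BAD_ROLE_POLICY, DENY_BUCKET_POLICY, ROLE_ARN, OBJECT_ARN, 10))
```

Feed it the documents you get back from `iam:GetRolePolicy` (or the managed policy's default version) and `s3:GetBucketPolicy`, and the tag count from `get_object_tagging()`. For a definitive answer on the `ACCESS_DENIED` causes, simulate `s3:PutObjectTagging` for the role with the IAM policy simulator instead of this approximation; the tag-limit check, by contrast, is exact.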