

# Troubleshooting Malware Protection plan status
<a name="troubleshoot-s3-malware-protection-status-errors"></a>

For any protected bucket, GuardDuty displays the **Status** based on the ranking of the issues it finds: an **Error** outranks a **Warning**. For example, if a protected bucket has issues under both the **Error** and **Warning** categories, GuardDuty first displays the issue that is associated with the **Error** status.

The following list includes the errors and the warning for the Malware Protection plan status.

**Errors**  
+ [EventBridge notification is disabled for this S3 bucket](#eventbridge-notification-disabled-malware-protection-s3-error)
+ [EventBridge managed rule to receive S3 bucket events is missing](#eventbridge-managed-rule-missing-malware-protection-s3-error)
+ [S3 bucket no longer exists](#bucket-no-longer-exists-malware-protection-s3-error)

**Warning**  
+ [Unable to put test object](#unable-put-test-object-malware-protection-s3-warning)

## EventBridge notification is disabled for this S3 bucket
<a name="eventbridge-notification-disabled-malware-protection-s3-error"></a>

The associated status reason code is `EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED`.

**Status detail**  
GuardDuty uses EventBridge to receive a notification when a new object is uploaded to this S3 bucket. The permission that lets GuardDuty enable EventBridge notifications on the bucket is missing from your IAM role.

**Steps to troubleshoot**  
**Option 1: Add the following permission statement to your IAM role:**  

```
{
    "Sid": "AllowEnableS3EventBridgeEvents",
    "Effect": "Allow",
    "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification"
    ],
    "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket"
    ]
}
```
Replace *amzn-s3-demo-bucket* with your Amazon S3 bucket name.  

**Option 2: Enable EventBridge notification by using the Amazon S3 console**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. On the **Buckets** page, under **General purpose buckets** tab, select the bucket name associated with this error.

1. On this bucket page, choose the **Properties** tab.

1. Under the **Amazon EventBridge** section, select **Edit**.

1. On the **Edit Amazon EventBridge** page, for **Send notification to Amazon EventBridge for all events in this bucket**, select **On**.

1. Choose **Save changes**.

It may take a few minutes for the **Status** column value to change to **Active**.

## EventBridge managed rule to receive S3 bucket events is missing
<a name="eventbridge-managed-rule-missing-malware-protection-s3-error"></a>

The associated status reason code is `EVENTBRIDGE_MANAGED_RULE_DISABLED`.

**Status detail**  
Your IAM role is missing the permissions that let GuardDuty create and manage the EventBridge managed rule that delivers S3 bucket events to Malware Protection for S3.

**Steps to troubleshoot**  
Add the following permission statement to your IAM role:  

```
{
    "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
    "Effect": "Allow",
    "Action": [
        "events:PutRule",
        "events:DeleteRule",
        "events:PutTargets",
        "events:RemoveTargets"
    ],
    "Resource": [
        "arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
    ],
    "Condition": {
        "StringEquals": {
            "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
        }
    }
}
```
It may take a few minutes for the **Status** column value to change to **Active**.

## S3 bucket no longer exists
<a name="bucket-no-longer-exists-malware-protection-s3-error"></a>

The associated status reason code is `PROTECTED_RESOURCE_DELETED`.

**Status detail**  
This S3 bucket was deleted from your account and it no longer exists.

**Step to troubleshoot**  
If deleting the S3 bucket was not intentional, then you can create a new bucket by using the Amazon S3 console.  
After creating the bucket successfully, enable Malware Protection for S3 by following the steps under the [Configuring Malware Protection for S3 for your bucket](configuring-malware-protection-for-s3-guardduty.md) page.

## Unable to put test object
<a name="unable-put-test-object-malware-protection-s3-warning"></a>

The associated status reason code is `INSUFFICIENT_TEST_OBJECT_PERMISSIONS`.

**Note**  
The permission to add a test object is optional. If this permission is missing from your IAM role, Malware Protection for S3 can still initiate a malware scan on a newly uploaded object. After a scan initiates successfully, it may take a few minutes for the Malware Protection plan **Status** to change from **Warning** to **Active**.  
If the IAM role already includes this permission, then this warning indicates a restrictive Amazon S3 bucket policy that doesn't allow the IAM role to put the test object in this S3 bucket.

**Status detail**  
To validate the setup of the selected bucket, GuardDuty puts a test object in your bucket.

**Steps to troubleshoot**  
You can choose to update the IAM role to include the missing permission. Add the following permission statement to the selected IAM role so that GuardDuty can put the test object in the selected bucket:  

```
{
    "Sid": "AllowPutValidationObject",
    "Effect": "Allow",
    "Action": [
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/malware-protection-resource-validation-object"
    ]
}
```
Replace *amzn-s3-demo-bucket* with your Amazon S3 bucket name. For information about IAM role permissions, see [Create or update IAM role policy](malware-protection-s3-iam-policy-prerequisite.md).  
It may take a few minutes for the **Status** column value to change to **Active**.
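As an added offline check (example code written for this page, not GuardDuty's own logic or an AWS tool): it reads an IAM role policy document, tests it against the three permission statements above, and reports a single status and reason code using the Error-before-Warning ranking described at the top of this page. The bucket name, the managed-rule ARN and the sample policy are constructed, and IAM `Condition` blocks are not evaluated.

```python
import fnmatch

BUCKET = "amzn-s3-demo-bucket"  # placeholder from the page; replace with your bucket name
# Constructed sample ARN for the managed rule: region, account ID and suffix are made up.
RULE_ARN = ("arn:aws:events:us-east-1:123456789012:rule/"
            "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3-example")

# (status, reason code, actions the role needs, ARN those actions must be allowed on)
CHECKS = [
    ("Error", "EVENTBRIDGE_MANAGED_EVENTS_DELIVERY_DISABLED",
     {"s3:PutBucketNotification", "s3:GetBucketNotification"}, f"arn:aws:s3:::{BUCKET}"),
    ("Error", "EVENTBRIDGE_MANAGED_RULE_DISABLED",
     {"events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets"},
     RULE_ARN),
    ("Warning", "INSUFFICIENT_TEST_OBJECT_PERMISSIONS",
     {"s3:PutObject"}, f"arn:aws:s3:::{BUCKET}/malware-protection-resource-validation-object"),
]

def _as_list(value):
    # IAM lets Statement/Action/Resource be a single string or a list; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])

def allowed_actions(policy, arn):
    """Actions granted by Allow statements whose Resource pattern covers `arn`.
    IAM wildcards (* and ?) are approximated with fnmatch; Condition blocks are not evaluated."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(arn, pattern) for pattern in _as_list(stmt.get("Resource"))):
            granted.update(_as_list(stmt.get("Action")))
    return granted

def diagnose(policy, bucket_exists=True):
    """Return (status, reason_code), ranking Error above Warning as the page describes."""
    if not bucket_exists:
        return ("Error", "PROTECTED_RESOURCE_DELETED")
    findings = [(status, code) for status, code, actions, arn in CHECKS
                if actions - allowed_actions(policy, arn)]
    for wanted in ("Error", "Warning"):
        for status, code in findings:
            if status == wanted:
                return (status, code)
    return ("Active", None)

# Constructed role policy that carries only the EventBridge-rule statement from this page.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty", "Effect": "Allow",
    "Action": ["events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets"],
    "Resource": "arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"}]}
```

Calling `diagnose(SAMPLE_POLICY)` reports the S3 notification error first even though the test-object permission is also missing, which mirrors the ranking GuardDuty applies in the **Status** column.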