Permissions Required for AWS Accounts
AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering its own set of functionalities:
- Cloud Network Security (CNS)
- Cloud App Analyzer (CAA)
This section outlines the required and optional permissions for AWS accounts necessary to fully leverage the capabilities of ACE. The table below details the permissions requested by each specified role, along with justifications for their necessity.
You can find all these permissions in the CloudFormation template.
The permissions listed below are classified according to the following key, shown in the Type column of each table:
- READ permissions
- WRITE permissions
Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.
AWS Permissions and justifications
The following required permissions are part of the AWS IAM role:
Type | Permission | Component | Justification
---|---|---|---
READ | directconnect:DescribeDirectConnect* | CNS | For network topology map and TSQ: Permission for ASMS to list all your Direct Connect gateways or only the specified Direct Connect gateway.
READ | ec2:DescribeFlowLogs | CNS | For Network policy: Permission to flag unused rules.
READ | ec2:DescribeInstances | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VM instance information.
READ | ec2:DescribeInternetGateways | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve internet gateway information.
READ | ec2:DescribeNetworkAcls | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve network ACL information.
READ | ec2:DescribeNetworkInterfaces | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve network interface information.
READ | ec2:DescribeRegions | CNS | For Network policy and Risks: Permission to flag unused rules and retrieve the availability zone.
READ | ec2:DescribeRouteTables | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve route table information.
READ | ec2:DescribeSecurityGroups | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Security Group information.
READ | ec2:DescribeSubnets | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve subnet information.
READ | ec2:DescribeTransitGatewayAttachments | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway attachment information.
READ | ec2:DescribeTransitGatewayRouteTables | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve route table information.
READ | ec2:DescribeTransitGateways | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPC peering connection information.
READ | ec2:DescribeVpcPeeringConnections | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPC peering connection information.
READ | ec2:DescribeVpcs | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPC information.
READ | ec2:DescribeVpnConnections | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPN connection information.
READ | ec2:DescribeVpnGateways | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPN gateway route information.
READ | ec2:SearchTransitGatewayRoutes | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway route information.
READ | elasticloadbalancing:DescribeLoadBalancers | CNS | For ACE: Permission to show load balancers in the tree.
READ | logs:GetLogEvents | CNS | Permission to list log events from CloudWatch. The traffic log is required to determine unused rules. If only S3 is used, this permission is not required.
READ | s3:GetBucketLocation | CNS | For Overview of assets and security controls: Permission to retrieve storage bucket information.
READ | s3:GetObject* | CNS | For Overview of assets and security controls: Permission to retrieve storage bucket information. If only CloudWatch is used, this permission is not required.
READ | s3:List* | CNS | For Overview of assets and security controls: Permission to retrieve storage bucket information. Also for Cloud Security misconfiguration information.
READ | SecurityAudit policy (AWS managed) | CAA | For Cloud Security misconfiguration information.
READ | ses:DescribeActiveReceiptRuleSet | CAA | For AWS Simple Email Service: Permission to read metadata and receipt rules for the receipt rule set that is currently active.
READ | logs:DescribeLogGroups | CAA | For AWS CloudWatch Logs: Permission to make sure a CloudWatch log group is attached.
READ | logs:DescribeMetricFilters | CAA | For AWS CloudWatch Logs: Permission to detect any missing CloudWatch metric filters.
READ | dlm:GetLifecyclePolicies | CAA | For AWS Data Lifecycle Manager: Permission to parse summary information about the snapshots of individual volumes or multi-volume snapshots for EC2 instances.
READ | kms:GetKeyRotationStatus | CAA | For AWS Key Management Service: Permission to make sure key rotation is enabled for customer-managed keys.
READ | ecr-public:GetAuthorizationToken | CAA | For AWS Elastic Container Registry: Permission to authorize with ECR so that Cloud App Analyzer can pull public container images for scanning.
READ | ecr:GetAuthorizationToken | CAA | For AWS Elastic Container Registry: Permission to authorize with ECR so that Cloud App Analyzer can pull private container images for scanning.
READ | ecr:BatchGetImage | CAA | For AWS Elastic Container Registry: Permission to get detailed information about container images.
READ | ecr:GetDownloadUrlForLayer | CAA | For AWS Elastic Container Registry: Permission to obtain download URLs for container image layers.
READ | sts:GetServiceBearerToken | CAA | For AWS Elastic Container Registry: Additional permission required, alongside the ECR authorization token permissions, to authorize with ECR.
READ | s3:GetObject (resource arn:aws:s3:::elasticbeanstalk*) | CAA | For AWS Elastic Beanstalk: Permission to make sure Elastic Beanstalk is configured to apply managed platform updates; this specific permission is required if Elastic Beanstalk logs are stored in Amazon S3.
READ | inspector2:ListFindings | CAA | For AWS Inspector 2: Permission to retrieve a subset of information about one or more findings for ECR container images, reported by the AWS built-in vulnerability scanner.
READ | inspector2:ListCoverage | CAA | For AWS Inspector 2: Permission to retrieve the types of statistics Amazon Inspector can generate for the monitored resources.
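As an added check that is not part of the AlgoSec documentation or its CloudFormation template: given a role's IAM policy document, the Python below reports which required actions the policy does not grant, handling the wildcard actions the template uses (directconnect:DescribeDirectConnect*, s3:GetObject*, s3:List*). REQUIRED_ACTIONS is a constructed subset of the table above and SAMPLE_POLICY is a constructed policy; the matching is an approximation (explicit Deny, NotAction and resource or condition restrictions are not evaluated).

```python
import fnmatch
import json

# Constructed subset of the required READ rows above; add the rest for a real check.
REQUIRED_ACTIONS = (
    "directconnect:DescribeDirectConnect*", "ec2:DescribeFlowLogs",
    "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
    "ec2:SearchTransitGatewayRoutes", "elasticloadbalancing:DescribeLoadBalancers",
    "logs:GetLogEvents", "s3:GetBucketLocation", "s3:GetObject*", "s3:List*",
    "inspector2:ListFindings",
)

def granted_actions(policy):
    """Action patterns of every Allow statement. Deny and NotAction are not
    evaluated, so a grant found here is necessary but not sufficient."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            out.extend([actions] if isinstance(actions, str) else actions)
    return out

def covers(grant, required):
    """Does the granted pattern allow every action the required pattern names?
    IAM matches actions case-insensitively with '*' and '?'; a required wildcard
    (s3:GetObject*) is covered only by a trailing-'*' grant whose literal prefix
    is a prefix of the required one (s3:Get*, s3:*, *), never by one literal action."""
    g, r = grant.lower(), required.lower()
    if "*" not in r and "?" not in r:
        return fnmatch.fnmatchcase(r, g)
    return g.endswith("*") and g.count("*") == 1 and "?" not in g and r.startswith(g[:-1])

def missing_actions(policy, required=REQUIRED_ACTIONS):
    grants = granted_actions(policy)
    return [r for r in required if not any(covers(g, r) for g in grants)]

# Constructed sample: broad EC2 read, one Direct Connect action spelled out literally
# instead of the template's wildcard, and no S3 object/list or Inspector rights.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:SearchTransitGatewayRoutes"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": "directconnect:DescribeDirectConnectGateways"},
    {"Effect": "Allow", "Resource": "*", "Action": ["logs:GetLogEvents",
     "elasticloadbalancing:DescribeLoadBalancers", "s3:GetBucketLocation"]}
  ]
}""")
```

Running missing_actions(SAMPLE_POLICY) lists the Direct Connect wildcard (a single literal action does not satisfy it), both S3 wildcards and the Inspector action, which is exactly the kind of gap the Important note above warns about.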
Additional optional permissions
While the core functionality of ACE works with the required permissions above, certain advanced features and integrations need additional, optional permissions. These permissions are not needed for the fundamental operation of the platform but are required for the enhanced capabilities described below. The tables that follow list these optional permissions along with their justifications.
For Changes to AWS Policies
(optional) You will need the following WRITE permissions if you want to enable:
- Changes to AWS policies in Cloud Network Security.
- ActiveChange for AWS in FireFlow when using unified onboarding with AWS. (Note that unified onboarding is currently in an Early Availability phase. For more information, see onboard AWS to both ACE and ASMS simultaneously.)
The following permissions are part of the AWS IAM role:
Type | Permission | Component | Justification
---|---|---|---
WRITE | ec2:AuthorizeSecurityGroupEgress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to add the specified outbound (egress) rules to a security group for use with a VPC.
WRITE | ec2:AuthorizeSecurityGroupIngress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to add the specified inbound (ingress) rules to a security group.
WRITE | ec2:RevokeSecurityGroupEgress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to remove the specified outbound (egress) rules from a security group for EC2-VPC.
WRITE | ec2:RevokeSecurityGroupIngress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to remove the specified inbound (ingress) rules from a security group.
For CD Mitigation
Note: This permission is part of the AWS stack that Cloud App Analyzer creates during onboarding. If the CD Mitigation feature is not required, remove this permission manually.
As part of onboarding, several resources are created in the user's account to support CD mitigation.
Type | Permission | Component | Justification
---|---|---|---
WRITE | ecr:SetRepositoryPolicy (optional - for CD Mitigation) | CAA | For Elastic Container Registry: Permission to set or change the policy of a container image detected to be high risk, so that it will not be pulled from the registry into a workload.
For AWS EC2 scanning
Type | Permission | Component | Justification
---|---|---|---
READ | ec2:DescribeSnapshots (optional - for VM scanner) | CAA | For VM scanner: Permission to get the relevant data about the snapshots and make sure they are deleted.
READ | ec2:DescribeInstances (optional - for VM scanner) | CAA | For VM scanner: Permission to get the public IP address of the EC2 spot instance.
READ | ec2:DescribeImages (optional - for VM scanner) | CAA | For VM scanner: Permission to get the AMI required for creating the EC2 spot instance that scans the volumes.
READ | ec2:DescribeVolumes (optional - for VM scanner) | CAA | For VM scanner: Permission to choose which volumes/partitions to scan.
WRITE | ec2:CreateSnapshots (optional - for VM scanner) | CAA | For VM scanner: Permission to create snapshots from the volumes attached to the target EC2 instance.
WRITE | ec2:CreateVolume (optional - for VM scanner) | CAA | For VM scanner: Permission to create a volume from a snapshot.
WRITE | ec2:RunInstances (optional - for VM scanner) | CAA | For VM scanner: Permission to create an EC2 spot instance that scans the volumes.
WRITE | ec2:AttachVolume (optional - for VM scanner) | CAA | For VM scanner: Permission to attach a volume to be scanned to the EC2 spot instance.
WRITE | ec2:CreateTags (optional - for VM scanner) | CAA | For VM scanner: Permission to create tags for the temporary EC2 resources of the Cloud App Analyzer VM scanner.
WRITE | ec2:TerminateInstances (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary EC2 resources after the scan is finished.
WRITE | ec2:DeleteSnapshot (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary EC2 resources after the scan is finished.
WRITE | ec2:DeleteVolume (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary EC2 resources after the scan is finished.
WRITE | ec2:CreateVpc (optional - for VM scanner) | CAA | For VM scanner: Permission to create a VPC that is used by all the temporary EC2 spot instances in the region.
WRITE | ec2:ModifyVpcAttribute (optional - for VM scanner) | CAA | For VM scanner: Permission to apply the required configuration to the created VPC.
WRITE | ec2:CreateSubnet (optional - for VM scanner) | CAA | For VM scanner: Permission to create a subnet in the VPC.
WRITE | ec2:CreateInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to create an Internet Gateway to be attached to the VPC, in order to allow communication with the Cloud App Analyzer account.
WRITE | ec2:AttachInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to attach the Internet Gateway to the VPC.
WRITE | ec2:CreateRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to create a route table in the VPC.
WRITE | ec2:AssociateRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to associate the route table with the created subnet.
WRITE | ec2:CreateRoute (optional - for VM scanner) | CAA | For VM scanner: Permission to create a route in the route table.
WRITE | ec2:DeleteVpc (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary network resources after the scan is finished.
WRITE | ec2:DeleteSubnet (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary network resources after the scan is finished.
WRITE | ec2:DeleteInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary network resources after the scan is finished.
WRITE | ec2:DetachInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary network resources after the scan is finished.
WRITE | ec2:DeleteRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary network resources after the scan is finished.
WRITE | ec2:DisassociateRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary network resources after the scan is finished.
WRITE | iam:CreateServiceLinkedRole (optional - for VM scanner) | CAA | For VM scanner: Permission to create a service-linked role as part of the scan resource creation. This role is required for creating the resources.
WRITE | kms:ReEncryptFrom (optional - for VM scanner) | CAA | For VM scanner: Permission to create a snapshot from a volume that is encrypted using a KMS CMK (customer managed key).
WRITE | kms:ReEncryptTo (optional - for VM scanner) | CAA | For VM scanner: Permission to create a snapshot from a volume that is encrypted using a KMS CMK (customer managed key).
WRITE | kms:CreateGrant (optional - for VM scanner) | CAA | For VM scanner: Permission to create a snapshot from a volume that is encrypted using a KMS CMK (customer managed key).
For Kubernetes Cluster Scan
The permissions for the Kubernetes scan are granted at the cluster level.
Create a Cluster role with the following permissions:
API group | Resource names | Resources | Verbs
---|---|---|---
"rbac.authorization.k8s.io" | - | roles, rolebindings, clusterroles, clusterrolebindings | list
"storage.k8s.io" | - | storageclasses, volumeattachments | list
"" | - | nodes | list
"" | prevasio-kspm-{ALGOSEC_TENANT_ID} | namespaces | create, delete
Create a cluster role binding to bind this cluster role to the following User:
arn:aws:sts::{account_id}:assumed-role/{Cloud App Analyzer_role_name}/AssumedRoleSession
Create a Role with the following permissions and namespace:
API group | Resource names | Resources | Verbs | Namespace
---|---|---|---|---
"batch" | - | jobs | create, delete | prevasio-kspm-{ALGOSEC_TENANT_ID}
Create a cluster role binding to bind this role to the following User:
arn:aws:sts::{account_id}:assumed-role/{Cloud App Analyzer_role_name}/AssumedRoleSession
Create an Access Entry with "IAM principal ARN" = Prevasio Role ARN and "Access policies" = "AmazonEKSViewPolicy".
If you use only the ConfigMap authentication mode, create another Cluster role binding to bind the built-in "view" cluster role to the following User:
arn:aws:sts::{account_id}:assumed-role/{prevasio_role_name}/AssumedRoleSession
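The procedure above as an added example, not taken from the AlgoSec documentation: the Python below builds the ClusterRole, its binding, the namespaced Role and its binding as kubectl-compatible JSON, with the page's placeholders (tenant id, account id, role name) as parameters. The object names prevasio-kspm-scan and prevasio-kspm-jobs are assumed, since the page does not name them; because a ClusterRoleBinding can only reference a ClusterRole, the namespaced Role is bound with a RoleBinding in its namespace.

```python
def kspm_principal(account_id, role_name):
    """User name the cluster sees for the assumed Cloud App Analyzer role (the page's ARN form)."""
    return f"arn:aws:sts::{account_id}:assumed-role/{role_name}/AssumedRoleSession"

def kspm_rbac_manifests(tenant_id, account_id, role_name):
    """The four RBAC objects from the tables above as kubectl-compatible JSON documents.
    Object names are assumed (the page does not name them); the namespace form is the page's."""
    rbac = "rbac.authorization.k8s.io"
    ns = f"prevasio-kspm-{tenant_id}"
    subjects = [{"kind": "User", "apiGroup": rbac,
                 "name": kspm_principal(account_id, role_name)}]
    cluster_role = {
        "apiVersion": f"{rbac}/v1", "kind": "ClusterRole",
        "metadata": {"name": "prevasio-kspm-scan"},
        "rules": [
            {"apiGroups": [rbac], "verbs": ["list"],
             "resources": ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]},
            {"apiGroups": ["storage.k8s.io"], "verbs": ["list"],
             "resources": ["storageclasses", "volumeattachments"]},
            {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list"]},
            # Namespace create/delete pinned to the tenant namespace. Kubernetes RBAC cannot
            # restrict create by resource name (the name is unknown at authorization time), so
            # confirm with `kubectl auth can-i create namespaces --as <principal>` after applying.
            {"apiGroups": [""], "resources": ["namespaces"],
             "resourceNames": [ns], "verbs": ["create", "delete"]},
        ],
    }
    cluster_role_binding = {
        "apiVersion": f"{rbac}/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": "prevasio-kspm-scan"},
        "roleRef": {"apiGroup": rbac, "kind": "ClusterRole", "name": "prevasio-kspm-scan"},
        "subjects": subjects,
    }
    # A ClusterRoleBinding can only reference a ClusterRole, so the namespaced jobs Role
    # is bound with a RoleBinding in its own namespace.
    role = {
        "apiVersion": f"{rbac}/v1", "kind": "Role",
        "metadata": {"name": "prevasio-kspm-jobs", "namespace": ns},
        "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "delete"]}],
    }
    role_binding = {
        "apiVersion": f"{rbac}/v1", "kind": "RoleBinding",
        "metadata": {"name": "prevasio-kspm-jobs", "namespace": ns},
        "roleRef": {"apiGroup": rbac, "kind": "Role", "name": "prevasio-kspm-jobs"},
        "subjects": subjects,
    }
    return [cluster_role, cluster_role_binding, role, role_binding]
```

Serialize the returned list with json.dumps as a v1 List and pipe it to kubectl apply -f -; the prevasio-kspm namespace must exist before the Role and RoleBinding can be created, and the Access Entry from the last step is an EKS setting configured outside Kubernetes RBAC.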