Permissions Required for AWS Accounts
This section outlines the required and optional permissions that AWS accounts need so that ACE can use all of its capabilities. The tables below detail the permissions requested for each role, with a justification for each.
AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering its own set of functionality:
- Cloud Network Security (CNS)
- Cloud App Analyzer (CAA)
When ASMS is connected to ACE, permissions are also required for the ASMS functionality marked in the tables below.
The permissions listed below are classified according to the following key:
| Type | Meaning |
|---|---|
| Read | READ permissions |
| R/W | READ/WRITE permissions |
| Write | WRITE permissions |
Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.
AWS permissions and justifications
The following required permissions are granted to the AWS IAM role used by ACE. When ASMS is connected to ACE, the permissions that are also required for ASMS data collection are marked in the last column.
| Type | Permission | Component | Justification | For ASMS Data Collection |
|---|---|---|---|---|
| Read | directconnect:DescribeDirectConnect* | CNS | For network topology map and TSQ: Permission to list all Direct Connect gateways, or only the specified Direct Connect gateway. | |
| Read | ec2:DescribeFlowLogs | CNS | For Network policy: Permission to flag unused rules. | |
| Read | ec2:DescribeInstances | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VM instance information. | For ASMS Devices tree, network map & Traffic Simulation Query. |
| Read | ec2:DescribeInternetGateways | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve internet gateway information. | For ASMS VPN support in network map & Traffic Simulation Query. |
| Read | ec2:DescribeNetworkAcls | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve network ACL information. | For ASMS Policy visibility, Traffic Simulation Query. |
| Read | ec2:DescribeNetworkInterfaces | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve network interface information. | For ASMS Network map & Traffic Simulation Query. |
| Read | ec2:DescribeRegions | CNS | For Network policy and Risks: Permission to list regions; used to flag unused rules and to retrieve availability zones. | For ASMS Devices tree, network map & Traffic Simulation Query. |
| Read | ec2:DescribeRouteTables | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve route table information. | For ASMS Network map & Traffic Simulation Query. |
| Read | ec2:DescribeSecurityGroups | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Security Group information. | For ASMS Policy visibility, Traffic Simulation Query. |
| Read | ec2:DescribeSecurityGroupRules | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Security Group rule information. | |
| Read | ec2:DescribeSubnets | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve subnet information. | For ASMS Network map & Traffic Simulation Query. |
| Read | ec2:DescribeTransitGatewayAttachments | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway attachment information. | |
| Read | ec2:DescribeTransitGatewayRouteTables | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway route table information. | |
| Read | ec2:DescribeTransitGateways | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway information. | |
| Read | ec2:DescribeVpcPeeringConnections | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPC peering connection information. | For ASMS Network map & Traffic Simulation Query. |
| Read | ec2:DescribeVpcs | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPC information. | For ASMS Devices tree, network map & Traffic Simulation Query. |
| Read | ec2:DescribeVpnConnections | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPN connection information. | For ASMS VPN support in network map & Traffic Simulation Query. |
| Read | ec2:DescribeVpnGateways | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPN gateway information. | For ASMS VPN support in network map & Traffic Simulation Query. |
| Read | ec2:SearchTransitGatewayRoutes | CNS | For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway route information. | |
| Read | ec2:GetTransitGatewayRouteTableAssociations | CNS | For network topology map and TSQ: Permission to list Transit Gateway route table associations and fetch their associated attachments. | |
| Read | elasticloadbalancing:DescribeTargetGroups | CNS | Permission to show load balancer target groups on the tree. | |
| Read | elasticloadbalancing:DescribeTargetHealth | CNS | Permission to show load balancer target health on the tree. | |
| Read | elasticloadbalancing:DescribeListeners | CNS | Permission to show load balancer listeners on the tree. | |
| Read | elasticloadbalancing:DescribeLoadBalancers | CNS | Permission to show load balancers on the tree. | For ASMS Network map & Traffic Simulation Query. |
| Read | ec2:DescribeVpcEndpoints | CNS | For ASMS Network map and TSQ: Permission to describe VPC endpoints. | |
| Read | ec2:DescribeVpcEndpointServiceConfigurations | CNS | For ASMS Network map and TSQ: Permission to describe VPC endpoint service configurations. | |
| Read | ec2:DescribeTransitGatewayVpcAttachments (optional) | CNS | For ASMS Network map and TSQ: Permission to describe Transit Gateway VPC attachments. Optional; it supports the enhanced topology for AWS Transit Gateway. | |
| Read | logs:GetLogEvents | CNS | Permission to read log events from CloudWatch Logs. The traffic (flow) log is required to determine unused rules. Not required if flow logs are delivered only to S3. | |
| Read | s3:GetBucketLocation | CNS | For Overview of assets and security controls: Permission to retrieve storage bucket information. | |
| Read | s3:GetObject* | CNS | For Overview of assets and security controls: Permission to retrieve storage bucket information and read flow logs delivered to S3. Not required if flow logs are delivered only to CloudWatch Logs. | |
| Read | s3:List* | CNS | For Overview of assets and security controls: Permission to retrieve storage bucket information. Also used for Cloud Security misconfiguration information. | |
| Read | sts:GetCallerIdentity | - | - | For ASMS A33.10 and later: needed for all supported AWS API calls. |
| Read | SecurityAudit (AWS managed policy) | CAA | For Cloud Security misconfiguration information. | |
| Read | ses:DescribeActiveReceiptRuleSet | CAA | For Amazon Simple Email Service: Permission to read the metadata and receipt rules of the currently active receipt rule set. | |
| Read | logs:DescribeLogGroups | CAA | For Amazon CloudWatch Logs: Permission to verify that a CloudWatch log group is attached. | |
| Read | logs:DescribeMetricFilters | CAA | For Amazon CloudWatch Logs: Permission to detect missing CloudWatch metric filters. | |
| Read | dlm:GetLifecyclePolicies | CAA | For Amazon Data Lifecycle Manager: Permission to retrieve summary information about the lifecycle policies that manage snapshots of individual volumes or multi-volume snapshots of EC2 instances. | |
| Read | kms:GetKeyRotationStatus | CAA | For AWS Key Management Service: Permission to verify that key rotation is enabled for customer-managed keys. | |
| Read | ecr-public:GetAuthorizationToken | CAA | For Amazon Elastic Container Registry Public: Permission to authenticate to ECR Public so that Cloud App Analyzer can pull public container images for scanning. | |
| Read | ecr:GetAuthorizationToken | CAA | For Amazon Elastic Container Registry: Permission to authenticate to ECR so that Cloud App Analyzer can pull private container images for scanning. | |
| Read | ecr:BatchGetImage | CAA | For Amazon Elastic Container Registry: Permission to retrieve image manifests and detailed information about container images. | |
| Read | ecr:GetDownloadUrlForLayer | CAA | For Amazon Elastic Container Registry: Permission to obtain download URLs for container image layers. | |
| Read | sts:GetServiceBearerToken | CAA | For Amazon Elastic Container Registry Public: additional permission required alongside ecr-public:GetAuthorizationToken to obtain the registry authorization token. | |
| Read | s3:GetObject (arn:aws:s3:::elasticbeanstalk*) | CAA | For AWS Elastic Beanstalk: Permission to verify that Elastic Beanstalk is configured to apply managed platform updates; required only if Elastic Beanstalk logs are stored in Amazon S3. | |
| Read | inspector2:ListFindings | CAA | For Amazon Inspector: Permission to retrieve findings for ECR container images reported by the AWS built-in vulnerability scanner. | |
| Read | inspector2:ListCoverage | CAA | For Amazon Inspector: Permission to list which monitored resources (including ECR images) are covered by Inspector scanning. | |
| Read | appflow:DescribeFlow | CAA | For Amazon AppFlow: Permission to get the metadata and configuration details of a flow; used to assess data transfer risks between SaaS applications and AWS. | |
| Read | imagebuilder:List* | CAA | For EC2 Image Builder: Permission to list components, distributions and pipelines; used to inventory and audit build resources. | |
| Read | imagebuilder:Get* | CAA | For EC2 Image Builder: Permission to get detailed information about image recipes, builds and components; used to verify integrity and security compliance. | |
| Read | wafv2:DescribeManagedRuleGroup | CAA | For AWS WAF: Permission to read the configuration and scope of managed rule groups; used when evaluating or simulating WAF behavior. | |
| Read | wafv2:GetRuleGroup | CAA | For AWS WAF: Permission to get the structure and content of a rule group; required for risk analysis and rule impact simulation. | |
| Read | wafv2:ListManagedRuleSets | CAA | For AWS WAF: Permission to enumerate all available managed rule sets; used to identify applicable WAF protections. | |
| Read | wafv2:ListResourcesForWebACL | CAA | For AWS WAF: Permission to determine which resources are associated with a Web ACL; used to identify risk exposure paths. | |
| Read | apprunner:ListAssociatedServicesForWebAcl | CAA | For AWS App Runner: Permission to list App Runner services associated with a Web ACL; used to track WAF protection coverage. | |
| Read | cognito-idp:ListResourcesForWebACL | CAA | For Amazon Cognito: Permission to list Cognito user pools associated with Web ACLs; used to verify that identity endpoints are WAF-protected. | |
| Read | ec2:DescribeVerifiedAccessInstanceWebAclAssociations | CAA | For AWS Verified Access: Permission to check which Verified Access instances are associated with Web ACLs; used in access flow risk mitigation. | |
| Read | wafv2:CheckCapacity | CAA | For AWS WAF: Permission to determine whether a rule set or Web ACL configuration fits within WAF capacity limits; used during safe rule deployment or updates. | |
| Read | account:ListRegions | CAA | Permission to list the AWS regions that are enabled for the account; used to dynamically identify active regions for discovery, auditing and compliance operations. | |
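Because a missing permission shows up only as a malfunction at collection time, it is worth checking the role's policy document against the required list before onboarding. The following is an added example (not AlgoSec code, and not the stack ACE deploys) that matches IAM action names the way IAM does (case-insensitive, with `*` and `?` wildcards), lets an explicit Deny override an Allow, and reports the required actions that are not granted. The policy and the action subset in it are constructed samples; the concrete action names, the `ace-`-free sample mistakes and the function names are all assumptions for illustration.

```python
"""Pre-onboarding check: does an IAM policy grant every action ACE needs?

Added example, not AlgoSec code. Resource and Condition elements are ignored
on purpose: the ACE role is granted on Resource "*", so a gap found here is a
missing or explicitly denied action. The policy and the required-action subset
are constructed samples; in practice REQUIRED_ACTIONS is the full table above
(expand wildcard rows such as s3:List* to the concrete actions you care about)
and the policy comes from `aws iam get-role-policy` / `get-policy-version`.
"""
import fnmatch
import json
from typing import Any, Dict, List

# Constructed subset of the required CNS actions from the table above.
REQUIRED_ACTIONS: List[str] = [
    "directconnect:DescribeDirectConnectGateways",
    "ec2:DescribeFlowLogs",
    "ec2:DescribeInstances",
    "ec2:DescribeSecurityGroupRules",
    "ec2:SearchTransitGatewayRoutes",
    "ec2:GetTransitGatewayRouteTableAssociations",
    "elasticloadbalancing:DescribeTargetGroups",
    "logs:GetLogEvents",
    "s3:GetBucketLocation",
    "s3:ListBucket",
    "sts:GetCallerIdentity",
]

# Constructed sample policy with three typical onboarding mistakes:
# "ec2:Describe*" looks complete but Search*/Get* calls are not Describe calls,
# "s3:List*" was never added, and a blanket Deny on logs:* overrides the Allow.
SAMPLE_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "directconnect:Describe*",
                "elasticloadbalancing:Describe*",
                "s3:GetBucketLocation", "sts:GetCallerIdentity"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": "*"},
    {"Effect": "Deny", "Action": "logs:*", "Resource": "*"}
  ]
}
""")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string/object or a list in most elements."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_selects(stmt: Dict[str, Any], action: str) -> bool:
    """True if the statement's Action (or NotAction) element covers the action."""
    if "Action" in stmt:
        return any(action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate_action(policy: Dict[str, Any], action: str) -> str:
    """Return 'allow', 'deny' (explicit) or 'implicit-deny' for one action."""
    decision = "implicit-deny"
    for stmt in _as_list(policy.get("Statement")):
        if not statement_selects(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            decision = "allow"
    return decision


def missing_actions(policy: Dict[str, Any], required: List[str]) -> Dict[str, str]:
    """Map every required action that is not granted to the reason it fails."""
    gaps: Dict[str, str] = {}
    for action in required:
        decision = evaluate_action(policy, action)
        if decision != "allow":
            gaps[action] = decision
    return gaps


if __name__ == "__main__":
    for action, why in sorted(missing_actions(SAMPLE_POLICY, REQUIRED_ACTIONS).items()):
        print(f"MISSING {action:50s} ({why})")
```

Once the role exists, the authoritative check is `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names ...`, which evaluates all attached policies and the role's permissions boundary exactly as IAM does; the script above is for catching gaps in a policy document before it is attached.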
Permissions for AWS Native Firewall
AWS Network Firewall (referred to here as AWS Native Firewall) provides an extra layer of protection that complements the protection already enforced through AWS security groups. To enable it in ACE, add the following permissions:
| Type | Permission | Component | Justification |
|---|---|---|---|
| Read | network-firewall:DescribeFirewall | CNS | For Network policy: Permission to describe a firewall. |
| Read | network-firewall:ListFirewalls | CNS | For Network policy: Permission to list firewalls. |
| Read | network-firewall:DescribeFirewallPolicy | CNS | For Network policy: Permission to describe a firewall policy. |
| Read | network-firewall:ListFirewallPolicies | CNS | For Network policy: Permission to list firewall policies. |
| Read | network-firewall:DescribeRuleGroup | CNS | For Network policy: Permission to describe a rule group. |
| Read | network-firewall:ListRuleGroups | CNS | For Network policy: Permission to list rule groups. |
Additional permissions for optional features
While the core functionalities of ACE operate seamlessly with the required permissions above, certain advanced features and specialized functionalities necessitate additional optional permissions. These permissions are not essential for the fundamental operations of the platform but are required to leverage enhanced capabilities tailored to specific use cases or integrations. The table below outlines these optional permissions along with their justifications, detailing how they support specialized functionalities within ACE.
Permissions for Changes to AWS Policies
You need the following WRITE permissions if you want to enable:
- Changes to AWS policies in Cloud Network Security.
- ActiveChange for AWS in FireFlow when using unified onboarding with AWS. For more information, see Simultaneously Onboard AWS Accounts into ACE and ASMS.
The following permissions are part of the AWS IAM role. When ASMS is connected to ACE, the permissions that are also required for ASMS ActiveChange are marked:
| Type | Permission | Component | Justification | For ASMS ActiveChange |
|---|---|---|---|---|
| Write | ec2:AuthorizeSecurityGroupEgress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to add the specified outbound (egress) rules to a security group in a VPC. | For ASMS: adds the specified outbound (egress) rules to a security group in a VPC. |
| Write | ec2:AuthorizeSecurityGroupIngress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to add the specified inbound (ingress) rules to a security group. | For ASMS: adds the specified inbound (ingress) rules to a security group. |
| Write | ec2:RevokeSecurityGroupEgress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to remove the specified outbound (egress) rules from a security group in a VPC. | For ASMS: removes the specified outbound (egress) rules from the specified security group. |
| Write | ec2:RevokeSecurityGroupIngress (optional - for Changes to AWS policies) | CNS | For Network policy: Permission for policy provisioning, to remove the specified inbound (ingress) rules from a security group. | For ASMS: removes the specified inbound (ingress) rules from a security group. |
Permissions for CD Mitigation
Note: These permissions are part of the AWS stack that App Analyzer creates during onboarding. If the CD Mitigation feature is not required, remove them manually.
As part of onboarding, several resources are created in the user's account to support CD mitigation.
| Type | Permission | Component | Justification |
|---|---|---|---|
| Write | ecr:SetRepositoryPolicy (optional - for CD Mitigation) | CAA | For Elastic Container Registry: Permission to set or change the repository policy of an ECR repository whose image was detected as high risk, so that the image is not pulled from the registry into a workload. |
| Write | ecr:DeleteRepositoryPolicy (optional - for CD Mitigation) | CAA | For Elastic Container Registry: Permission to delete the policy of a container repository; used to ensure that container repositories flagged as high risk can no longer be accessed. |
| Read | cloudwatch:GetMetricStatistics (optional - for CD Mitigation) | CAA | For CloudWatch: Permission to retrieve historical metric data for system monitoring, anomaly detection and performance troubleshooting. |
Permissions for AWS EC2 scanning
| Type | Permission | Component | Justification |
|---|---|---|---|
| Read | ec2:DescribeSnapshots (optional - for VM scanner) | CAA | For VM scanner: Permission to get the relevant data about the snapshots and to verify that they are deleted afterwards. |
| Read | ec2:DescribeInstances (optional - for VM scanner) | CAA | For VM scanner: Permission to get the public IP address of the EC2 spot instance. |
| Read | ec2:DescribeImages (optional - for VM scanner) | CAA | For VM scanner: Permission to find the AMI required to create the EC2 spot instance that scans the volumes. |
| Read | ec2:DescribeVolumes (optional - for VM scanner) | CAA | For VM scanner: Permission to choose which volumes/partitions to scan. |
| Write | ec2:CreateSnapshots (optional - for VM scanner) | CAA | For VM scanner: Permission to create snapshots of the volumes attached to the target EC2 instance. |
| Write | ec2:CreateVolume (optional - for VM scanner) | CAA | For VM scanner: Permission to create a volume from a snapshot. |
| Write | ec2:RunInstances (optional - for VM scanner) | CAA | For VM scanner: Permission to create the EC2 spot instance that scans the volumes. |
| Write | ec2:AttachVolume (optional - for VM scanner) | CAA | For VM scanner: Permission to attach a volume to be scanned to the EC2 spot instance. |
| Write | ec2:CreateTags (optional - for VM scanner) | CAA | For VM scanner: Permission to tag the temporary EC2 resources created by the Cloud App Analyzer VM scanner. |
| Write | ec2:TerminateInstances (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary EC2 spot instance after the scan is finished. |
| Write | ec2:DeleteSnapshot (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary snapshots after the scan is finished. |
| Write | ec2:DeleteVolume (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary volumes after the scan is finished. |
| Write | ec2:DetachVolume (optional - for VM scanner) | CAA | For VM scanner: Permission to detach the scanned volume from the EC2 spot instance after the scan is finished. |
| Write | ec2:CreateVpc (optional - for VM scanner) | CAA | For VM scanner: Permission to create the VPC used by all temporary EC2 spot instances in the region. |
| Write | ec2:ModifyVpcAttribute (optional - for VM scanner) | CAA | For VM scanner: Permission to apply the required configuration to the created VPC. |
| Write | ec2:CreateSubnet (optional - for VM scanner) | CAA | For VM scanner: Permission to create a subnet in the VPC. |
| Write | ec2:CreateInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to create an Internet Gateway to attach to the VPC, to allow communication with the Cloud App Analyzer account. |
| Write | ec2:AttachInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to attach the Internet Gateway to the VPC. |
| Write | ec2:CreateRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to create a route table in the VPC. |
| Write | ec2:AssociateRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to associate the route table with the created subnet. |
| Write | ec2:CreateRoute (optional - for VM scanner) | CAA | For VM scanner: Permission to create a route in the route table. |
| Write | ec2:DeleteVpc (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary VPC after the scan is finished. |
| Write | ec2:DeleteSubnet (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary subnet after the scan is finished. |
| Write | ec2:DeleteInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary Internet Gateway after the scan is finished. |
| Write | ec2:DetachInternetGateway (optional - for VM scanner) | CAA | For VM scanner: Permission to detach the Internet Gateway from the VPC before deleting it. |
| Write | ec2:DeleteRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to delete the temporary route table after the scan is finished. |
| Write | ec2:DisassociateRouteTable (optional - for VM scanner) | CAA | For VM scanner: Permission to disassociate the route table from the subnet before deleting it. |
| Write | iam:CreateServiceLinkedRole (optional - for VM scanner) | CAA | For VM scanner: Permission to create a service-linked role as part of the scan resource creation. This role is required to create the resources. |
| Write | kms:ReEncryptFrom (optional - for VM scanner) | CAA | For VM scanner: Permission to create a snapshot from a volume that is encrypted with a KMS customer managed key (CMK). |
| Write | kms:ReEncryptTo (optional - for VM scanner) | CAA | For VM scanner: Permission to create a snapshot from a volume that is encrypted with a KMS customer managed key (CMK). |
| Write | kms:CreateGrant (optional - for VM scanner) | CAA | For VM scanner: Permission to create a snapshot from a volume that is encrypted with a KMS customer managed key (CMK). |
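The VM scanner rows above, like the security group write permissions in the Changes to AWS Policies table, are write actions that the stack grants without a resource or condition restriction. An added example (not from AlgoSec's stack) of how a practitioner would scope the scanner's instance, volume and snapshot lifecycle to resources the scanner itself tagged: the tag key `ace-vm-scanner` and its value are assumptions, and the `aws:RequestTag` conditions only work if the scanner applies that tag inside the creation call (`ec2:CreateTags` gated by `ec2:CreateAction`), which must be confirmed against the stack ACE actually deploys before this replaces the vendor's policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagScannerResourcesOnlyAtCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": ["RunInstances", "CreateVolume", "CreateSnapshots"]
        }
      }
    },
    {
      "Sid": "CreateOnlyResourcesTaggedAsScanner",
      "Effect": "Allow",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateSnapshots"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "StringEquals": {"aws:RequestTag/ace-vm-scanner": "true"}
      }
    },
    {
      "Sid": "RunInstancesLaunchInputs",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    },
    {
      "Sid": "SnapshotTheTargetInstanceVolumes",
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshots",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Sid": "OperateOnlyOnScannerTaggedResources",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:TerminateInstances",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceTag/ace-vm-scanner": "true"}
      }
    }
  ]
}
```

Three design points. The target instance and its volumes are the customer's, so `ec2:CreateSnapshots` on them is granted without a tag condition, while the resulting snapshot must carry the tag; the volume created from that snapshot is then authorized on the tagged snapshot via `aws:ResourceTag` and on the new volume via `aws:RequestTag`. Terminate, detach and delete are limited to tagged resources, so a compromised scanner credential cannot remove anything the scanner did not create. If the scanner's launch request does not tag the root volume, move `volume/*` from the RequestTag statement to the untagged statement, and add any other launch inputs it uses (key pair, launch template). The VPC, subnet, Internet Gateway and route table rows, the read rows and the KMS rows are unchanged from the table. The same `aws:ResourceTag` pattern on `arn:aws:ec2:*:*:security-group/*` can limit the Authorize/Revoke security group actions to groups you mark as managed by ACE. Also note that the Internet Gateway and the public IP address in the table mean the temporary spot instance is internet-reachable for the duration of a scan; its security group is where that exposure is controlled.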
Permissions for AWS WAF Support
| Type | Permission | Component | Justification |
|---|---|---|---|
| Read | wafv2:DescribeManagedRuleGroup (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to view details of AWS-managed rule groups. |
| Read | wafv2:GetRuleGroup (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to retrieve custom rule group configurations. |
| Read | wafv2:ListManagedRuleSets (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to list all available AWS-managed rule sets. |
| Read | wafv2:ListResourcesForWebACL (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to identify which resources are associated with a specific Web ACL. |
| Read | apprunner:ListAssociatedServicesForWebAcl (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to discover App Runner services protected by a Web ACL. |
| Read | cognito-idp:ListResourcesForWebACL (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to discover Cognito user pools protected by a Web ACL. |
| Read | ec2:DescribeVerifiedAccessInstanceWebAclAssociations (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to discover Verified Access instances protected by a Web ACL. |
| Read | wafv2:CheckCapacity (optional - for AWS WAF Support) | CAA | For AWS WAF Support: Permission to estimate the WCUs (Web ACL capacity units) used by a rule group or Web ACL. |
For Kubernetes Cluster Scan
Note:
- For instructions on Kubernetes Security manual onboarding, see Kubernetes Security Manual onboarding.
- For instructions on Kubernetes Security automatic onboarding, see Kubernetes Security Automatic onboarding.
When the Kubernetes scan is onboarded, either automatically or manually, the setup process assigns the necessary permissions. These are granted at the cluster level through a ClusterRole, plus one namespaced Role.
As part of the setup, a ClusterRole is created with the following permissions:
| API group | Resource names | Resources | Verbs |
|---|---|---|---|
| "rbac.authorization.k8s.io" | - | roles, rolebindings, clusterroles, clusterrolebindings | list |
| "storage.k8s.io" | - | storageclasses, volumeattachments | list |
| "" | - | nodes | list |
| "" | prevasio-kspm-{ALGOSEC_TENANT_ID} | namespaces | create, delete |
Note that Kubernetes RBAC cannot restrict create requests by resource name, because the object's name is not known at authorization time; the resourceNames entry constrains delete, while the create verb on namespaces is effectively cluster-wide.
A Role is created with the following permissions in the following namespace:
| API group | Resource names | Resources | Verbs | Namespace |
|---|---|---|---|---|
| "batch" | - | jobs | create, delete | prevasio-kspm-{ALGOSEC_TENANT_ID} |
For EKS API authentication mode, an EKS access entry is created with "IAM principal ARN" = the Prevasio role ARN and "Access policies" = "AmazonEKSViewPolicy".
For ConfigMap-only authentication mode, a ClusterRoleBinding is created that binds the built-in "view" ClusterRole (read access to most namespaced objects, but not to Secrets) to the following principal:
arn:aws:sts::{account_id}:assumed-role/{prevasio_role_name}/algosec