Permissions Required for AWS Accounts

AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering a unique set of functionalities:

  • Cloud Network Security (CNS)

  • Cloud App Analyzer (CAA)

This section outlines the required and optional permissions for AWS accounts necessary to fully leverage the capabilities of ACE. The table below details the permissions requested by each specified role, along with justifications for their necessity.

You can find all these permissions in the CloudFormation template.

The permissions listed below are classified according to the following key:

    READ permissions
    WRITE permissions

Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.

AWS Permissions and justifications

The following required permissions are part of the AWS IAM role:

directconnect:DescribeDirectConnect*
    For network topology map and TSQ: Permission for ASMS to list all your Direct Connect gateways, or only the specified Direct Connect gateway.

ec2:DescribeFlowLogs
    For Network policy: Permission to flag unused rules.

ec2:DescribeInstances
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VM instance information.

ec2:DescribeInternetGateways
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve internet gateway information.

ec2:DescribeNetworkAcls
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve network ACL information.

ec2:DescribeNetworkInterfaces
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve network interface information.

ec2:DescribeRegions
    For Network policy and Risks: Permission to flag unused rules and retrieve availability zones.

ec2:DescribeRouteTables
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve route table information.

ec2:DescribeSecurityGroups
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve security group information.

ec2:DescribeSubnets
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve subnet information.

ec2:DescribeTransitGatewayAttachments
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway attachment information.

ec2:DescribeTransitGatewayRouteTables
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway route table information.

ec2:DescribeTransitGateways
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway information.

ec2:DescribeVpcPeeringConnections
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPC peering connection information.

ec2:DescribeVpcs
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPC information.

ec2:DescribeVpnConnections
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPN connection information.

ec2:DescribeVpnGateways
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve VPN gateway route information.

ec2:SearchTransitGatewayRoutes
    For Overview of assets and security controls, Network policy and Risks: Permission to retrieve Transit Gateway route information.

elasticloadbalancing:DescribeLoadBalancers
    For ACE: Permission to show load balancers in the tree.

logs:GetLogEvents
    Permission to list log events from CloudWatch. The traffic log is required to determine unused rules. If only S3 is used, this permission is not required.

s3:GetBucketLocation
    For Overview of assets and security controls: Permission to retrieve storage bucket information.

s3:GetObject*
    For Overview of assets and security controls: Permission to retrieve storage bucket information. If only CloudWatch is used, this permission is not required.

s3:List*
    For Overview of assets and security controls: Permission to retrieve storage bucket information. Also used for Cloud Security misconfiguration information.

SecurityAudit policy
    For Cloud Security misconfiguration information.

ses:DescribeActiveReceiptRuleSet
    For AWS Simple Email Service: Permission to read metadata and receipt rules for the receipt rule set that is currently active.

logs:DescribeLogGroups
    For AWS CloudWatch Logs: Permission to make sure a CloudWatch log group is attached.

logs:DescribeMetricFilters
    For AWS CloudWatch Logs: Permission to detect any missing CloudWatch metric filters.

dlm:GetLifecyclePolicies
    For AWS Data Lifecycle Manager: Permission to parse summary information about the snapshots of individual volumes or multi-volume snapshots for EC2 instances.

kms:GetKeyRotationStatus
    For AWS Key Management Service: Permission to make sure key rotation is enabled for customer-managed keys.

ecr-public:GetAuthorizationToken
    For AWS Elastic Container Registry: Permission to authorize with ECR, so that Cloud App Analyzer can pull public container images for scanning.

ecr:GetAuthorizationToken
    For AWS Elastic Container Registry: Permission to authorize with ECR, so that Cloud App Analyzer can pull private container images for scanning.

ecr:BatchGetImage
    For AWS Elastic Container Registry: Permission to get detailed information about container images.

ecr:GetDownloadUrlForLayer
    For AWS Elastic Container Registry: Permission to obtain download URLs for container image layers.

sts:GetServiceBearerToken
    For AWS Elastic Container Registry: Additional permission required to authorize with ECR.

s3:GetObject (arn:aws:s3:::elasticbeanstalk*)
    For AWS Elastic Beanstalk: Permission to make sure Elastic Beanstalk is configured to apply managed platform updates. This specific permission is required if Elastic Beanstalk logs are stored in Amazon S3.

inspector2:ListFindings
    For AWS Inspector 2: Permission to retrieve a subset of information about one or more findings for ECR container images, reported by the AWS built-in vulnerability scanner.

inspector2:ListCoverage
    For AWS Inspector 2: Permission to retrieve the types of statistics Amazon Inspector can generate for the monitored resources.
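As an added check (not AlgoSec's code and not part of the CloudFormation template), the Python below compares an IAM policy document against a subset of the required actions above, honouring IAM's case-insensitive action wildcards and explicit Deny statements. The REQUIRED_ACTIONS subset and the sample policy are constructed for illustration.

```python
import fnmatch

# Representative subset of the actions listed above as required for the ACE
# IAM role; extend it from the CloudFormation template for a full check.
REQUIRED_ACTIONS = [
    "directconnect:DescribeDirectConnect*",
    "ec2:DescribeFlowLogs", "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs", "ec2:SearchTransitGatewayRoutes",
    "elasticloadbalancing:DescribeLoadBalancers", "logs:GetLogEvents",
    "s3:GetBucketLocation", "s3:GetObject*", "s3:List*",
]

def _patterns(policy, effect):
    """All action patterns from statements with the given Effect."""
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == effect:
            acts = st.get("Action", [])
            out += [acts] if isinstance(acts, str) else list(acts)
    return out

def _covers(granted, required):
    """True if Allow pattern `granted` is at least as broad as `required`.
    IAM action names match case-insensitively; '*' is the wildcard."""
    g, r = granted.lower(), required.lower()
    if r.endswith("*"):  # a wildcard requirement needs a wildcard grant
        return g.endswith("*") and r[:-1].startswith(g[:-1])
    return fnmatch.fnmatchcase(r, g)

def missing_actions(policy):
    """Required actions no Allow covers, or an explicit Deny blocks. Only the
    Action element is checked; Resource/Condition scoping is a separate review."""
    allows, denies = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    missing = []
    for req in REQUIRED_ACTIONS:
        denied = any(fnmatch.fnmatchcase(req.lower(), d.lower()) for d in denies)
        if denied or not any(_covers(g, req) for g in allows):
            missing.append(req)
    return missing

# Constructed sample policy (not from the page): broad ec2/s3 reads, one
# specific Direct Connect call instead of the wildcard, and a Deny on flow logs.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "s3:Get*", "s3:List*", "logs:GetLogEvents",
        "elasticloadbalancing:DescribeLoadBalancers",
        "directconnect:DescribeDirectConnectGateways"]},
    {"Effect": "Deny", "Action": "ec2:DescribeFlowLogs", "Resource": "*"},
]}
```

To check a deployed role, fetch its policy documents with `aws iam get-role-policy` or `aws iam get-policy-version` and pass each PolicyDocument to `missing_actions`.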

Additional optional permissions

While the core functionalities of ACE operate seamlessly with the required permissions above, certain advanced features and specialized functionalities necessitate additional optional permissions. These permissions are not essential for the fundamental operations of the platform but are required to leverage enhanced capabilities tailored to specific use cases or integrations. The table below outlines these optional permissions along with their justifications, detailing how they support specialized functionalities within ACE.

For Changes to AWS Policies

(Optional) You will need the following WRITE permissions if you want to enable:

  1. Changes to AWS policies in Cloud Network Security.

  2. ActiveChange for AWS in FireFlow when using unified onboarding with AWS. (Note that unified onboarding is currently in an Early Availability phase. For more information, see Onboard AWS to both ACE and ASMS simultaneously.)

The following permissions are part of the AWS IAM role:

ec2:AuthorizeSecurityGroupEgress (optional, for changes to AWS policies)
    For Network policy: Permission for policy provisioning, to add the specified outbound (egress) rules to a security group for use with a VPC.

ec2:AuthorizeSecurityGroupIngress (optional, for changes to AWS policies)
    For Network policy: Permission for policy provisioning, to add the specified inbound (ingress) rules to a security group.

ec2:RevokeSecurityGroupEgress (optional, for changes to AWS policies)
    For Network policy: Permission for policy provisioning, to remove the specified outbound (egress) rules from a security group for EC2-VPC.

ec2:RevokeSecurityGroupIngress (optional, for changes to AWS policies)
    For Network policy: Permission for policy provisioning, to remove the specified inbound (ingress) rules from a security group.

For CD Mitigation

Note: This permission is part of the AWS stack that App Analyzer creates during onboarding. If the CD Mitigation feature is not required, this permission should be removed manually.

As part of the onboarding, several resources are created in the user's account to support CD mitigation.

ecr:SetRepositoryPolicy (optional, for CD Mitigation)
    For Elastic Container Registry: Permission to set or change the repository policy of a container image detected to be high risk, so that it will not be pulled from the registry into a workload.

For AWS EC2 scanning

ec2:DescribeSnapshots (optional, for VM scanner)
    For VM scanner: Permission to get the relevant data about the snapshots, and make sure they are deleted.

ec2:DescribeInstances (optional, for VM scanner)
    For VM scanner: Permission to get the public IP address of the EC2 spot instance.

ec2:DescribeImages (optional, for VM scanner)
    For VM scanner: Permission to get the required AMI for creating the EC2 spot instance that scans the volumes.

ec2:DescribeVolumes (optional, for VM scanner)
    For VM scanner: Permission to choose which volumes/partitions to scan.

ec2:CreateSnapshots (optional, for VM scanner)
    For VM scanner: Permission to create snapshots from the volumes attached to the target EC2 instance.

ec2:CreateVolume (optional, for VM scanner)
    For VM scanner: Permission to create a volume from a snapshot.

ec2:RunInstances (optional, for VM scanner)
    For VM scanner: Permission to create an EC2 spot instance that scans the volumes.

ec2:AttachVolume (optional, for VM scanner)
    For VM scanner: Permission to attach a volume to be scanned to the EC2 spot instance.

ec2:CreateTags (optional, for VM scanner)
    For VM scanner: Permission to create tags for the temporary EC2 resources of the Cloud App Analyzer VM scanner.

ec2:TerminateInstances, ec2:DeleteSnapshot, ec2:DeleteVolume (optional, for VM scanner)
    For VM scanner: Permission to delete the temporary EC2 resources after the scan is finished.

ec2:CreateVpc (optional, for VM scanner)
    For VM scanner: Permission to create a VPC that will be used by all the temporary EC2 spot instances in the region.

ec2:ModifyVpcAttribute (optional, for VM scanner)
    For VM scanner: Permission to apply the required configuration to the created VPC.

ec2:CreateSubnet (optional, for VM scanner)
    For VM scanner: Permission to create a subnet in the VPC.

ec2:CreateInternetGateway (optional, for VM scanner)
    For VM scanner: Permission to create an internet gateway to be attached to the VPC, in order to allow communication with the Cloud App Analyzer account.

ec2:AttachInternetGateway (optional, for VM scanner)
    For VM scanner: Permission to attach the internet gateway to the VPC.

ec2:CreateRouteTable (optional, for VM scanner)
    For VM scanner: Permission to create a route table in the VPC.

ec2:AssociateRouteTable (optional, for VM scanner)
    For VM scanner: Permission to associate the route table with the created subnet.

ec2:CreateRoute (optional, for VM scanner)
    For VM scanner: Permission to create a route in the route table.

ec2:DeleteVpc, ec2:DeleteSubnet, ec2:DeleteInternetGateway, ec2:DetachInternetGateway, ec2:DeleteRouteTable, ec2:DisassociateRouteTable (optional, for VM scanner)
    For VM scanner: Permission to delete the temporary network resources after the scan is finished.

iam:CreateServiceLinkedRole (optional, for VM scanner)
    For VM scanner: Permission to create a service-linked role as part of the scan resource creation. This role is required for creating the resources.

kms:ReEncryptFrom, kms:ReEncryptTo, kms:CreateGrant (optional, for VM scanner)
    For VM scanner: Permission to create a snapshot from a volume that is encrypted using a KMS CMK (customer managed key).

For Kubernetes Cluster Scan

The permissions for the Kubernetes scan should be granted at the cluster level.

Create a Cluster role with the following permissions:

API group                     Resource names                      Resources                                                Verbs
"rbac.authorization.k8s.io"   -                                   roles, rolebindings, clusterroles, clusterrolebindings   list
"storage.k8s.io"              -                                   storageclasses, volumeattachments                        list
""                            -                                   nodes                                                    list
""                            prevasio-kspm-{ALGOSEC_TENANT_ID}   namespaces                                               create, delete

Create a cluster role binding to bind this cluster role to the following User:

arn:aws:sts::{account_id}:assumed-role/{Cloud App Analyzer_role_name}/AssumedRoleSession

Create a Role with the following permissions and namespace:

API group   Resource names   Resources   Verbs            Namespace
"batch"     -                jobs        create, delete   prevasio-kspm-{ALGOSEC_TENANT_ID}

Create a cluster role binding to bind this role to the following User:

arn:aws:sts::{account_id}:assumed-role/{Cloud App Analyzer_role_name}/AssumedRoleSession.

Create an Access Entry:

"IAM principal ARN" = Prevasio Role ARN and "Access policies" = "AmazonEKSViewPolicy"

If you use only the ConfigMap auth mode, create another cluster role binding to bind the built-in "view" cluster role to the following User:

arn:aws:sts::{account_id}:assumed-role/{prevasio_role_name}/AssumedRoleSession.
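The ClusterRole, namespaced Role and their bindings from the steps above, as an added example that is not AlgoSec's own code: a Python builder that emits the objects as Kubernetes API JSON (which kubectl apply -f accepts) plus a simplified RBAC matcher for confirming the grants stay scoped to the scan namespace. The object names kspm-scan and kspm-jobs are assumptions; the namespaced Role is bound with a RoleBinding in its namespace (a ClusterRoleBinding can only reference a ClusterRole), and because Kubernetes RBAC cannot restrict the create verb by resourceNames, namespace creation is granted in its own rule while delete keeps the name restriction.

```python
RBAC = "rbac.authorization.k8s.io"

def rule(group, resources, verbs, names=None):
    r = {"apiGroups": [group], "resources": resources, "verbs": verbs}
    return {**r, "resourceNames": names} if names else r

def kspm_rbac(tenant_id, account_id, role_name):
    """The ClusterRole, Role and bindings from the tables above as API objects
    (kubectl apply -f accepts JSON). Names kspm-scan/kspm-jobs are assumptions."""
    ns = f"prevasio-kspm-{tenant_id}"
    user = f"arn:aws:sts::{account_id}:assumed-role/{role_name}/AssumedRoleSession"
    subj = [{"kind": "User", "apiGroup": RBAC, "name": user}]
    def obj(kind, name, namespace=None, **body):
        meta = {"name": name, **({"namespace": namespace} if namespace else {})}
        return {"apiVersion": RBAC + "/v1", "kind": kind, "metadata": meta, **body}
    return [
        obj("ClusterRole", "kspm-scan", rules=[
            rule(RBAC, ["roles", "rolebindings", "clusterroles", "clusterrolebindings"], ["list"]),
            rule("storage.k8s.io", ["storageclasses", "volumeattachments"], ["list"]),
            rule("", ["nodes"], ["list"]),
            # RBAC cannot restrict 'create' by resourceNames (the name is unknown
            # at authorization time), so only 'delete' is pinned to the scan namespace.
            rule("", ["namespaces"], ["create"]),
            rule("", ["namespaces"], ["delete"], [ns]),
        ]),
        obj("ClusterRoleBinding", "kspm-scan", subjects=subj,
            roleRef={"apiGroup": RBAC, "kind": "ClusterRole", "name": "kspm-scan"}),
        obj("Role", "kspm-jobs", ns, rules=[rule("batch", ["jobs"], ["create", "delete"])]),
        obj("RoleBinding", "kspm-jobs", ns, subjects=subj,
            roleRef={"apiGroup": RBAC, "kind": "Role", "name": "kspm-jobs"}),
    ]

def allowed(objs, user, verb, group, resource, namespace=None, name=None):
    """Simplified RBAC evaluation: a binding naming `user` must reference a
    role with one rule matching every attribute of the request."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objs if o["kind"] in ("Role", "ClusterRole")}
    for b in (o for o in objs if o["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        scope = b["metadata"].get("namespace")  # a RoleBinding grants only in its namespace
        if (scope is not None and scope != namespace) or not any(
                s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        role = roles.get((ref["kind"], scope if ref["kind"] == "Role" else None, ref["name"]), {})
        for r in role.get("rules", []):
            if (group in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
                    and (not r.get("resourceNames") or name in r["resourceNames"])):
                return True
    return False
```

Wrap the returned list in a `{"apiVersion": "v1", "kind": "List", "items": ...}` document and `json.dumps` it to get a file that `kubectl apply -f` accepts.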