Permissions required by Prevasio to scan your AWS accounts

Prevasio allows onboarding both single and multiple AWS accounts.

To onboard a single AWS account, the Prevasio web application prompts the user to launch a CloudFormation template that creates a new stack in the targeted AWS account.

To onboard multiple accounts, the user should create a stack set in the AWS account that manages an organization or an organizational unit.

Regardless of the method chosen, a CloudFormation stack is created in the targeted AWS account, and that stack creates the resources that give Prevasio read-only access to your AWS resources.

Such read-only access is permitted by a special cross-account role created in your AWS account.

This role can only be assumed by Prevasio's security scanner (cspm-collector), which operates from Prevasio's own AWS account. That is, no other AWS principal can assume the cross-account role created in your AWS account for Prevasio, apart from the Prevasio security scanner itself.

In addition, and in line with AWS security best practices, another important security aspect is the External ID. This ID is a random string generated by Prevasio each time it is instructed to connect an AWS account. It has the form of a GUID ('Globally Unique Identifier'), a 128-bit value. Prevasio generates it as a version 4 UUID, which carries 122 random bits; roughly 2.71 quintillion (2.71 × 10^18) such UUIDs would have to be generated before the probability of at least one collision reaches 50%.

For example, the External ID generated by Prevasio may look like this:

99736b4b-6977-4018-adcd-c4be329f7b8d

When assuming the cross-account role created in your account for the Prevasio security scanner, the scanner presents this External ID as an additional security mechanism that prevents the confused deputy problem: a third party who learns the ARN of your role and onboards it under their own Prevasio account cannot make Prevasio assume your role, because Prevasio would present the External ID issued to that third party, not the one generated for your account, and the role's trust policy rejects the mismatch.

Note: although we do not recommend it, the user may choose to reuse one External ID across all onboarded AWS accounts. Doing so weakens the protection above, since the ID then no longer distinguishes one account from another.

CloudFormation template

As mentioned above, the read-only cross-account role in each AWS account is created by a stack.

During onboarding, if you open the CloudFormation template in the AWS CloudFormation template designer, or download it as a JSON file and view it in a text viewer or in your browser, you will see which AWS principals (which entities) are allowed to assume the newly created cross-account role, what that role is, how the External ID is enforced, and what kind of access to your AWS resources the new role grants.

In the raw JSON view of the CloudFormation template, you can see that the new cross-account role is declared as an AWS::IAM::Role resource (this resource type is used to create new roles in your account).

The trust policy for this role is declared in the AssumeRolePolicyDocument property of the role. Trust policies define which entities can assume the role.

As seen in the template, only one entity is allowed to assume the 'PrevasioCSPMRole' role:

  • arn:aws:iam::263835861635:role/cspm-collector-role

This role is assumed by Prevasio's security scanner, which consists of the scanner itself, an antivirus, a vulnerability scanner and a dynamic analysis sandbox for your containers. The account number 263835861635 is Prevasio's AWS account number.

Apart from this entity, no one else can assume the 'PrevasioCSPMRole' role.

In order to assume the 'PrevasioCSPMRole' role, the Prevasio security scanner also needs to provide the External ID described above; the trust policy requires it as an additional security measure.
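The checks described in this section and in the External ID section above, as an added example that is not Prevasio's code or template: it validates that a trust policy names only the expected scanner principal, that it carries an sts:ExternalId condition, that the External ID is a version 4 UUID, and it works the birthday bound quoted above. The trust policy embedded below is a reconstruction from this page's description (the principal ARN and the sample External ID the page quotes); its exact wording is an assumption.

```python
"""Audit a cross-account trust policy of the kind described on this page.

Added example, not Prevasio's own code or template. TRUST_POLICY is
reconstructed from the page's description; its exact wording is an assumption.
"""
import math
import uuid

# Values quoted on the page; how the template spells the statement is assumed.
SCANNER_PRINCIPAL = "arn:aws:iam::263835861635:role/cspm-collector-role"
EXAMPLE_EXTERNAL_ID = "99736b4b-6977-4018-adcd-c4be329f7b8d"

TRUST_POLICY = {  # constructed sample
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": SCANNER_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXAMPLE_EXTERNAL_ID}},
        }
    ],
}


def is_uuid4(value):
    """True if value parses as an RFC 4122 UUID whose version nibble is 4."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def uuid4_half_collision_count():
    """Number of random v4 UUIDs at which P(at least one collision) = 0.5.

    A v4 UUID has 122 random bits (6 bits are fixed for version and variant).
    Birthday bound: n ~= sqrt(2 * 2**122 * ln 2), about 2.71e18.
    """
    return math.sqrt(2 * 2 ** 122 * math.log(2))


def audit_trust_policy(policy, expected_principal, expected_external_id):
    """Return a list of findings; an empty list means the policy is as expected.

    Only Allow statements granting sts:AssumeRole are examined.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        for p in aws:
            if p == "*" or p.endswith(":root"):
                # "*" or an account root lets every principal in that account assume the role
                findings.append(f"statement {i}: overly broad principal {p}")
            elif p != expected_principal:
                findings.append(f"statement {i}: unexpected principal {p}")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused deputy risk)")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: External ID mismatch")
        elif not is_uuid4(ext):
            findings.append(f"statement {i}: External ID is not a version 4 UUID")
    return findings


if __name__ == "__main__":
    print("findings:", audit_trust_policy(TRUST_POLICY, SCANNER_PRINCIPAL, EXAMPLE_EXTERNAL_ID))
    print("v4 UUIDs for a 50% collision chance: %.3g" % uuid4_half_collision_count())
```

To run this against the deployed role rather than the constructed sample, fetch the live document with `aws iam get-role --role-name PrevasioCSPMRole --query Role.AssumeRolePolicyDocument` and pass the parsed JSON to audit_trust_policy together with the External ID the Prevasio onboarding page showed you.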

The newly created role specifies what policies are attached to it.

The Policies

The ManagedPolicyArns property of the 'PrevasioCSPMRole' role specifies a managed policy that is attached to the role: arn:aws:iam::aws:policy/SecurityAudit.

The 'SecurityAudit' managed policy grants access to read security configuration metadata. It is intended for software that audits the configuration of an AWS account, and it allows over 400 read-only actions, such as:

  • cloud9:Describe*
  • acm:List*
  • config:Get*

Most of the actions included in the SecurityAudit managed policy start with the words 'Describe', 'List' and 'Get', reflecting the fact that they are strictly reads of metadata.

The SecurityAudit policy alone is not sufficient for Prevasio to perform the full scope of its security scan. For example, this policy does not allow container image downloads from ECR. Without the ability to download container images from ECR, the Prevasio scanner would not be able to scan any containers.

Because of this limitation of the SecurityAudit policy, an additional policy, prevasio-cspm-additional-policy, is requested. It lists the additional permissions required for the 'PrevasioCSPMRole' role.

Additional Permissions

The following table lists the additional permissions requested by the 'PrevasioCSPMRole' role along with the justification of why they are needed. You can find all these permissions in the CloudFormation template from Prevasio.

Read only permissions

Each entry gives the permission, the AWS service it is required in, and the justification for why Prevasio requires this additional permission.

  • ses:DescribeActiveReceiptRuleSet (Simple Email Service): to read metadata and receipt rules for the receipt rule set that is currently active
  • logs:DescribeLogGroups (CloudWatch Logs): to make sure a CloudWatch log group is attached
  • logs:DescribeMetricFilters (CloudWatch Logs): to detect any missing CloudWatch metric filters
  • dlm:GetLifecyclePolicies (Data Lifecycle Manager): to parse summary information about the snapshots of individual volumes or multi-volume snapshots for EC2 instances
  • kms:GetKeyRotationStatus (Key Management Service): to make sure key rotation is enabled for customer-managed keys
  • ecr-public:GetAuthorizationToken (Elastic Container Registry Public): to authorize with ECR Public, so that Prevasio can pull public container images for scanning
  • ecr:GetAuthorizationToken (Elastic Container Registry): to authorize with ECR, so that Prevasio can pull private container images for scanning
  • ecr:BatchGetImage (Elastic Container Registry): to get detailed information (the image manifest) about container images
  • ecr:GetDownloadUrlForLayer (Elastic Container Registry): to obtain download URLs for the individual container image layers
  • sts:GetServiceBearerToken (Security Token Service; needed by ECR Public): obtaining an ECR Public authorization token requires this STS permission in addition to ecr-public:GetAuthorizationToken
  • s3:GetObject on arn:aws:s3:::elasticbeanstalk* (Elastic Beanstalk): to make sure Elastic Beanstalk is configured to apply managed platform updates; this specific permission is required if Elastic Beanstalk logs are stored in Amazon S3
  • inspector2:ListFindings (Inspector 2): to retrieve a subset of information about one or more findings for ECR container images, as reported by the AWS built-in vulnerability scanner
  • inspector2:ListCoverage (Inspector 2): to list coverage details, that is, which monitored resources Amazon Inspector is scanning

As the list above shows, every additional read-only permission requested for the Prevasio role starts with "Describe", "List" or "Get". The prefix is a naming convention, not a guarantee: s3:GetObject, ecr:BatchGetImage and ecr:GetDownloadUrlForLayer return content (Elastic Beanstalk log objects, image manifests and image layers) rather than configuration metadata, which is why the S3 permission is scoped to the elasticbeanstalk* buckets. None of these permissions creates, modifies or deletes anything in your account.

Write permissions

  • ecr:SetRepositoryPolicy (Elastic Container Registry): allows setting or changing the repository policy of an ECR repository that holds a container image detected to be high risk, so that the image will not be pulled from the registry into a workload.

As a result, once an AWS account is connected to Prevasio, the only change Prevasio can make to the connected account is to set ECR repository policies; it cannot create, modify or delete any other resources. Keep in mind that a repository policy applies to every principal pulling from that repository, so quarantining a high-risk image this way also blocks your own workloads from pulling it, which is the intended effect.
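An added example (not Prevasio's code) that audits a policy document of this shape, covering both the read-only list and the write permission above: it classifies every allowed action as a metadata read, a content read or a write, flags write actions granted on Resource "*", and answers whether a given action on a given resource is allowed. The policy document inside is reconstructed from the two lists above; how Prevasio's actual template groups the statements and scopes the resources is an assumption.

```python
"""Classify what an IAM policy document actually grants.

Added example, not Prevasio's code. ADDITIONAL_POLICY is reconstructed from
the permission lists on this page; the statement grouping and resource
scoping are assumptions, not Prevasio's actual template.
"""
import fnmatch

READ_PREFIXES = ("Describe", "List", "Get")

# Actions with a read-style name that return content rather than
# configuration metadata: Beanstalk log objects, image manifests, image layers.
DATA_ACCESS_ACTIONS = {"s3:GetObject", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}

ADDITIONAL_POLICY = {  # constructed sample
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "dlm:GetLifecyclePolicies",
                "kms:GetKeyRotationStatus",
                "ecr-public:GetAuthorizationToken",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "sts:GetServiceBearerToken",
                "inspector2:ListFindings",
                "inspector2:ListCoverage",
            ],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::elasticbeanstalk*"},
        {"Effect": "Allow", "Action": "ecr:SetRepositoryPolicy", "Resource": "*"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def iter_allowed(policy):
    """Yield (action_pattern, resource_pattern) for every Allow statement.

    Explicit Deny statements and NotAction/NotResource are not modelled;
    the template described on this page is assumed to use neither.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource", "*")):
                yield action, resource


def classify(policy):
    """Bucket every allowed action as read_only, data_access or write.

    Write actions granted on Resource "*" are also listed under
    unscoped_write, since they apply to every such resource in the account.
    """
    buckets = {"read_only": set(), "data_access": set(), "write": set(), "unscoped_write": set()}
    for action, resource in iter_allowed(policy):
        _service, _, name = action.partition(":")
        if action in DATA_ACCESS_ACTIONS:
            buckets["data_access"].add(action)
        elif name.startswith(READ_PREFIXES):
            buckets["read_only"].add(action)
        else:  # anything else, including wildcards such as "ecr:*"
            buckets["write"].add(action)
            if resource == "*":
                buckets["unscoped_write"].add(action)
    return buckets


def is_allowed(policy, action, resource="*"):
    """True if some Allow statement matches both the action and the resource.

    IAM matches action names case-insensitively and supports * and ?
    wildcards; fnmatch covers both (it additionally accepts [...] classes,
    which IAM does not use).
    """
    for action_pat, resource_pat in iter_allowed(policy):
        if fnmatch.fnmatchcase(action.lower(), action_pat.lower()) and \
                fnmatch.fnmatchcase(resource, resource_pat):
            return True
    return False


if __name__ == "__main__":
    for bucket, actions in classify(ADDITIONAL_POLICY).items():
        print(f"{bucket}: {sorted(actions)}")
```

To audit the deployed policy instead of the constructed one, retrieve the document with `aws iam get-role-policy` (if the template attaches it inline) or `aws iam get-policy-version` (if it is a managed policy) and pass the parsed JSON to classify; anything that lands in the write buckets beyond ecr:SetRepositoryPolicy deserves a question to the vendor.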