Alert Logic® utilizes an IAM Role and IAM Policy to allow Alert Logic third-party access to your Amazon Web Services (AWS) environment. The IAM policy used depends on the Alert Logic product and type of deployment in use. This article applies to:
- Alert Logic Cloud Insight™ - Automatic deployment and Guided deployment modes
- Alert Logic Managed Detection & Response (MDR) - Automatic deployment mode
Note: See the Manual Deployment of Amazon Web Services IAM Policy and Permissions article for information that applies to Alert Logic SIEMless Threat Management - Manual deployment mode.
This article houses the IAM policy that you will need to implement in order for Alert Logic to access your AWS environment, as well as brief overviews of the permissions granted to Alert Logic, broken up by AWS service.
Permissions Granted to Alert Logic
Note: The "*" that appears below, after some of the permissions listed, indicates that every action whose name starts with the listed prefix is included. For example, Describe* under Auto Scaling includes DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeLaunchConfigurations, etc., as listed in the AWS Auto Scaling API.
Write and Read Permissions
- Auto Scaling
- CloudTrail
- EC2
- S3
- SNS
- SQS
Read Permissions
- CloudFormation
- CloudFront
- CloudWatch
- Config
- Cost and Usage Report
- Direct Connect
- DynamoDB
- Elastic Beanstalk
- Elasticache
- Elastic Load Balancer
- Elastic Map Reduce
- Glacier
- GuardDuty
- IAM
- Kinesis
- KMS
- Lambda
- RDS
- Redshift
- Route 53
- SDB
- Tags
Auto Scaling
- Describe*
- CreateLaunchConfiguration
- DeleteLaunchConfiguration
- CreateAutoScalingGroup
- DeleteAutoScalingGroup
Alert Logic uses the Describe calls to discover the Auto Scaling groups you have already set up inside your AWS environment. Alert Logic can also create and delete Launch Configurations and Auto Scaling Groups: the appliance is deployed in an Auto Scaling group to ensure that the desired number of appliances is always running. This also allows an appliance to be updated by terminating the existing EC2 appliance instance and letting Auto Scaling replace it with an instance built from an updated AMI.
CloudFormation
- DescribeStack*
- GetTemplate
- ListStack*
These CloudFormation permissions allow Alert Logic to discover your AWS environment.
CloudFront
- Get*
- List*
This allows Alert Logic to discover your AWS environment.
CloudTrail
- *
This allows Alert Logic to turn on and set up the AWS CloudTrail logging service that drives Alert Logic's functionality.
- DescribeTrails
- GetTrailStatus
- ListTags
- LookupEvents
These allow Alert Logic to perform configuration checks related to CloudTrail.
CloudWatch
- Describe*
This allows Alert Logic to discover your AWS environment.
CloudWatch Events
- Describe*
- List*
This allows Alert Logic to discover your AWS environment.
CloudWatch Logs
- Describe*
This allows Alert Logic to discover your AWS environment.
Config
- DeliverConfigSnapshot
- Describe*
- Get*
- ListDiscoveredResources
These allow Alert Logic to perform configuration checks related to Config.
Cost and Usage Report
- DescribeReportDefinitions
This allows Alert Logic to perform configuration checks related to Cost and Usage Report.
Direct Connect
- Describe*
This allows Alert Logic to discover your AWS environment.
DynamoDB
- ListTables
This allows Alert Logic to discover your AWS environment.
EC2
- Describe*
- CreateTags
- CreateSubnet
- CreateInternetGateway
- AttachInternetGateway
- CreateRoute
- CreateRouteTable
- AssociateRouteTable
- CreateSecurityGroup
- CreateKeyPair
- ImportKeyPair
- CreateNetworkAclEntry
- TerminateInstances
- StartInstances
- StopInstances
- DeleteSubnet
- AuthorizeSecurityGroupIngress
- AuthorizeSecurityGroupEgress
- RevokeSecurityGroupIngress
- RevokeSecurityGroupEgress
- DeleteSecurityGroup
- DeleteNetworkAclEntry
- DeleteRouteTable
- RunInstances
These allow Alert Logic to: discover your account during deployment; allocate base infrastructure (subnet routes, security groups, NACLs); create the Alert Logic Security subnet(s), which house only appliances shared via AMI from Alert Logic's AWS account; create tags on the Alert Logic appliances; update appliances; automatically remove Alert Logic appliances and subnets tagged AlertLogic:Security; and modify Security Groups, NACLs, and route tables that are tagged AlertLogic:Security. NACL changes are made to each in-scope VPC to allow outbound connectivity between the Alert Logic security appliance and the Internet.
Elastic Beanstalk
- Describe*
This allows Alert Logic to discover your AWS environment.
Elasticache
- Describe*
This allows Alert Logic to discover your AWS environment.
Elastic Load Balancing
- Describe*
This allows Alert Logic to discover your AWS environment.
Elastic Map Reduce
- DescribeJobFlows
This allows Alert Logic to discover your AWS environment.
Glacier
- ListVaults
This allows Alert Logic to discover your AWS environment.
GuardDuty
- Describe*
- Get*
- List*
These allow Alert Logic to discover your AWS environment.
IAM
- Get*
- List*
- GenerateCredentialReport
These allow Alert Logic to generate a credential report for the AWS account, which is used to identify IAM vulnerabilities. They also allow the retrieval of attributes, including: account summaries, group and group policy information, roles, policies, server certificates, user lists, and MFA devices.
Note: These permissions do not allow Alert Logic to access passwords or other sensitive data stored in IAM.
Kinesis
- Describe*
- List*
These allow Alert Logic to discover your AWS environment.
KMS
- DescribeKey
- GetKeyPolicy
- GetKeyRotationStatus
- ListAliases
- ListGrants
- ListKeys
- ListKeyPolicies
- ListResourceTags
These allow Alert Logic to perform configuration checks related to KMS.
Note: These permissions do not allow Alert Logic to access encryption keys or other sensitive data stored in KMS.
Lambda
- List*
This allows Alert Logic to discover your AWS environment.
RDS
- Describe*
- ListTagsForResource
These allow Alert Logic to discover your AWS environment and keep an up-to-date asset model.
Redshift
- Describe*
This allows Alert Logic to discover your AWS environment.
Route 53
- GetHostedZone
- ListHostedZones
- ListResourceRecordSets
These allow Alert Logic to discover your AWS environment and maintain an up-to-date asset model.
SDB
- DomainMetadata
- ListDomains
This allows Alert Logic to discover your AWS environment.
SNS
- CreateTopic
- DeleteTopic
- AddPermission
- ListTopics
- SetTopicAttributes
- GetTopicAttributes
- Subscribe
These allow Alert Logic to create the "outcomestopic" SNS topic used by the solution during deployment, and to delete it during solution removal if necessary.
- ListSubscriptions
- ListSubscriptionsByTopic
- ListTopics
- GetEndpointAttributes
- GetSubscriptionAttributes
- GetTopicAttributes
These allow Alert Logic to perform configuration checks related to SNS.
SQS
- CreateQueue
- DeleteQueue
- SetQueueAttributes
- GetQueueAttributes
- ListQueues
- ReceiveMessage
- DeleteMessage
- GetQueueUrl
These set up an SQS queue that Alert Logic utilizes for the CloudTrail subscription.
S3
- ListAllMyBuckets
- ListBucket
- GetBucketLocation
- GetObject
- GetBucket*
- GetLifecycleConfiguration
- GetObjectAcl
- GetObjectVersionAcl
- CreateBucket
- PutBucketPolicy
- DeleteBucket
These allow Alert Logic to discover S3 buckets. They also permit Alert Logic to create an S3 bucket with the "outcomesbucket-*" naming scheme to store CloudTrail logs. They grant Alert Logic the ability to create, delete, or alter the policies on buckets that match "outcomesbucket-*", created by Alert Logic.
Tags
- GetResources
- GetTagKeys
These allow Alert Logic to perform configuration checks related to tags.
IAM Policy
Important: This IAM policy is listed for your reference; however, when adding the policy to your AWS account, it is highly recommended to copy the policy from within the Alert Logic console. This IAM policy was last updated February 7, 2018.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnabledDiscoveryOfVariousAWSServices",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "config:DeliverConfigSnapshot",
        "config:Describe*",
        "config:Get*",
        "config:ListDiscoveredResources",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticbeanstalk:Describe*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeJobFlows",
        "events:Describe*",
        "events:List*",
        "glacier:ListVaults",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListGrants",
        "kms:ListKeys",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags",
        "lambda:List*",
        "logs:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:GetEndpointAttributes",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetBucket*",
        "s3:GetLifecycleConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "tag:GetResources",
        "tag:GetTagKeys"
      ]
    },
    {
      "Sid": "EnableInsightDiscovery",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:ListRoles",
        "iam:GetRolePolicy",
        "iam:GetAccountSummary",
        "iam:GenerateCredentialReport"
      ]
    },
    {
      "Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:*"
      ]
    },
    {
      "Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
      "Resource": "arn:aws:s3:::outcomesbucket-*",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket"
      ]
    },
    {
      "Sid": "CreateCloudTrailsTopicTfOneWasntAlreadySetupForCloudTrails",
      "Resource": "arn:aws:sns:*:*:outcomestopic",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic"
      ]
    },
    {
      "Sid": "MakeSureThatCloudTrailsSnsTopicIsSetupCorrectlyForCloudTrailPublishingAndSqsSubsription",
      "Resource": "arn:aws:sns:*:*:*",
      "Effect": "Allow",
      "Action": [
        "sns:addpermission",
        "sns:gettopicattributes",
        "sns:listtopics",
        "sns:settopicattributes",
        "sns:subscribe"
      ]
    },
    {
      "Sid": "CreateAlertLogicSqsQueueToSubscribeToCloudTrailsSnsTopicNotifications",
      "Resource": "arn:aws:sqs:*:*:outcomesbucket*",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ]
    },
    {
      "Sid": "EnableAlertLogicSecurityInfrastructureDeployment",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateKeyPair",
        "ec2:ImportKeyPair",
        "ec2:CreateNetworkAclEntry"
      ]
    },
    {
      "Sid": "ModifyNetworkSettingsToEnableNetworkVisibilityFromAlertLogicSecurityAppliance",
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:route-table/*",
        "arn:aws:ec2:*:*:network-acl/*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      },
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRouteTable"
      ]
    },
    {
      "Sid": "DeleteSecuritySubnet",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSubnet"
      ]
    },
    {
      "Sid": "EnsureThatAlertLogicApplianceCanCreateNecessaryResources",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ]
    },
    {
      "Sid": "EnabletAlertLogicApplianceStateManagement",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      },
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ]
    },
    {
      "Sid": "EnableAlertLogicAutoScalingGroup",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"
      ]
    }
  ]
}
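The following is an added example, not Alert Logic's code and not AWS's policy engine. It is a small review aid that models the three IAM mechanisms this policy relies on: the "*" action wildcard described in the note under Permissions Granted to Alert Logic (so you can see which API calls a prefix such as autoscaling:Describe* covers), resource ARN matching (why s3:CreateBucket works on outcomesbucket-* but not on other buckets), and the StringEquals condition on ec2:ResourceTag/AlertLogic that scopes instance and network changes to resources tagged AlertLogic:Security. It embeds a trimmed five-statement excerpt of the policy above and a constructed list of sample API action names; the instance ARN and account number in it are made up. Explicit Deny, NotAction, NotResource and policy variables are not modelled, so use the AWS policy simulator for authoritative answers.

```python
"""Minimal evaluator for the Allow statements of an IAM policy (added example).

Illustrative code for this article, not Alert Logic's code and not the AWS
policy engine. Models only: case-insensitive action matching with '*',
resource ARN matching with '*', and StringEquals on ec2:ResourceTag/<key>.
"""
import json
import re

# Constructed excerpt: five statements copied from the article's policy, with
# the long discovery action list trimmed to the entries exercised below.
POLICY_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EnabledDiscoveryOfVariousAWSServices", "Resource": "*",
     "Effect": "Allow",
     "Action": ["autoscaling:Describe*", "ec2:Describe*", "iam:Get*", "iam:List*"]},
    {"Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled", "Resource": "*",
     "Effect": "Allow", "Action": ["cloudtrail:*"]},
    {"Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
     "Resource": "arn:aws:s3:::outcomesbucket-*", "Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:DeleteBucket"]},
    {"Sid": "EnableAlertLogicSecurityInfrastructureDeployment", "Resource": "*",
     "Effect": "Allow",
     "Action": ["ec2:CreateTags", "ec2:CreateSubnet", "ec2:CreateInternetGateway"]},
    {"Sid": "EnabletAlertLogicApplianceStateManagement",
     "Resource": "arn:aws:ec2:*:*:instance/*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ec2:ResourceTag/AlertLogic": "Security"}},
     "Action": ["ec2:TerminateInstances", "ec2:StartInstances", "ec2:StopInstances"]}
  ]
}
""")

# Constructed sample of API action names used to show wildcard expansion.
SAMPLE_API_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:CreateAutoScalingGroup",
    "ec2:DescribeInstances",
]


def _glob_match(pattern, value, case_sensitive=True):
    """IAM-style glob: '*' matches any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_actions(pattern, known_actions):
    """API actions in known_actions covered by a pattern such as 'autoscaling:Describe*'."""
    return sorted(a for a in known_actions if _glob_match(pattern, a, case_sensitive=False))


def _condition_holds(condition, resource_tags):
    # Only StringEquals on ec2:ResourceTag/<key> is modelled; any other operator
    # or key is treated as unsatisfied so the evaluator fails closed.
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in clauses.items():
            if not key.startswith("ec2:ResourceTag/"):
                return False
            tag_key = key[len("ec2:ResourceTag/"):]
            if resource_tags.get(tag_key) not in _as_list(expected):  # case-sensitive
                return False
    return True


def matching_statements(policy, action, resource_arn, resource_tags=None):
    """Sids of Allow statements that permit `action` on `resource_arn`."""
    resource_tags = resource_tags or {}
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob_match(p, action, False) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        sids.append(stmt["Sid"])
    return sids


def is_allowed(policy, action, resource_arn, resource_tags=None):
    return bool(matching_statements(policy, action, resource_arn, resource_tags))


def review_unscoped_writes(policy):
    """Least-privilege review: Allow statements granting non-read actions on
    Resource "*" with no Condition. The read-only prefixes are this example's
    own convention, not an AWS classification."""
    read_prefixes = ("describe", "get", "list", "lookup", "generate")
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt["Resource"]):
            continue
        writes = [a for a in _as_list(stmt["Action"])
                  if not a.split(":", 1)[1].lower().startswith(read_prefixes)]
        if writes:
            findings.append((stmt["Sid"], writes))
    return findings


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed
    print(expand_actions("autoscaling:Describe*", SAMPLE_API_ACTIONS))
    print(is_allowed(POLICY_EXCERPT, "ec2:TerminateInstances", instance, {"AlertLogic": "Security"}))
    print(is_allowed(POLICY_EXCERPT, "ec2:TerminateInstances", instance))
    for sid, writes in review_unscoped_writes(POLICY_EXCERPT):
        print(sid, writes)
```

Two details worth noticing when you run it: the tag condition is case-sensitive, so an instance tagged AlertLogic=security (lowercase) is not covered by the state-management statement, and review_unscoped_writes flags exactly the statements a reviewer should read most carefully, the unconditioned cloudtrail:* and ec2 infrastructure-creation grants on Resource "*", while the tag-scoped and ARN-scoped statements pass.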