Cloud Insight for Amazon Web Services IAM Policy and Permissions | Feature Education

Overview

Alert Logic® Cloud Insight™ utilizes an IAM Role and IAM Policy to allow Alert Logic third party access to your Amazon Web Services (AWS) environment. This article houses the IAM policy that you will need to implement in order for Alert Logic to access your AWS environment, as well as brief overviews of the permissions granted to Cloud Insight, broken up by AWS service.

IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnabledDiscoveryOfVariousAWSServices",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "directconnect:Describe*",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticbeanstalk:Describe*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeJobFlows",
        "glacier:ListVaults",
        "rds:Describe*",
        "rds:DownloadDBLogFilePortion",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetBucket*",
        "s3:GetLifecycleConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableInsightDiscovery",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:ListRoles",
        "iam:GetRolePolicy",
        "iam:GetAccountSummary",
        "iam:GenerateCredentialReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket"
      ],
      "Resource": "arn:aws:s3:::outcomesbucket-*"
    },
    {
      "Sid": "CreateCloudTrailsTopicTfOneWasntAlreadySetupForCloudTrails",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic"
      ],
      "Resource": "arn:aws:sns:*:*:outcomestopic"
    },
    {
      "Sid": "MakeSureThatCloudTrailsSnsTopicIsSetupCorrectlyForCloudTrailPublishingAndSqsSubsription",
      "Effect": "Allow",
      "Action": [
        "sns:addpermission",
        "sns:gettopicattributes",
        "sns:listtopics",
        "sns:settopicattributes",
        "sns:subscribe"
      ],
      "Resource": "arn:aws:sns:*:*:*"
    },
    {
      "Sid": "CreateAlertLogicSqsQueueToSubscribeToCloudTrailsSnsTopicNotifications",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ],
      "Resource": "arn:aws:sqs:*:*:outcomesbucket*"
    },
    {
      "Sid": "EnableAlertLogicSecurityInfrastructureDeployment",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateKeyPair",
        "ec2:ImportKeyPair",
        "ec2:CreateNetworkAclEntry"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ModifyNetworkSettingsToEnableNetworkVisibilityFromAlertLogicSecurityAppliance",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRouteTable"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:route-table/*",
        "arn:aws:ec2:*:*:network-acl/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      }
    },
    {
      "Sid": "DeleteSecuritySubnet",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSubnet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnabledLaunchingAlertLogicSecurityAppliancesInAlertLogicSubnet",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      }
    },
    {
      "Sid": "EnabledLaunchingAlertLogicSecurityAppliancesFromAlertLogicAmi",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*::image/ami-*",
      "Condition": {
        "StringEquals": {
          "ec2:Owner": "733251395267"
        }
      }
    },
    {
      "Sid": "EnsureThatAlertLogicApplianceCanCreateNecessaryResources",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Sid": "EnabletAlertLogicApplianceStateManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      }
    },
    {
      "Sid": "EnableAlertLogicAutoScalingGroup",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"
      ],
      "Resource": "*"
    }
  ]
}

Permissions Granted to Alert Logic

NOTE: The "*" that you will see below, after some of the permissions listed, indicates that every action whose name starts with the listed prefix is granted. For example, Describe* under Auto Scaling includes DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeLaunchConfigurations, etc., as listed in the AWS Auto Scaling API.

Write and Read Permissions 

  • Auto Scaling 
  • CloudTrail 
  • CloudWatch 
  • EC2 
  • S3 
  • SNS 
  • SQS 

Read Permissions 

  • CloudFormation 
  • CloudFront 
  • Direct Connect 
  • DynamoDB 
  • Elastic Beanstalk 
  • Elasticache 
  • Elastic Load Balancer
  • Elastic Map Reduce 
  • Glacier 
  • IAM 
  • RDS 
  • Redshift 
  • Route 53 
  • SDB 

Auto Scaling 

  • Describe* 
  • CreateLaunchConfiguration 
  • DeleteLaunchConfiguration 
  • CreateAutoScalingGroup 
  • DeleteAutoScalingGroup 

Alert Logic uses the Describe calls to discover the Auto Scaling configuration you have already set up in your AWS environment. Cloud Insight can also create and delete Launch Configurations and Auto Scaling Groups: the appliance is deployed in an Auto Scaling group with min, max and desired capacity all set to 1, so that one appliance is always running. The same mechanism is used to update the appliance: the existing EC2 appliance instance is terminated and Auto Scaling replaces it with an instance launched from the updated Alert Logic Cloud Insight AMI.

CloudFormation 

  • DescribeStack* 
  • GetTemplate 
  • ListStack* 

These CloudFormation permissions allow Cloud Insight to discover your AWS environment. 

CloudFront 

  • Get* 
  • List* 

This allows Cloud Insight to discover your AWS environment. 

CloudTrail 

  • CloudTrail:* 

This allows Cloud Insight to turn on and set up the AWS CloudTrail logging service that drives Cloud Insight's functionality. 

CloudWatch 

  • Describe* 

This allows Cloud Insight to discover your AWS environment. 

Direct Connect 

  • Describe* 

This allows Cloud Insight to discover your AWS environment. 

DynamoDB 

  • ListTables 

This allows Cloud Insight to discover your AWS environment. 

EC2 

  • Describe* 
  • CreateTags 
  • CreateSubnet 
  • CreateInternetGateway 
  • AttachInternetGateway 
  • CreateRoute 
  • CreateRouteTable 
  • AssociateRouteTable 
  • CreateSecurityGroup 
  • CreateKeyPair 
  • ImportKeyPair 
  • CreateNetworkAclEntry 
  • TerminateInstances 
  • StartInstances 
  • StopInstances 
  • DeleteSubnet 
  • AuthorizeSecurityGroupIngress 
  • AuthorizeSecurityGroupEgress 
  • RevokeSecurityGroupIngress 
  • RevokeSecurityGroupEgress 
  • DeleteSecurityGroup 
  • DeleteNetworkAclEntry 
  • DeleteRouteTable 
  • RunInstances 

These allow Cloud Insight to: discover your account during deployment; allocate the base infrastructure (subnet routes, security group, NACL); create the Alert Logic Security subnet(s), which house only appliances shared via AMI from Alert Logic's AWS account; create tags on the Cloud Insight appliances; update appliances; automatically remove Cloud Insight appliances and subnets tagged AlertLogic:Security; and modify Security Groups, NACLs, and route tables that carry the AlertLogic:Security tag. NACL changes are made in each in-scope VPC to allow outbound connectivity between the Cloud Insight security appliance and the Internet. 

Elastic Beanstalk 

  • Describe* 

This allows Cloud Insight to discover your AWS environment. 

Elasticache 

  • Describe* 

This allows Cloud Insight to discover your AWS environment. 

Elastic Load Balancing

  • Describe* 

This allows Cloud Insight to discover your AWS environment. 

Elastic MapReduce 

  • DescribeJobFlows 

This allows Cloud Insight to discover your AWS environment. 

Glacier 

  • ListVaults 

This allows Cloud Insight to discover your AWS environment. 

IAM 

  • Get* 
  • List* 
  • GenerateCredentialReport 

These enable Cloud Insight to generate a credential report for the AWS account and ensure identification of IAM vulnerabilities. They also allow the retrieval of attributes, including: account summaries, group and group policy information, roles, policies, server certificates, user lists, and MFA devices. 

RDS 

  • Describe* 
  • DownloadDBLogFilePortion 
  • ListTagsForResource 

These allow Cloud Insight to discover your AWS environment and keep an up-to-date asset model. 

Redshift 

  • Describe* 

This allows Cloud Insight to discover your AWS environment. 

Route 53 

  • GetHostedZone 
  • ListHostedZones 
  • ListResourceRecordSets 

These allow Cloud Insight to discover your AWS environment and maintain an up-to-date asset model. 

SDB 

  • DomainMetadata 
  • ListDomains 

This allows Cloud Insight to discover your AWS environment. 

SNS 

  • CreateTopic 
  • DeleteTopic 
  • AddPermission 
  • ListTopics 
  • SetTopicAttributes 
  • GetTopicAttributes 
  • Subscribe 

These grant Cloud Insight access to create and delete the "outcomestopic" SNS topic used by the solution during deployment and, if necessary, during solution removal, and to configure and subscribe to that topic so that CloudTrail can publish notifications to it. 

SQS 

  • CreateQueue 
  • DeleteQueue 
  • SetQueueAttributes 
  • GetQueueAttributes 
  • ListQueues 
  • ReceiveMessage 
  • DeleteMessage 
  • GetQueueUrl 

These set up an SQS queue that Cloud Insight utilizes for the CloudTrail subscription. 

S3 

  • ListAllMyBuckets 
  • ListBucket 
  • GetBucketLocation 
  • GetObject 
  • GetBucket* 
  • GetLifecycleConfiguration 
  • GetObjectAcl 
  • GetObjectVersionAcl 
  • CreateBucket 
  • PutBucketPolicy 
  • DeleteBucket 

These allow Cloud Insight to discover buckets. They also permit Alert Logic to create an S3 bucket with the "outcomesbucket-*" naming scheme to store CloudTrail logs. They grant Cloud Insight the ability to create, delete, or alter the policies on buckets that match "outcomesbucket-*", created by Cloud Insight. 
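As an added example (not Alert Logic's code), the following Python audits a policy document like the one above before it is attached to a role: it separates read from write actions, lists the services that receive writes, flags Allow statements that grant writes on Resource "*" without a Condition, and reports which statement covers a given API call, so the read/write breakdown above can be checked against the policy text. The embedded policy is a constructed excerpt of four statements from this page.

```python
"""Audit an IAM policy for broad write grants (added example, not Alert Logic's
code): classify actions as read or write, list services receiving writes, flag
write grants on Resource "*" with no Condition, and find which Sid covers a call."""
import fnmatch

# Constructed excerpt of this page's policy (four statements; first action list shortened).
POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnabledDiscoveryOfVariousAWSServices", "Effect": "Allow",
         "Action": ["autoscaling:Describe*", "ec2:Describe*", "s3:GetObject"],
         "Resource": "*"},
        {"Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled",
         "Effect": "Allow", "Action": ["cloudtrail:*"], "Resource": "*"},
        {"Sid": "DeleteSecuritySubnet", "Effect": "Allow",
         "Action": ["ec2:DeleteSubnet"], "Resource": "*"},
        {"Sid": "EnabletAlertLogicApplianceStateManagement", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/AlertLogic": "Security"}}},
    ],
}

def as_list(value):
    """Action and Resource may be a string or a list in IAM; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def is_read_only(action):
    """Heuristic: Describe*/Get*/List* verbs are reads; anything else, including
    a service wildcard such as cloudtrail:*, counts as a write."""
    return action.partition(":")[2].lower().startswith(("describe", "get", "list"))

def write_services(policy):
    """Services that receive at least one write action in an Allow statement."""
    return sorted({a.split(":")[0] for s in policy["Statement"]
                   if s.get("Effect") == "Allow"
                   for a in as_list(s.get("Action")) if not is_read_only(a)})

def broad_write_statements(policy):
    """Sids of Allow statements granting writes on Resource "*" without a Condition."""
    return [s.get("Sid") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "Condition" not in s
            and "*" in as_list(s.get("Resource"))
            and any(not is_read_only(a) for a in as_list(s.get("Action")))]

def statements_allowing(policy, api_call):
    """Sids whose Action patterns match api_call (IAM action matching ignores case)."""
    return [s.get("Sid") for s in policy["Statement"] if s.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(api_call.lower(), p.lower())
                    for p in as_list(s.get("Action")))]
```

Running the three checks against the excerpt shows that the CloudTrail and DeleteSubnet statements are the unconditioned account-wide write grants, while the instance-management statement is scoped by the AlertLogic:Security tag.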
