IAM Policy and Permissions for Cloud Insight Essentials

Alert Logic® Cloud Insight™ Essentials utilizes an IAM Role and IAM Policy to allow Alert Logic third-party access to your Amazon Web Services (AWS) environment. This article lists the IAM policy that you will need to implement in order for Alert Logic to access your AWS environment, as well as brief overviews of the permissions granted to Cloud Insight Essentials.

Permissions Granted to Alert Logic

Note: The "*" that you will see below, after some of the permissions listed, indicates that all actions that start with the originally listed action will apply. For example, Describe* under Auto Scaling will include DescribeAutoscalingGroups, DescribeAutoscalingInstances, DescribeLaunchConfiguration, etc., as listed in the AWS AutoScaling API.

Write and Read Permissions 

• CloudTrail 
• S3 
• SNS 
• SQS 

Read Permissions 

• Auto Scaling
• CloudFormation 
• CloudFront 
• CloudWatch 
• Config
• Cost and Usage Report
• Direct Connect 
• DynamoDB 
• EC2
• Elastic Beanstalk 
• Elasticache 
• Elastic Load Balancer
• Elastic Map Reduce 
• Glacier 
• GuardDuty
• IAM 
• Kinesis
• KMS
• Lambda
• RDS 
• Redshift 
• Route 53
• SDB 
• Tags

Auto Scaling 

• Describe* 

Alert Logic uses describe calls to discover the auto scaling you've already set up inside your AWS environment.

CloudFormation 

• DescribeStack* 
• GetTemplate 
• ListStack* 

These CloudFormation permissions allow Cloud Insight to discover your AWS environment. 

CloudFront 

• Get* 
• List* 

This allows Cloud Insight to discover your AWS environment. 

CloudTrail 

• DescribeTrails
• GetTrailStatus
• ListTags
• LookupEvents

These allow Cloud Insight to perform configuration checks related to CloudTrail.

CloudWatch 

• Describe* 

This allows Cloud Insight to discover your AWS environment. 

CloudWatch Events

• Describe*
• List*

These allow Cloud Insight to discover your AWS environment.

CloudWatch Logs

• Describe*

This allows Cloud Insight to discover your AWS environment.

Config

• DeliverConfigSnapshot
• Describe*
• Get*
• ListDiscoveredResources

These allow Cloud Insight to perform configuration checks related to Config.

Cost and Usage Report

• DescribeReportDefinitions

This allows Cloud Insight to perform configuration checks related to Cost and Usage Report.

Direct Connect 

• Describe* 

This allows Cloud Insight to discover your AWS environment. 

Dynamo DB 

• ListTables 

This allows Cloud Insight to discover your AWS environment. 

EC2 

• Describe* 

These allow Cloud Insight to discover your account during deployment.

Elastic Beanstalk 

• Describe* 

This allows Cloud Insight to discover your AWS environment. 

Elasticache 

• Describe* 

This allows Cloud Insight to discover your AWS environment. 

Elastic Load Balancing

• Describe* 

This allows Cloud Insight to discover your AWS environment. 

Elastic MapReduce 

• DescribeJobFlows 

This allows Cloud Insight to discover your AWS environment. 

Glacier 

• ListVaults 

This allows Cloud Insight to discover your AWS environment. 

GuardDuty

• Get*
• List*

These allow Cloud Insight to discover your AWS environment.

IAM 

• Get* 
• List* 
• GenerateCredentialReport 

These enable Cloud Insight to generate a credential report for the AWS account and ensure identification of IAM vulnerabilities. They also allow the retrieval of attributes, including: account summaries, group and group policy information, roles, policies, server certificates, user lists, and multi-factor authentication devices. 

Kinesis

• Describe*
• List*

These allow Cloud Insight to discover your AWS environment. 

KMS

• DescribeKey
• GetKeyPolicy
• GetKeyRotationStatus
• ListAliases
• ListGrants
• ListKeys
• ListKeyPolicies
• ListResourceTags

These allow Cloud Insight to perform configuration checks related to KMS.

Note: These permissions do not allow Cloud Insight to access encryption keys or other sensitive data stored in KMS.

Lambda

• List*

This allows Cloud Insight to discover your AWS environment.

RDS 

• Describe* 
• ListTagsForResource 

These allow Cloud Insight to discover your AWS environment and keep an up-to-date asset model. 

Redshift 

• Describe* 

This allows Cloud Insight to discover your AWS environment. 

Route 53 

• GetHostedZone 
• ListHostedZone 
• ListResourceRecordSets 

These allow Cloud Insight to discover your AWS environment and maintain an up-to-date asset model. 

SDB 

• DomainMetadata 
• ListDomains 

This allows Cloud Insight to discover your AWS environment. 

SNS 

• CreateTopic 
• DeleteTopic 
• AddPermission
• ListTopics
• SetTopicAttributes
• GetTopicAttributes
• Subscribe

These grant permissions for continuous discovery of assets and updates of the asset model (to ensure that all product functionality is based off the most up-to-date view of the asset model). 

• ListSubscriptions
• ListSubscriptionsByTopic
• ListTopics
• GetEndpointAttributes
• GetSubscriptionAttributes
• GetTopicAttributes

These allow Cloud Insight to perform configuration checks related to SNS.

SQS 

• CreateQueue 
• DeleteQueue 
• SetQueueAttributes 
• GetQueueAttributes 
• ListQueues 
• ReceiveMessage 
• DeleteMessage 
• GetQueueUrl 

These set up an SQS queue that Cloud Insight utilizes for the CloudTrail subscription. 

S3 

• ListAllMyBuckets 
• ListBucket 
• GetBucketLocation 
• GetObject 
• GetBucket* 
• GetLifecycleConfiguration 
• GetObjectAcl 
• GetObjectVersionAcl 
• CreateBucket 
• PutBucketPolicy 
• DeleteBucket 

These allow Alert Logic to create, delete, and update the policy on the bucket to process the CloudTrail in order to keep the asset model up-to-date.

Tag

• GetResources
• GetTagKeys

These allow Cloud Insight to perform configuration checks related to tags.

IAM Policy

IMPORTANT: This IAM policy is listed here for your reference; however, when adding the policy to your AWS environment, it is HIGHLY RECOMMENDED to copy the policy from the Alert Logic console.

Note: You can get the newest policy for Cloud Insight Essentials here and the full.json from that directory here.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnabledDiscoveryOfVariousAWSServices",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "config:DeliverConfigSnapshot",
        "config:Describe*",
        "config:Get*",
        "config:ListDiscoveredResources",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticbeanstalk:Describe*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeJobFlows",
        "events:Describe*",
        "events:List*",
        "glacier:ListVaults",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListGrants",
        "kms:ListKeys",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags",
        "lambda:List*",
        "logs:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:GetEndpointAttributes",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetBucket*",
        "s3:GetLifecycleConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "tag:GetResources",
        "tag:GetTagKeys"
      ]
    },
    {
      "Sid": "EnableInsightDiscovery",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:ListRoles",
        "iam:GetRolePolicy",
        "iam:GetAccountSummary",
        "iam:GenerateCredentialReport"
      ]
    },
    {
      "Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:*"
      ]
    },
    {
      "Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
      "Resource": "arn:aws:s3:::outcomesbucket-*",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket"
      ]
    },
    {
      "Sid": "CreateCloudTrailsTopicTfOneWasntAlreadySetupForCloudTrails",
      "Resource": "arn:aws:sns:*:*:outcomestopic",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic"
      ]
    },
    {
      "Sid": "MakeSureThatCloudTrailsSnsTopicIsSetupCorrectlyForCloudTrailPublishingAndSqsSubsription",
      "Resource": "arn:aws:sns:*:*:*",
      "Effect": "Allow",
      "Action": [
        "sns:addpermission",
        "sns:gettopicattributes",
        "sns:listtopics",
        "sns:settopicattributes",
        "sns:subscribe"
      ]
    },
    {
      "Sid": "CreateAlertLogicSqsQueueToSubscribeToCloudTrailsSnsTopicNotifications",
      "Resource": "arn:aws:sqs:*:*:outcomesbucket*",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ]
    }
  ]
}

Still have questions? Check out other customers’ posts or add your own in the Cloud Insight Essentials community.