Alert Logic® Cloud Insight™ Essentials utilizes an IAM Role and IAM Policy to allow Alert Logic third-party access to your Amazon Web Services (AWS) environment. This article lists the IAM policy that you will need to implement in order for Alert Logic to access your AWS environment, as well as brief overviews of the permissions granted to Cloud Insight Essentials.
Note: This article refers to the manual policy; if using automatic mode, refer to the following article.
Note: The following information applies only to customers with Alert Logic® Cloud Insight™ or Alert Logic Cloud Insight Essentials™ entitlements.
Permissions Granted to Alert Logic
Note: The "*" that you will see below, after some of the permissions listed, indicates that all actions that start with the listed prefix apply. For example, Describe* under Auto Scaling includes DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeLaunchConfigurations, etc., as listed in the AWS Auto Scaling API.
Write and Read Permissions
- CloudTrail
- S3
- SNS
- SQS
Read Permissions
- Auto Scaling
- CloudFormation
- CloudFront
- CloudWatch
- Config
- Cost and Usage Report
- Direct Connect
- DynamoDB
- EC2
- Elastic Beanstalk
- Elasticache
- Elastic Load Balancer
- Elastic Map Reduce
- Glacier
- GuardDuty
- IAM
- Kinesis
- KMS
- Lambda
- RDS
- Redshift
- Route 53
- SDB
- Tags
Auto Scaling
- Describe*
Alert Logic uses Describe calls to discover the Auto Scaling groups you have already set up inside your AWS environment.
CloudFormation
- DescribeStack*
- GetTemplate
- ListStack*
These CloudFormation permissions allow Cloud Insight to discover your AWS environment.
CloudFront
- Get*
- List*
This allows Cloud Insight to discover your AWS environment.
CloudTrail
- DescribeTrails
- GetTrailStatus
- ListTags
- LookupEvents
These allow Cloud Insight to perform configuration checks related to CloudTrail.
CloudWatch
- Describe*
This allows Cloud Insight to discover your AWS environment.
CloudWatch Events
- Describe*
- List*
These allow Cloud Insight to discover your AWS environment.
CloudWatch Logs
- Describe*
This allows Cloud Insight to discover your AWS environment.
Config
- DeliverConfigSnapshot
- Describe*
- Get*
- ListDiscoveredResources
These allow Cloud Insight to perform configuration checks related to Config.
Cost and Usage Report
- DescribeReportDefinitions
This allows Cloud Insight to perform configuration checks related to Cost and Usage Report.
Direct Connect
- Describe*
This allows Cloud Insight to discover your AWS environment.
DynamoDB
- ListTables
This allows Cloud Insight to discover your AWS environment.
EC2
- Describe*
This allows Cloud Insight to discover your account during deployment.
Elastic Beanstalk
- Describe*
This allows Cloud Insight to discover your AWS environment.
Elasticache
- Describe*
This allows Cloud Insight to discover your AWS environment.
Elastic Load Balancing
- Describe*
This allows Cloud Insight to discover your AWS environment.
Elastic MapReduce
- DescribeJobFlows
This allows Cloud Insight to discover your AWS environment.
Glacier
- ListVaults
This allows Cloud Insight to discover your AWS environment.
GuardDuty
- Get*
- List*
These allow Cloud Insight to discover your AWS environment.
IAM
- Get*
- List*
- GenerateCredentialReport
These enable Cloud Insight to generate a credential report for the AWS account and ensure identification of IAM vulnerabilities. They also allow the retrieval of attributes, including: account summaries, group and group policy information, roles, policies, server certificates, user lists, and multi-factor authentication devices.
Kinesis
- Describe*
- List*
These allow Cloud Insight to discover your AWS environment.
KMS
- DescribeKey
- GetKeyPolicy
- GetKeyRotationStatus
- ListAliases
- ListGrants
- ListKeys
- ListKeyPolicies
- ListResourceTags
These allow Cloud Insight to perform configuration checks related to KMS.
Note: These permissions do not allow Cloud Insight to access encryption keys or other sensitive data stored in KMS.
Lambda
- List*
This allows Cloud Insight to discover your AWS environment.
RDS
- Describe*
- ListTagsForResource
These allow Cloud Insight to discover your AWS environment and keep an up-to-date asset model.
Redshift
- Describe*
This allows Cloud Insight to discover your AWS environment.
Route 53
- GetHostedZone
- ListHostedZones
- ListResourceRecordSets
These allow Cloud Insight to discover your AWS environment and maintain an up-to-date asset model.
SDB
- DomainMetadata
- ListDomains
This allows Cloud Insight to discover your AWS environment.
SNS
- CreateTopic
- DeleteTopic
- AddPermission
- ListTopics
- SetTopicAttributes
- GetTopicAttributes
- Subscribe
These grant permissions for continuous discovery of assets and updates of the asset model, so that all product functionality is based on the most up-to-date view of the asset model.
- ListSubscriptions
- ListSubscriptionsByTopic
- ListTopics
- GetEndpointAttributes
- GetSubscriptionAttributes
- GetTopicAttributes
These allow Cloud Insight to perform configuration checks related to SNS.
SQS
- CreateQueue
- DeleteQueue
- SetQueueAttributes
- GetQueueAttributes
- ListQueues
- ReceiveMessage
- DeleteMessage
- GetQueueUrl
These set up an SQS queue that Cloud Insight utilizes for the CloudTrail subscription.
S3
- ListAllMyBuckets
- ListBucket
- GetBucketLocation
- GetObject
- GetBucket*
- GetLifecycleConfiguration
- GetObjectAcl
- GetObjectVersionAcl
- CreateBucket
- PutBucketPolicy
- DeleteBucket
These allow Alert Logic to create and delete the bucket and update its bucket policy, so that CloudTrail logs can be processed to keep the asset model up to date.
Tag
- GetResources
- GetTagKeys
These allow Cloud Insight to perform configuration checks related to tags.
IAM Policy
IMPORTANT: This IAM policy is listed here for your reference; however, when adding the policy to your AWS environment, it is HIGHLY RECOMMENDED to copy the policy from the Alert Logic console.
Note: You can get the newest policy for Cloud Insight Essentials here and the full.json from that directory here.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnabledDiscoveryOfVariousAWSServices",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "config:DeliverConfigSnapshot",
        "config:Describe*",
        "config:Get*",
        "config:ListDiscoveredResources",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticbeanstalk:Describe*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeJobFlows",
        "events:Describe*",
        "events:List*",
        "glacier:ListVaults",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListGrants",
        "kms:ListKeys",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags",
        "lambda:List*",
        "logs:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:GetEndpointAttributes",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetBucket*",
        "s3:GetLifecycleConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "tag:GetResources",
        "tag:GetTagKeys"
      ]
    },
    {
      "Sid": "EnableInsightDiscovery",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:ListRoles",
        "iam:GetRolePolicy",
        "iam:GetAccountSummary",
        "iam:GenerateCredentialReport"
      ]
    },
    {
      "Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:*"
      ]
    },
    {
      "Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
      "Resource": "arn:aws:s3:::outcomesbucket-*",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket"
      ]
    },
    {
      "Sid": "CreateCloudTrailsTopicTfOneWasntAlreadySetupForCloudTrails",
      "Resource": "arn:aws:sns:*:*:outcomestopic",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic"
      ]
    },
    {
      "Sid": "MakeSureThatCloudTrailsSnsTopicIsSetupCorrectlyForCloudTrailPublishingAndSqsSubsription",
      "Resource": "arn:aws:sns:*:*:*",
      "Effect": "Allow",
      "Action": [
        "sns:addpermission",
        "sns:gettopicattributes",
        "sns:listtopics",
        "sns:settopicattributes",
        "sns:subscribe"
      ]
    },
    {
      "Sid": "CreateAlertLogicSqsQueueToSubscribeToCloudTrailsSnsTopicNotifications",
      "Resource": "arn:aws:sqs:*:*:outcomesbucket*",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ]
    }
  ]
}
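The wildcard note near the top of this article and the policy above raise the two questions a reviewer asks before attaching a third-party policy: what does each "*" actually expand to, and which statements grant write-level actions on an unscoped resource? The script below is an added example, not Alert Logic's code or tooling. It embeds an excerpt of the policy above (four of its seven statements, with the first statement's action list shortened), a constructed mini-catalog of real API action names to show wildcard expansion against, and a read-verb prefix heuristic (Describe/Get/List/Lookup/Generate) that is an assumption of this example; the authoritative read-versus-write classification is the access-level column of the AWS Service Authorization Reference.

```python
import fnmatch
import json

# Excerpt of the Cloud Insight Essentials policy shown in the article: four of its
# seven statements, with the first statement's action list shortened for brevity.
POLICY_EXCERPT = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnabledDiscoveryOfVariousAWSServices",
      "Resource": "*",
      "Effect": "Allow",
      "Action": ["autoscaling:Describe*", "cloudformation:GetTemplate",
                 "cloudtrail:LookupEvents", "ec2:Describe*", "s3:GetBucket*"]
    },
    {
      "Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled",
      "Resource": "*",
      "Effect": "Allow",
      "Action": ["cloudtrail:*"]
    },
    {
      "Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
      "Resource": "arn:aws:s3:::outcomesbucket-*",
      "Effect": "Allow",
      "Action": ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:DeleteBucket"]
    },
    {
      "Sid": "MakeSureThatCloudTrailsSnsTopicIsSetupCorrectlyForCloudTrailPublishingAndSqsSubsription",
      "Resource": "arn:aws:sns:*:*:*",
      "Effect": "Allow",
      "Action": ["sns:addpermission", "sns:gettopicattributes", "sns:listtopics",
                 "sns:settopicattributes", "sns:subscribe"]
    }
  ]
}
''')

# Constructed mini-catalog of real API action names, just enough to show how a
# wildcard expands. A real review would load the full service action list.
ACTION_CATALOG = [
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:UpdateAutoScalingGroup",
    "cloudtrail:DescribeTrails",
    "cloudtrail:LookupEvents",
    "cloudtrail:DeleteTrail",
    "cloudtrail:StopLogging",
]

# Verb prefixes treated as read-level. This is a heuristic assumed by this example;
# the AWS Service Authorization Reference is the authoritative source.
READ_PREFIXES = ("describe", "get", "list", "lookup", "generate")


def expand_action(pattern, catalog=ACTION_CATALOG):
    """Return the catalog actions matched by one IAM action pattern.

    IAM matches action names case-insensitively and treats '*' as a glob, so
    'autoscaling:Describe*' and 'AUTOSCALING:describe*' expand identically.
    """
    return [a for a in catalog if fnmatch.fnmatchcase(a.lower(), pattern.lower())]


def is_read_only(action):
    """Classify a single action or action pattern by its verb prefix."""
    _service, _, verb = action.partition(":")
    return verb != "*" and verb.lower().startswith(READ_PREFIXES)


def is_broad_resource(resource):
    """True for '*' or an ARN whose final (resource-name) segment is just '*'."""
    return resource == "*" or resource.rsplit(":", 1)[-1] == "*"


def review_policy(policy):
    """List every Allow statement that grants non-read actions, with its scope."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        writes = [a for a in actions if not is_read_only(a)]
        if writes:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "write_actions": writes,
                "resources": resources,
                "broad": any(is_broad_resource(r) for r in resources),
            })
    return findings


def broad_write_sids(policy):
    """Sids that combine write-level actions with an unscoped resource."""
    return [f["sid"] for f in review_policy(policy) if f["broad"]]


if __name__ == "__main__":
    for f in review_policy(POLICY_EXCERPT):
        scope = "UNSCOPED" if f["broad"] else "scoped"
        print(f"{f['sid']}: {scope} {f['resources']} -> {f['write_actions']}")
    print("cloudtrail:* expands to:", expand_action("cloudtrail:*"))
```

Run against the excerpt, the review flags two statements as write-level on an unscoped resource: the `cloudtrail:*` grant on `"*"` and the SNS AddPermission/SetTopicAttributes/Subscribe grant on every topic (`arn:aws:sns:*:*:*`). Those are exactly the two places where the article says Alert Logic needs to change your environment (enabling CloudTrail, wiring a topic for CloudTrail publishing), so the reviewer's job becomes confirming that scope is acceptable rather than hunting for it. The S3 and SQS write statements are scoped to `outcomesbucket` resources and are reported as scoped. Comparing the deployed policy against the reference copy from the Alert Logic console with the same function is a cheap way to catch drift.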