Overview
Alert Logic® Cloud Insight™ Essentials uses an IAM role and an IAM policy to grant Alert Logic third-party access to your Amazon Web Services (AWS) environment. This article lists the IAM policy you need to implement so that Alert Logic can access your AWS environment, along with brief overviews of the permissions granted to Cloud Insight Essentials.
Permissions Granted to Alert Logic
Note: The "*" shown after some of the permissions below is a wildcard: every action whose name starts with the listed prefix is included. For example, Describe* under Auto Scaling includes DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeLaunchConfigurations, etc., as listed in the AWS Auto Scaling API.
Write and Read Permissions
- CloudTrail
- CloudWatch
- S3
- SNS
- SQS
Read Permissions
- Auto Scaling
- CloudFormation
- CloudFront
- Direct Connect
- DynamoDB
- EC2
- Elastic Beanstalk
- ElastiCache
- Elastic Load Balancing
- Elastic MapReduce
- Glacier
- GuardDuty
- IAM
- Kinesis
- Lambda
- RDS
- Redshift
- Route 53
- SDB
Auto Scaling
- Describe*
Alert Logic uses Describe calls to discover the Auto Scaling groups and launch configurations you have already set up inside your AWS environment.
CloudFormation
- DescribeStack*
- GetTemplate
- ListStack*
These CloudFormation permissions allow Cloud Insight to discover your AWS environment.
CloudFront
- Get*
- List*
This allows Cloud Insight to discover your AWS environment.
CloudTrail
- CloudTrail:*
This allows Cloud Insight to turn on and set up the AWS CloudTrail logging service that drives Cloud Insight's functionality.
CloudWatch
- Describe*
This allows Cloud Insight to discover your AWS environment.
CloudWatch Events
- Describe*
- List*
These allow Cloud Insight to discover your AWS environment.
CloudWatch Logs
- Describe*
This allows Cloud Insight to discover your AWS environment.
Direct Connect
- Describe*
This allows Cloud Insight to discover your AWS environment.
DynamoDB
- ListTables
This allows Cloud Insight to discover your AWS environment.
EC2
- Describe*
This allows Cloud Insight to discover your account during deployment.
Elastic Beanstalk
- Describe*
This allows Cloud Insight to discover your AWS environment.
ElastiCache
- Describe*
This allows Cloud Insight to discover your AWS environment.
Elastic Load Balancing
- Describe*
This allows Cloud Insight to discover your AWS environment.
Elastic MapReduce
- DescribeJobFlows
This allows Cloud Insight to discover your AWS environment.
Glacier
- ListVaults
This allows Cloud Insight to discover your AWS environment.
GuardDuty
- Describe*
- Get*
- List*
These allow Cloud Insight to discover your AWS environment.
IAM
- Get*
- List*
- GenerateCredentialReport
These let Cloud Insight generate a credential report for the AWS account and identify IAM vulnerabilities. They also allow retrieval of attributes including account summaries, group and group policy information, roles, policies, server certificates, user lists, and multi-factor authentication devices.
Kinesis
- Describe*
- List*
These allow Cloud Insight to discover your AWS environment.
Lambda
- List*
This allows Cloud Insight to discover your AWS environment.
RDS
- Describe*
- DownloadDBLogFilePortion
- ListTagsForResource
These allow Cloud Insight to discover your AWS environment and keep an up-to-date asset model.
Redshift
- Describe*
This allows Cloud Insight to discover your AWS environment.
Route 53
- GetHostedZone
- ListHostedZones
- ListResourceRecordSets
These allow Cloud Insight to discover your AWS environment and maintain an up-to-date asset model.
SDB
- DomainMetadata
- ListDomains
These allow Cloud Insight to discover your AWS environment.
SNS
- CreateTopic
- DeleteTopic
- addpermission
- listtopics
- settopicattributes
- gettopicattributes
- subscribe
These grant Cloud Insight access to create and delete the "outcomestopic" topic that the solution uses during deployment and, if necessary, during solution removal.
SQS
- CreateQueue
- DeleteQueue
- SetQueueAttributes
- GetQueueAttributes
- ListQueues
- ReceiveMessage
- DeleteMessage
- GetQueueUrl
These set up an SQS queue that Cloud Insight utilizes for the CloudTrail subscription.
S3
- ListAllMyBuckets
- ListBucket
- GetBucketLocation
- GetObject
- GetBucket*
- GetLifecycleConfiguration
- GetObjectAcl
- GetObjectVersionAcl
- CreateBucket
- PutBucketPolicy
- DeleteBucket
These allow Cloud Insight to discover buckets. They also permit Alert Logic to create an S3 bucket following the "outcomesbucket-*" naming scheme to store CloudTrail logs, and to create, delete, or alter the policies on buckets matching "outcomesbucket-*" that Cloud Insight itself created.
IAM Policy
IMPORTANT: This IAM policy is listed here for your reference; when adding the policy to your AWS environment, it is HIGHLY RECOMMENDED that you copy it from the Alert Logic console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnabledDiscoveryOfVariousAWSServices",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "directconnect:Describe*",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticbeanstalk:Describe*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeJobFlows",
        "events:Describe*",
        "events:List*",
        "glacier:ListVaults",
        "guardduty:Describe*",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:Describe*",
        "rds:Describe*",
        "rds:DownloadDBLogFilePortion",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetBucket*",
        "s3:GetLifecycleConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableInsightDiscovery",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:ListRoles",
        "iam:GetRolePolicy",
        "iam:GetAccountSummary",
        "iam:GenerateCredentialReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket"
      ],
      "Resource": "arn:aws:s3:::outcomesbucket-*"
    },
    {
      "Sid": "CreateCloudTrailsTopicTfOneWasntAlreadySetupForCloudTrails",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic"
      ],
      "Resource": "arn:aws:sns:*:*:outcomestopic"
    },
    {
      "Sid": "MakeSureThatCloudTrailsSnsTopicIsSetupCorrectlyForCloudTrailPublishingAndSqsSubsription",
      "Effect": "Allow",
      "Action": [
        "sns:addpermission",
        "sns:gettopicattributes",
        "sns:listtopics",
        "sns:settopicattributes",
        "sns:subscribe"
      ],
      "Resource": "arn:aws:sns:*:*:*"
    },
    {
      "Sid": "CreateAlertLogicSqsQueueToSubscribeToCloudTrailsSnsTopicNotifications",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ],
      "Resource": "arn:aws:sqs:*:*:outcomesbucket*"
    }
  ]
}
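Before attaching a third-party policy, a reviewer usually wants to answer two questions that the wildcard note at the top of this article and the policy above raise together: which concrete API calls does a pattern such as "ec2:Describe*" or "cloudtrail:*" actually match, and are the write actions really confined to the "outcomesbucket-*" and "outcomestopic" resources? The script below is an added example, not Alert Logic code or part of the console-provided policy. It embeds a constructed, abbreviated copy of the policy (a few representative actions per statement), matches requested actions case-insensitively and resource ARNs case-sensitively as IAM does, and flags the grants whose verb is not Describe/Get/List so they can be read most carefully. It models only Allow statements with Action and Resource wildcards, which is all this policy uses; Deny, NotAction, Condition keys and permissions boundaries are out of scope.

```python
"""Evaluate which statements of an IAM policy document grant a given action.

Added example, not Alert Logic code. Models Allow statements with Action and
Resource wildcards only (no Deny, NotAction, Condition or permissions boundaries).
"""
import re

# Constructed, abbreviated copy of the article's policy: representative actions
# per statement are kept so the checks below stay readable.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnabledDiscoveryOfVariousAWSServices", "Effect": "Allow",
         "Action": ["autoscaling:Describe*", "ec2:Describe*", "s3:ListBucket",
                    "s3:GetObject", "s3:GetBucket*"],
         "Resource": "*"},
        {"Sid": "EnableInsightDiscovery", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "iam:GenerateCredentialReport"],
         "Resource": "*"},
        {"Sid": "EnableCloudTrailIfAccountDoesntHaveCloudTrailsEnabled", "Effect": "Allow",
         "Action": ["cloudtrail:*"], "Resource": "*"},
        {"Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic",
         "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::outcomesbucket-*"},
        {"Sid": "CreateCloudTrailsTopicTfOneWasntAlreadySetupForCloudTrails",
         "Effect": "Allow",
         "Action": ["sns:CreateTopic", "sns:DeleteTopic"],
         "Resource": "arn:aws:sns:*:*:outcomestopic"},
        {"Sid": "CreateAlertLogicSqsQueueToSubscribeToCloudTrailsSnsTopicNotifications",
         "Effect": "Allow",
         "Action": ["sqs:CreateQueue", "sqs:DeleteQueue", "sqs:ReceiveMessage"],
         "Resource": "arn:aws:sqs:*:*:outcomesbucket*"},
    ],
}

# Verb prefixes treated as read-only by the heuristic below (constructed; AWS's
# per-service access-level table is the authoritative source).
READ_VERBS = ("describe", "get", "list")


def _wildcard_regex(pattern, flags=0):
    """Translate an IAM wildcard pattern (* and ?) into an anchored regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", flags)


def action_matches(pattern, action):
    """IAM compares action names case-insensitively (sns:addpermission == sns:AddPermission)."""
    return _wildcard_regex(pattern, re.IGNORECASE).match(action) is not None


def resource_matches(pattern, arn):
    """Resource ARNs are compared case-sensitively."""
    return _wildcard_regex(pattern).match(arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_by(policy, action, resource):
    """Sids of Allow statements whose Action and Resource both match the request."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
                and any(resource_matches(p, resource)
                        for p in _as_list(stmt.get("Resource", [])))):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def is_allowed(policy, action, resource):
    return bool(allowed_by(policy, action, resource))


def write_capable_grants(policy):
    """(Sid, pattern) pairs whose verb is not Describe/Get/List: the grants to review first."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            verb = pattern.split(":", 1)[1].lower() if ":" in pattern else pattern.lower()
            if not verb.startswith(READ_VERBS):
                found.append((stmt.get("Sid", "<no Sid>"), pattern))
    return found


if __name__ == "__main__":
    # Constructed sample requests; the account id is a placeholder.
    requests = [
        ("ec2:DescribeInstances", "*"),
        ("ec2:RunInstances", "*"),
        ("s3:DeleteBucket", "arn:aws:s3:::outcomesbucket-123"),
        ("s3:DeleteBucket", "arn:aws:s3:::customer-data"),
        ("s3:GetObject", "arn:aws:s3:::customer-data/report.csv"),
        ("cloudtrail:StopLogging", "arn:aws:cloudtrail:us-east-1:123456789012:trail/example"),
    ]
    for action, resource in requests:
        print(f"{action:24} {resource:60} -> {allowed_by(POLICY, action, resource)}")
    print("write-capable grants:", write_capable_grants(POLICY))
```

Running it shows the two points a reviewer cares about: the bucket and topic write actions only match ARNs of the "outcomesbucket-*" and "outcomestopic" shape, while "s3:GetObject" on Resource "*" and "cloudtrail:*" on Resource "*" match every object and every CloudTrail action in the account, which is why S3 and CloudTrail sit in the "Write and Read" list at the top of the article. To audit the full policy rather than the abbreviated copy, replace POLICY with the JSON loaded from the console.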