Alert Logic® utilizes an IAM Role and IAM Policy to allow Alert Logic third-party access to your Amazon Web Services (AWS) environment. The IAM policy used depends on the Alert Logic product and type of deployment in use. This article applies to Alert Logic Essential, Professional, and Enterprise - Manual deployment mode.
Note: See the Automatic Deployment of Amazon Web Services IAM Policy and Permissions article for information that applies to Alert Logic Cloud Insight™ automatic deployment and guided deployment modes and SIEMless Threat Management automatic deployment mode.
This article houses the IAM policy that you will need to implement in order for Alert Logic to access your AWS environment, as well as brief overviews of the permissions granted to Alert Logic, broken up by AWS service.
Permissions Granted to Alert Logic
Note: The "*" that you will see below after some of the permissions listed indicates that all actions that start with the listed prefix are granted. For example, Describe* under Auto Scaling includes DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeLaunchConfigurations, etc., as listed in the AWS Auto Scaling API.
Write and Read Permissions
- Auto Scaling
- CloudTrail
- EC2
- S3
- SNS
- SQS
Read Permissions
- CloudFormation
- CloudFront
- CloudWatch
- Config
- Cost and Usage Report
- Direct Connect
- DynamoDB
- Elastic Beanstalk
- Elasticache
- Elastic Load Balancer
- Elastic Map Reduce
- Events
- Glacier
- GuardDuty
- IAM
- Kinesis
- KMS
- Lambda
- Logs
- RDS
- Redshift
- Route 53
- SDB
- Tags
Auto Scaling
- Describe*
- UpdateAutoScalingGroup
Alert Logic uses the Describe calls to discover the Auto Scaling groups you have already set up in your AWS environment.
CloudFormation
- DescribeStack*
- GetTemplate
- ListStack*
These CloudFormation permissions allow Alert Logic to discover your AWS environment.
CloudFront
- Get*
- List*
This allows Alert Logic to discover your AWS environment.
CloudTrail
- DescribeTrails
- GetEventSelectors
- GetTrailStatus
- ListPublicKeys
- ListTags
- LookupEvents
- StartLogging
- UpdateTrail
These allow Alert Logic to perform configuration checks related to CloudTrail.
CloudWatch
- Describe*
This allows Alert Logic to discover your AWS environment.
Config
- DeliverConfigSnapshot
- Describe*
- Get*
- ListDiscoveredResources
These allow Alert Logic to perform configuration checks related to Config.
Cost and Usage Report
- DescribeReportDefinitions
This allows Alert Logic to perform configuration checks related to Cost and Usage Report.
Direct Connect
- Describe*
This allows Alert Logic to discover your AWS environment.
DynamoDB
- ListTables
This allows Alert Logic to discover your AWS environment.
EC2
- Describe*
- GetConsoleOutput
- GetConsoleScreenshot
- StartInstances
- StopInstances
- TerminateInstances
These allow Alert Logic to discover your account during deployment, to troubleshoot issues with Alert Logic appliances, and to auto-start and auto-remove Alert Logic appliances.
Elastic Beanstalk
- Describe*
This allows Alert Logic to discover your AWS environment.
Elasticache
- Describe*
This allows Alert Logic to discover your AWS environment.
Elastic Load Balancing
- Describe*
This allows Alert Logic to discover your AWS environment.
Elastic Map Reduce
- DescribeJobFlows
This allows Alert Logic to discover your AWS environment.
Events
- Describe*
- List*
This allows Alert Logic to manage remote collectors.
Glacier
- ListVaults
This allows Alert Logic to discover your AWS environment.
GuardDuty
- Get*
- List*
These allow Alert Logic to discover your AWS environment.
IAM
- Get*
- List*
- GetPolicyVersion
- GetPolicy
- ListRolePolicies
- ListAttachedRolePolicies
- ListRoles
- GetRolePolicy
- GetAccountSummary
- GenerateCredentialReport
These allow Alert Logic to validate the provided policy and to discover your AWS environment.
Kinesis
- Describe*
- List*
These allow Alert Logic to discover your AWS environment.
KMS
- DescribeKey
- GetKeyPolicy
- GetKeyRotationStatus
- ListAliases
- ListGrants
- ListKeys
- ListKeyPolicies
- ListResourceTags
These allow Alert Logic to perform configuration checks related to KMS.
Note: These permissions do not allow Alert Logic to access encryption keys or other sensitive data stored in KMS.
Lambda
- List*
This allows Alert Logic to discover your AWS environment.
Logs
- Describe*
This allows Alert Logic to manage remote collectors.
RDS
- Describe*
- ListTagsForResource
These allow Alert Logic to discover your AWS environment and keep an up-to-date asset model.
Redshift
- Describe*
This allows Alert Logic to discover your AWS environment.
Route 53
- GetHostedZone
- ListHostedZones
- ListResourceRecordSets
These allow Alert Logic to discover your AWS environment and maintain an up-to-date asset model.
SDB
- DomainMetadata
- ListDomains
This allows Alert Logic to discover your AWS environment.
SNS
- AddPermission
- CreateTopic
- DeleteTopic
- GetEndpointAttributes
- GetSubscriptionAttributes
- GetTopicAttributes
- ListSubscriptions
- ListSubscriptionsByTopic
- ListTopics
- SetTopicAttributes
- Subscribe
These allow Alert Logic to perform configuration checks related to SNS.
SQS
- CreateQueue
- DeleteQueue
- SetQueueAttributes
- GetQueueAttributes
- ReceiveMessage
- DeleteMessage
- GetQueueUrl
- ListQueues
These allow Alert Logic to automatically set up CloudTrail to monitor changes in your AWS environment.
S3
- CreateBucket
- DeleteBucket
- ListAllMyBuckets
- ListBucket
- GetBucketLocation
- GetObject
- GetBucket*
- GetLifecycleConfiguration
- GetObjectAcl
- GetObjectVersionAcl
- PutBucketPolicy
These allow Alert Logic to discover S3 buckets. They also permit Alert Logic to create an S3 bucket with the "outcomesbucket-*" naming scheme to store CloudTrail logs. They grant Alert Logic the ability to create, delete, or alter the policies on buckets that match "outcomesbucket-*", created by Alert Logic.
Tag
- GetResources
- GetTagKeys
These allow Alert Logic to perform configuration checks related to tags.
IAM Policy
Important: This IAM policy is listed for your reference; however, when adding the policy to your AWS account, it is highly recommended to copy the policy from within the Alert Logic console. This IAM policy was last updated February 27, 2019.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnabledDiscoveryOfVariousAWSServices",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudtrail:ListTags",
        "cloudwatch:Describe*",
        "config:DeliverConfigSnapshot",
        "config:Describe*",
        "config:Get*",
        "config:ListDiscoveredResources",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticbeanstalk:Describe*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeJobFlows",
        "events:Describe*",
        "events:List*",
        "glacier:ListVaults",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListGrants",
        "kms:ListKeys",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags",
        "lambda:List*",
        "logs:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:GetEndpointAttributes",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetBucket*",
        "s3:GetLifecycleConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "tag:GetResources",
        "tag:GetTagKeys"
      ]
    },
    {
      "Sid": "EnableInsightDiscovery",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:ListRoles",
        "iam:GetRolePolicy",
        "iam:GetAccountSummary",
        "iam:GenerateCredentialReport"
      ]
    },
    {
      "Sid": "LimitedCloudTrail",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListPublicKeys",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents"
      ]
    },
    {
      "Sid": "LimitedSNSForCloudTrail",
      "Resource": "arn:aws:sns:*:*:*",
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics",
        "sns:GetTopicAttributes",
        "sns:Subscribe"
      ]
    },
    {
      "Sid": "LimitedSQSForCloudTrail",
      "Resource": "arn:aws:sqs:*:*:outcomesbucket*",
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ]
    },
    {
      "Sid": "BeAbleToListSQSForCloudTrail",
      "Resource": "*",
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues"
      ]
    },
    {
      "Sid": "EnableAlertLogicApplianceStateManagement",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      },
      "Action": [
        "ec2:GetConsoleOutput",
        "ec2:GetConsoleScreenshot",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ]
    },
    {
      "Sid": "EnableAlertLogicAutoScalingGroupManagement",
      "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      },
      "Action": [
        "autoscaling:UpdateAutoScalingGroup"
      ]
    }
  ]
}
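The statements that matter most for least privilege are the ones that scope the write actions: the EC2 instance-state actions are conditioned on the AlertLogic=Security resource tag, and the SQS actions are restricted to queue ARNs matching outcomesbucket*. The following Python evaluator is an added example, not Alert Logic's code; it applies a constructed subset of the policy above (a shortened discovery statement plus the LimitedSQSForCloudTrail and EnableAlertLogicApplianceStateManagement statements) to sample requests so you can see which calls the scoping admits. The Sid "Discovery", the account number and the instance and queue ARNs are made up for the example.

```python
import fnmatch
import json

# Constructed subset of the page's policy: one shortened discovery statement
# (Sid "Discovery" is invented) plus the ARN-scoped SQS and tag-scoped EC2 ones.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Discovery", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "sqs:ListQueues"]},
    {"Sid": "LimitedSQSForCloudTrail", "Effect": "Allow",
     "Resource": "arn:aws:sqs:*:*:outcomesbucket*",
     "Action": ["sqs:GetQueueAttributes", "sqs:ReceiveMessage",
                "sqs:DeleteMessage", "sqs:GetQueueUrl"]},
    {"Sid": "EnableAlertLogicApplianceStateManagement", "Effect": "Allow",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/AlertLogic": "Security"}},
     "Action": ["ec2:StartInstances", "ec2:StopInstances",
                "ec2:TerminateInstances"]}
  ]
}""")


def _matches(pattern, value, fold_case):
    # IAM's '*' matches any run of characters, including ':' and '/'.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource, resource_tags=None):
    """True if some Allow statement covers the action, the resource ARN and,
    where present, the ec2:ResourceTag/<Key> StringEquals condition.
    Models only what this policy uses: no Deny, no other condition operators."""
    tags = resource_tags or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        # Action names are case-insensitive; resource ARNs are compared as-is.
        if not any(_matches(a, action, True) for a in actions):
            continue
        if not _matches(stmt["Resource"], resource, False):
            continue
        # StringEquals on a tag key: a missing or different tag never matches.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(key.split("/", 1)[1]) == want
               for key, want in cond.items()):
            return True
    return False
```

Running is_allowed against the full policy from the console (after json.load) gives the same kind of answer for any action you want to check before attaching the role.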