Additional permissions needed for security audit role

[gene1wood]

When attempting to figure out if a Lambda function in a foreign account is the cause of an issue, I found we don't have rights to look at lambda functions are are specifically missing lambda:GetAccountSettings.

Should we have any read permissions in lambda via security auditing roles?

If so what should or shouldn't we have?

cc @andrewkrug

Additionally we should add more permissions with the route53 product as that is also difficult to audit.

[gene1wood]

These can and probably should be expanded to wildcards with prefixs for each of these products

• acm-pca:ListCertificateAuthorities
• acm:ListCertificates
• aws-portal:View*
• awsbillingconsole:View*
• cloudformation:GetStackPolicy
• cloudformation:ListChangeSets
• cloudformation:ListExports
• cloudwatch:GetMetricStatistics
• dynamodb
• ecs:ListClusters
• guardduty:ListDetectors
• inspector:ListAssessmentTargets
• inspector:ListAssessmentTemplates
• inspector:ListRulesPackages
• ssm:DescribeAutomationExecutions
• ssm:DescribeInstanceProperties
• ssm:DescribePatchBaselines
• ssm:ListAssociations
• trustedadvisor

[gene1wood]

Since Security Monkey uses this role, it would be good to review and diff the current permissions : https://github.com/Netflix/security_monkey/blob/develop/docs/iam_aws.md#creating-securitymonkey-role

[gene1wood]

The permissions present in the Security Monkey role that we would be missing after adding the items above are

• acm:describecertificate
• config:describeconfigrules
• config:describeconfigurationrecorders
• es:describeelasticsearchdomainconfig
• es:listdomainnames
• glacier:DescribeVault
• glacier:GetVaultAccessPolicy
• glacier:ListTagsForVault
• kms:describekey
• kms:getkeypolicy
• kms:getkeyrotationstatus
• kms:listaliases
• kms:listgrants
• kms:listkeypolicies
• kms:listkeys
• lambda:getfunctionconfiguration
• lambda:getpolicy
• lambda:listaliases
• lambda:listeventsourcemappings
• lambda:listtags
• lambda:listversionsbyfunction
• lambda:listfunctions
• route53domains:listdomains
• route53domains:getdomaindetail
• s3:getaccelerateconfiguration
• s3:getreplicationconfiguration
• s3:getanalyticsconfiguration
• s3:getmetricsconfiguration
• s3:getinventoryconfiguration
• sns:listsubscriptionsbytopic
• sqs:listqueuetags
• sqs:listdeadlettersourcequeues

The permission that is present in the Security Monkey role that we don't want is

• ses:sendemail

[gene1wood]

We should also add

• iam:SimulatePrincipalPolicy
• iam:SimulateCustomPolicy