Good catch @virtualjj! I'm wondering why AWS missed that action in their arn:aws:iam::aws:policy/SecurityAudit managed policy. I'm also comparing it with the role I use for Security Monkey; it may be more accurate to merge both and add the result to the documentation. What do you think?
So this is the arn:aws:iam::aws:policy/SecurityAudit default policy:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudformation:getStackPolicy", "cloudwatchlogs:describeLogGroups", "cloudwatchlogs:describeMetricFilters", "autoscaling:Describe*", "cloudformation:DescribeStack*", "cloudformation:GetTemplate", "cloudformation:ListStack*", "cloudfront:Get*", "cloudfront:List*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "cloudwatch:Describe*", "codecommit:BatchGetRepositories", "codecommit:GetBranch", "codecommit:GetObjectIdentifier", "codecommit:GetRepository", "codecommit:List*", "codedeploy:Batch*", "codedeploy:Get*", "codedeploy:List*", "config:Deliver*", "config:Describe*", "config:Get*", "datapipeline:DescribeObjects", "datapipeline:DescribePipelines", "datapipeline:EvaluateExpression", "datapipeline:GetPipelineDefinition", "datapipeline:ListPipelines", "datapipeline:QueryObjects", "datapipeline:ValidatePipelineDefinition", "directconnect:Describe*", "dynamodb:ListTables", "ec2:Describe*", "ecs:Describe*", "ecs:List*", "elasticache:Describe*", "elasticbeanstalk:Describe*", "elasticloadbalancing:Describe*", "elasticmapreduce:DescribeJobFlows", "elasticmapreduce:ListClusters", "firehose:Describe*", "firehose:List*", "glacier:ListVaults", "iam:GenerateCredentialReport", "iam:Get*", "iam:List*", "kms:Describe*", "kms:Get*", "kms:List*", "lambda:GetPolicy", "lambda:ListFunctions", "rds:Describe*", "rds:DownloadDBLogFilePortion", "rds:ListTagsForResource", "redshift:Describe*", "route53:GetChange", "route53:GetCheckerIpRanges", "route53:GetGeoLocations", "route53:GetHealthCheck", "route53:GetHealthCheckCount", "route53:GetHealthCheckLastFailureReason", "route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:GetReusableDelegationSet", "route53:ListGeoLocations", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "route53:ListReusableDelegationSets", "route53:ListTagsForResource", 
"route53:ListTagsForResources", "route53domains:GetDomainDetail", "route53domains:GetOperationDetail", "route53domains:ListDomains", "route53domains:ListOperations", "route53domains:ListTagsForDomain", "s3:GetBucket*", "s3:GetLifecycleConfiguration", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:ListAllMyBuckets", "sdb:DomainMetadata", "sdb:ListDomains", "ses:GetIdentityDkimAttributes", "ses:ListIdentities", "sns:GetTopicAttributes", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues", "tag:GetResources", "tag:GetTagKeys" ], "Effect": "Allow", "Resource": "*" } ] }
And this is the custom SecurityMonkeyReadOnly role used to perform all the checks that Security Monkey needs (note that, despite the name, it is not strictly read-only: it includes `ses:sendemail`, which Security Monkey uses to send notifications):
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "acm:describecertificate", "acm:listcertificates", "cloudtrail:describetrails", "config:describeconfigrules", "config:describeconfigurationrecorders", "directconnect:describeconnections", "ec2:describeaddresses", "ec2:describedhcpoptions", "ec2:describeflowlogs", "ec2:describeimages", "ec2:describeinstances", "ec2:describeinternetgateways", "ec2:describekeypairs", "ec2:describenatgateways", "ec2:describenetworkacls", "ec2:describenetworkinterfaces", "ec2:describeregions", "ec2:describeroutetables", "ec2:describesecuritygroups", "ec2:describesnapshots", "ec2:describesubnets", "ec2:describetags", "ec2:describevolumes", "ec2:describevpcendpoints", "ec2:describevpcpeeringconnections", "ec2:describevpcs", "elasticloadbalancing:describeloadbalancerattributes", "elasticloadbalancing:describeloadbalancerpolicies", "elasticloadbalancing:describeloadbalancers", "es:describeelasticsearchdomainconfig", "es:listdomainnames", "iam:getaccesskeylastused", "iam:getgroup", "iam:getgrouppolicy", "iam:getloginprofile", "iam:getpolicyversion", "iam:getrole", "iam:getrolepolicy", "iam:getservercertificate", "iam:getuser", "iam:getuserpolicy", "iam:listaccesskeys", "iam:listattachedgrouppolicies", "iam:listattachedrolepolicies", "iam:listattacheduserpolicies", "iam:listentitiesforpolicy", "iam:listgrouppolicies", "iam:listgroups", "iam:listinstanceprofilesforrole", "iam:listmfadevices", "iam:listpolicies", "iam:listrolepolicies", "iam:listroles", "iam:listservercertificates", "iam:listsigningcertificates", "iam:listuserpolicies", "iam:listusers", "kms:describekey", "kms:getkeypolicy", "kms:listaliases", "kms:listgrants", "kms:listkeypolicies", "kms:listkeys", "lambda:listfunctions", "rds:describedbclusters", "rds:describedbclustersnapshots", "rds:describedbinstances", "rds:describedbsecuritygroups", "rds:describedbsnapshots", "rds:describedbsubnetgroups", "redshift:describeclusters", "route53:listhostedzones", 
"route53:listresourcerecordsets", "route53domains:listdomains", "s3:getbucketacl", "s3:getbucketlocation", "s3:getbucketlogging", "s3:getbucketpolicy", "s3:getbuckettagging", "s3:getbucketversioning", "s3:getlifecycleconfiguration", "s3:listallmybuckets", "ses:getidentityverificationattributes", "ses:listidentities", "ses:listverifiedemailaddresses", "ses:sendemail", "sns:gettopicattributes", "sns:listsubscriptionsbytopic", "sns:listtopics", "sqs:getqueueattributes", "sqs:listqueues" ], "Effect": "Allow", "Resource": "*" } ] }
This one would be the union of both, to be used as a ProwlerPolicyReadOnly. Two caveats before adopting it as-is: the merge carries over `ses:sendemail` from the Security Monkey role, which is a write action (it lets the principal send mail from the account's verified SES identities) that a read-only auditor like Prowler does not need, so it should be dropped from a policy labelled "ReadOnly" to keep the principal least-privilege; and the SecurityAudit managed policy shown above is a snapshot — AWS revises managed policies over time, so re-check the current version before copying the list.
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"acm:describecertificate",
"acm:listcertificates",
"autoscaling:describe*",
"cloudformation:describestack*",
"cloudformation:getstackpolicy",
"cloudformation:gettemplate",
"cloudformation:liststack*",
"cloudfront:get*",
"cloudfront:list*",
"cloudtrail:describetrails",
"cloudtrail:gettrailstatus",
"cloudtrail:listtags",
"cloudwatch:describe*",
"cloudwatchlogs:describeloggroups",
"cloudwatchlogs:describemetricfilters",
"codecommit:batchgetrepositories",
"codecommit:getbranch",
"codecommit:getobjectidentifier",
"codecommit:getrepository",
"codecommit:list*",
"codedeploy:batch*",
"codedeploy:get*",
"codedeploy:list*",
"config:deliver*",
"config:describe*",
"config:get*",
"datapipeline:describeobjects",
"datapipeline:describepipelines",
"datapipeline:evaluateexpression",
"datapipeline:getpipelinedefinition",
"datapipeline:listpipelines",
"datapipeline:queryobjects",
"datapipeline:validatepipelinedefinition",
"directconnect:describe*",
"dynamodb:listtables",
"ec2:describe*",
"ecs:describe*",
"ecs:list*",
"elasticache:describe*",
"elasticbeanstalk:describe*",
"elasticloadbalancing:describe*",
"elasticmapreduce:describejobflows",
"elasticmapreduce:listclusters",
"es:describeelasticsearchdomainconfig",
"es:listdomainnames",
"firehose:describe*",
"firehose:list*",
"glacier:listvaults",
"iam:generatecredentialreport",
"iam:get*",
"iam:list*",
"kms:describe*",
"kms:get*",
"kms:list*",
"lambda:getpolicy",
"lambda:listfunctions",
"rds:describe*",
"rds:downloaddblogfileportion",
"rds:listtagsforresource",
"redshift:describe*",
"route53:getchange",
"route53:getcheckeripranges",
"route53:getgeolocations",
"route53:gethealthcheck",
"route53:gethealthcheckcount",
"route53:gethealthchecklastfailurereason",
"route53:gethostedzone",
"route53:gethostedzonecount",
"route53:getreusabledelegationset",
"route53:listgeolocations",
"route53:listhealthchecks",
"route53:listhostedzones",
"route53:listhostedzonesbyname",
"route53:listresourcerecordsets",
"route53:listreusabledelegationsets",
"route53:listtagsforresource",
"route53:listtagsforresources",
"route53domains:getdomaindetail",
"route53domains:getoperationdetail",
"route53domains:listdomains",
"route53domains:listoperations",
"route53domains:listtagsfordomain",
"s3:getbucket*",
"s3:getlifecycleconfiguration",
"s3:getobjectacl",
"s3:getobjectversionacl",
"s3:listallmybuckets",
"sdb:domainmetadata",
"sdb:listdomains",
"ses:getidentitydkimattributes",
"ses:getidentityverificationattributes",
"ses:listidentities",
"ses:listverifiedemailaddresses",
"ses:sendemail",
"sns:gettopicattributes",
"sns:listsubscriptionsbytopic",
"sns:listtopics",
"sqs:getqueueattributes",
"sqs:listqueues",
"tag:getresources",
"tag:gettagkeys"
],
"Effect": "Allow",
"Resource": "*"
}]
}
I'm going to add it in the README as well.
Done. Can you test that role in your environment, @virtualjj?
Worked as expected - thanks!
Good to hear :)
The default SecurityAudit managed IAM policy (as of the version in use when this was reported) only contains the following SNS actions:
"sns:GetTopicAttributes", "sns:ListTopics"
As a result, this causes an error for https://github.com/Alfresco/aws-cis-security-benchmark/blob/master/prowler#L802
An error occurred (AuthorizationError) when calling the ListSubscriptionsByTopic operation: User: arn:aws:iam::XXXXXXXX:user/BobHope is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: arn:aws:sns:eu-west-1:XXXXXXXXX:PagerDuty
To remove the error, the IAM policy attached to the principal running Prowler needs the following action added:
sns:ListSubscriptionsByTopic