Minimum Permissions for AWS Connector

This page describes how to configure minimum permissions required by AWS connector to access AWS. The goal is to avoid All Admin rights and give only minimum permissions required for Compliance check and Remediation action.

This page explains how to create custom IAM policies of required roles and privileges in AWS using a JSON file.

Creating custom IAM policies:

This section talks about how to create the IAM policies using JSON file (containing details of permission required by AWS connector on AWS) and attach the Policy to AWS user (configured in AWS connector).

Steps for importing JSON document and attaching to the user:

Create policy -

The following steps will show you how to create a custom IAM Policy with minimum permission required for Compliance check. To create a custom IAM Policy with minimum permission required for both Compliance check and Remediation action, follow the same steps and alter the JSON code accordingly, as indicated in step 6.

	Steps	Example Screens
1.	Log in to Amazon Console.
2.	Go to IAM service.
3.	Select Policies from the left side of the screen.
4.	Select Create Policy and the following is displayed.
5.	Select option "JSON".
6.	Copy past below JSON in Policy document text box. If you wish to do Compliance only (as is the case in this example), then use Compliance JSON. If you wish to do Compliance and Remediation, then use Compliance And Remediation JSON.
7.	Select Review policy to evaluate the policy.
8.	Enter the Policy name (Eg. CompliancePolicy) and a description if required.
9.	Click Create policy. You will be notified when the policy is successfully created.

For more details, go through AWS document to create policy - http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html

Attach Policy -

Attach Policy to specific user which is created for BMC Helix Cloud Security.

	Steps	Sample Screens
1.	Go to IAM service.
2.	Select Users option from the side navigation bar. For new user, click Add User. For existing user, select from listed users.
3.	Select Grant permissions button.
4.	Click option "Attach existing policies directly".
5.	Select policy which you wish to attach (Eg. CompliancePolicy in this case).
6.	Click on button "Next: Review" at the bottom right corner of the page.
7.	A permissions summary is shown. Click Add permissions option at the bottom right corner of the page.
8.	Click Add permissions option again on the displayed page.
9.	After configuring the options available, click Add permissions option once more. The policy will be attached.

For more details, go through document how to attach policy to user - http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-and-attach-iam-policy.html

Compliance JSON

For compliance, open the following JSON file:

Compliance JSON

{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLogging",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetBucketLocation",
"s3:GetEncryptionConfiguration"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ListKeys",
"kms:ListAliases"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:generateCredentialReport",
"iam:getAccountPasswordPolicy",
"iam:getAccountSummary",
"iam:getCredentialReport",
"iam:getPolicy",
"iam:getPolicyVersion",
"iam:getUser",
"iam:listAccessKeys",
"iam:listAttachedRolePolicies",
"iam:listAttachedUserPolicies",
"iam:listEntitiesForPolicy",
"iam:listPolicies",
"iam:listRoles",
"iam:listUserPolicies",
"iam:ListGroupsForUser",
"iam:ListAttachedGroupPolicies",
"iam:ListGroupPolicies",
"iam:ListVirtualMFADevices"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"Cloudwatch:describeAlarms"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudtrail:listTags",
"cloudtrail:getTrailStatus",
"cloudtrail:GetEventSelectors",
"cloudtrail:describeTrails"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudwatchlogs:describeMetricFilters"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:listSubscriptionsByTopic"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"configService:describeConfigurationRecorders",
"configService:describeConfigurationRecorderStatus",
"configService:describeDeliveryChannels"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes",
"ec2:describeSecurityGroups",
"ec2:describeInstances",
"ec2:describeSnapshots",
"ec2:DescribeVpcs",
"ec2:DescribeFlowLogs"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"es:ListTags",
"es:describeElasticsearchDomainConfig",
"es:listDomainNames"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeDeliveryChannels"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeTags"
],
"Resource": [
"*"
]
},

{
"Effect": "Allow",
"Action": [
"rds:describeDBInstances",
"rds:listTagsForResource",
"rds:DescribeEventSubscriptions"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ssm:describeInstanceInformation",
"ssm:getCommandInvocation",
"ssm:sendCommand"
],
"Resource": [
"*"
]
}
]
}

Compliance and Remediation JSON

For compliance and Remediation, open the following JSON file:

Compliance and Remediation JSON

{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLogging",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:createBucket",
"s3:PutBucketPolicy",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:ListBucket",
"s3:GetEncryptionConfiguration"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:DisableKeyRotation",
"kms:GetKeyRotationStatus",
"kms:ListResourceTags",
"kms:ListKeys",
"kms:ListAliases",
"kms:DescribeKey",
"kms:CreateKey"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:generateCredentialReport",
"iam:getAccountPasswordPolicy",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:DeleteRolePolicy",
"iam:addUserToGroup",
"iam:attachGroupPolicy",
"iam:attachRolePolicy",
"iam:createAccessKey",
"iam:createGroup",
"iam:createRole",
"iam:deleteAccessKey",
"iam:deleteLoginProfile",
"iam:deleteUserPolicy",
"iam:detachGroupPolicy",
"iam:detachRolePolicy",
"iam:detachUserPolicy",
"iam:DeleteRole",
"iam:getGroup",
"iam:getRole",
"iam:getUserPolicy",
"iam:putGroupPolicy",
"iam:putRolePolicy",
"iam:simulatePrincipalPolicy",
"iam:updateAccessKey",
"iam:updateAssumeRolePolicy",
"iam:getAccountSummary",
"iam:getCredentialReport",
"iam:getPolicy",
"iam:getPolicyVersion",
"iam:getUser",
"iam:listAccessKeys",
"iam:listAttachedRolePolicies",
"iam:listAttachedUserPolicies",
"iam:listAttachedGroupPolicies",
"iam:listEntitiesForPolicy",
"iam:listPolicies",
"iam:listRoles",
"iam:listUserPolicies",
"iam:ListGroupPolicies",
"iam:ListGroupsForUser",
"iam:ListVirtualMFADevices",
"iam:listAccountAliases",
"iam:UpdateAccountPasswordPolicy"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"Cloudwatch:describeAlarms",
"Cloudwatch:PutMetricAlarm"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudtrail:listTags",
"cloudtrail:getTrailStatus",
"cloudtrail:describeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:stopLogging",
"cloudtrail:CreateTrail",
"cloudtrail:DeleteTrail",
"cloudtrail:StartLogging",
"cloudtrail:UpdateTrail"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:describeMetricFilters",
"logs:DescribeLogGroups",
"logs:PutMetricFilter",
"logs:DeleteMetricFilter",
"logs:CreateLogGroup"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:listSubscriptionsByTopic",
"sns:getTopicAttributes",
"sns:createTopic",
"sns:subscribe",
"sns:getTopicAttributes",
"sns:deleteTopic"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"config:describeConfigurationRecorders",
"config:describeConfigurationRecorderStatus",
"config:putConfigurationRecorder",
"config:startConfigurationRecorder",
"config:putDeliveryChannel",
"config:describeDeliveryChannels"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:describeInstances",
"ec2:describeSecurityGroups",
"ec2:describeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DescribeFlowLogs",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"es:ListTags",
"es:updateElasticsearchDomainConfig",
"es:describeElasticsearchDomainConfig",
"es:listDomainNames"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeTags"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"rds:DescribeEventSubscriptions",
"rds:describeDBInstances",
"rds:listTagsForResource",
"rds:ModifyDBInstance"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"organizations:ListAccounts"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ssm:describeInstanceInformation",
"ssm:getCommandInvocation",
"ssm:sendCommand"
],
"Resource": [
"*"
]
}
]
}

Use Cases and Permissions

Below are the minimum permissions required for BMC Helix Cloud Security Compliance and Remediation use cases to work.

AWS Services involved	Permissions needed for Compliance	Permissions needed for Remediation
S3	"s3:ListAllMyBuckets", "s3:GetBucketLogging", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketLocation", "s3:GetEncryptionConfiguration"	"s3:ListAllMyBuckets", "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:PutBucketLogging", "s3:PutBucketPolicy", "s3:GetBucketLocation", "s3:createBucket", "s3:getBucketAcl", "s3:PutBucketAcl", "s3:GetBucketTagging", "s3:ListBucket", "s3:GetEncryptionConfiguration"
ES	"es:ListTags", "es:describeElasticsearchDomainConfig", "es:listDomainNames"	"es:listTags", "es:describeElasticsearchDomainConfig", "es:listDomainNames", "es:updateElasticsearchDomainConfig"
Cloud Trail	"cloudtrail:listTags", "cloudtrail:getTrailStatus", "cloudtrail:describeTrails", "cloudtrail:GetEventSelectors"	"cloudtrail:listTags", "cloudtrail:getTrailStatus", "cloudtrail:describeTrails", "cloudtrail:UpdateTrail", "cloudtrail:StartLogging", "cloudtrail:stopLogging", "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail", "cloudtrail:GetEventSelectors" "logs:describeMetricFilters"
IAM	"iam:generateCredentialReport", "iam:getAccountPasswordPolicy", "iam:getAccountSummary", "iam:getCredentialReport", "iam:getPolicy", "iam:getPolicyVersion", "iam:getUser", "iam:listAccessKeys", "iam:listAttachedRolePolicies", "iam:listAttachedUserPolicies", "iam:listAttachedGroupPolicies", "iam:listEntitiesForPolicy", "iam:listPolicies", "iam:listRoles", "iam:listUserPolicies", "iam:ListGroupPolicies", "iam:ListVirtualMFADevices", "iam:ListGroupsForUser"	"iam:generateCredentialReport", "iam:getAccountPasswordPolicy", "iam:getAccountSummary", "iam:getCredentialReport", "iam:getPolicy", "iam:getPolicyVersion", "iam:getUser", "iam:listAccessKeys", "iam:listAttachedRolePolicies", "iam:listAttachedUserPolicies", "iam:listAttachedGroupPolicies", "iam:listEntitiesForPolicy", "iam:listPolicies", "iam:ListRolePolicies", "iam:ListGroupPolicies", "iam:listRoles", "iam:PassRole", "iam:DeleteRolePolicy", "iam:listUserPolicies", "iam:ListGroupsForUser", "iam:addUserToGroup", "iam:attachGroupPolicy", "iam:attachRolePolicy", "iam:createAccessKey", "iam:createGroup", "iam:createRole", "iam:deleteAccessKey", "iam:deleteLoginProfile", "iam:deleteUserPolicy", "iam:detachGroupPolicy", "iam:detachRolePolicy", "iam:detachUserPolicy", "iam:DeleteRole", "iam:getGroup", "iam:getRole", "iam:getUserPolicy", "iam:putGroupPolicy", "iam:putRolePolicy", "iam:simulatePrincipalPolicy", "iam:updateAccessKey", "iam:UpdateAccountPasswordPolicy" "iam:ListVirtualMFADevices", "iam:updateAssumeRolePolicy", "iam:listAccountAliases"
Cloud Watch	"Cloudwatch:describeAlarms" "Cloudwatch:GetMetricData", "Cloudwatch:ListMetrics"	"Cloudwatch:describeAlarms", "Cloudwatch:PutMetricAlarm"
Cloud Watch Logs	"cloudwatchlogs:describeMetricFilters"
RDS	"rds:DescribeEventSubscriptions", "rds:describeDBInstances", "rds:listTagsForResource"	"rds:describeDBInstances", "rds:listTagsForResource", "rds:DescribeEventSubscriptions" "rds:ModifyDBInstance"
KMS	"kms:DescribeKey", "kms:ListKeys", "kms:ListAliases",	"kms:DescribeKey", "kms:EnableKeyRotation", "kms:ListKeys", "kms:ListAliases", "kms:DisableKeyRotation" "kms:GetKeyRotationStatus", "kms:ListResourceTags" "kms:CreateKey"
SNS	"sns:listSubscriptionsByTopic"	"sns:listSubscriptionsByTopic", "sns:getTopicAttributes", "sns:createTopic", "sns:subscribe", "sns:getTopicAttributes", "sns:deleteTopic"
configService	"config:describeConfigurationRecorders", "config:describeConfigurationRecorderStatus", "config:describeDeliveryChannels"	"config:describeConfigurationRecorders", "config:describeConfigurationRecorderStatus", "config:describeDeliveryChannels", "config:putConfigurationRecorder", "config:startConfigurationRecorder", "config:putDeliveryChannel"
EC2	"ec2:describeInstances", "ec2:describeSecurityGroups", "ec2:describeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeFlowLogs"	"ec2:describeInstances", "ec2:describeSecurityGroups", "ec2:describeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeFlowLogs", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress"
Elastic Load Balancer	"elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeTags"	"elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeTags"
Logs	"logs:describeMetricFilters" "cloudwatchlogs:describeMetricFilters"	"logs:DescribeLogGroups", "logs:DescribeMetricFilters", "logs:PutMetricFilter", "logs:DeleteMetricFilter", "logs:CreateLogGroup"
Organisations		"organizations:ListAccounts"
SSM	"ssm:describeInstanceInformation", "ssm:getCommandInvocation", "ssm:sendCommand"	"ssm:describeInstanceInformation", "ssm:getCommandInvocation", "ssm:sendCommand"

If you select Cost on Minimum Permission for AWS Cloud Connector, please refer to this Page.

Minimum Permissions for AWS Connector

Creating custom IAM policies:

Compliance JSON

Compliance and Remediation JSON

Use Cases and Permissions

On this page