This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StuartGreen
Employee
Employee
‎2021-02-23 02:03 AM

Onboarding AWS Organizations to CSPM

(view in My Videos)

 

Resources:

https://github.com/dome9/onboarding-scripts

4 Replies
Ken1
Participant
‎2021-08-02 07:22 PM

Do I have enough permissions for the ReadOnly policy in AWS?
I'm getting a missing permission error in the WebUI. There is also a difference with the JSON specified for onboarding.

"Sid": "Dome9ReadOnly",
"Action": [
"apigateway:GET",
"athena:GetQueryExecution",
"athena:GetWorkGroup",
"backup:ListBackupVaults",
"cognito-identity:DescribeIdentityPool",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeRiskConfiguration",
"dynamodb:ListTagsOfResource",
"ec2:SearchTransitGatewayRoutes",
"elasticfilesystem:Describe*",
"elasticache:ListTagsForResource",
"es:ListTags",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"glue:GetConnections",
"glue:GetSecurityConfigurations",
"kafka:ListClusters",
"kinesis:List*",
"kinesis:Describe*",
"kinesisvideo:Describe*",
"kinesisvideo:List*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:ListLogDeliveries",
"mq:DescribeBroker",
"mq:ListBrokers",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeLoggingConfiguration",
"network-firewall:ListFirewalls",
"personalize:DescribeDatasetGroup",
"personalize:ListDatasetGroups",
"s3:List*",
"secretsmanager:DescribeSecret",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:GetPlatformApplicationAttributes",
"sns:ListPlatformApplications",
"states:DescribeStateMachine",
"transcribe:Get*",
"transcribe:List*",
"translate:GetTerminology",
"waf-regional:ListResourcesForWebACL",
"wafv2:ListWebACLs",
"wafv2:ListResourcesForWebACL",
"eks:ListFargateProfiles",
"eks:DescribeFargateProfile"
],

0 Kudos
Shay_Levin
Admin
Admin
‎2021-08-12 02:33 AM
In response to Ken1

Did you add the SecurityAudit’ (AWS managed policy) to the role ?

0 Kudos
Ken1
Participant
‎2021-09-28 05:46 PM
In response to Shay_Levin

Sorry, I'm taking about yaml of CloudFormation.

https://github.com/dome9/onboarding-scripts/tree/master/AWS/cloudformation

I think ReadOnly policy does not have enough permissions.

0 Kudos
Guyshteinberg
Employee
Employee
‎2021-10-04 11:02 PM
In response to Ken1

Hello,

 

You are correct, on the given repo the readonly policy is outdated.

I have created a new repo that will always have the most updated readonly policy - https://github.com/dome9/policies

We are changing the concept of onboarding so there will be many improvements in the near months.

 

Thanks,

Guy Shteinberg

UPCOMING CLOUDMATES EVENTS
    All CloudMates Events