Onboarding AWS Organizations to CSPM
Do I have enough permissions for the ReadOnly policy in AWS?
I'm getting a missing permission error in the WebUI. There is also a difference with the JSON specified for onboarding.
```json
"Sid": "Dome9ReadOnly",
"Action": [
    "apigateway:GET",
    "athena:GetQueryExecution",
    "athena:GetWorkGroup",
    "backup:ListBackupVaults",
    "cognito-identity:DescribeIdentityPool",
    "cognito-idp:DescribeUserPool",
    "cognito-idp:DescribeRiskConfiguration",
    "dynamodb:ListTagsOfResource",
    "ec2:SearchTransitGatewayRoutes",
    "elasticfilesystem:Describe*",
    "elasticache:ListTagsForResource",
    "es:ListTags",
    "eks:DescribeNodegroup",
    "eks:ListNodegroups",
    "glue:GetConnections",
    "glue:GetSecurityConfigurations",
    "kafka:ListClusters",
    "kinesis:List*",
    "kinesis:Describe*",
    "kinesisvideo:Describe*",
    "kinesisvideo:List*",
    "logs:Get*",
    "logs:FilterLogEvents",
    "logs:ListLogDeliveries",
    "mq:DescribeBroker",
    "mq:ListBrokers",
    "network-firewall:DescribeFirewall",
    "network-firewall:DescribeLoggingConfiguration",
    "network-firewall:ListFirewalls",
    "personalize:DescribeDatasetGroup",
    "personalize:ListDatasetGroups",
    "s3:List*",
    "secretsmanager:DescribeSecret",
    "sns:ListSubscriptions",
    "sns:ListTagsForResource",
    "sns:GetPlatformApplicationAttributes",
    "sns:ListPlatformApplications",
    "states:DescribeStateMachine",
    "transcribe:Get*",
    "transcribe:List*",
    "translate:GetTerminology",
    "waf-regional:ListResourcesForWebACL",
    "wafv2:ListWebACLs",
    "wafv2:ListResourcesForWebACL",
    "eks:ListFargateProfiles",
    "eks:DescribeFargateProfile"
],
```
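As an added example (not Check Point/Dome9 code and not from this thread): a small offline check that lists which actions required by the onboarding statement are not covered by the policy actually attached to the role, using IAM-style wildcard matching. The required list is a constructed excerpt of the statement above and the attached policy is a constructed sample of an older role policy.

```python
import json
import re

# Constructed excerpt of the Dome9ReadOnly actions quoted in the post.
REQUIRED_ACTIONS = [
    "apigateway:GET",
    "eks:ListFargateProfiles",
    "eks:DescribeFargateProfile",
    "kinesis:List*",
    "kinesis:Describe*",
    "s3:List*",
    "wafv2:ListResourcesForWebACL",
]

# Constructed sample of an older role policy (the PolicyDocument part of `aws iam get-role-policy`).
ATTACHED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["apigateway:GET", "eks:List*", "s3:ListAllMyBuckets"]},
        {"Effect": "Allow", "Resource": "*", "Action": "kinesis:*"},
        {"Effect": "Deny", "Resource": "*", "Action": "wafv2:*"},
    ],
})

def _pattern_to_regex(granted):
    # IAM action matching is case-insensitive; '*' is any run, '?' one character.
    # A '?' in the granted pattern must not swallow a '*' in a required pattern.
    parts = []
    for ch in granted:
        parts.append(".*" if ch == "*" else "[^*]" if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def allowed_action_patterns(policy_json):
    # Only Allow statements with an Action key count; Deny, NotAction and
    # Condition are not evaluated here (static check, not the IAM policy simulator).
    stmts = json.loads(policy_json)["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    patterns = []
    for stmt in stmts:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            acts = stmt["Action"]
            patterns.extend([acts] if isinstance(acts, str) else acts)
    return patterns

def missing_actions(required, policy_json):
    # Required entries (wildcards included) that no Allow pattern fully covers.
    regexes = [_pattern_to_regex(p) for p in allowed_action_patterns(policy_json)]
    return [r for r in required if not any(rx.match(r) for rx in regexes)]
```

Running `missing_actions(REQUIRED_ACTIONS, ATTACHED_POLICY)` on the sample reports the EKS Fargate describe call, the `s3:List*` wildcard (only one List action is granted) and the WAFv2 action (only denied), which is the kind of gap behind a "missing permission" error in the WebUI.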
Did you add the SecurityAudit (AWS managed policy) to the role?
Sorry, I'm talking about the CloudFormation YAML.
https://github.com/dome9/onboarding-scripts/tree/master/AWS/cloudformation
I think the ReadOnly policy does not have enough permissions.
Hello,
You are correct, in the given repo the readonly policy is outdated.
I have created a new repo that will always have the most updated readonly policy - https://github.com/dome9/policies
We are changing the onboarding concept, so there will be many improvements in the coming months.
Thanks,
Guy Shteinberg