Create a Post
Stuart_Green1
Employee
Employee

Onboarding AWS Organizations to CSPM

4 Replies
Ken1
Explorer

Do I have enough permissions for the ReadOnly policy in AWS?
I'm getting a missing permission error in the WebUI. There is also a difference with the JSON specified for onboarding.

"Sid": "Dome9ReadOnly",
"Action": [
"apigateway:GET",
"athena:GetQueryExecution",
"athena:GetWorkGroup",
"backup:ListBackupVaults",
"cognito-identity:DescribeIdentityPool",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeRiskConfiguration",
"dynamodb:ListTagsOfResource",
"ec2:SearchTransitGatewayRoutes",
"elasticfilesystem:Describe*",
"elasticache:ListTagsForResource",
"es:ListTags",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"glue:GetConnections",
"glue:GetSecurityConfigurations",
"kafka:ListClusters",
"kinesis:List*",
"kinesis:Describe*",
"kinesisvideo:Describe*",
"kinesisvideo:List*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:ListLogDeliveries",
"mq:DescribeBroker",
"mq:ListBrokers",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeLoggingConfiguration",
"network-firewall:ListFirewalls",
"personalize:DescribeDatasetGroup",
"personalize:ListDatasetGroups",
"s3:List*",
"secretsmanager:DescribeSecret",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:GetPlatformApplicationAttributes",
"sns:ListPlatformApplications",
"states:DescribeStateMachine",
"transcribe:Get*",
"transcribe:List*",
"translate:GetTerminology",
"waf-regional:ListResourcesForWebACL",
"wafv2:ListWebACLs",
"wafv2:ListResourcesForWebACL",
"eks:ListFargateProfiles",
"eks:DescribeFargateProfile"
],

0 Kudos
Shay_Levin
Admin
Admin

Did you add the SecurityAudit’ (AWS managed policy) to the role ?

0 Kudos
Ken1
Explorer

Sorry, I'm taking about yaml of CloudFormation.

https://github.com/dome9/onboarding-scripts/tree/master/AWS/cloudformation

I think ReadOnly policy does not have enough permissions.

0 Kudos
Guyshteinberg
Employee
Employee

Hello,

 

You are correct, on the given repo the readonly policy is outdated.

I have created a new repo that will always have the most updated readonly policy - https://github.com/dome9/policies

We are changing the concept of onboarding so there will be many improvements in the near months.

 

Thanks,

Guy Shteinberg