Stuart_Green1
Employee

Onboarding AWS Organizations to CSPM

4 Replies
Ken1
Participant

Do I have enough permissions for the ReadOnly policy in AWS?
I'm getting a missing permission error in the WebUI. There is also a difference with the JSON specified for onboarding.

```json
"Sid": "Dome9ReadOnly",
"Action": [
"apigateway:GET",
"athena:GetQueryExecution",
"athena:GetWorkGroup",
"backup:ListBackupVaults",
"cognito-identity:DescribeIdentityPool",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeRiskConfiguration",
"dynamodb:ListTagsOfResource",
"ec2:SearchTransitGatewayRoutes",
"elasticfilesystem:Describe*",
"elasticache:ListTagsForResource",
"es:ListTags",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"glue:GetConnections",
"glue:GetSecurityConfigurations",
"kafka:ListClusters",
"kinesis:List*",
"kinesis:Describe*",
"kinesisvideo:Describe*",
"kinesisvideo:List*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:ListLogDeliveries",
"mq:DescribeBroker",
"mq:ListBrokers",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeLoggingConfiguration",
"network-firewall:ListFirewalls",
"personalize:DescribeDatasetGroup",
"personalize:ListDatasetGroups",
"s3:List*",
"secretsmanager:DescribeSecret",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:GetPlatformApplicationAttributes",
"sns:ListPlatformApplications",
"states:DescribeStateMachine",
"transcribe:Get*",
"transcribe:List*",
"translate:GetTerminology",
"waf-regional:ListResourcesForWebACL",
"wafv2:ListWebACLs",
"wafv2:ListResourcesForWebACL",
"eks:ListFargateProfiles",
"eks:DescribeFargateProfile"
],
```

0 Kudos
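The question above ("do I have enough permissions?") is easiest to answer by comparing the actions the onboarding policy asks for against what the role's attached policies actually grant, honoring IAM-style wildcards such as `logs:Get*` and giving explicit `Deny` statements precedence. The script below is an added example, not code from the thread or from the dome9 repositories; the required action list is a small subset of the Dome9ReadOnly statement shown above, and the attached policy documents are constructed samples standing in for what you would fetch from the role (e.g. via `aws iam get-role-policy` / `aws iam get-policy-version`). It checks the `Action` field only and assumes `Resource: "*"` without conditions, which is how the CSPM read-only policy is written; resource-scoped or conditional statements would need the IAM policy simulator instead.

```python
import fnmatch
import json

# Constructed sample: a subset of the actions in the onboarding policy's Dome9ReadOnly statement.
REQUIRED_ACTIONS = [
    "apigateway:GET",
    "athena:GetQueryExecution",
    "elasticfilesystem:DescribeFileSystems",  # covered by elasticfilesystem:Describe* in the reference policy
    "kinesis:ListStreams",                     # covered by kinesis:List* in the reference policy
    "logs:GetLogEvents",                       # covered by logs:Get* in the reference policy
    "s3:ListAllMyBuckets",                     # covered by s3:List* in the reference policy
    "eks:DescribeFargateProfile",
]

# Constructed sample: policy documents attached to a hypothetical onboarding role.
# In practice these would be the inline and managed policies fetched from IAM.
ATTACHED_POLICY_DOCUMENTS = [
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:List*", "logs:Get*", "athena:GetQueryExecution"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:GetLogEvents", "Resource": "*"}
      ]
    }"""),
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": {"Effect": "Allow", "Action": "eks:Describe*", "Resource": "*"}
    }"""),
]


def _as_list(value):
    """IAM allows a string, a list, or (for Statement) a single object; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def collect_actions(document):
    """Return (allow_patterns, deny_patterns) from one policy document's Action fields."""
    allowed, denied = [], []
    for statement in _as_list(document.get("Statement")):
        if not isinstance(statement, dict):
            continue
        target = allowed if statement.get("Effect") == "Allow" else denied
        target.extend(_as_list(statement.get("Action")))
    return allowed, denied


def missing_actions(required, documents):
    """Required actions that are explicitly denied or not matched by any Allow pattern."""
    allowed, denied = [], []
    for document in documents:
        allow_patterns, deny_patterns = collect_actions(document)
        allowed.extend(allow_patterns)
        denied.extend(deny_patterns)

    missing = []
    for action in required:
        if any(_matches(pattern, action) for pattern in denied):
            missing.append(action)  # an explicit Deny always overrides an Allow
        elif not any(_matches(pattern, action) for pattern in allowed):
            missing.append(action)  # nothing grants it
    return missing


if __name__ == "__main__":
    gaps = missing_actions(REQUIRED_ACTIONS, ATTACHED_POLICY_DOCUMENTS)
    if gaps:
        print("Role is missing permissions required by the onboarding policy:")
        for action in gaps:
            print("  -", action)
    else:
        print("Role grants every required action.")
```

For a live role, the same `REQUIRED_ACTIONS` list can be passed to `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ...`, which also evaluates resource constraints and conditions that this offline check deliberately ignores.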
Shay_Levin
Admin

Did you add the SecurityAudit (AWS managed policy) to the role?

0 Kudos
Ken1
Participant

Sorry, I'm talking about the YAML of CloudFormation.

https://github.com/dome9/onboarding-scripts/tree/master/AWS/cloudformation

I think the ReadOnly policy does not have enough permissions.

0 Kudos
Guyshteinberg
Employee

Hello,

You are correct; in the given repo the readonly policy is outdated.

I have created a new repo that will always have the most updated readonly policy - https://github.com/dome9/policies

We are changing the concept of onboarding, so there will be many improvements in the coming months.

Thanks,

Guy Shteinberg
