Appendix A: Amazon Policy Usage
Communication between AWS and FortiCASB requires granting FortiCASB with permissions to access AWS account resource configuration settings. The method is done through creating custom policy on AWS in JSON format in AWS for .
Below are lists of the AWS services/policies used and the corresponding reasoning to be used in FortiCASB.
FortiCASB Basic Permission
| Service | Policy in JSON Format | Permission Purpose |
| RDS |
"rds:Describe*" "rds:DownloadDBLogFilePortion" "rds:ListTagsForResource" |
1. FortiCASB Resource List 2. RDS profile 3. RDS Topology 4. RDS Risk assessment |
| "rds:ModifyDBInstance" | 1. Allow autofix feature of RDS Risk assessment policy "RDS instances should not be publicly accessible". | |
| EFS | "elasticfilesystem:Describe*" |
1. FortiCASB Resource List 2. EFS profile 3. EFS Risk assessment |
| ELB | "elasticloadbalancing:Describe*" |
1. FortiCASB Resource List 2. Listener, Load Balancer, Target Group profile 3. ELB Topology 4. ELB Risk assessment |
| "elasticloadbalancing:ModifyLoadBalancer Attributes" | 1. Allow autofix feature of ELB Risk assessment policy "ELB/ALB deletion protection should be enabled". | |
| Certificate Manager |
"acm:List*" "acm:Describe*" |
1. FortiCASB Resource List 2. ACM Certificate profile 3. ACM Certificate Risk assessment |
| CloudFront |
"cloudfront:List*" "cloudfront:Get*" |
1. FortiCASB Resource List 2. CloudFront profile 3. CloudFront Risk assessment |
| "cloudfront:UpdateDistribution" | 1. Allow autofix feature of CloudFront Risk assessment policy "CloudFront should use secure ciphers for distribution". | |
| EKS |
"eks:ListUpdates" "eks:DescribeUpdate" "eks:DescribeCluster" "eks:ListClusters" |
1. FortiCASB Resource List 2. EKS profile 3. EKS Topology |
| KMS |
"kms:List*" "kms:Describe*" "kms:Get*" |
1. FortiCASB Resource List 2. KMS Key profile 3. KMS Risk assessment |
| "kms:EnableKeyRotation" | 1. Allow autofix feature of KMS Risk assessment policy "KMS key rotation should be enabled". | |
| Lambda |
"lambda:List*" "lambda:GetPolicy" |
1. FortiCASB Resource List 2. Lambda profile 3. Lambda Risk assessment |
| SQS |
"sqs:ReceiveMessage" "sqs:GetQueueUrl" "sqs:GetQueueAttributes" "sqs:ListQueueTags" "sqs:ListQueues" "sqs:ListDeadLetterSourceQueues" |
1. FortiCASB Resource List 2. SQS profile 3. SQS Risk assessment |
|
"sqs:TagQueue" "sqs:UntagQueue" "sqs:ChangeMessageVisibility "sqs:ChangeMessageVisibilityBatch" "sqs:CreateQueue" "sqs:DeleteMessage" "sqs:DeleteMessageBatch" "sqs:DeleteQueue" "sqs:PurgeQueue" "sqs:SendMessage" "sqs:SendMessageBatch" "sqs:SetQueueAttributes" |
1. FortiCASB Notification’s integration with AWS SQS service | |
| IAM |
"iam:List*" "iam:SimulateCustomPolicy" "iam:GenerateCredentialReport" "iam:Get*" "iam:SimulatePrincipalPolicy" |
1. FortiCASB Resource List 2. IAM profile 3. IAM Risk assessment |
| "iam:UpdateAccountPasswordPolicy" | 1. Allow autofix feature of Redshift Risk assessment policy "Password requirements should be enforced". | |
| Redshift | "redshift:Describe*" |
1. FortiCASB Resource List 2. Redshift profile 3. Redshift Risk assessment |
|
"redshift:Describe*" "redshift:ModifyClusterParameterGroup" |
1. Allow autofix feature of Redshift Risk assessment policy "Redshift database should use SSL for connections". | |
| Elastic Container Service | "ecs:Describe*" "ecs:List*" |
1. FortiCASB Resource List 2. ECS profile 3. ECS Topology |
| EC2 |
"ec2:Describe* "ec2:SearchTransitGatewayRoutes "ec2:GetTransitGatewayAttachmentPropagations "ec2:GetTransitGatewayRouteTablePropagations "ec2:GetTransitGatewayRouteTableAssociations" |
1. FortiCASB Resource List 2. VPC, Route Table, Subnet, Network ACL, Security Group, Machine Image(AMI), EC2, EBS volume, EBS snapshot profile 3. VPC, Subnet, Network ACL, Security Group, EC2 Topology 4. VPC, Subnet, Security Group, AMI, EC2, EBS Risk assessment |
|
"ec2:ModifySnapshotAttribute" "ec2:RevokeSecurityGroupEgress "ec2:RevokeSecurityGroupIngress" |
1. Allow autofix feature of EBS Risk assessment policy "EBS snapshots should not be publicly accessible". 2. Allow autofix feature of Security Group Risk assessment policy "Default Security Group should block all inbound traffic". |
|
| CloudWatch Logs |
"logs:Get*" "logs:Describe*" "logs:FilterLogEvents" |
1. Feature "Traffic" on FortiCASB |
| Glacier |
"glacier:ListVaults" "glacier:GetVaultAccessPolicy" |
1. FortiCASB Resource List 2. Glacier profile 3. Glacier Risk assessment |
| CloudFormation |
"cloudformation:ListStack*" "cloudformation:GetTemplate" "cloudformation:DescribeStack*" |
1. FortiCASB Resource List 2. CloudFormation profile 3. CloudFormation Risk assessment |
| S3 |
"s3:GetBucket*" "s3:GetReplicationConfiguration" "s3:GetLifecycleConfiguration" "s3:GetInventoryConfiguration" "s3:ListBucket" "s3:ListBucketMultipartUploads "s3:GetAccountPublicAccessBlock" "s3:ListAllMyBuckets" "s3:GetObjectVersion" "s3:GetObjectVersionTagging" "s3:GetObjectAcl" "s3:GetObjectVersionAcl" "s3:HeadBucket" "s3:ListMultipartUploadParts" "s3:GetObject" "s3:GetAnalyticsConfiguration "s3:GetObjectVersionForReplication" "s3:ListBucketByTags" "s3:ListBucketVersions" "s3:GetAccelerateConfiguration" "s3:GetObjectVersionTorrent" "s3:GetEncryptionConfiguration" "s3:GetObjectTagging" "s3:GetMetricsConfiguration" "s3:GetObjectTorrent" |
1. FortiCASB Resource List 2. S3 bucket profile 3. S3 Risk assessment 4. Feature "Buckets" on FortiCASB |
|
"s3:PutBucketVersioning" "s3:PutBucketAcl" "s3:PutBucketPolicy" "s3:PutObjectAcl" "s3:PutObjectVersionAcl" |
1. Allow autofix feature of S3 Risk assessment policy "S3 buckets should not be publicly available". | |
| Pinpoint Email /SES |
"ses:List*" "ses:Get*" |
1. FortiCASB Resource List 2. SES profile 3. SES Risk assessment |
| CloudTrail |
"cloudtrail:GetTrailStatus" "cloudtrail:LookupEvents" "cloudtrail:DescribeTrails" "cloudtrail:ListTags" "cloudtrail:GetEventSelectors" |
1. FortiCASB Resource List 2. CloudTrail profile 3. CloudTrail Risk assessment 4. Feature "Activity" on FortiCASB |
|
"cloudtrail:StartLogging" "cloudtrail:UpdateTrail" |
1. Allow autofix feature of CloudTrail Risk assessment policy "CloudTrail bucket should not be publicly accessible". | |
| Elasticsearch Service |
"es:List*" "es:Describe*" |
1. FortiCASB Resource List 2. ElasticSearch profile 3. ElasticSearch Risk assessment |
| Route 53 |
"route53:ListTrafficPolicyVersions" "route53:GetHealthCheck" "route53:ListHostedZonesByName" "route53:GetHostedZoneCount" "route53:GetHealthCheckLastFailureReason" "route53:ListVPCAssociationAuthorizations" "route53:GetReusableDelegationSetLimit" "route53:ListTagsForResources" "route53:GetAccountLimit" "route53:GetGeoLocation" "route53:GetTrafficPolicy" "route53:ListQueryLoggingConfigs" "route53:GetCheckerIpRanges" "route53:ListGeoLocations" "route53:GetTrafficPolicyInstance" "route53:ListHostedZones" "route53:ListTagsForResource" "route53:ListHealthChecks" "route53:GetHostedZone" "route53:ListResourceRecordSets" "route53:GetHealthCheckCount" "route53:ListReusableDelegationSets" "route53:ListTrafficPolicyInstancesByHostedZone" "route53:GetHostedZoneLimit "route53:ListTrafficPolicyInstances" "route53:GetTrafficPolicyInstanceCount" "route53:GetChange" "route53:ListTrafficPolicies" "route53:GetQueryLoggingConfig" "route53:GetHealthCheckStatus" "route53:GetReusableDelegationSet" "route53:ListTrafficPolicyInstancesByPolicy" |
1. FortiCASB Resource List 2. Route53 profile 3. Route53 Risk assessment |
| SNS |
"sns:Get*" "sns:*" |
1. FortiCASB Resource List 2. SQS profile 3. SQS Risk assessment |
| "sns:*" | 1. FortiCASB Notification’s integration with AWS SNS service | |
| CloudWatch | "cloudwatch:Describe*" | 3. CloudWatch Risk assessment |