
Administration Guide

Customizing your configuration integration

You can customize your configuration integration to deny access to certain regions or resources so that they will not be scanned.

The following IAM policies are considered for effective permissions:

  • Organizational policies (SCP, RCP)

  • Identity policies (attached, inline, boundary)

We recommend placing them under identity policies. Organizational policies require administrator account integration. If the administrator account (management or delegated) is not part of the integrations, FortiCNAPP cannot collect these policies.

Use these examples as a foundation for creating your own custom policies.

The following example shows a policy that denies access to certain APIs in certain regions. To use this, you would attach it as a custom policy to the cross-account IAM role provided for this integration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "appflow:ListConnectors",
        "appconfig:GetDeployment"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2"
          ]
        }
      }
    }
  ]
}

The following example shows how to deny access to certain APIs across all regions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "appflow:ListConnectors",
        "appconfig:GetDeployment"
      ],
      "Resource": "*"
    }
  ]
}
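The two policies above only narrow what the cross-account role can do, and an explicit Deny always overrides any Allow, so it is worth checking their effect before attaching them. The following is an added example, not Fortinet's code: a small offline evaluator that loads both page policies, reports which planned scanner calls (constructed sample pairs of action and region) each one blocks, and lints a candidate custom policy so that it contains only Deny statements. The IAM model is deliberately simplified to Effect, Action, Resource and the aws:RequestedRegion StringEquals condition used on this page; the function names and the planned call list are assumptions for illustration.

```python
# Added example, not Fortinet's code: offline check of the deny policies on
# this page. Models only Effect, Action, Resource and the aws:RequestedRegion
# StringEquals condition; an explicit Deny wins over any Allow.
import json
from fnmatch import fnmatchcase

# The region-scoped deny policy from the page, embedded as a constant.
REGION_DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["appflow:ListConnectors", "appconfig:GetDeployment"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-east-2"]}
      }
    }
  ]
}
""")

# The all-regions deny policy from the page.
ALL_REGIONS_DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["appflow:ListConnectors", "appconfig:GetDeployment"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows Action, Resource and condition values as a string or a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, region):
    """True if the statement applies to this action, resource and region.
    Action names are case-insensitive and may contain '*' wildcards."""
    actions = [p.lower() for p in _as_list(stmt.get("Action", []))]
    if not any(fnmatchcase(action.lower(), pat) for pat in actions):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", []))):
        return False
    # Only the region condition used on this page is modelled.
    equals = stmt.get("Condition", {}).get("StringEquals", {})
    if "aws:RequestedRegion" in equals:
        if region not in _as_list(equals["aws:RequestedRegion"]):
            return False
    return True


def is_denied(policy, action, region, resource="*"):
    """One matching Deny statement is enough: explicit Deny overrides Allow."""
    return any(
        stmt.get("Effect") == "Deny" and _statement_matches(stmt, action, resource, region)
        for stmt in policy["Statement"]
    )


def blocked_calls(policy, planned_calls):
    """Return the (action, region) pairs the policy blocks, so the scope of a
    custom policy can be reviewed before it is attached to the role."""
    return [(a, r) for a, r in planned_calls if is_denied(policy, a, r)]


def lint_custom_policy(policy):
    """Problems that make a policy unsuitable as a scope-narrowing custom
    policy: anything other than Deny statements would widen access."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            problems.append(f"statement {i}: Effect {stmt.get('Effect')!r} widens access; use Deny")
        if not stmt.get("Action"):
            problems.append(f"statement {i}: no Action listed")
    return problems


if __name__ == "__main__":
    # Constructed sample of calls a collector might make (hypothetical list).
    planned = [
        ("appflow:ListConnectors", "us-east-1"),
        ("appflow:ListConnectors", "eu-west-1"),
        ("ec2:DescribeInstances", "us-east-1"),
    ]
    print("region-scoped policy blocks:", blocked_calls(REGION_DENY_POLICY, planned))
    print("all-regions policy blocks:", blocked_calls(ALL_REGIONS_DENY_POLICY, planned))
    print("lint:", lint_custom_policy(REGION_DENY_POLICY) or "ok")
```

Running the script prints that the region-scoped policy blocks only the us-east-1 call to appflow:ListConnectors, while the all-regions policy also blocks the eu-west-1 call; ec2:DescribeInstances is untouched by both. The linter flags any Allow statement because a custom policy meant to exclude regions or resources from scanning should only ever remove permissions from the role.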

For resources that encountered errors during configuration collection, the errorType in policy evaluations now shows as CSPAccessNotAvailableError where applicable, specifically in cases that were previously reported as CSPAccessDeniedError.

CSPAccessDeniedError can still get reported for some resources. This happens when the decision to collect turns out to be incorrect due to insufficient or outdated information available to the configuration collector (scanner).
