Appendix A - Cloud Protection Amazon Policy Usage

Communication between AWS and FortiCNP requires granting FortiCNP permissions to read the resource configuration of the AWS account. This is done by creating a custom IAM policy, in JSON format, in AWS.

The tables below list the AWS services and IAM actions that FortiCNP uses and the FortiCNP feature each permission serves. For each service, the first group of actions covers inventory (Resource List), profiles, topology and risk assessment; where a second group is listed, it is needed only for the feature named under it, usually the autofix of one specific risk assessment policy, or the Notification integration with SQS and SNS. Keep the two groups in separate policy statements so the write-capable actions can be left out when autofix is not used, and note that the "sns:*", "securityhub:*", "inspector:*" and "guardduty:*" entries are service-wide wildcards that allow every action in those services.

FortiCNP Basic Permission

Each entry gives the service, the IAM actions to allow (the "Policy in JSON Format" column) and the FortiCNP features those actions serve (the "Permission Purpose" column). "Additional actions" are a second group that is only needed for the purpose listed directly under it.

RDS
Actions: "rds:Describe*", "rds:DownloadDBLogFilePortion", "rds:ListTagsForResource"
Purpose:
1. FortiCNP Resource List
2. RDS profile
3. RDS Topology
4. RDS Risk assessment
Additional actions: "rds:ModifyDBInstance"
Purpose:
1. Allow the autofix feature of the RDS Risk assessment policy "RDS instances should not be publicly accessible".

EFS
Actions: "elasticfilesystem:Describe*"
Purpose:
1. FortiCNP Resource List
2. EFS profile
3. EFS Risk assessment

ELB
Actions: "elasticloadbalancing:Describe*"
Purpose:
1. FortiCNP Resource List
2. Listener, Load Balancer, Target Group profile
3. ELB Topology
4. ELB Risk assessment
Additional actions: "elasticloadbalancing:ModifyLoadBalancerAttributes"
Purpose:
1. Allow the autofix feature of the ELB Risk assessment policy "ELB/ALB deletion protection should be enabled".

Certificate Manager
Actions: "acm:List*", "acm:Describe*"
Purpose:
1. FortiCNP Resource List
2. ACM Certificate profile
3. ACM Certificate Risk assessment

CloudFront
Actions: "cloudfront:List*", "cloudfront:Get*"
Purpose:
1. FortiCNP Resource List
2. CloudFront profile
3. CloudFront Risk assessment
Additional actions: "cloudfront:UpdateDistribution"
Purpose:
1. Allow the autofix feature of the CloudFront Risk assessment policy "CloudFront should use secure ciphers for distribution".

EKS
Actions: "eks:ListUpdates", "eks:DescribeUpdate", "eks:DescribeCluster", "eks:ListClusters"
Purpose:
1. FortiCNP Resource List
2. EKS profile
3. EKS Topology

KMS
Actions: "kms:List*", "kms:Describe*", "kms:Get*"
Purpose:
1. FortiCNP Resource List
2. KMS Key profile
3. KMS Risk assessment
Additional actions: "kms:EnableKeyRotation"
Purpose:
1. Allow the autofix feature of the KMS Risk assessment policy "KMS key rotation should be enabled".

Lambda
Actions: "lambda:List*", "lambda:GetPolicy"
Purpose:
1. FortiCNP Resource List
2. Lambda profile
3. Lambda Risk assessment

SQS
Actions: "sqs:ReceiveMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes", "sqs:ListQueueTags", "sqs:ListQueues", "sqs:ListDeadLetterSourceQueues"
Purpose:
1. FortiCNP Resource List
2. SQS profile
3. SQS Risk assessment
Additional actions: "sqs:TagQueue", "sqs:UntagQueue", "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:DeleteQueue", "sqs:PurgeQueue", "sqs:SendMessage", "sqs:SendMessageBatch", "sqs:SetQueueAttributes"
Purpose:
1. FortiCNP Notification integration with the AWS SQS service

IAM
Actions: "iam:List*", "iam:SimulateCustomPolicy", "iam:GenerateCredentialReport", "iam:Get*", "iam:SimulatePrincipalPolicy"
Purpose:
1. FortiCNP Resource List
2. IAM profile
3. IAM Risk assessment
Additional actions: "iam:UpdateAccountPasswordPolicy"
Purpose:
1. Allow the autofix feature of the IAM Risk assessment policy "Password requirements should be enforced".

Redshift
Actions: "redshift:Describe*"
Purpose:
1. FortiCNP Resource List
2. Redshift profile
3. Redshift Risk assessment
Additional actions: "redshift:Describe*", "redshift:ModifyClusterParameterGroup"
Purpose:
1. Allow the autofix feature of the Redshift Risk assessment policy "Redshift database should use SSL for connections".

Elastic Container Service
Actions: "ecs:Describe*", "ecs:List*"
Purpose:
1. FortiCNP Resource List
2. ECS profile
3. ECS Topology

EC2
Actions: "ec2:Describe*", "ec2:SearchTransitGatewayRoutes", "ec2:GetTransitGatewayAttachmentPropagations", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:GetTransitGatewayRouteTableAssociations"
Purpose:
1. FortiCNP Resource List
2. VPC, Route Table, Subnet, Network ACL, Security Group, Machine Image (AMI), EC2, EBS volume, EBS snapshot profile
3. VPC, Subnet, Network ACL, Security Group, EC2 Topology
4. VPC, Subnet, Security Group, AMI, EC2, EBS Risk assessment
Additional actions: "ec2:ModifySnapshotAttribute", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress"
Purpose:
1. Allow the autofix feature of the EBS Risk assessment policy "EBS snapshots should not be publicly accessible".
2. Allow the autofix feature of the Security Group Risk assessment policy "Default Security Group should block all inbound traffic".

CloudWatch Logs
Actions: "logs:Get*", "logs:Describe*", "logs:FilterLogEvents"
Purpose:
1. Feature "Traffic" on FortiCNP

Glacier
Actions: "glacier:ListVaults", "glacier:GetVaultAccessPolicy"
Purpose:
1. FortiCNP Resource List
2. Glacier profile
3. Glacier Risk assessment

CloudFormation
Actions: "cloudformation:ListStack*", "cloudformation:GetTemplate", "cloudformation:DescribeStack*"
Purpose:
1. FortiCNP Resource List
2. CloudFormation profile
3. CloudFormation Risk assessment

S3
Actions: "s3:GetBucket*", "s3:GetReplicationConfiguration", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets", "s3:GetObjectVersion", "s3:GetObjectVersionTagging", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:HeadBucket", "s3:ListMultipartUploadParts", "s3:GetObject", "s3:GetAnalyticsConfiguration", "s3:GetObjectVersionForReplication", "s3:ListBucketByTags", "s3:ListBucketVersions", "s3:GetAccelerateConfiguration", "s3:GetObjectVersionTorrent", "s3:GetEncryptionConfiguration", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:GetObjectTorrent"
Purpose:
1. FortiCNP Resource List
2. S3 bucket profile
3. S3 Risk assessment
4. Feature "Buckets" on FortiCNP
Additional actions: "s3:PutBucketVersioning", "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"
Purpose:
1. Allow the autofix feature of the S3 Risk assessment policy "S3 buckets should not be publicly available".

Pinpoint Email / SES
Actions: "ses:List*", "ses:Get*"
Purpose:
1. FortiCNP Resource List
2. SES profile
3. SES Risk assessment

CloudTrail
Actions: "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents", "cloudtrail:DescribeTrails", "cloudtrail:ListTags", "cloudtrail:GetEventSelectors"
Purpose:
1. FortiCNP Resource List
2. CloudTrail profile
3. CloudTrail Risk assessment
4. Feature "Activity" on FortiCNP
Additional actions: "cloudtrail:StartLogging", "cloudtrail:UpdateTrail"
Purpose:
1. Allow the autofix feature of the CloudTrail Risk assessment policy "CloudTrail bucket should not be publicly accessible".

Elasticsearch Service
Actions: "es:List*", "es:Describe*"
Purpose:
1. FortiCNP Resource List
2. Elasticsearch profile
3. Elasticsearch Risk assessment

Route 53
Actions: "route53:ListTrafficPolicyVersions", "route53:GetHealthCheck", "route53:ListHostedZonesByName", "route53:GetHostedZoneCount", "route53:GetHealthCheckLastFailureReason", "route53:ListVPCAssociationAuthorizations", "route53:GetReusableDelegationSetLimit", "route53:ListTagsForResources", "route53:GetAccountLimit", "route53:GetGeoLocation", "route53:GetTrafficPolicy", "route53:ListQueryLoggingConfigs", "route53:GetCheckerIpRanges", "route53:ListGeoLocations", "route53:GetTrafficPolicyInstance", "route53:ListHostedZones", "route53:ListTagsForResource", "route53:ListHealthChecks", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:GetHealthCheckCount", "route53:ListReusableDelegationSets", "route53:ListTrafficPolicyInstancesByHostedZone", "route53:GetHostedZoneLimit", "route53:ListTrafficPolicyInstances", "route53:GetTrafficPolicyInstanceCount", "route53:GetChange", "route53:ListTrafficPolicies", "route53:GetQueryLoggingConfig", "route53:GetHealthCheckStatus", "route53:GetReusableDelegationSet", "route53:ListTrafficPolicyInstancesByPolicy"
Purpose:
1. FortiCNP Resource List
2. Route53 profile
3. Route53 Risk assessment

SNS
Actions: "sns:Get*", "sns:*"
Purpose:
1. FortiCNP Resource List
2. SNS profile
3. SNS Risk assessment
Additional actions: "sns:*"
Purpose:
1. FortiCNP Notification integration with the AWS SNS service

CloudWatch
Actions: "cloudwatch:Describe*"
Purpose:
1. CloudWatch Risk assessment

FortiCNP Integration Permission

SecurityHub
Actions: "securityhub:*"
Purpose:
1. FortiCNP Integration Alerts for SecurityHub

Inspector
Actions: "inspector:*"
Purpose:
1. FortiCNP Integration Alerts for Inspector

GuardDuty
Actions: "guardduty:*"
Purpose:
1. FortiCNP Integration Alerts for GuardDuty
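The custom policy described at the top of this page can be assembled directly from the action lists above. The script below is an added example, not Fortinet's tooling and not a policy shipped with FortiCNP. It builds the policy document with one statement per permission class (the Sids FortiCNPReadOnly, FortiCNPAutofix, FortiCNPNotifications and FortiCNPIntegrations and the Resource "*" scoping are this example's own choices; the page gives no resource ARNs), prints the JSON for pasting into the IAM console, and lints it for what a reviewer would look for before granting it to an external service: malformed action names (the copy-paste error that produces "ModifyLoadBalancer Attributes"), service-wide wildcards, write-capable actions that have drifted into the read-only statement, actions that return data rather than configuration, and the IAM managed-policy size quota. The "sns:*" entry, which the page lists in both SNS rows, is carried once, in the notifications statement.

```python
"""Build the FortiCNP IAM policy document from the action lists on this page and
lint it before creating it in AWS. Added example, not Fortinet code: the action
lists are copied from the tables above; the Sids, Resource "*" and lint rules are
this example's own assumptions."""
import json
import re

# "service": "Name Name ..." is expanded to "service:Name" entries by expand().
READ = {
    "rds": "Describe* DownloadDBLogFilePortion ListTagsForResource",
    "elasticfilesystem": "Describe*", "elasticloadbalancing": "Describe*",
    "acm": "List* Describe*", "cloudfront": "List* Get*",
    "eks": "ListUpdates DescribeUpdate DescribeCluster ListClusters",
    "kms": "List* Describe* Get*", "lambda": "List* GetPolicy",
    "sqs": "ReceiveMessage GetQueueUrl GetQueueAttributes ListQueueTags ListQueues "
           "ListDeadLetterSourceQueues",
    "iam": "List* SimulateCustomPolicy GenerateCredentialReport Get* SimulatePrincipalPolicy",
    "redshift": "Describe*", "ecs": "Describe* List*",
    "ec2": "Describe* SearchTransitGatewayRoutes GetTransitGatewayAttachmentPropagations "
           "GetTransitGatewayRouteTablePropagations GetTransitGatewayRouteTableAssociations",
    "logs": "Get* Describe* FilterLogEvents", "glacier": "ListVaults GetVaultAccessPolicy",
    "cloudformation": "ListStack* GetTemplate DescribeStack*",
    "s3": "GetBucket* GetReplicationConfiguration GetLifecycleConfiguration "
          "GetInventoryConfiguration ListBucket ListBucketMultipartUploads "
          "GetAccountPublicAccessBlock ListAllMyBuckets GetObjectVersion GetObjectVersionTagging "
          "GetObjectAcl GetObjectVersionAcl HeadBucket ListMultipartUploadParts GetObject "
          "GetAnalyticsConfiguration GetObjectVersionForReplication ListBucketByTags "
          "ListBucketVersions GetAccelerateConfiguration GetObjectVersionTorrent "
          "GetEncryptionConfiguration GetObjectTagging GetMetricsConfiguration GetObjectTorrent",
    "ses": "List* Get*", "es": "List* Describe*",
    "cloudtrail": "GetTrailStatus LookupEvents DescribeTrails ListTags GetEventSelectors",
    "route53": "ListTrafficPolicyVersions GetHealthCheck ListHostedZonesByName GetHostedZoneCount "
               "GetHealthCheckLastFailureReason ListVPCAssociationAuthorizations "
               "GetReusableDelegationSetLimit ListTagsForResources GetAccountLimit GetGeoLocation "
               "GetTrafficPolicy ListQueryLoggingConfigs GetCheckerIpRanges ListGeoLocations "
               "GetTrafficPolicyInstance ListHostedZones ListTagsForResource ListHealthChecks "
               "GetHostedZone ListResourceRecordSets GetHealthCheckCount ListReusableDelegationSets "
               "ListTrafficPolicyInstancesByHostedZone GetHostedZoneLimit ListTrafficPolicyInstances "
               "GetTrafficPolicyInstanceCount GetChange ListTrafficPolicies GetQueryLoggingConfig "
               "GetHealthCheckStatus GetReusableDelegationSet ListTrafficPolicyInstancesByPolicy",
    "sns": "Get*", "cloudwatch": "Describe*",
}
AUTOFIX = {  # write actions from the "autofix" rows; leave this statement out if unused
    "rds": "ModifyDBInstance", "elasticloadbalancing": "ModifyLoadBalancerAttributes",
    "cloudfront": "UpdateDistribution", "kms": "EnableKeyRotation",
    "iam": "UpdateAccountPasswordPolicy", "redshift": "ModifyClusterParameterGroup",
    "ec2": "ModifySnapshotAttribute RevokeSecurityGroupEgress RevokeSecurityGroupIngress",
    "s3": "PutBucketVersioning PutBucketAcl PutBucketPolicy PutObjectAcl PutObjectVersionAcl",
    "cloudtrail": "StartLogging UpdateTrail",
}
NOTIFICATIONS = {  # FortiCNP Notification integration with SQS and SNS
    "sqs": "TagQueue UntagQueue ChangeMessageVisibility ChangeMessageVisibilityBatch CreateQueue "
           "DeleteMessage DeleteMessageBatch DeleteQueue PurgeQueue SendMessage SendMessageBatch "
           "SetQueueAttributes",
    "sns": "*",
}
INTEGRATIONS = {"securityhub": "*", "inspector": "*", "guardduty": "*"}

ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")  # "service:Name", no spaces
WRITE_PREFIXES = ("Put", "Modify", "Update", "Delete", "Create", "Set", "Revoke",
                  "Enable", "Start", "Stop", "Tag", "Untag", "Purge", "Send", "Change")
# Reads that return content (objects, messages, log lines, templates) rather than
# configuration; worth a conscious decision before granting them to an external service.
CONTENT_READS = {"s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTorrent",
                 "s3:GetObjectVersionTorrent", "sqs:ReceiveMessage", "logs:Get*",
                 "logs:FilterLogEvents", "rds:DownloadDBLogFilePortion", "cloudformation:GetTemplate"}
MANAGED_POLICY_LIMIT = 6144  # IAM managed-policy size quota; whitespace is not counted


def expand(groups):
    return [f"{svc}:{name}" for svc, names in groups.items() for name in names.split()]


def build_policy():
    """One statement per permission class, so the write-capable ones can be dropped
    independently. Resource "*" is assumed; the SQS/SNS statement can be scoped to ARNs."""
    parts = [("FortiCNPReadOnly", READ), ("FortiCNPAutofix", AUTOFIX),
             ("FortiCNPNotifications", NOTIFICATIONS), ("FortiCNPIntegrations", INTEGRATIONS)]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow", "Action": expand(group),
                           "Resource": "*"} for sid, group in parts]}


def policy_size(policy):
    return len(re.sub(r"\s", "", json.dumps(policy)))


def lint(policy):
    """Return (sid, action, rule) findings; a Sid containing 'ReadOnly' marks a read statement."""
    findings = []
    for stmt in policy["Statement"]:
        sid, actions = stmt.get("Sid", ""), stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            if not ACTION_RE.match(action):
                findings.append((sid, action, "bad-syntax"))
                continue
            name = action.split(":", 1)[1]
            if name == "*":
                findings.append((sid, action, "service-wildcard"))
            if "ReadOnly" in sid and name.startswith(WRITE_PREFIXES):
                findings.append((sid, action, "write-in-readonly"))
            if "ReadOnly" in sid and action in CONTENT_READS:
                findings.append((sid, action, "reads-content"))
    if policy_size(policy) > MANAGED_POLICY_LIMIT:
        findings.append(("", "", "too-large"))
    return findings


if __name__ == "__main__":
    doc = build_policy()
    print(json.dumps(doc, indent=2))  # paste into IAM > Policies > Create policy > JSON
    for finding in lint(doc):
        print("LINT:", *finding)
```

Run as written, the lint reports the four service wildcards and the nine content-reading actions and nothing else; every other action on this page passes the syntax and read/write checks once the "ModifyLoadBalancerAttributes" name is spelled without the space. Dropping the FortiCNPAutofix statement from `parts` yields a read-only policy for deployments that do not use autofix.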
