Fortinet black logo

online help

Appendix A: Amazon Policy Usage

Copy Link
Copy Doc ID 317ac0d2-6ad6-11ea-9384-00505692583a:262777

Appendix A: Amazon Policy Usage

Communication between AWS and FortiCWP requires granting FortiCWP with permissions to access AWS account resource configuration settings. The method is done through creating custom policy on AWS in JSON format in AWS for Policy Creation.

Below are lists of the AWS services/policies used and the corresponding reasoning to be used in FortiCWP.

FortiCWP Basic Permission

Service Policy in JSON Format Permission Purpose
RDS

"rds:Describe*"

"rds:DownloadDBLogFilePortion"

"rds:ListTagsForResource"

1. FortiCWP Resource List

2. RDS profile

3. RDS Topology

4. RDS Risk assessment

"rds:ModifyDBInstance" 1. Allow autofix feature of RDS Risk assessment policy "RDS instances should not be publicly accessible".
EFS "elasticfilesystem:Describe*"

1. FortiCWP Resource List

2. EFS profile

3. EFS Risk assessment

ELB "elasticloadbalancing:Describe*"

1. FortiCWP Resource List

2. Listener, Load Balancer, Target Group profile

3. ELB Topology

4. ELB Risk assessment

"elasticloadbalancing:ModifyLoadBalancer Attributes" 1. Allow autofix feature of ELB Risk assessment policy "ELB/ALB deletion protection should be enabled".
Certificate Manager

"acm:List*"

"acm:Describe*"

1. FortiCWP Resource List

2. ACM Certificate profile

3. ACM Certificate Risk assessment

CloudFront

"cloudfront:List*"

"cloudfront:Get*"

1. FortiCWP Resource List

2. CloudFront profile

3. CloudFront Risk assessment

"cloudfront:UpdateDistribution" 1. Allow autofix feature of CloudFront Risk assessment policy "CloudFront should use secure ciphers for distribution".
EKS

"eks:ListUpdates"

"eks:DescribeUpdate"

"eks:DescribeCluster"

"eks:ListClusters"

1. FortiCWP Resource List

2. EKS profile

3. EKS Topology

KMS

"kms:List*"

"kms:Describe*"

"kms:Get*"

1. FortiCWP Resource List

2. KMS Key profile

3. KMS Risk assessment

"kms:EnableKeyRotation" 1. Allow autofix feature of KMS Risk assessment policy "KMS key rotation should be enabled".
Lambda

"lambda:List*"

"lambda:GetPolicy"

1. FortiCWP Resource List

2. Lambda profile

3. Lambda Risk assessment

SQS

"sqs:ReceiveMessage"

"sqs:GetQueueUrl"

"sqs:GetQueueAttributes"

"sqs:ListQueueTags"

"sqs:ListQueues"

"sqs:ListDeadLetterSourceQueues"

1. FortiCWP Resource List

2. SQS profile

3. SQS Risk assessment

"sqs:TagQueue"

"sqs:UntagQueue"

"sqs:ChangeMessageVisibility

"sqs:ChangeMessageVisibilityBatch"

"sqs:CreateQueue"

"sqs:DeleteMessage"

"sqs:DeleteMessageBatch"

"sqs:DeleteQueue"

"sqs:PurgeQueue"

"sqs:SendMessage"

"sqs:SendMessageBatch"

"sqs:SetQueueAttributes"

1. FortiCWP Notification’s integration with AWS SQS service
IAM

"iam:List*"

"iam:SimulateCustomPolicy"

"iam:GenerateCredentialReport"

"iam:Get*"

"iam:SimulatePrincipalPolicy"

1. FortiCWP Resource List

2. IAM profile

3. IAM Risk assessment

"iam:UpdateAccountPasswordPolicy" 1. Allow autofix feature of Redshift Risk assessment policy "Password requirements should be enforced".
Redshift "redshift:Describe*"

1. FortiCWP Resource List

2. Redshift profile

3. Redshift Risk assessment

"redshift:Describe*"

"redshift:ModifyClusterParameterGroup"

1. Allow autofix feature of Redshift Risk assessment policy "Redshift database should use SSL for connections".
Elastic Container Service "ecs:Describe*" "ecs:List*"

1. FortiCWP Resource List

2. ECS profile

3. ECS Topology

EC2

"ec2:Describe*

"ec2:SearchTransitGatewayRoutes

"ec2:GetTransitGatewayAttachmentPropagations

"ec2:GetTransitGatewayRouteTablePropagations

"ec2:GetTransitGatewayRouteTableAssociations"

1. FortiCWP Resource List

2. VPC, Route Table, Subnet, Network ACL, Security Group, Machine Image(AMI), EC2, EBS volume, EBS snapshot profile

3. VPC, Subnet, Network ACL, Security Group, EC2 Topology

4. VPC, Subnet, Security Group, AMI, EC2, EBS Risk assessment

"ec2:ModifySnapshotAttribute"

"ec2:RevokeSecurityGroupEgress

"ec2:RevokeSecurityGroupIngress"

1. Allow autofix feature of EBS Risk assessment policy "EBS snapshots should not be publicly accessible".

2. Allow autofix feature of Security Group Risk assessment policy "Default Security Group should block all inbound traffic".

CloudWatch Logs

"logs:Get*"

"logs:Describe*"

"logs:FilterLogEvents"

1. Feature "Traffic" on FortiCWP
Glacier

"glacier:ListVaults"

"glacier:GetVaultAccessPolicy"

1. FortiCWP Resource List

2. Glacier profile

3. Glacier Risk assessment

CloudFormation

"cloudformation:ListStack*"

"cloudformation:GetTemplate"

"cloudformation:DescribeStack*"

1. FortiCWP Resource List

2. CloudFormation profile

3. CloudFormation Risk assessment

S3

"s3:GetBucket*"

"s3:GetReplicationConfiguration"

"s3:GetLifecycleConfiguration"

"s3:GetInventoryConfiguration"

"s3:ListBucket"

"s3:ListBucketMultipartUploads

"s3:GetAccountPublicAccessBlock"

"s3:ListAllMyBuckets"

"s3:GetObjectVersion"

"s3:GetObjectVersionTagging"

"s3:GetObjectAcl"

"s3:GetObjectVersionAcl"

"s3:HeadBucket"

"s3:ListMultipartUploadParts"

"s3:GetObject"

"s3:GetAnalyticsConfiguration

"s3:GetObjectVersionForReplication"

"s3:ListBucketByTags"

"s3:ListBucketVersions"

"s3:GetAccelerateConfiguration"

"s3:GetObjectVersionTorrent"

"s3:GetEncryptionConfiguration"

"s3:GetObjectTagging"

"s3:GetMetricsConfiguration"

"s3:GetObjectTorrent"

1. FortiCWP Resource List

2. S3 bucket profile

3. S3 Risk assessment

4. Feature "Buckets" on FortiCWP

"s3:PutBucketVersioning"

"s3:PutBucketAcl"

"s3:PutBucketPolicy"

"s3:PutObjectAcl"

"s3:PutObjectVersionAcl"

1. Allow autofix feature of S3 Risk assessment policy "S3 buckets should not be publicly available".
Pinpoint Email /SES

"ses:List*"

"ses:Get*"

1. FortiCWP Resource List

2. SES profile

3. SES Risk assessment

CloudTrail

"cloudtrail:GetTrailStatus"

"cloudtrail:LookupEvents"

"cloudtrail:DescribeTrails"

"cloudtrail:ListTags"

"cloudtrail:GetEventSelectors"

1. FortiCWP Resource List

2. CloudTrail profile

3. CloudTrail Risk assessment

4. Feature "Activity" on FortiCWP

"cloudtrail:StartLogging"

"cloudtrail:UpdateTrail"

1. Allow autofix feature of CloudTrail Risk assessment policy "CloudTrail bucket should not be publicly accessible".
Elasticsearch Service

"es:List*"

"es:Describe*"

1. FortiCWP Resource List

2. ElasticSearch profile

3. ElasticSearch Risk assessment

Route 53

"route53:ListTrafficPolicyVersions"

"route53:GetHealthCheck"

"route53:ListHostedZonesByName"

"route53:GetHostedZoneCount"

"route53:GetHealthCheckLastFailureReason"

"route53:ListVPCAssociationAuthorizations"

"route53:GetReusableDelegationSetLimit"

"route53:ListTagsForResources"

"route53:GetAccountLimit"

"route53:GetGeoLocation"

"route53:GetTrafficPolicy"

"route53:ListQueryLoggingConfigs"

"route53:GetCheckerIpRanges"

"route53:ListGeoLocations"

"route53:GetTrafficPolicyInstance"

"route53:ListHostedZones"

"route53:ListTagsForResource"

"route53:ListHealthChecks"

"route53:GetHostedZone"

"route53:ListResourceRecordSets"

"route53:GetHealthCheckCount"

"route53:ListReusableDelegationSets"

"route53:ListTrafficPolicyInstancesByHostedZone"

"route53:GetHostedZoneLimit

"route53:ListTrafficPolicyInstances"

"route53:GetTrafficPolicyInstanceCount"

"route53:GetChange"

"route53:ListTrafficPolicies"

"route53:GetQueryLoggingConfig"

"route53:GetHealthCheckStatus"

"route53:GetReusableDelegationSet"

"route53:ListTrafficPolicyInstancesByPolicy"

1. FortiCWP Resource List

2. Route53 profile

3. Route53 Risk assessment

SNS

"sns:Get*"

"sns:*"

1. FortiCWP Resource List

2. SQS profile

3. SQS Risk assessment

"sns:*" 1. FortiCWP Notification’s integration with AWS SNS service
CloudWatch "cloudwatch:Describe*" 3. CloudWatch Risk assessment

FortiCWP Integration Permission

Service Policy in JSON Format Permission Purpose
SecurityHub "securityhub:*" 1. FortiCASB Integration Alerts for SecurityHub
Inspector "inspector:*" 1. FortiCASB Integration Alerts for Inspector
GuardDuty "guardduty:*" 1. FortiCASB Integration Alerts for GuardDuty

Appendix A: Amazon Policy Usage

Communication between AWS and FortiCWP requires granting FortiCWP with permissions to access AWS account resource configuration settings. The method is done through creating custom policy on AWS in JSON format in AWS for Policy Creation.

Below are lists of the AWS services/policies used and the corresponding reasoning to be used in FortiCWP.

FortiCWP Basic Permission

Service Policy in JSON Format Permission Purpose
RDS

"rds:Describe*"

"rds:DownloadDBLogFilePortion"

"rds:ListTagsForResource"

1. FortiCWP Resource List

2. RDS profile

3. RDS Topology

4. RDS Risk assessment

"rds:ModifyDBInstance" 1. Allow autofix feature of RDS Risk assessment policy "RDS instances should not be publicly accessible".
EFS "elasticfilesystem:Describe*"

1. FortiCWP Resource List

2. EFS profile

3. EFS Risk assessment

ELB "elasticloadbalancing:Describe*"

1. FortiCWP Resource List

2. Listener, Load Balancer, Target Group profile

3. ELB Topology

4. ELB Risk assessment

"elasticloadbalancing:ModifyLoadBalancer Attributes" 1. Allow autofix feature of ELB Risk assessment policy "ELB/ALB deletion protection should be enabled".
Certificate Manager

"acm:List*"

"acm:Describe*"

1. FortiCWP Resource List

2. ACM Certificate profile

3. ACM Certificate Risk assessment

CloudFront

"cloudfront:List*"

"cloudfront:Get*"

1. FortiCWP Resource List

2. CloudFront profile

3. CloudFront Risk assessment

"cloudfront:UpdateDistribution" 1. Allow autofix feature of CloudFront Risk assessment policy "CloudFront should use secure ciphers for distribution".
EKS

"eks:ListUpdates"

"eks:DescribeUpdate"

"eks:DescribeCluster"

"eks:ListClusters"

1. FortiCWP Resource List

2. EKS profile

3. EKS Topology

KMS

"kms:List*"

"kms:Describe*"

"kms:Get*"

1. FortiCWP Resource List

2. KMS Key profile

3. KMS Risk assessment

"kms:EnableKeyRotation" 1. Allow autofix feature of KMS Risk assessment policy "KMS key rotation should be enabled".
Lambda

"lambda:List*"

"lambda:GetPolicy"

1. FortiCWP Resource List

2. Lambda profile

3. Lambda Risk assessment

SQS

"sqs:ReceiveMessage"

"sqs:GetQueueUrl"

"sqs:GetQueueAttributes"

"sqs:ListQueueTags"

"sqs:ListQueues"

"sqs:ListDeadLetterSourceQueues"

1. FortiCWP Resource List

2. SQS profile

3. SQS Risk assessment

"sqs:TagQueue"

"sqs:UntagQueue"

"sqs:ChangeMessageVisibility

"sqs:ChangeMessageVisibilityBatch"

"sqs:CreateQueue"

"sqs:DeleteMessage"

"sqs:DeleteMessageBatch"

"sqs:DeleteQueue"

"sqs:PurgeQueue"

"sqs:SendMessage"

"sqs:SendMessageBatch"

"sqs:SetQueueAttributes"

1. FortiCWP Notification’s integration with AWS SQS service
IAM

"iam:List*"

"iam:SimulateCustomPolicy"

"iam:GenerateCredentialReport"

"iam:Get*"

"iam:SimulatePrincipalPolicy"

1. FortiCWP Resource List

2. IAM profile

3. IAM Risk assessment

"iam:UpdateAccountPasswordPolicy" 1. Allow autofix feature of Redshift Risk assessment policy "Password requirements should be enforced".
Redshift "redshift:Describe*"

1. FortiCWP Resource List

2. Redshift profile

3. Redshift Risk assessment

"redshift:Describe*"

"redshift:ModifyClusterParameterGroup"

1. Allow autofix feature of Redshift Risk assessment policy "Redshift database should use SSL for connections".
Elastic Container Service "ecs:Describe*" "ecs:List*"

1. FortiCWP Resource List

2. ECS profile

3. ECS Topology

EC2

"ec2:Describe*

"ec2:SearchTransitGatewayRoutes

"ec2:GetTransitGatewayAttachmentPropagations

"ec2:GetTransitGatewayRouteTablePropagations

"ec2:GetTransitGatewayRouteTableAssociations"

1. FortiCWP Resource List

2. VPC, Route Table, Subnet, Network ACL, Security Group, Machine Image(AMI), EC2, EBS volume, EBS snapshot profile

3. VPC, Subnet, Network ACL, Security Group, EC2 Topology

4. VPC, Subnet, Security Group, AMI, EC2, EBS Risk assessment

"ec2:ModifySnapshotAttribute"

"ec2:RevokeSecurityGroupEgress

"ec2:RevokeSecurityGroupIngress"

1. Allow autofix feature of EBS Risk assessment policy "EBS snapshots should not be publicly accessible".

2. Allow autofix feature of Security Group Risk assessment policy "Default Security Group should block all inbound traffic".

CloudWatch Logs

"logs:Get*"

"logs:Describe*"

"logs:FilterLogEvents"

1. Feature "Traffic" on FortiCWP
Glacier

"glacier:ListVaults"

"glacier:GetVaultAccessPolicy"

1. FortiCWP Resource List

2. Glacier profile

3. Glacier Risk assessment

CloudFormation

"cloudformation:ListStack*"

"cloudformation:GetTemplate"

"cloudformation:DescribeStack*"

1. FortiCWP Resource List

2. CloudFormation profile

3. CloudFormation Risk assessment

S3

"s3:GetBucket*"

"s3:GetReplicationConfiguration"

"s3:GetLifecycleConfiguration"

"s3:GetInventoryConfiguration"

"s3:ListBucket"

"s3:ListBucketMultipartUploads

"s3:GetAccountPublicAccessBlock"

"s3:ListAllMyBuckets"

"s3:GetObjectVersion"

"s3:GetObjectVersionTagging"

"s3:GetObjectAcl"

"s3:GetObjectVersionAcl"

"s3:HeadBucket"

"s3:ListMultipartUploadParts"

"s3:GetObject"

"s3:GetAnalyticsConfiguration

"s3:GetObjectVersionForReplication"

"s3:ListBucketByTags"

"s3:ListBucketVersions"

"s3:GetAccelerateConfiguration"

"s3:GetObjectVersionTorrent"

"s3:GetEncryptionConfiguration"

"s3:GetObjectTagging"

"s3:GetMetricsConfiguration"

"s3:GetObjectTorrent"

1. FortiCWP Resource List

2. S3 bucket profile

3. S3 Risk assessment

4. Feature "Buckets" on FortiCWP

"s3:PutBucketVersioning"

"s3:PutBucketAcl"

"s3:PutBucketPolicy"

"s3:PutObjectAcl"

"s3:PutObjectVersionAcl"

1. Allow autofix feature of S3 Risk assessment policy "S3 buckets should not be publicly available".
Pinpoint Email /SES

"ses:List*"

"ses:Get*"

1. FortiCWP Resource List

2. SES profile

3. SES Risk assessment

CloudTrail

"cloudtrail:GetTrailStatus"

"cloudtrail:LookupEvents"

"cloudtrail:DescribeTrails"

"cloudtrail:ListTags"

"cloudtrail:GetEventSelectors"

1. FortiCWP Resource List

2. CloudTrail profile

3. CloudTrail Risk assessment

4. Feature "Activity" on FortiCWP

"cloudtrail:StartLogging"

"cloudtrail:UpdateTrail"

1. Allow autofix feature of CloudTrail Risk assessment policy "CloudTrail bucket should not be publicly accessible".
Elasticsearch Service

"es:List*"

"es:Describe*"

1. FortiCWP Resource List

2. ElasticSearch profile

3. ElasticSearch Risk assessment

Route 53

"route53:ListTrafficPolicyVersions"

"route53:GetHealthCheck"

"route53:ListHostedZonesByName"

"route53:GetHostedZoneCount"

"route53:GetHealthCheckLastFailureReason"

"route53:ListVPCAssociationAuthorizations"

"route53:GetReusableDelegationSetLimit"

"route53:ListTagsForResources"

"route53:GetAccountLimit"

"route53:GetGeoLocation"

"route53:GetTrafficPolicy"

"route53:ListQueryLoggingConfigs"

"route53:GetCheckerIpRanges"

"route53:ListGeoLocations"

"route53:GetTrafficPolicyInstance"

"route53:ListHostedZones"

"route53:ListTagsForResource"

"route53:ListHealthChecks"

"route53:GetHostedZone"

"route53:ListResourceRecordSets"

"route53:GetHealthCheckCount"

"route53:ListReusableDelegationSets"

"route53:ListTrafficPolicyInstancesByHostedZone"

"route53:GetHostedZoneLimit

"route53:ListTrafficPolicyInstances"

"route53:GetTrafficPolicyInstanceCount"

"route53:GetChange"

"route53:ListTrafficPolicies"

"route53:GetQueryLoggingConfig"

"route53:GetHealthCheckStatus"

"route53:GetReusableDelegationSet"

"route53:ListTrafficPolicyInstancesByPolicy"

1. FortiCWP Resource List

2. Route53 profile

3. Route53 Risk assessment

SNS

"sns:Get*"

"sns:*"

1. FortiCWP Resource List

2. SQS profile

3. SQS Risk assessment

"sns:*" 1. FortiCWP Notification’s integration with AWS SNS service
CloudWatch "cloudwatch:Describe*" 3. CloudWatch Risk assessment

FortiCWP Integration Permission

Service Policy in JSON Format Permission Purpose
SecurityHub "securityhub:*" 1. FortiCASB Integration Alerts for SecurityHub
Inspector "inspector:*" 1. FortiCASB Integration Alerts for Inspector
GuardDuty "guardduty:*" 1. FortiCASB Integration Alerts for GuardDuty