Appendix A: Amazon Policy Usage
Communication between AWS and FortiCWP requires granting FortiCWP with permissions to access AWS account resource configuration settings. The method is done through creating custom policy on AWS in JSON format in AWS for .
Below are lists of the AWS services/policies used and the corresponding reasoning to be used in FortiCWP.
FortiCWP Basic Permission
Service | Policy in JSON Format | Permission Purpose |
RDS |
"rds:Describe*" "rds:DownloadDBLogFilePortion" "rds:ListTagsForResource" |
1. FortiCWP Resource List 2. RDS profile 3. RDS Topology 4. RDS Risk assessment |
"rds:ModifyDBInstance" | 1. Allow autofix feature of RDS Risk assessment policy "RDS instances should not be publicly accessible". | |
EFS | "elasticfilesystem:Describe*" |
1. FortiCWP Resource List 2. EFS profile 3. EFS Risk assessment |
ELB | "elasticloadbalancing:Describe*" |
1. FortiCWP Resource List 2. Listener, Load Balancer, Target Group profile 3. ELB Topology 4. ELB Risk assessment |
"elasticloadbalancing:ModifyLoadBalancer Attributes" | 1. Allow autofix feature of ELB Risk assessment policy "ELB/ALB deletion protection should be enabled". | |
Certificate Manager |
"acm:List*" "acm:Describe*" |
1. FortiCWP Resource List 2. ACM Certificate profile 3. ACM Certificate Risk assessment |
CloudFront |
"cloudfront:List*" "cloudfront:Get*" |
1. FortiCWP Resource List 2. CloudFront profile 3. CloudFront Risk assessment |
"cloudfront:UpdateDistribution" | 1. Allow autofix feature of CloudFront Risk assessment policy "CloudFront should use secure ciphers for distribution". | |
EKS |
"eks:ListUpdates" "eks:DescribeUpdate" "eks:DescribeCluster" "eks:ListClusters" |
1. FortiCWP Resource List 2. EKS profile 3. EKS Topology |
KMS |
"kms:List*" "kms:Describe*" "kms:Get*" |
1. FortiCWP Resource List 2. KMS Key profile 3. KMS Risk assessment |
"kms:EnableKeyRotation" | 1. Allow autofix feature of KMS Risk assessment policy "KMS key rotation should be enabled". | |
Lambda |
"lambda:List*" "lambda:GetPolicy" |
1. FortiCWP Resource List 2. Lambda profile 3. Lambda Risk assessment |
SQS |
"sqs:ReceiveMessage" "sqs:GetQueueUrl" "sqs:GetQueueAttributes" "sqs:ListQueueTags" "sqs:ListQueues" "sqs:ListDeadLetterSourceQueues" |
1. FortiCWP Resource List 2. SQS profile 3. SQS Risk assessment |
"sqs:TagQueue" "sqs:UntagQueue" "sqs:ChangeMessageVisibility "sqs:ChangeMessageVisibilityBatch" "sqs:CreateQueue" "sqs:DeleteMessage" "sqs:DeleteMessageBatch" "sqs:DeleteQueue" "sqs:PurgeQueue" "sqs:SendMessage" "sqs:SendMessageBatch" "sqs:SetQueueAttributes" |
1. FortiCWP Notification’s integration with AWS SQS service | |
IAM |
"iam:List*" "iam:SimulateCustomPolicy" "iam:GenerateCredentialReport" "iam:Get*" "iam:SimulatePrincipalPolicy" |
1. FortiCWP Resource List 2. IAM profile 3. IAM Risk assessment |
"iam:UpdateAccountPasswordPolicy" | 1. Allow autofix feature of Redshift Risk assessment policy "Password requirements should be enforced". | |
Redshift | "redshift:Describe*" |
1. FortiCWP Resource List 2. Redshift profile 3. Redshift Risk assessment |
"redshift:Describe*" "redshift:ModifyClusterParameterGroup" |
1. Allow autofix feature of Redshift Risk assessment policy "Redshift database should use SSL for connections". | |
Elastic Container Service | "ecs:Describe*" "ecs:List*" |
1. FortiCWP Resource List 2. ECS profile 3. ECS Topology |
EC2 |
"ec2:Describe* "ec2:SearchTransitGatewayRoutes "ec2:GetTransitGatewayAttachmentPropagations "ec2:GetTransitGatewayRouteTablePropagations "ec2:GetTransitGatewayRouteTableAssociations" |
1. FortiCWP Resource List 2. VPC, Route Table, Subnet, Network ACL, Security Group, Machine Image(AMI), EC2, EBS volume, EBS snapshot profile 3. VPC, Subnet, Network ACL, Security Group, EC2 Topology 4. VPC, Subnet, Security Group, AMI, EC2, EBS Risk assessment |
"ec2:ModifySnapshotAttribute" "ec2:RevokeSecurityGroupEgress "ec2:RevokeSecurityGroupIngress" |
1. Allow autofix feature of EBS Risk assessment policy "EBS snapshots should not be publicly accessible". 2. Allow autofix feature of Security Group Risk assessment policy "Default Security Group should block all inbound traffic". |
|
CloudWatch Logs |
"logs:Get*" "logs:Describe*" "logs:FilterLogEvents" |
1. Feature "Traffic" on FortiCWP |
Glacier |
"glacier:ListVaults" "glacier:GetVaultAccessPolicy" |
1. FortiCWP Resource List 2. Glacier profile 3. Glacier Risk assessment |
CloudFormation |
"cloudformation:ListStack*" "cloudformation:GetTemplate" "cloudformation:DescribeStack*" |
1. FortiCWP Resource List 2. CloudFormation profile 3. CloudFormation Risk assessment |
S3 |
"s3:GetBucket*" "s3:GetReplicationConfiguration" "s3:GetLifecycleConfiguration" "s3:GetInventoryConfiguration" "s3:ListBucket" "s3:ListBucketMultipartUploads "s3:GetAccountPublicAccessBlock" "s3:ListAllMyBuckets" "s3:GetObjectVersion" "s3:GetObjectVersionTagging" "s3:GetObjectAcl" "s3:GetObjectVersionAcl" "s3:HeadBucket" "s3:ListMultipartUploadParts" "s3:GetObject" "s3:GetAnalyticsConfiguration "s3:GetObjectVersionForReplication" "s3:ListBucketByTags" "s3:ListBucketVersions" "s3:GetAccelerateConfiguration" "s3:GetObjectVersionTorrent" "s3:GetEncryptionConfiguration" "s3:GetObjectTagging" "s3:GetMetricsConfiguration" "s3:GetObjectTorrent" |
1. FortiCWP Resource List 2. S3 bucket profile 3. S3 Risk assessment 4. Feature "Buckets" on FortiCWP |
"s3:PutBucketVersioning" "s3:PutBucketAcl" "s3:PutBucketPolicy" "s3:PutObjectAcl" "s3:PutObjectVersionAcl" |
1. Allow autofix feature of S3 Risk assessment policy "S3 buckets should not be publicly available". | |
Pinpoint Email /SES |
"ses:List*" "ses:Get*" |
1. FortiCWP Resource List 2. SES profile 3. SES Risk assessment |
CloudTrail |
"cloudtrail:GetTrailStatus" "cloudtrail:LookupEvents" "cloudtrail:DescribeTrails" "cloudtrail:ListTags" "cloudtrail:GetEventSelectors" |
1. FortiCWP Resource List 2. CloudTrail profile 3. CloudTrail Risk assessment 4. Feature "Activity" on FortiCWP |
"cloudtrail:StartLogging" "cloudtrail:UpdateTrail" |
1. Allow autofix feature of CloudTrail Risk assessment policy "CloudTrail bucket should not be publicly accessible". | |
Elasticsearch Service |
"es:List*" "es:Describe*" |
1. FortiCWP Resource List 2. ElasticSearch profile 3. ElasticSearch Risk assessment |
Route 53 |
"route53:ListTrafficPolicyVersions" "route53:GetHealthCheck" "route53:ListHostedZonesByName" "route53:GetHostedZoneCount" "route53:GetHealthCheckLastFailureReason" "route53:ListVPCAssociationAuthorizations" "route53:GetReusableDelegationSetLimit" "route53:ListTagsForResources" "route53:GetAccountLimit" "route53:GetGeoLocation" "route53:GetTrafficPolicy" "route53:ListQueryLoggingConfigs" "route53:GetCheckerIpRanges" "route53:ListGeoLocations" "route53:GetTrafficPolicyInstance" "route53:ListHostedZones" "route53:ListTagsForResource" "route53:ListHealthChecks" "route53:GetHostedZone" "route53:ListResourceRecordSets" "route53:GetHealthCheckCount" "route53:ListReusableDelegationSets" "route53:ListTrafficPolicyInstancesByHostedZone" "route53:GetHostedZoneLimit "route53:ListTrafficPolicyInstances" "route53:GetTrafficPolicyInstanceCount" "route53:GetChange" "route53:ListTrafficPolicies" "route53:GetQueryLoggingConfig" "route53:GetHealthCheckStatus" "route53:GetReusableDelegationSet" "route53:ListTrafficPolicyInstancesByPolicy" |
1. FortiCWP Resource List 2. Route53 profile 3. Route53 Risk assessment |
SNS |
"sns:Get*" "sns:*" |
1. FortiCWP Resource List 2. SQS profile 3. SQS Risk assessment |
"sns:*" | 1. FortiCWP Notification’s integration with AWS SNS service | |
CloudWatch | "cloudwatch:Describe*" | 3. CloudWatch Risk assessment |
FortiCWP Integration Permission
Service | Policy in JSON Format | Permission Purpose |
SecurityHub | "securityhub:*" | 1. FortiCWP Integration Alerts for SecurityHub |
Inspector | "inspector:*" | 1. FortiCWP Integration Alerts for Inspector |
GuardDuty | "guardduty:*" | 1. FortiCWP Integration Alerts for GuardDuty |