AWS Permission and Resource Requirements
There are some AWS permissions and resources required to be created during AWS Cloud Formation for adding the AWS account to FortiCWP.
List of permissions and resources created during CloudFormation:
- FortiCWP S3 Bucket
- FortiCWP Basic Permission Policy
- FortiCWP Integration Permission Policy
- FortiCWP AutoFix Permission Policy (Optional)
- FortiCWP Notification Permission Policy (Optional)
- FortiCWP External ID Permission Policy (Temporary)
- FortiCWP Temporary Permission Policy (Temporary)
- FortiCWP Organization Permission Policy (AWS Organization only)
- FortiCWP Cloud Trail
- FortiCWP IAM Role
FortiCWP S3 bucket is created and configured to store AWS Cloud Trail logs. All permission policies are created and attached to the FortiCWP IAM Role.
Basic Permission Policy and Integration Policy are read-only AWS permissions that need to be created for basic functionality and integration between FortiCWP and AWS.
AutoFix permission Policy and Notification Permission Policy are optional permissions that are used to remediate security vulnerabilities and send notification via AWS SNS and AWS SQS.
FortiCWP External ID Permission Policy and FortiCWP Temporary Permission Policy are only created during CloudFormation, and are removed after the AWS account is successfully added to FortiCWP.
Below are each type of AWS permission policy created with details.
Basic Permissions (required)
This permission list is mandatory for adding AWS accounts to FortriCWP. This includes the permissions related to AWS S3, CloudTrail, CloudFormation, IAM User Permissions and EC2.
Permission Detail
"acm:Describe*",
"acm:List*",
"appstream:Describe*",
"autoscaling:Describe*",
"cloudformation:DescribeStack*",
"cloudformation:GetTemplate",
"cloudformation:ListStack*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudsearch:Describe*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:EvaluateExpression",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"datapipeline:ValidatePipelineDefinition",
"dax:BatchGetItem",
"dax:ConditionCheckItem",
"dax:DescribeClusters",
"dax:DescribeDefaultParameters",
"dax:DescribeEvents",
"dax:DescribeParameterGroups",
"dax:DescribeParameters",
"dax:DescribeSubnetGroups",
"dax:GetItem",
"dax:ListTags",
"dax:Query",
"dax:Scan",
"directconnect:Describe*",
"ds:Describe*",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"ec2:GetTransitGatewayAttachmentPropagations",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:SearchTransitGatewayRoutes",
"ecs:Describe*",
"ecs:List*",
"eks:DescribeCluster",
"eks:DescribeUpdate",
"eks:ListClusters",
"eks:ListUpdates",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Describe*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:List*",
"es:Describe*",
"es:List*",
"glacier:GetVaultAccessPolicy",
"glacier:ListVaults",
"iam:GenerateCredentialReport",
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:GetPolicy",
"lambda:List*",
"logs:Describe*",
"logs:FilterLogEvents",
"logs:Get*",
"rds:Describe*",
"rds:DownloadDBLogFilePortion",
"rds:ListTagsForResource",
"redshift:Describe*",
"route53:GetAccountLimit",
"route53:GetChange",
"route53:GetCheckerIpRanges",
"route53:GetGeoLocation",
"route53:GetHealthCheck",
"route53:GetHealthCheckCount",
"route53:GetHealthCheckLastFailureReason",
"route53:GetHealthCheckStatus",
"route53:GetHostedZone",
"route53:GetHostedZoneCount",
"route53:GetHostedZoneLimit",
"route53:GetQueryLoggingConfig",
"route53:GetReusableDelegationSet",
"route53:GetReusableDelegationSetLimit",
"route53:GetTrafficPolicy",
"route53:GetTrafficPolicyInstance",
"route53:GetTrafficPolicyInstanceCount",
"route53:ListGeoLocations",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListQueryLoggingConfigs",
"route53:ListResourceRecordSets",
"route53:ListReusableDelegationSets",
"route53:ListTagsForResource",
"route53:ListTagsForResources",
"route53:ListTrafficPolicies",
"route53:ListTrafficPolicyInstances",
"route53:ListTrafficPolicyInstancesByHostedZone",
"route53:ListTrafficPolicyInstancesByPolicy",
"route53:ListTrafficPolicyVersions",
"route53:ListVPCAssociationAuthorizations",
"route53domains:CheckDomainAvailability",
"route53domains:GetContactReachabilityStatus",
"route53domains:GetDomainDetail",
"route53domains:GetDomainSuggestions",
"route53domains:GetOperationDetail",
"route53domains:ListDomains",
"route53domains:ListOperations",
"route53domains:ListTagsForDomain",
"s3:GetAccelerateConfiguration",
"s3:GetAccountPublicAccessBlock",
"s3:GetAnalyticsConfiguration",
"s3:GetBucket*",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"sdb:DomainMetadata",
"sdb:ListDomains",
"ses:Get*",
"ses:List*",
"tag:GetResources",
"tag:GetTagKeys",
"waf:Get*",
"waf:List*",
"workspaces:Describe*"
Integration Permissions (required)
This permission is also mandatory, it includes the permissions required for fetching data regarding the integration alerts in FortiCWP such as AWS Guard Duty, AWS Inspector service.
Permission Detail
"guardduty:DescribeOrganizationConfiguration",
"guardduty:DescribePublishingDestination",
"guardduty:GetDetector",
"guardduty:GetFilter",
"guardduty:GetFindings",
"guardduty:GetFindingsStatistics",
"guardduty:GetInvitationsCount",
"guardduty:GetIPSet",
"guardduty:GetMasterAccount",
"guardduty:GetMemberDetectors",
"guardduty:GetMembers",
"guardduty:GetThreatIntelSet",
"guardduty:GetUsageStatistics",
"guardduty:ListDetectors",
"guardduty:ListFilters",
"guardduty:ListFindings",
"guardduty:ListInvitations",
"guardduty:ListIPSets",
"guardduty:ListMembers",
"guardduty:ListOrganizationAdminAccounts",
"guardduty:ListPublishingDestinations",
"guardduty:ListTagsForResource",
"guardduty:ListThreatIntelSets",
"inspector:DescribeAssessmentRuns",
"inspector:DescribeAssessmentTargets",
"inspector:DescribeAssessmentTemplates",
"inspector:DescribeCrossAccountAccessRole",
"inspector:DescribeExclusions",
"inspector:DescribeFindings",
"inspector:DescribeResourceGroups",
"inspector:DescribeRulesPackages",
"inspector:GetAssessmentReport",
"inspector:GetExclusionsPreview",
"inspector:GetTelemetryMetadata",
"inspector:ListAssessmentRunAgents",
"inspector:ListAssessmentRuns",
"inspector:ListAssessmentTargets",
"inspector:ListAssessmentTemplates",
"inspector:ListEventSubscriptions",
"inspector:ListExclusions",
"inspector:ListFindings",
"inspector:ListRulesPackages",
"inspector:ListTagsForResource",
"inspector:PreviewAgents"
AutoFix Permissions (optional)
This permission list includes the minimum write permissions of the AWS resources such as AWS EC2, S3, IAM etc
Permission Detail
"cloudfront:UpdateDistribution",
"cloudtrail:StartLogging",
"cloudtrail:UpdateTrail",
"ec2:ModifySnapshotAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"iam:UpdateAccountPasswordPolicy",
"kms:CancelKeyDeletion",
"kms:EnableKeyRotation",
"rds:ModifyDBInstance",
"redshift:ModifyCluster",
"redshift:ModifyClusterParameterGroup",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
Notification Permissions (optional)
This permission is required for FortiCWP to send notifications. This consists of SQS (Simple Queue Service) and SNS (Simple Notification Service).
Permission Detail
"sns:CheckIfPhoneNumberIsOptedOut",
"sns:GetEndpointAttributes",
"sns:GetPlatformApplicationAttributes",
"sns:GetSMSAttributes",
"sns:GetSMSSandboxAccountStatus",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListEndpointsByPlatformApplication",
"sns:ListOriginationNumbers",
"sns:ListPhoneNumbersOptedOut",
"sns:ListPlatformApplications",
"sns:ListSMSSandboxPhoneNumbers",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:SendMessageBatch",
"sqs:SetQueueAttributes"