As part of the SaaS deployment, AUTOMATE+ streamlines the enablement and configuration of a number of native AWS services, detailed here.

...

AWS cross-account role permissions (grouped by the policy attached to the cross-account role):

Post Deployment Permissions

AUTOMATE+ (read-only)

6pillars-read-only-access
"events:ListRules",
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"

Note: despite the policy name, this list is not strictly read-only. securityhub:UpdateStandardsControl changes the enabled/disabled state of Security Hub controls, and wellarchitected:CreateWorkload, UpdateAnswer, CreateMilestone and DeleteWorkload modify Well-Architected workloads. Review these against your change-control requirements before granting them.

...

6pillars-support-control-access
"support:DescribeSeverityLevels",

AUTOMATE+ (with remediation functionality)

6pillars-access
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRules",
"states:StartExecution"

...

Temporary Permissions - During deployment only (approx. 15-30 mins)

This policy includes actions that can create, configure or assume other identities (iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy, iam:PassRole, sts:AssumeRole) and create and invoke Lambda functions. Confirm it has been detached from the cross-account role once the deployment completes.

AUTOMATE+ (Read Only deployment)

6pillars-deploy-access
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannels",
"config:GetResourceConfigHistory",
"config:ListDiscoveredResources",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:StartConfigurationRecorder",
"events:DeleteRule",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:PassRole",
"iam:PutRolePolicy",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:PutKeyPolicy",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:InvokeFunction",
"s3:CreateBucket",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"securityhub:BatchEnableStandards",
"securityhub:BatchUpdateFindings",
"securityhub:CreateActionTarget",
"securityhub:DeleteActionTarget",
"securityhub:DescribeActionTargets",
"securityhub:DescribeStandards",
"securityhub:EnableSecurityHub",
"sns:AddPermission",
"sns:ConfirmSubscription",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:List*",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sts:AssumeRole"
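The action lists above can be checked offline before the role is created. The following is an added example, not 6pillars' own tooling: it copies the 6pillars-read-only-access and 6pillars-deploy-access action lists from this page, flags every action in the "read-only" policy that is not a Get/List/Describe call, flags the identity- and code-execution-related actions in the temporary deploy policy, and renders either list as an IAM policy document so it can be diffed against what is actually attached (for example via aws iam get-role-policy). The read/write split is a verb-prefix heuristic and the PRIVILEGE_SENSITIVE set is the author's own selection; both are assumptions, not something the page defines.

```python
"""Offline least-privilege check of the cross-account policies documented above.

Added example; not 6pillars' own tooling. The action lists are copied from the
page. The read/write split is a verb-prefix heuristic (assumption: Get*, List*
and Describe* are read-only), and PRIVILEGE_SENSITIVE is the author's own pick
of actions that let a principal create, configure or assume other identities
or run code."""
import json

# Actions of 6pillars-read-only-access, as listed on the page.
READ_ONLY_ACCESS = [
    "events:ListRules",
    "securityhub:UpdateStandardsControl",
    "securityhub:DescribeStandardsControls",
    "securityhub:GetEnabledStandards",
    "securityhub:GetFindings",
    "wellarchitected:CreateWorkload",
    "wellarchitected:UpdateAnswer",
    "wellarchitected:CreateMilestone",
    "wellarchitected:DeleteWorkload",
    "wellarchitected:List*",
    "wellarchitected:Get*",
]

# Actions of the temporary 6pillars-deploy-access policy, as listed on the page.
DEPLOY_ACCESS = """
cloudformation:CreateStack cloudformation:DescribeChangeSet cloudformation:DescribeStacks
config:DeleteConfigurationRecorder config:DeleteDeliveryChannel
config:DescribeConfigurationRecorders config:DescribeDeliveryChannels
config:GetResourceConfigHistory config:ListDiscoveredResources
config:PutConfigurationRecorder config:PutDeliveryChannel config:StartConfigurationRecorder
events:DeleteRule events:DescribeRule events:PutRule events:PutTargets events:RemoveTargets
iam:AttachRolePolicy iam:CreateRole iam:CreateServiceLinkedRole iam:DeleteRole
iam:DeleteRolePolicy iam:DetachRolePolicy iam:GetRole iam:GetRolePolicy iam:PassRole
iam:PutRolePolicy
kms:CreateAlias kms:CreateKey kms:DescribeKey kms:EnableKeyRotation kms:PutKeyPolicy
lambda:CreateFunction lambda:DeleteFunction lambda:GetFunction
lambda:GetFunctionCodeSigningConfig lambda:InvokeFunction
s3:CreateBucket s3:DeleteBucketPolicy s3:GetBucketPolicy s3:PutBucketPolicy
s3:PutBucketPublicAccessBlock s3:PutEncryptionConfiguration
securityhub:BatchEnableStandards securityhub:BatchUpdateFindings
securityhub:CreateActionTarget securityhub:DeleteActionTarget
securityhub:DescribeActionTargets securityhub:DescribeStandards securityhub:EnableSecurityHub
sns:AddPermission sns:ConfirmSubscription sns:CreateTopic sns:DeleteTopic
sns:GetSubscriptionAttributes sns:GetTopicAttributes sns:List* sns:SetSubscriptionAttributes
sns:SetTopicAttributes sns:Subscribe
sts:AssumeRole
""".split()

# Heuristic (assumption): verbs with these prefixes only read state.
READ_PREFIXES = ("Get", "List", "Describe")

# Assumption: actions that can mint, reconfigure or assume identities, or run code.
PRIVILEGE_SENSITIVE = {
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole",
    "sts:AssumeRole", "lambda:CreateFunction", "lambda:InvokeFunction",
}


def is_read_action(action: str) -> bool:
    """True when the action's verb starts with a read-only prefix.
    A bare service wildcard such as "sns:*" is never treated as read-only."""
    _service, _, verb = action.partition(":")
    if not verb or verb == "*":
        return False
    return verb.startswith(READ_PREFIXES)


def write_actions(actions):
    """Actions in the list that are not read-only under the heuristic, sorted."""
    return sorted(a for a in actions if not is_read_action(a))


def privilege_sensitive(actions):
    """Documented actions that fall in the privilege-sensitive set, sorted."""
    return sorted(set(actions) & PRIVILEGE_SENSITIVE)


def policy_document(sid: str, actions, resource: str = "*") -> str:
    """Render an action list as an IAM policy JSON string for diffing against
    the policy actually attached to the cross-account role."""
    doc = {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": sorted(actions), "Resource": resource}],
    }
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("read-only policy, mutating actions:", write_actions(READ_ONLY_ACCESS))
    print("deploy policy, privilege-sensitive:", privilege_sensitive(DEPLOY_ACCESS))
    print(policy_document("SixPillarsReadOnly", READ_ONLY_ACCESS))
```

Run as-is, the script reports the five mutating actions inside the "read-only" policy and the seven identity- and code-execution-related actions in the deploy policy. The prefix heuristic errs on the side of flagging: anything not starting with Get, List or Describe is reported as a write, so the output is a review list, not a verdict.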

...

6pillars-support-control-access
"support:DescribeSeverityLevels",

AUTOMATE+ (with remediation functionality)

6pillars-access
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRules",
"states:StartExecution"

...