As part of the SaaS deployment, AUTOMATE+ automates the enablement and configuration of a number of native AWS services; the IAM permissions it requires in your account to do so are detailed here.
In order to deploy, configure and integrate with the relevant AWS services, the SaaS service requires a cross-account IAM role in your AWS account. Through that role the platform provides security visibility, coordinates 1-click remediation and/or self-healing, and integrates with the AWS Well-Architected Tool.
The cross-account role is initially created with additional temporary permissions that are needed only while the CloudFormation stacks performing the deployment are running. Within about 30 minutes of deployment these temporary permissions are removed and the role is reduced to the least-privilege permission set listed under "Post Deployment Permissions" below. Because the temporary set includes IAM, KMS and S3 policy-writing actions (for example iam:PutRolePolicy, kms:PutKeyPolicy and s3:PutBucketPolicy), it is worth confirming in the IAM console that only the post-deployment policies remain attached to the role once deployment completes.
Should you have any additional questions relating to the role configuration, permissions or requirements, please contact 6pillars at support@6pillars.ai.
AWS cross account role permissions:
Post Deployment Permissions
AUTOMATE+ (read-only) — note that, despite its name, the 6pillars-read-only-access policy below also grants a small number of write actions (securityhub:UpdateStandardsControl and the Well-Architected Tool workload create/update/delete actions) that the platform uses for its Security Hub and Well-Architected Tool integration.
6pillars-read-only-access
"events:ListRules",
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"
6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"
6pillars-support-control-access
"support:DescribeSeverityLevels",
AUTOMATE+ (with remediation functionality)
6pillars-access
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRules",
"states:StartExecution"
6pillars-drs-control-access
"ec2:DescribeInstances",
"drs:DescribeSourceServers",
"drs:GetReplicationConfiguration",
"drs:DescribeJobs",
"drs:DescribeRecoverySnapshots",
"drs:StartRecovery"
6pillars-read-only-access
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"
6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"
6pillars-support-control-access
"support:DescribeSeverityLevels",
⦿ Temporary Permissions — during deployment only (approx. 15–30 minutes); these are removed from the role once the CloudFormation stacks have completed.
AUTOMATE+ (read-only deployment)
6pillars-deploy-access
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannels",
"config:GetResourceConfigHistory",
"config:ListDiscoveredResources",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:StartConfigurationRecorder",
"events:DeleteRule",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:PassRole",
"iam:PutRolePolicy",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:PutKeyPolicy",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:InvokeFunction",
"s3:CreateBucket",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"securityhub:BatchEnableStandards",
"securityhub:BatchUpdateFindings",
"securityhub:CreateActionTarget",
"securityhub:DeleteActionTarget",
"securityhub:DescribeActionTargets",
"securityhub:DescribeStandards",
"securityhub:EnableSecurityHub",
"sns:AddPermission",
"sns:ConfirmSubscription",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:List*",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sts:AssumeRole"
6pillars-read-only-access
"events:ListRules",
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"
6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"
6pillars-support-control-access
"support:DescribeSeverityLevels",
AUTOMATE+ (with remediation functionality)
6pillars-access
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRules",
"states:StartExecution"
6pillars-deploy-access
"securityhub:CreateActionTarget",
"securityhub:DeleteActionTarget",
"securityhub:DescribeActionTargets",
"securityhub:BatchUpdateFindings",
"securityhub:EnableSecurityHub",
"securityhub:DescribeStandards",
"securityhub:BatchEnableStandards",
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutMetricFilter",
"logs:PutRetentionPolicy",
"logs:GetLogEvents",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"states:StartExecution",
"states:CreateStateMachine",
"states:DescribeStateMachine",
"states:TagResource",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeDocument",
"ssm:StartAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationStepExecutions",
"ssm:DeleteParameter",
"ssm:CreateActivation",
"ssm:CreateAssociation",
"ssm:CreateDocument",
"ssm:DeleteActivation",
"ssm:DeleteAssociation",
"ssm:DeleteDocument",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"cloudwatch:PutMetricData",
"cloudwatch:PutMetricAlarm",
"iam:GetPolicy",
"iam:ListEntitiesForPolicy",
"iam:DetachUserPolicy",
"iam:DetachGroupPolicy",
"iam:AttachGroupPolicy",
"iam:GetGroup",
"iam:CreateGroup",
"iam:AddUserToGroup",
"iam:GetRole",
"iam:PassRole",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:TagRole",
"iam:UpdateAccessKey",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetUser",
"iam:GetLoginProfile",
"iam:DeleteLoginProfile",
"iam:UpdateAccountPasswordPolicy",
"iam:GetAccountPasswordPolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRole",
"iam:CreateServiceLinkedRole",
"iam:CreatePolicy",
"cloudtrail:CreateTrail",
"cloudtrail:UpdateTrail",
"cloudtrail:GetTrail",
"cloudtrail:StartLogging",
"s3:GetBucketPolicy",
"s3:CreateBucket",
"s3:PutEncryptionConfiguration",
"s3:PutBucketLogging",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:DeleteBucketPolicy",
"sns:CreateTopic",
"sns:SetTopicAttributes",
"sns:GetTopicAttributes",
"sns:AddPermission",
"sns:DeleteTopic",
"sns:ConfirmSubscription",
"sns:GetSubscriptionAttributes",
"sns:List*",
"sns:SetSubscriptionAttributes",
"sns:Subscribe",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:StartConfigurationRecorder",
"config:ListDiscoveredResources",
"config:GetResourceConfigHistory",
"config:DeleteDeliveryChannel",
"config:DeleteConfigurationRecorder",
"config:DescribeDeliveryChannels",
"ec2:CreateFlowLogs",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroups",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:EnableEBSEncryptionByDefault",
"ec2:GetEbsEncryptionByDefault",
"rds:ModifyDBSnapshotAttribute",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:DescribeDBClusters",
"rds:ModifyDBCluster",
"rds:ModifyDBInstance",
"rds:DescribeDBInstances",
"rds:CopyDBSnapshot",
"rds:CopyDBClusterSnapshot",
"rds:DescribeDBSnapshots",
"rds:DescribeDBClusterSnapshots",
"rds:DeleteDBSnapshot",
"rds:DeleteDBClusterSnapshots",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:PublishLayerVersion",
"lambda:DeleteLayerVersion",
"lambda:GetLayerVersion",
"kms:EnableKeyRotation",
"kms:GetKeyRotationStatus",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:CreateKey",
"kms:PutKeyPolicy",
"kms:DescribeKey",
"kms:CreateAlias",
"kms:DeleteAlias",
"kms:ListKeys",
"kms:ListAliases",
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"events:PutRule",
"events:RemoveTargets",
"events:DescribeRule",
"events:PutTargets",
"events:DeleteRule",
"servicecatalog:SearchProducts",
"servicecatalog:ListLaunchPaths",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:ProvisionProduct",
"servicecatalog:DescribeProvisionedProduct",
"sqs:GetQueueAttributes",
"sqs:List*",
"codeBuild:BatchGetProjects",
"codeBuild:UpdateProject",
"redshift:ModifyCluster",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"redshift:EnableLogging",
"lambda:PutFunctionConcurrency"
6pillars-drs-control-access
"ec2:DescribeInstances",
"drs:DescribeSourceServers",
"drs:GetReplicationConfiguration",
"drs:DescribeJobs",
"drs:DescribeRecoverySnapshots",
"drs:StartRecovery"
6pillars-playbook-access-cross-account
"arn:aws:s3:::5pillars-uat-playbooks-reference/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-southeast-2/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-southeast-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-south-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-northeast-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-east-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-east-2/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-west-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-west-2/*"
6pillars-read-only-access
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"
6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"
6pillars-support-control-access
"support:DescribeSeverityLevels",