AWS Permissions

To allow SecureCloud to monitor the AWS accounts you have added in the Account Manager, you must grant it the appropriate permissions. There are three ways to give SecureCloud access to your AWS account:

  • Use the security credentials (access key ID and secret access key) of a user in the account who has the required permissions.
  • Give access to a user in another account via a role. Before using this option you must create a role in your AWS account and grant the required permissions to the other account. You can optionally require an external ID. MFA is not supported in SecureCloud.
  • Give access to Tufin's own AWS account via a role. Before using this option you must create a role in your AWS account and grant the required permissions to AWS account number 977996679567.

Whichever of the above methods you choose, the authorized user or role must have one of the following permission sets. The settings are listed from the most permissive to the least. Additional permissions may be required in the future if new functionality is added.

  1. Predefined policy ReadOnlyAccess (the most permissive setting)

  2. Predefined policy SecurityAudit plus the following custom policy for AWS network firewalls and AWS transit gateways:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "network-firewall:Describe*",
                    "network-firewall:List*",
                    "ec2:Search*"
                ],
                "Resource": "*"
            }
        ]
    }

  3. Custom policy 2

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "autoscaling:Describe*",
                    "ec2:Describe*",
                    "ec2:Search*",
                    "eks:Describe*",
                    "eks:List*",
                    "elasticloadbalancing:Describe*",
                    "iam:List*",
                    "iam:Get*",
                    "iam:Generate*",
                    "inspector2:List*",
                    "s3:Get*",
                    "s3:List*",
                    "cloudtrail:Describe*",
                    "network-firewall:Describe*",
                    "network-firewall:List*",
                    "rds:Describe*"
                ],
                "Resource": "*"
            }
        ]
    }

  4. Custom policy 3 (the least permissive setting)

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeInstances",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeRegions",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSecurityGroupRules",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTransitGatewayAttachments",
                    "ec2:DescribeTransitGatewayPeeringAttachments",
                    "ec2:DescribeTransitGatewayRouteTables",
                    "ec2:DescribeTransitGatewayVpcAttachments",
                    "ec2:DescribeTransitGateways",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcEndpointConnections",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:SearchTransitGatewayRoutes",
                    "eks:DescribeCluster",
                    "eks:ListClusters",
                    "eks:ListNodegroups",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "iam:ListInstanceProfiles",
                    "iam:GetAccountAuthorizationDetails",
                    "iam:GetAccountPasswordPolicy",
                    "iam:GenerateCredentialReport",
                    "iam:GetCredentialReport",
                    "iam:GetAccountSummary",
                    "iam:ListVirtualMFADevices",
                    "inspector2:ListFindings",
                    "s3:GetBucketTagging",
                    "s3:GetBucketWebsite",
                    "s3:GetBucketLogging",
                    "s3:GetBucketVersioning",
                    "s3:GetBucketAcl",
                    "s3:GetBucketPolicy",
                    "s3:GetEncryptionConfiguration",
                    "s3:ListAllMyBuckets",
                    "s3:ListObjects",
                    "s3:GetBucketLocation",
                    "cloudtrail:DescribeTrails",
                    "network-firewall:DescribeRuleGroup",
                    "network-firewall:ListTagsForResource",
                    "network-firewall:DescribeFirewallPolicy",
                    "network-firewall:DescribeLoggingConfiguration",
                    "network-firewall:ListFirewalls",
                    "network-firewall:DescribeResourcePolicy",
                    "network-firewall:DescribeFirewall",
                    "network-firewall:ListFirewallPolicies",
                    "network-firewall:ListRuleGroups",
                    "rds:DescribeDBInstances"
                ],
                "Resource": "*"
            }
        ]
    }

  5. In addition, for flow logs integration, add the following permission:

    "s3:GetObject"
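The following is an added example, not part of the SecureCloud documentation or Tufin's tooling: it builds the trust policy for the cross-account role option (Tufin account 977996679567, as stated above) with an external ID condition, and checks that a candidate permissions policy grants nothing beyond the documented read-only action patterns of custom policy 2 before it is attached to that role. The external ID and the drifted candidate policy are constructed sample values.

```python
import fnmatch

# Tufin's account number is taken from the page; the external ID is a placeholder.
TUFIN_ACCOUNT = "977996679567"
EXAMPLE_EXTERNAL_ID = "replace-with-the-external-id-shown-in-securecloud"

# Wildcard patterns from custom policy 2 (the documented ceiling for read-only access).
POLICY2_PATTERNS = [
    "autoscaling:Describe*", "ec2:Describe*", "ec2:Search*", "eks:Describe*",
    "eks:List*", "elasticloadbalancing:Describe*", "iam:List*", "iam:Get*",
    "iam:Generate*", "inspector2:List*", "s3:Get*", "s3:List*",
    "cloudtrail:Describe*", "network-firewall:Describe*",
    "network-firewall:List*", "rds:Describe*",
]

def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy for the role: only the trusted account may assume it, and
    only when it presents the agreed external ID (sts:ExternalId condition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_actions(policy: dict) -> list:
    """Flatten the Action field (string or list) of every Allow statement."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        out.extend([acts] if isinstance(acts, str) else acts)
    return out

def excess_actions(policy: dict, patterns: list) -> list:
    """Actions the policy grants that no documented pattern covers.
    A broad grant such as 's3:*' is flagged because no pattern matches it."""
    return [a for a in allowed_actions(policy)
            if not any(action_matches(p, a) for p in patterns)]

# Constructed sample: a policy that drifted beyond the documented read-only set.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "EKS:ListClusters",
        "ec2:TerminateInstances", "s3:*"]}],
}
```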