AMA: AWS Permissions

circle
circle

AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack 

"Can someone tell me exactly what permissions are needed for AWS. Reading through the github docs it looks as if JupiterOne doesn't supports LightSail. We are not currently using ec2 instances."

--Question from Cody on the J1 Community Slack

 

Answer from George Tang, Principal Security Architect

Hi Cody. The standard AWS Security Audit IAM policy is required, along with the following read-only permissions:

 
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"access-analyzer:List*",
"batch:Describe*",
"batch:List*",
"cloudhsm:DescribeBackups",
"cloudhsm:DescribeClusters",
"cloudhsm:ListTags",
"cloudwatch:GetMetricData",
"cloudwatch:List*",
"dynamodb:Describe*",
"dynamodb:List*",
"ecr:Describe*",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecr:List*",
"elasticache:List*",
"elasticfilesystem:Describe*",
"elasticmapreduce:List*",
"es:List*",
"kinesis:Describe*",
"kinesis:List*",
"lambda:GetFunction",
"macie2:GetFindings",
"macie2:ListFindings",
"s3:GetObjectRetention",
"s3:GetObjectLegalHold",
"s3:Get*Configuration",
"shield:GetSubscriptionState",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"waf:List*",
"waf:Get*",
"waf-regional:List*",
"waf-regional:Get*",
"workspaces:List*"
]
},
{
"Effect": "Allow",
"Action": ["apigateway:GET"],
"Resource": ["arn:aws:apigateway:*::/*"]
}
]
}

You can find the full documentation here: https://github.com/JupiterOne/jupiterone-aws-cloudformation. 
 
We don't ingest Lightsail but can get that formally prioritized on our roadmap if this is deemed critical. We just need to understand priority/timing + specific use case, i.e., what data do you want ingested from Lightsail to be able to answer what questions in JupiterOne?

Articles in this Series

  1. AMA: JupiterOne and PagerDuty WebHooks
  2. AMA: Export YAML Files for Vendors Pulled from SSO Providers
  3. AMA: Map Controls and Frameworks Relationships
  4. AMA: How to Track Professional Associations, Security Forums, and Threat Intel Sources
  5. AMA: Find AWS Instances by their Private IP Address
  6. AMA: SSO Integrated Authentication, Move to Another Role
  7. AMA: send-mail action to map two properties
  8. AMA: Setup the Policy Accept Button
  9. AMA: Match a blank field in J1QL
  10. AMA: Track and Alert Using Firewall Rules Matrix
  11. AMA: AWS Roles not used for 90 days, and date related queries
  12. AMA: Manage Alerts for Jira through J1 Terraform Provider
  13. AMA: Filter Results from Specific AWS Accounts
  14. AMA: Iterate and return total count of iam users per account
  15. AMA: Search for security groups by tag
  16. AMA: Identify S3 Buckets Open to Cross-Account Attacks
  17. AMA: Resources for J1 DevOps Use Cases
  18. AMA: Sub-Queries in J1QL
  19. AMA: What permissions are needed for AWS

Resources for this AMA

avatar

Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

To hear more from the JupiterOne Team, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

PREVIOUS ARTICLE