Missing permissions in deepwatch-mdr-role #43

Open
ZacharyWallace opened this issue Apr 3, 2024 · 0 comments
Comments

@ZacharyWallace
Collaborator

Since the migration from the ABI templates to the SRA templates, various changes in how the CloudTrail bucket is implemented cause issues with the policy on the role created for cross-account assumption, including the following:

  • Versioning is enabled: s3:GetObjectVersion is needed
  • KMS-encrypted bucket objects: kms:Decrypt is needed in the IAM policy, and a key policy statement similar to the one below is required on the KMS key used for encryption:

```json
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::0123456789:role/deepwatch-mdr-role"
  ]},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "$KMS-ARN"
}
```

Additional reports of permissions potentially being needed: sqs:ChangeMessageVisibility & s3:ListBucket
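The permission set the issue describes, as an added example that is not code from the deepwatch-mdr-role project: a Python script that assembles a role policy covering the actions named above (scoped to the bucket, object, key and queue each action applies to), a decrypt-only KMS key policy statement narrowed from the "Allow use of the key" template, and a minimal offline evaluator that reports which required (action, resource) pairs a policy fails to allow. The account ID, bucket, key and queue ARNs, the object key, and the pre-migration policy are constructed placeholders; `s3:GetObject` is assumed to be already present on the role; the evaluator handles only Allow/Deny statements with `*` wildcards, not Condition, NotAction or NotResource.

```python
"""Added example, not code from the deepwatch-mdr-role project: assemble the
role policy and KMS key policy statement the issue asks for, then check offline
that every action named in the issue is covered.  All account IDs and ARNs are
constructed placeholders; substitute the real ones from your deployment."""
import fnmatch

ACCOUNT_ID = "111111111111"          # constructed placeholder
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/deepwatch-mdr-role"
BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-bucket"
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:example-cloudtrail-queue"

# Assumed (constructed) pre-migration policy: plain object reads only, which
# is what stops working once the bucket is versioned and KMS-encrypted.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    ],
}

# Policy covering the permissions the issue lists, each scoped to the
# resource type the action actually applies to.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Versioned bucket: s3:GetObject alone no longer suffices
            "Sid": "ReadObjects", "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"{BUCKET_ARN}/*"},
        {   # s3:ListBucket is bucket-level, so it needs the bucket ARN itself
            "Sid": "ListBucket", "Effect": "Allow",
            "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {   # KMS-encrypted objects: decrypt on the specific key only
            "Sid": "DecryptObjects", "Effect": "Allow",
            "Action": "kms:Decrypt", "Resource": KMS_KEY_ARN},
        {   # The SQS action the issue reports; other queue actions the role
            # may already have are not on the page and are omitted here
            "Sid": "NotificationQueue", "Effect": "Allow",
            "Action": "sqs:ChangeMessageVisibility", "Resource": QUEUE_ARN},
    ],
}

# Key policy statement for the CMK, narrowed from the issue's "Allow use of
# the key" template to the two actions a log reader needs.
KEY_POLICY_STATEMENT = {
    "Sid": "Allow deepwatch-mdr-role to decrypt",
    "Effect": "Allow",
    "Principal": {"AWS": [ROLE_ARN]},
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": "*",   # in a key policy, "*" means this key
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Minimal offline evaluator: an explicit Deny wins, otherwise any matching
    Allow grants.  Supports only Action/Resource with '*' wildcards; no
    Condition, NotAction or NotResource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_permissions(policy, required):
    """Return the (action, resource) pairs in `required` the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]

def key_policy_allows(statement, principal_arn, action):
    """True if the key policy statement lets principal_arn perform action."""
    principals = _as_list(statement["Principal"].get("AWS", []))
    return (statement["Effect"] == "Allow"
            and principal_arn in principals
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])))

# What the role must be able to do after the migration (constructed object key).
REQUIRED = [
    ("s3:GetObjectVersion", f"{BUCKET_ARN}/AWSLogs/{ACCOUNT_ID}/CloudTrail/example.json.gz"),
    ("s3:ListBucket", BUCKET_ARN),
    ("kms:Decrypt", KMS_KEY_ARN),
    ("sqs:ChangeMessageVisibility", QUEUE_ARN),
]

if __name__ == "__main__":
    print("before migration, missing:", missing_permissions(BEFORE_POLICY, REQUIRED))
    print("after fix, missing:", missing_permissions(ROLE_POLICY, REQUIRED))
    print("key policy grants Decrypt:", key_policy_allows(KEY_POLICY_STATEMENT, ROLE_ARN, "kms:Decrypt"))
```

Run as a script, it lists the four gaps in the pre-migration policy and none in the corrected one. The check is deliberately local and approximate; for the authoritative answer, run the same (action, resource) pairs through the IAM policy simulator against the deployed role, since the real evaluation also takes the key policy, bucket policy and any SCPs into account.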

2 participants