Review the permissions required to deploy resources and the permissions granted when connecting AWS accounts to Trend Vision One.

AWS Required Permissions

Feature
Required permissions
Description
Core Features
  • iam:GetRole
  • iam:GetRolePolicy
  • iam:ListAccountAliases
  • iam:ListRolePolicies
  • iam:ListRoleTags
  • iam:ListRoles
  • iam:ListAttachedRolePolicies
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • cloudformation:GetTemplate
  • cloudformation:ListStackResources
  • cloudformation:ListStackInstances
  • ssm:PutParameter
These permissions are required to connect AWS cloud accounts to Trend Vision One.
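The lists on this page are the contract for the connector role; before connecting an account, a practitioner will want to confirm that the role actually deployed carries every listed action (and no broad wildcard that quietly grants far more). The script below is an added example, not Trend Micro's code: it takes a required-action list copied from this page (here the Core Features list) and an IAM policy document and reports required actions the policy does not grant or explicitly denies, Allow entries that cover no required action, and wildcard entries that should be reviewed by hand. SAMPLE_POLICY is a constructed document standing in for the output of `aws iam get-role-policy` or `aws iam get-policy-version`; Resource and Condition elements are deliberately ignored, so the result is an upper bound on what the policy grants.

```python
"""Compare an IAM policy document with a required-action list.

Added example, not Trend Micro's code. REQUIRED_CORE is the Core Features
list from this page; SAMPLE_POLICY is a constructed policy document that
stands in for whatever `aws iam get-role-policy` returns for the role.
"""
import fnmatch
import json

REQUIRED_CORE = [
    "iam:GetRole", "iam:GetRolePolicy", "iam:ListAccountAliases",
    "iam:ListRolePolicies", "iam:ListRoleTags", "iam:ListRoles",
    "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion",
    "cloudformation:GetTemplate", "cloudformation:ListStackResources",
    "cloudformation:ListStackInstances", "ssm:PutParameter",
]

# Constructed sample: wildcard IAM grants, two required actions missing,
# one unrelated action granted, and an explicit Deny on a required action.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "cloudformation:GetTemplate",
                    "cloudformation:ListStackResources", "sqs:SendMessage"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:ListRoleTags", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def _match(action: str, pattern: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ?.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_patterns(policy: dict) -> tuple[list[str], list[str]]:
    """Split a policy document into (Allow patterns, Deny patterns).

    Resource and Condition are ignored, so the Allow list is an upper
    bound on what the policy grants. NotAction statements are skipped.
    """
    allows, denies = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue
        bucket = allows if stmt.get("Effect") == "Allow" else denies
        bucket.extend(_as_list(stmt["Action"]))
    return allows, denies


def check_required(required: list[str], policy: dict) -> dict:
    """Report missing (not allowed, or explicitly denied) required actions,
    Allow entries that cover no required action, and wildcard entries."""
    allows, denies = action_patterns(policy)
    missing = [a for a in required
               if not any(_match(a, p) for p in allows)
               or any(_match(a, p) for p in denies)]
    extra = [p for p in allows
             if not any(_match(a, p) for a in required)]
    wildcards = [p for p in allows if "*" in p or "?" in p]
    return {"missing": missing, "extra": extra, "wildcards": wildcards}


if __name__ == "__main__":
    print(json.dumps(check_required(REQUIRED_CORE, SAMPLE_POLICY), indent=2))
```

Run it against each feature's list in turn as you enable features; a non-empty `missing` list explains a failed connection or a feature that silently shows no data, and anything in `wildcards` is where the deployed role exceeds what this page says the feature needs.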
Server & Workload Protection
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeRegions
  • ec2:DescribeSubnets
  • ec2:DescribeTags
  • ec2:DescribeVpcs
  • ec2:DescribeAvailabilityZones
  • ec2:DescribeSecurityGroups
  • workspaces:DescribeWorkspaces
  • workspaces:DescribeWorkspaceDirectories
  • workspaces:DescribeWorkspaceBundles
  • workspaces:DescribeTags
  • iam:ListAccountAliases
  • iam:GetRole
  • iam:GetRolePolicy
These permissions are required to view Amazon EC2 and Amazon WorkSpaces instances in Server & Workload Protection.
For more information, see Server & Workload Protection.
Cloud Security Posture (included in Core Features)
  • acm:DescribeCertificate
  • acm:ListCertificates
  • acm:ListTagsForCertificate
  • apigateway:GET
  • autoscaling:DescribeAccountLimits
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:DescribeLaunchConfigurations
  • autoscaling:DescribeLoadBalancerTargetGroups
  • autoscaling:DescribeLoadBalancers
  • autoscaling:DescribeNotificationConfigurations
  • autoscaling:DescribeTags
  • cloudformation:DescribeAccountLimits
  • cloudformation:DescribeStackDriftDetectionStatus
  • cloudformation:DescribeStacks
  • cloudformation:DetectStackDrift
  • cloudformation:GetStackPolicy
  • cloudformation:ListStacks
  • cloudfront:GetDistribution
  • cloudfront:ListTagsForResource
  • cloudfront:ListDistributions
  • cloudtrail:DescribeTrails
  • cloudtrail:GetTrailStatus
  • cloudtrail:GetEventSelectors
  • cloudtrail:ListTags
  • cloudwatch:DescribeAlarms
  • cloudwatch:DescribeAlarmsForMetric
  • cloudwatch:GetMetricStatistics
  • cloudwatch:GetMetricData
  • cloudwatch:ListMetrics
  • config:DescribeComplianceByConfigRule
  • config:DescribeConfigRules
  • config:DescribeConfigurationRecorderStatus
  • config:DescribeConfigurationRecorders
  • config:DescribeDeliveryChannelStatus
  • config:DescribeDeliveryChannels
  • config:GetComplianceDetailsByConfigRule
  • config:GetResourceConfigHistory
  • config:ListTagsForResource
  • dynamodb:DescribeContinuousBackups
  • dynamodb:DescribeLimits
  • dynamodb:DescribeTable
  • dynamodb:ListBackups
  • dynamodb:ListTables
  • dynamodb:ListTagsOfResource
  • ec2:DescribeAccountAttributes
  • ec2:DescribeAddresses
  • ec2:DescribeEgressOnlyInternetGateways
  • ec2:DescribeFlowLogs
  • ec2:DescribeImages
  • ec2:DescribeInstanceAttribute
  • ec2:DescribeInstanceStatus
  • ec2:DescribeInstances
  • ec2:DescribeInternetGateways
  • ec2:DescribeKeyPairs
  • ec2:DescribeNatGateways
  • ec2:DescribeNetworkAcls
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeReservedInstances
  • ec2:DescribeRouteTables
  • ec2:DescribeSecurityGroupReferences
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSnapshots
  • ec2:DescribeSnapshotAttribute
  • ec2:DescribeSubnets
  • ec2:DescribeTags
  • ec2:DescribeTransitGatewayPeeringAttachments
  • ec2:SearchTransitGatewayRoutes
  • ec2:DescribeTransitGatewayRouteTables
  • ec2:DescribeTransitGateways
  • ec2:DescribeTransitGatewayAttachments
  • ec2:DescribeVolumes
  • ec2:DescribeVpcAttribute
  • ec2:DescribeVpcEndpoints
  • ec2:DescribeVpcEndpointConnections
  • ec2:DescribeVpcEndpointServices
  • ec2:DescribeVpcPeeringConnections
  • ec2:DescribeVpcs
  • ec2:DescribeVpnConnections
  • ec2:DescribeVpnGateways
  • ec2:GetEbsEncryptionByDefault
  • elasticfilesystem:DescribeFileSystems
  • elasticfilesystem:DescribeTags
  • elasticmapreduce:DescribeCluster
  • elasticmapreduce:ListClusters
  • elasticmapreduce:ListInstances
  • elasticmapreduce:GetBlockPublicAccessConfiguration
  • es:DescribeElasticsearchDomain
  • es:DescribeElasticsearchDomainConfig
  • es:DescribeElasticsearchDomains
  • es:DescribeElasticsearchInstanceTypeLimits
  • es:DescribeReservedElasticsearchInstanceOfferings
  • es:DescribeReservedElasticsearchInstances
  • es:ListDomainNames
  • es:ListElasticsearchInstanceTypes
  • es:ListElasticsearchVersions
  • es:ListTags
  • elasticache:DescribeCacheClusters
  • elasticache:DescribeReplicationGroups
  • elasticache:DescribeReservedCacheNodes
  • elasticache:ListTagsForResource
  • elasticloadbalancing:DescribeListeners
  • elasticloadbalancing:DescribeLoadBalancerAttributes
  • elasticloadbalancing:DescribeLoadBalancerPolicies
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:DescribeTargetGroups
  • elasticloadbalancing:DescribeTargetHealth
  • elasticloadbalancing:DescribeRules
  • iam:GenerateCredentialReport
  • iam:GetAccessKeyLastUsed
  • iam:GetAccountPasswordPolicy
  • iam:GetAccountSummary
  • iam:GetCredentialReport
  • iam:GetGroup
  • iam:GetGroupPolicy
  • iam:GetLoginProfile
  • iam:GetOpenIDConnectProvider
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetRole
  • iam:GetRolePolicy
  • iam:GetSAMLProvider
  • iam:GetServerCertificate
  • iam:GetUser
  • iam:GetUserPolicy
  • iam:ListAccessKeys
  • iam:ListAccountAliases
  • iam:ListAttachedGroupPolicies
  • iam:ListAttachedRolePolicies
  • iam:ListAttachedUserPolicies
  • iam:ListEntitiesForPolicy
  • iam:ListGroupPolicies
  • iam:ListGroups
  • iam:ListInstanceProfiles
  • iam:ListInstanceProfilesForRole
  • iam:ListMFADevices
  • iam:ListOpenIDConnectProviders
  • iam:ListPolicies
  • iam:ListPolicyTags
  • iam:ListPolicyVersions
  • iam:ListRolePolicies
  • iam:ListRoleTags
  • iam:ListRoles
  • iam:ListSAMLProviders
  • iam:ListSSHPublicKeys
  • iam:ListServerCertificates
  • iam:ListUserPolicies
  • iam:ListUserTags
  • iam:ListUsers
  • iam:ListVirtualMFADevices
  • kms:DescribeKey
  • kms:GetKeyPolicy
  • kms:GetKeyRotationStatus
  • kms:ListAliases
  • kms:ListGrants
  • kms:ListKeyPolicies
  • kms:ListKeys
  • kms:ListResourceTags
  • lambda:GetAccountSettings
  • lambda:GetFunction
  • lambda:GetFunctionConfiguration
  • lambda:GetPolicy
  • lambda:ListEventSourceMappings
  • lambda:ListFunctions
  • lambda:ListTags
  • lambda:ListLayers
  • logs:DescribeLogGroups
  • logs:DescribeMetricFilters
  • rds:DescribeAccountAttributes
  • rds:DescribeDBClusters
  • rds:DescribeDBClusterParameters
  • rds:DescribeDBClusterParameterGroups
  • rds:DescribeDBInstances
  • rds:DescribeDBSecurityGroups
  • rds:DescribeDBSnapshotAttributes
  • rds:DescribeDBSnapshots
  • rds:DescribeDBParameters
  • rds:DescribeEvents
  • rds:DescribeEventSubscriptions
  • rds:DescribeReservedDBInstances
  • rds:ListTagsForResource
  • redshift:DescribeClusterParameterGroups
  • redshift:DescribeClusterParameters
  • redshift:DescribeClusters
  • redshift:DescribeLoggingStatus
  • redshift:DescribeReservedNodes
  • redshift:DescribeTags
  • route53:GetDNSSEC
  • route53:GetGeoLocation
  • route53:ListHostedZones
  • route53:ListResourceRecordSets
  • route53:ListTagsForResource
  • route53domains:ListDomains
  • route53domains:ListTagsForDomain
  • ses:GetIdentityDkimAttributes
  • ses:GetIdentityPolicies
  • ses:GetIdentityVerificationAttributes
  • ses:ListIdentities
  • ses:ListIdentityPolicies
  • sns:GetTopicAttributes
  • sns:ListTopics
  • sns:ListSubscriptionsByTopic
  • sns:ListTagsForResource
  • sqs:GetQueueAttributes
  • sqs:ListQueues
  • sqs:ListQueueTags
  • tag:GetResources
  • tag:GetTagKeys
  • tag:GetTagValues
  • access-analyzer:ListAnalyzers
  • access-analyzer:ListFindings
  • application-autoscaling:DescribeScalableTargets
  • application-autoscaling:DescribeScalingActivities
  • application-autoscaling:DescribeScalingPolicies
  • application-autoscaling:DescribeScheduledActions
  • athena:GetQueryExecution
  • athena:ListQueryExecutions
  • athena:ListTagsForResource
  • backup:DescribeBackupVault
  • backup:ListBackupVaults
  • backup:ListRecoveryPointsByResource
  • backup:GetBackupVaultAccessPolicy
  • ce:GetAnomalies
  • ce:GetAnomalyMonitors
  • dax:DescribeClusters
  • dax:ListTags
  • dms:DescribeReplicationInstances
  • dms:ListTagsForResource
  • ds:DescribeDirectories
  • ds:ListTagsForResource
  • elasticbeanstalk:DescribeConfigurationSettings
  • elasticbeanstalk:DescribeEnvironments
  • ecr:DescribeRepositories
  • ecr:GetRepositoryPolicy
  • ecr:GetLifecyclePolicy
  • ecr:DescribeImages
  • eks:DescribeCluster
  • eks:ListClusters
  • events:DescribeEventBus
  • events:ListRules
  • events:DescribeRule
  • firehose:DescribeDeliveryStream
  • firehose:ListDeliveryStreams
  • kafka:DescribeCluster
  • kafka:ListClusters
  • kafka:ListNodes
  • mq:DescribeBroker
  • mq:ListBrokers
  • glue:GetDataCatalogEncryptionSettings
  • glue:GetSecurityConfiguration
  • glue:GetSecurityConfigurations
  • glue:GetDatabases
  • guardduty:GetDetector
  • guardduty:GetFindings
  • guardduty:ListDetectors
  • guardduty:ListFindings
  • health:DescribeAffectedEntities
  • health:DescribeEventDetails
  • health:DescribeEvents
  • inspector:DescribeFindings
  • inspector:DescribeAssessmentRuns
  • inspector:DescribeAssessmentTemplates
  • inspector:DescribeExclusions
  • inspector:ListFindings
  • inspector:ListAssessmentRuns
  • inspector:ListAssessmentTemplates
  • inspector:ListExclusions
  • kinesis:DescribeStream
  • kinesis:ListStreams
  • kinesis:ListTagsForStream
  • organizations:DescribeAccount
  • organizations:DescribeCreateAccountStatus
  • organizations:DescribeHandshake
  • organizations:DescribeOrganization
  • organizations:DescribeOrganizationalUnit
  • organizations:DescribePolicy
  • organizations:ListAWSServiceAccessForOrganization
  • organizations:ListAccounts
  • organizations:ListAccountsForParent
  • organizations:ListChildren
  • organizations:ListCreateAccountStatus
  • organizations:ListHandshakesForAccount
  • organizations:ListHandshakesForOrganization
  • organizations:ListOrganizationalUnitsForParent
  • organizations:ListParents
  • organizations:ListPolicies
  • organizations:ListPoliciesForTarget
  • organizations:ListRoots
  • organizations:ListTargetsForPolicy
  • route53domains:GetDomainDetail
  • s3:GetAccelerateConfiguration
  • s3:GetAccountPublicAccessBlock
  • s3:GetBucketAcl
  • s3:GetBucketLocation
  • s3:GetBucketLogging
  • s3:GetBucketObjectLockConfiguration
  • s3:GetBucketPolicy
  • s3:GetBucketPolicyStatus
  • s3:GetBucketPublicAccessBlock
  • s3:GetBucketTagging
  • s3:GetBucketVersioning
  • s3:GetBucketWebsite
  • s3:GetEncryptionConfiguration
  • s3:GetLifecycleConfiguration
  • s3:ListBucket
  • s3:ListAllMyBuckets
  • securityhub:GetEnabledStandards
  • securityhub:GetFindings
  • securityhub:GetInsightResults
  • securityhub:GetInsights
  • securityhub:GetMasterAccount
  • securityhub:GetMembers
  • securityhub:ListEnabledProductsForImport
  • securityhub:ListInvitations
  • securityhub:ListMembers
  • servicequotas:ListServiceQuotas
  • sagemaker:DescribeNotebookInstance
  • sagemaker:ListNotebookInstances
  • sagemaker:ListTags
  • sagemaker:DescribeDomain
  • sagemaker:ListDomains
  • sagemaker:ListModels
  • sagemaker:DescribeModel
  • sagemaker:ListEndpoints
  • sagemaker:DescribeEndpoint
  • sagemaker:ListImages
  • sagemaker:ListClusters
  • sagemaker:DescribeCluster
  • sagemaker:ListClusterNodes
  • sagemaker:DescribeClusterNode
  • sagemaker:DescribeImageVersion
  • secretsmanager:DescribeSecret
  • secretsmanager:ListSecrets
  • shield:DescribeSubscription
  • ssm:DescribeParameters
  • ssm:DescribeSessions
  • ssm:DescribeInstanceInformation
  • storagegateway:DescribeNFSFileShares
  • storagegateway:DescribeSMBFileShares
  • storagegateway:DescribeTapes
  • storagegateway:ListFileShares
  • storagegateway:ListTagsForResource
  • storagegateway:ListTapes
  • transfer:DescribeServer
  • transfer:ListServers
  • xray:GetEncryptionConfig
  • waf:GetWebACL
  • waf:ListWebACLs
  • wafv2:GetWebACL
  • wafv2:ListWebACLs
  • workspaces:DescribeTags
  • workspaces:DescribeWorkspaces
  • workspaces:DescribeWorkspacesConnectionStatus
  • support:DescribeSeverityLevels
  • support:DescribeTrustedAdvisorChecks
  • support:DescribeTrustedAdvisorCheckResult
  • support:DescribeTrustedAdvisorCheckRefreshStatuses
  • support:RefreshTrustedAdvisorCheck
  • comprehend:ListKeyPhrasesDetectionJobs
  • comprehend:ListSentimentDetectionJobs
  • comprehend:ListTopicsDetectionJobs
  • comprehend:ListEntitiesDetectionJobs
  • comprehend:ListDocumentClassificationJobs
  • comprehend:ListDominantLanguageDetectionJobs
  • wellarchitected:ListWorkloads
  • wellarchitected:GetWorkload
  • ecs:DescribeTaskDefinition
  • ecs:ListTaskDefinitions
  • compute-optimizer:GetAutoScalingGroupRecommendations
  • compute-optimizer:GetEC2InstanceRecommendations
  • ecs:ListClusters
  • ecs:ListServices
  • ecs:DescribeServices
  • ecs:ListContainerInstances
  • ecs:DescribeContainerInstances
  • config:SelectResourceConfig
  • iam:GetAccountAuthorizationDetails
  • lambda:ListFunctionUrlConfigs
  • rds:DescribeDBParameterGroups
  • firehose:ListTagsForDeliveryStream
  • inspector:DescribeAssessmentTargets
  • inspector:DescribeResourceGroups
  • inspector:ListAssessmentTargets
  • inspector:PreviewAgents
  • macie2:GetClassificationExportConfiguration
  • macie2:GetFindingStatistics
  • macie2:ListClassificationJobs
  • securityhub:DescribeHub
  • ecs:DescribeClusters
  • ecs:ListTagsForResource
  • appflow:DescribeFlow
  • appflow:ListFlows
  • bedrock:ListAgents
  • bedrock:GetAgent
  • bedrock:ListGuardrails
  • bedrock:GetGuardrail
  • bedrock:ListCustomModels
  • bedrock:GetCustomModel
  • bedrock:ListFoundationModels
  • bedrock:ListTagsForResource
  • bedrock:ListDataSources
  • bedrock:GetDataSource
  • bedrock:ListKnowledgeBases
  • bedrock:GetKnowledgeBase
  • bedrock:ListAgentActionGroups
  • bedrock:GetAgentActionGroup
  • bedrock:ListAgentKnowledgeBases
  • bedrock:GetAgentKnowledgeBase
  • bedrock:ListImportedModels
  • bedrock:GetImportedModel
  • aoss:ListCollections
  • aoss:ListTagsForResource
  • elasticache:DescribeServerlessCaches
  • inspector2:ListFindings
 
Container Protection for Amazon ECS
Runtime Scanning:
  • sqs:SendMessage
This permission is required by Container Security to enable Runtime Vulnerability Scanning on Amazon ECS clusters.
This permission allows Runtime Scanning to send an SQS message, which triggers vulnerability scans on the running container images.
Runtime Security:
  • ecs:DescribeServices
  • ecs:DeleteService
  • ecs:UpdateService
  • ecs:CreateService
  • ecs:TagResource
  • ecs:UntagResource
  • ssm:PutParameter
  • ssm:DeleteParameters
  • ssm:AddTagsToResource
  • ssm:RemoveTagsFromResource
  • iam:PassRole
These permissions are required by Container Security to enable Runtime Security on Amazon ECS clusters.
These permissions allow Runtime Security to:
  • perform create/read/update/delete actions on trendmicro-scout services, which run in ECS to provide runtime security.
  • perform create/read/update/delete actions on SSM parameters with V1CS/* in the name to manage API keys, regional Trend Vision One Container Security domain names, and proxy settings.
  • allow the trendmicro-scout ECS service to run (iam:PassRole).
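The page states that the SSM permissions are only used on parameters with V1CS/* in the name, and a practitioner granting them will want that reflected in the policy's Resource element rather than leaving it at "*". The statement below is an added example of expressing that scoping in IAM policy JSON; it is not Trend Micro's CloudFormation template, which may scope these actions differently. It assumes the parameter names begin with V1CS/ (so their ARNs end in parameter/V1CS/...), and the PassRole statement assumes the roles passed for the trendmicro-scout tasks can be matched by a name prefix and are passed to ecs-tasks.amazonaws.com; ACCOUNT_ID and ROLE_NAME_PREFIX are placeholders. Confirm both assumptions against the stack Trend Micro deploys before using this.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "V1CSParametersOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameters",
        "ssm:AddTagsToResource",
        "ssm:RemoveTagsFromResource"
      ],
      "Resource": "arn:aws:ssm:*:ACCOUNT_ID:parameter/V1CS/*"
    },
    {
      "Sid": "PassRoleToScoutTasksOnly",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME_PREFIX*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ecs-tasks.amazonaws.com"
        }
      }
    }
  ]
}
```

Unscoped iam:PassRole is the permission to watch here: without a Resource restriction and the iam:PassedToService condition, a principal holding it can hand any role in the account to any service that accepts one, which is an escalation path unrelated to Container Security.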
ECS Response:
  • ecs:StopTask
This permission is required by Container Security to enable container response actions on Amazon ECS Clusters.
The Response Management app uses the ecs:StopTask permission to let you stop any task in your clusters. This feature is available in Response Management, under Workflow and Automation.
Agentless Vulnerability & Threat Detection
AppConfig Management Actions:
  • appconfig:CreateApplication
  • appconfig:CreateConfigurationProfile
  • appconfig:CreateDeploymentStrategy
  • appconfig:CreateEnvironment
  • appconfig:CreateHostedConfigurationVersion
  • appconfig:StartDeployment
  • appconfig:StopDeployment
  • appconfig:GetApplication
  • appconfig:GetConfigurationProfile
  • appconfig:GetDeployment
  • appconfig:GetEnvironment
  • appconfig:GetHostedConfigurationVersion
  • appconfig:GetLatestConfiguration
  • appconfig:ListHostedConfigurationVersions
  • appconfig:ListTagsForResource
  • appconfig:DeleteApplication
  • appconfig:DeleteConfigurationProfile
  • appconfig:DeleteDeploymentStrategy
  • appconfig:DeleteEnvironment
  • appconfig:DeleteHostedConfigurationVersion
  • appconfig:TagResource
  • appconfig:StartConfigurationSession
  • appconfig:UntagResource
  • appconfig:UpdateApplication
  • appconfig:UpdateDeploymentStrategy
  • appconfig:UpdateConfigurationProfile
  • appconfig:UpdateEnvironment
Agentless Vulnerability & Threat Detection is a serverless function enabled in your connected cloud accounts. The function scans supported cloud resources for vulnerabilities and malware without impact to other resources or running applications.
CloudFormation Operations:
  • cloudformation:CancelUpdateStack
  • cloudformation:ContinueUpdateRollback
  • cloudformation:CreateChangeSet
  • cloudformation:CreateStack
  • cloudformation:DeleteChangeSet
  • cloudformation:DeleteStack
  • cloudformation:ExecuteChangeSet
  • cloudformation:RecordHandlerProgress
  • cloudformation:RollbackStack
  • cloudformation:SignalResource
  • cloudformation:UpdateStack
  • cloudformation:TagResource
  • cloudformation:DescribeStacks
  • cloudformation:DescribeStackEvents
  • cloudformation:DescribeStackResource
  • cloudformation:ListStackResources
  • cloudformation:UntagResource
Lambda Function Management:
  • lambda:ListFunctions
  • lambda:ListTags
  • lambda:UpdateFunctionCode
  • lambda:UpdateFunctionConfiguration
  • lambda:CreateFunction
  • lambda:TagResource
  • lambda:DeleteFunction
  • lambda:GetFunction
  • lambda:GetFunctionCodeSigningConfig
  • lambda:GetFunctionConfiguration
  • lambda:AddPermission
  • lambda:RemovePermission
  • lambda:InvokeFunction
  • lambda:UntagResource
  • lambda:DeleteLayerVersion
  • lambda:PublishLayerVersion
  • lambda:GetLayerVersion
  • lambda:CreateEventSourceMapping
  • lambda:GetEventSourceMapping
  • lambda:DeleteEventSourceMapping
  • lambda:UpdateEventSourceMapping
Storage Operations Actions:
  • s3:GetObject
  • s3:DeleteObject
  • s3:DeleteObjectVersion
  • s3:GetObjectVersion
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:PutLifecycleConfiguration
  • s3:GetObjectTagging
  • s3:PutObject
  • s3:PutObjectTagging
  • s3:GetBucketNotification
  • s3:PutBucketNotification
  • s3:GetBucketLocation
Messaging and Queueing Actions:
  • sqs:SetQueueAttributes
  • sqs:GetQueueUrl
  • sqs:GetQueueAttributes
  • sqs:DeleteQueue
  • sqs:CreateQueue
  • sqs:TagQueue
  • sqs:ReceiveMessage
  • sqs:DeleteMessage
  • sqs:SendMessage
  • sqs:UntagQueue
Secrets and Parameters Actions:
  • secretsmanager:DeleteSecret
  • secretsmanager:DescribeSecret
  • secretsmanager:ReplicateSecretToRegions
  • secretsmanager:RemoveRegionsFromReplication
  • secretsmanager:CreateSecret
  • secretsmanager:PutSecretValue
  • secretsmanager:GetSecretValue
  • secretsmanager:UpdateSecret
  • secretsmanager:UpdateSecretVersionStage
  • secretsmanager:TagResource
  • secretsmanager:UntagResource
  • ssm:AddTagsToResource
  • ssm:DeleteParameter
  • ssm:GetParameter
  • ssm:GetParameters
  • ssm:RemoveTagsFromResource
  • ssm:PutParameter
Logging and Monitoring Actions:
  • logs:DeleteLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • logs:PutRetentionPolicy
  • logs:StartQuery
  • logs:TagResource
  • logs:ListTagsForResource
  • logs:UntagResource
  • logs:GetQueryResults
  • logs:DescribeLogGroups
  • cloudwatch:PutMetricData
  • cloudwatch:GetMetricStatistics
Resource Scanning Capabilities Actions:
  • ebs:ListSnapshotBlocks
  • ebs:GetSnapshotBlock
  • ec2:CreateTags
  • ec2:DeleteSnapshot
  • ec2:DeleteTags
  • ec2:CreateSnapshot
  • ec2:DescribeVolumes
  • ec2:DescribeSnapshots
  • ec2:DescribeInstances
  • ec2:DescribeImages
  • ecr:DescribeImages
  • ecr:DescribeRepositories
  • ecr:BatchGetImage
  • ecr:GetDownloadUrlForLayer
  • ec2:DescribeFlowLogs
  • ec2:DescribeVpcs
State Machine Operations Actions:
  • states:CreateStateMachine
  • states:TagResource
  • states:DescribeStateMachine
  • states:DeleteStateMachine
  • states:UpdateStateMachine
  • states:UntagResource
  • states:StartExecution
  • states:ListExecutions
Events and Scheduling Actions:
  • events:PutRule
  • events:RemoveTargets
  • events:DescribeRule
  • events:DeleteRule
  • events:ListTargetsByRule
  • events:PutTargets
Cost Management Actions:
  • ce:GetCostAndUsage
IAM Role Management Actions:
  • iam:PassRole
  • iam:GetRole
Cloud Detections for AWS CloudTrail
  • lambda:ListTags
Collects CloudTrail log files from an S3 bucket and forwards them to Trend Vision One to provide insight into user actions and resource activity within this AWS account.
Cloud Detections for VPC Flow Logs
AppConfig Management Actions:
  • appconfig:CreateApplication
  • appconfig:CreateConfigurationProfile
  • appconfig:CreateDeploymentStrategy
  • appconfig:CreateEnvironment
  • appconfig:CreateHostedConfigurationVersion
  • appconfig:StartDeployment
  • appconfig:StopDeployment
  • appconfig:GetApplication
  • appconfig:GetConfigurationProfile
  • appconfig:GetDeployment
  • appconfig:GetEnvironment
  • appconfig:GetHostedConfigurationVersion
  • appconfig:GetLatestConfiguration
  • appconfig:ListHostedConfigurationVersions
  • appconfig:ListTagsForResource
  • appconfig:DeleteApplication
  • appconfig:DeleteConfigurationProfile
  • appconfig:DeleteDeploymentStrategy
  • appconfig:DeleteEnvironment
  • appconfig:DeleteHostedConfigurationVersion
  • appconfig:TagResource
  • appconfig:StartConfigurationSession
  • appconfig:UntagResource
  • appconfig:UpdateApplication
  • appconfig:UpdateDeploymentStrategy
  • appconfig:UpdateConfigurationProfile
  • appconfig:UpdateEnvironment
The AWS VPC Flow Logs integration allows Trend Vision One to access and monitor your VPC Flow Logs to detect potential threats.
CloudFormation Operations:
  • cloudformation:CancelUpdateStack
  • cloudformation:ContinueUpdateRollback
  • cloudformation:CreateChangeSet
  • cloudformation:CreateStack
  • cloudformation:DeleteChangeSet
  • cloudformation:DeleteStack
  • cloudformation:ExecuteChangeSet
  • cloudformation:RecordHandlerProgress
  • cloudformation:RollbackStack
  • cloudformation:SignalResource
  • cloudformation:UpdateStack
  • cloudformation:TagResource
  • cloudformation:DescribeStacks
  • cloudformation:DescribeStackEvents
  • cloudformation:DescribeStackResource
  • cloudformation:ListStackResources
  • cloudformation:UntagResource
Lambda Function Management:
  • lambda:ListFunctions
  • lambda:ListTags
  • lambda:UpdateFunctionCode
  • lambda:UpdateFunctionConfiguration
  • lambda:CreateFunction
  • lambda:TagResource
  • lambda:DeleteFunction
  • lambda:GetFunction
  • lambda:GetFunctionCodeSigningConfig
  • lambda:GetFunctionConfiguration
  • lambda:AddPermission
  • lambda:RemovePermission
  • lambda:InvokeFunction
  • lambda:UntagResource
  • lambda:DeleteLayerVersion
  • lambda:PublishLayerVersion
  • lambda:GetLayerVersion
  • lambda:CreateEventSourceMapping
  • lambda:GetEventSourceMapping
  • lambda:DeleteEventSourceMapping
  • lambda:UpdateEventSourceMapping
Storage Operations Actions:
  • s3:GetObject
  • s3:DeleteObject
  • s3:DeleteObjectVersion
  • s3:GetObjectVersion
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:PutLifecycleConfiguration
  • s3:GetObjectTagging
  • s3:PutObject
  • s3:PutObjectTagging
  • s3:GetBucketNotification
  • s3:PutBucketNotification
  • s3:GetBucketLocation
Messaging and Queueing Actions:
  • sqs:SetQueueAttributes
  • sqs:GetQueueUrl
  • sqs:GetQueueAttributes
  • sqs:DeleteQueue
  • sqs:CreateQueue
  • sqs:TagQueue
  • sqs:ReceiveMessage
  • sqs:DeleteMessage
  • sqs:SendMessage
  • sqs:UntagQueue
Secrets and Parameters Actions:
  • secretsmanager:DeleteSecret
  • secretsmanager:DescribeSecret
  • secretsmanager:ReplicateSecretToRegions
  • secretsmanager:RemoveRegionsFromReplication
  • secretsmanager:CreateSecret
  • secretsmanager:PutSecretValue
  • secretsmanager:GetSecretValue
  • secretsmanager:UpdateSecret
  • secretsmanager:UpdateSecretVersionStage
  • secretsmanager:TagResource
  • secretsmanager:UntagResource
  • ssm:AddTagsToResource
  • ssm:DeleteParameter
  • ssm:GetParameter
  • ssm:GetParameters
  • ssm:RemoveTagsFromResource
  • ssm:PutParameter
Logging and Monitoring Actions:
  • logs:DeleteLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • logs:PutRetentionPolicy
  • logs:StartQuery
  • logs:TagResource
  • logs:ListTagsForResource
  • logs:UntagResource
  • logs:GetQueryResults
  • logs:DescribeLogGroups
  • cloudwatch:PutMetricData
  • cloudwatch:GetMetricStatistics
VPC and Network Monitoring Actions:
  • ec2:DescribeFlowLogs
  • ec2:DescribeVpcs
Events and Scheduling Actions:
  • events:PutRule
  • events:RemoveTargets
  • events:DescribeRule
  • events:DeleteRule
  • events:ListTargetsByRule
  • events:PutTargets
Cost Management Actions:
  • ce:GetCostAndUsage
IAM Role Management Actions:
  • iam:PassRole
  • iam:GetRole
  • iam:TagRole
Cloud Detections for Amazon Security Lake
  • ssm:PutParameter
  • lambda:InvokeFunction
These permissions enable logs from Amazon Security Lake to be forwarded and analyzed, providing insights into user actions and resource activities in the AWS account.
Cloud Response for AWS
  • iam:GetPolicy
  • iam:AttachGroupPolicy
  • iam:AttachUserPolicy
  • iam:AttachRolePolicy
  • iam:CreatePolicy
Cloud Response for AWS uses these permissions to take response actions that contain incidents within your cloud account, such as revoking access for suspicious IAM users.
Note
These permissions are also required by Core Features.
File Security Storage
  • cloudformation:DescribeStackResources
  • cloudformation:DescribeStacks
  • cloudformation:ListStackInstances
  • cloudformation:ListStacks
  • lambda:GetFunctionConfiguration
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetObject
  • s3:ListAllMyBuckets
  • s3:ListBucket
  • sqs:GetQueueAttributes
  • ssm:GetParameter
  • ssm:GetParameters
  • lambda:GetLayerVersion
These permissions are required for File Security Storage to perform anti-malware scanning on files in cloud storage services.
When a user or program uploads a file to a designated cloud storage container, File Security Storage performs a scan.
Note
The scan is performed only on the added file, not on existing resources in the storage container.
Data Security Posture
  • ssm:GetParametersByPath
  • account:ListRegions
  • macie2:GetMacieSession
  • macie2:GetAutomatedDiscoveryConfiguration
  • macie2:DescribeBuckets
  • macie2:GetResourceProfile
  • macie2:ListResourceProfileDetections
  • lambda:ListTags
These permissions are required by Data Security Posture to monitor your AWS cloud assets for sensitive data.