AWS accounts required permissions | Trend Micro Service Central

Views:

Review the permissions required to deploy resources and the permissions granted when connecting AWS accounts to Trend Vision One.

AWS Required Permissions

Feature

Required permissions

Description

Core Features

iam:GetRole
iam:GetRolePolicy
iam:ListAccountAliases
iam:ListRolePolicies
iam:ListRoleTags
iam:ListRoles iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion cloudformation:GetTemplate
cloudformation:ListStackResources
cloudformation:ListStackInstances
ssm:PutParameter

These permissions are required to connect AWS cloud accounts to Trend Vision One.

Server & Workload Protection

ec2:DescribeImages
ec2:DescribeInstances
ec2:DescribeRegions
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeVpcs
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
workspaces:DescribeWorkspaces
workspaces:DescribeWorkspaceDirectories
workspaces:DescribeWorkspaceBundles
workspaces:DescribeTags
iam:ListAccountAliases
iam:GetRole
iam:GetRolePolicy

These permissions are required to view Amazon AWS EC2 and Workspace instances in Server & Workload Protection.

For more information, see Server & Workload Protection.

Cloud Security Posture (included in Core Features)

acm:DescribeCertificate
acm:ListCertificates
acm:ListTagsForCertificate
apigateway:GET
autoscaling:DescribeAccountLimits
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeAutoScalingInstances
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeLoadBalancerTargetGroups
autoscaling:DescribeLoadBalancers
autoscaling:DescribeNotificationConfigurations
autoscaling:DescribeTags
cloudformation:DescribeAccountLimits
cloudformation:DescribeStackDriftDetectionStatus
cloudformation:DescribeStacks
cloudformation:DetectStackDrift
cloudformation:GetStackPolicy
cloudformation:ListStacks
cloudfront:GetDistribution
cloudfront:ListTagsForResource
cloudfront:ListDistributions
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:GetEventSelectors
cloudtrail:ListTags
cloudwatch:DescribeAlarms
cloudwatch:DescribeAlarmsForMetric
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData
cloudwatch:ListMetrics
config:DescribeComplianceByConfigRule
config:DescribeConfigRules
config:DescribeConfigurationRecorderStatus
config:DescribeConfigurationRecorders
config:DescribeDeliveryChannelStatus
config:DescribeDeliveryChannels
config:GetComplianceDetailsByConfigRule
config:GetResourceConfigHistory
config:ListTagsForResource
dynamodb:DescribeContinuousBackups
dynamodb:DescribeLimits
dynamodb:DescribeTable
dynamodb:ListBackups
dynamodb:ListTables
dynamodb:ListTagsOfResource
ec2:DescribeAccountAttributes
ec2:DescribeAddresses
ec2:DescribeEgressOnlyInternetGateways
ec2:DescribeFlowLogs
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstanceStatus
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces
ec2:DescribeReservedInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroupReferences
ec2:DescribeSecurityGroups
ec2:DescribeSnapshots
ec2:DescribeSnapshotAttribute
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeTransitGatewayPeeringAttachments
ec2:SearchTransitGatewayRoutes
ec2:DescribeTransitGatewayRouteTables
ec2:DescribeTransitGateways
ec2:DescribeTransitGatewayAttachments
ec2:DescribeVolumes
ec2:DescribeVpcAttribute
ec2:DescribeVpcEndpoints
ec2:DescribeVpcEndpointConnections
ec2:DescribeVpcEndpointServices
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ec2:GetEbsEncryptionByDefault
elasticfilesystem:DescribeFileSystems
elasticfilesystem:DescribeTags
elasticmapreduce:DescribeCluster
elasticmapreduce:ListClusters
elasticmapreduce:ListInstances
elasticmapreduce:GetBlockPublicAccessConfiguration
es:DescribeElasticsearchDomain
es:DescribeElasticsearchDomainConfig
es:DescribeElasticsearchDomains
es:DescribeElasticsearchInstanceTypeLimits
es:DescribeReservedElasticsearchInstanceOfferings
es:DescribeReservedElasticsearchInstances
es:ListDomainNames
es:ListElasticsearchInstanceTypes
es:ListElasticsearchVersions
es:ListTags
elasticache:DescribeCacheClusters
elasticache:DescribeReplicationGroups
elasticache:DescribeReservedCacheNodes
elasticache:ListTagsForResource
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeTargetHealth
iam:GenerateCredentialReport
elasticloadbalancing:DescribeRules
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetGroup
iam:GetGroupPolicy
iam:GetLoginProfile
iam:GetOpenIDConnectProvider
iam:GetPolicy
iam:GetPolicyVersion
iam:GetRole
iam:GetRolePolicy
iam:GetSAMLProvider
iam:GetServerCertificate
iam:GetUser
iam:GetUserPolicy
iam:ListAccessKeys
iam:ListAccountAliases
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListEntitiesForPolicy
iam:ListGroupPolicies
iam:ListGroups
iam:ListInstanceProfiles
iam:ListInstanceProfilesForRole
iam:ListMFADevices
iam:ListOpenIDConnectProviders
iam:ListPolicies
iam:ListPolicyTags
iam:ListPolicyVersions
iam:ListRolePolicies
iam:ListRoleTags
iam:ListRoles
iam:ListSAMLProviders
iam:ListSSHPublicKeys
iam:ListServerCertificates
iam:ListUserPolicies
iam:ListUserTags
iam:ListUsers
iam:ListVirtualMFADevices
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListGrants
kms:ListKeyPolicies
kms:ListKeys
kms:ListResourceTags
lambda:GetAccountSettings
lambda:GetFunction
lambda:GetFunctionConfiguration
lambda:GetPolicy
lambda:ListEventSourceMappings
lambda:ListFunctions
lambda:ListTags
lambda:ListLayers
logs:DescribeLogGroups
logs:DescribeMetricFilters
rds:DescribeAccountAttributes
rds:DescribeDBClusters
rds:DescribeDBClusterParameters
rds:DescribeDBClusterParameterGroups
rds:DescribeDBInstances
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
rds:DescribeDBParameters
rds:DescribeEvents
rds:DescribeEventSubscriptions
rds:DescribeReservedDBInstances
rds:ListTagsForResource
redshift:DescribeClusterParameterGroups
redshift:DescribeClusterParameters
redshift:DescribeClusters
redshift:DescribeLoggingStatus
redshift:DescribeReservedNodes
redshift:DescribeTags
route53:GetDNSSEC
route53:GetGeoLocation
route53:ListHostedZones
route53:ListResourceRecordSets
route53:ListTagsForResource
route53domains:ListDomains
route53domains:ListTagsForDomain
ses:GetIdentityDkimAttributes
ses:GetIdentityPolicies
ses:GetIdentityVerificationAttributes
ses:ListIdentities
ses:ListIdentityPolicies
sns:GetTopicAttributes
sns:ListTopics
sns:ListSubscriptionsByTopic
sns:ListTagsForResource
sqs:GetQueueAttributes
sqs:ListQueues
sqs:ListQueueTags
tag:GetResources
tag:GetTagKeys
tag:GetTagValues
access-analyzer:ListAnalyzers
access-analyzer:ListFindings
application-autoscaling:DescribeScalableTargets
application-autoscaling:DescribeScalingActivities
application-autoscaling:DescribeScalingPolicies
application-autoscaling:DescribeScheduledActions
athena:GetQueryExecution
athena:ListQueryExecutions
athena:ListTagsForResource
backup:DescribeBackupVault
backup:ListBackupVaults
backup:ListRecoveryPointsByResource
backup:GetBackupVaultAccessPolicy
ce:GetAnomalies
ce:GetAnomalyMonitors
dax:DescribeClusters
dax:ListTags
dms:DescribeReplicationInstances
dms:ListTagsForResource
ds:DescribeDirectories
ds:ListTagsForResource
elasticbeanstalk:DescribeConfigurationSettings
elasticbeanstalk:DescribeEnvironments
ecr:DescribeRepositories
ecr:GetRepositoryPolicy
ecr:GetLifecyclePolicy
ecr:DescribeImages
eks:DescribeCluster
eks:ListClusters
events:DescribeEventBus
events:ListRules
events:DescribeRule
firehose:DescribeDeliveryStream
firehose:ListDeliveryStreams
kafka:DescribeCluster
kafka:ListClusters
kafka:ListNodes
mq:DescribeBroker
mq:ListBrokers
glue:GetDataCatalogEncryptionSettings
glue:GetSecurityConfiguration
glue:GetSecurityConfigurations
glue:GetDatabases
guardduty:GetDetector
guardduty:GetFindings
guardduty:ListDetectors
guardduty:ListFindings
health:DescribeAffectedEntities
health:DescribeEventDetails
health:DescribeEvents
inspector:DescribeFindings
inspector:DescribeAssessmentRuns
inspector:DescribeAssessmentTemplates
inspector:DescribeExclusions
inspector:ListFindings
inspector:ListAssessmentRuns
inspector:ListAssessmentTemplates
inspector:ListExclusions
kinesis:DescribeStream
kinesis:ListStreams
kinesis:ListTagsForStream
organizations:DescribeAccount
organizations:DescribeCreateAccountStatus
organizations:DescribeHandshake
organizations:DescribeOrganization
organizations:DescribeOrganizationalUnit
organizations:DescribePolicy
organizations:ListAWSServiceAccessForOrganization
organizations:ListAccounts
organizations:ListAccountsForParent
organizations:ListChildren
organizations:ListCreateAccountStatus
organizations:ListHandshakesForAccount
organizations:ListHandshakesForOrganization
organizations:ListOrganizationalUnitsForParent
organizations:ListParents
organizations:ListPolicies
organizations:ListPoliciesForTarget
organizations:ListRoots
organizations:ListTargetsForPolicy
route53domains:GetDomainDetail
s3:GetAccelerateConfiguration
s3:GetAccountPublicAccessBlock
s3:GetBucketAcl
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketObjectLockConfiguration
s3:GetBucketPolicy
s3:GetBucketPolicyStatus
s3:GetBucketPublicAccessBlock
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetEncryptionConfiguration
s3:GetLifecycleConfiguration
s3:ListBucket
3:ListAllMyBuckets
securityhub:GetEnabledStandards
securityhub:GetFindings
securityhub:GetInsightResults
securityhub:GetInsights
securityhub:GetMasterAccount
securityhub:GetMembers
securityhub:ListEnabledProductsForImport
securityhub:ListInvitations
securityhub:ListMembers
servicequotas:ListServiceQuotas
sagemaker:DescribeNotebookInstance
sagemaker:ListNotebookInstances
sagemaker:ListTags
sagemaker:DescribeDomain
sagemaker:ListDomains
sagemaker:ListModels
sagemaker:DescribeModel
sagemaker:ListEndpoints
sagemaker:DescribeEndpoint
sagemaker:ListImages
sagemaker:ListClusters
sagemaker:DescribeCluster
sagemaker:ListClusterNodes
sagemaker:DescribeClusterNode
sagemaker:DescribeImageVersion
secretsmanager:DescribeSecret
secretsmanager:ListSecrets
shield:DescribeSubscription
ssm:DescribeParameters
ssm:DescribeSessions
ssm:DescribeInstanceInformation
storagegateway:DescribeNFSFileShares
storagegateway:DescribeSMBFileShares
storagegateway:DescribeTapes
storagegateway:ListFileShares
storagegateway:ListTagsForResource
storagegateway:ListTapes
transfer:DescribeServer
transfer:ListServers
xray:GetEncryptionConfig
waf:GetWebACL
waf:ListWebACLs
wafv2:GetWebACL
wafv2:ListWebACLs
workspaces:DescribeTags
workspaces:DescribeWorkspaces
workspaces:DescribeWorkspacesConnectionStatus
support:DescribeSeverityLevels
support:DescribeTrustedAdvisorChecks
support:DescribeTrustedAdvisorCheckResult
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:RefreshTrustedAdvisorCheck
comprehend:ListKeyPhrasesDetectionJobs
comprehend:ListSentimentDetectionJobs
comprehend:ListTopicsDetectionJobs
comprehend:ListEntitiesDetectionJobs
comprehend:ListDocumentClassificationJobs
comprehend:ListDominantLanguageDetectionJobs
wellarchitected:ListWorkloads
wellarchitected:GetWorkload
ecs:DescribeTaskDefinition
ecs:ListTaskDefinitions
compute-optimizer:GetAutoScalingGroupRecommendations
compute-optimizer:GetEC2InstanceRecommendations
ecs:ListClusters
ecs:ListServices
ecs:DescribeServices
ecs:ListContainerInstances
ecs:DescribeContainerInstances
config:SelectResourceConfig
iam:GetAccountAuthorizationDetails
lambda:ListFunctionUrlConfigs
rds:DescribeDBParameterGroups
firehose:ListTagsForDeliveryStream
inspector:DescribeAssessmentTargets
inspector:DescribeResourceGroups
inspector:ListAssessmentTargets
inspector:PreviewAgents
macie2:GetClassificationExportConfiguration
macie2:GetFindingStatistics
macie2:ListClassificationJobs
securityhub:DescribeHub
ecs:DescribeClusters
ecs:ListTagsForResource
appflow:DescribeFlow
appflow:ListFlows
bedrock:ListAgents
bedrock:GetAgent
bedrock:ListGuardrails
bedrock:GetGuardrail
bedrock:ListCustomModels
bedrock:GetCustomModel
bedrock:ListFoundationModels
bedrock:ListTagsForResource
bedrock:ListDataSources
bedrock:GetDataSource
bedrock:ListKnowledgeBases
bedrock:GetKnowledgeBase
bedrock:ListAgentActionGroups
bedrock:GetAgentActionGroup
bedrock:ListAgentKnowledgeBases
bedrock:GetAgentKnowledgeBase
bedrock:ListImportedModels
bedrock:GetImportedModel
aoss:ListCollections
aoss:ListTagsForResource
elasticache:DescribeServerlessCaches
inspector2:ListFindings

Container Protection for Amazon ECS

Runtime Scanning:

sqs:SendMessage

This permission is required by Container Security to enable Runtime Vulnerability Scanning on Amazon ECS clusters.

This permission allows Runtime Scanning to send an SQS message, which triggers vulnerability scans on the running container images.

Runtime Security:

ecs:DescribeServices
ecs:DeleteService
ecs:UpdateService
ecs:CreateService
ecs:TagResource
ecs:UntagResource
ssm:PutParameter
ssm:DeleteParameters
ssm:AddTagsToResource
ssm:RemoveTagsFromResource
iam:PassRole

These permissions are required by Container Security to enable Runtime Security on Amazon ECS clusters.

These permissions allow Runtime Security to:

perform create/read/update/delete actions on trendmicro-scout services, which run in ECS to provide runtime security.
perform create/read/update/delete actions on SSM parameters with V1CS/* in the name to manage API keys, regional Trend Vision One Container Security domain names, and proxy settings.
allow the trendmicro-scout ECS service to run (iam:PassRole).

ECS Response:

ecs:StopTask

This permission is required by Container Security to enable container response actions on Amazon ECS Clusters.

The Response Management app uses the ecs:StopTask permission to allow you to stop any tasks in your clusters. This feature is available in Workflow and Automation → Response Management.

For more information, see Container response actions (Isolate/Resume, Terminate).

Agentless Vulnerability & Threat Detection

AppConfig Management Actions:

appconfig:CreateApplication
appconfig:CreateConfigurationProfile
appconfig:CreateDeploymentStrategy
appconfig:CreateEnvironment
appconfig:CreateHostedConfigurationVersion
appconfig:StartDeployment
appconfig:StopDeployment
appconfig:GetApplication
appconfig:GetConfigurationProfile
appconfig:GetDeployment
appconfig:GetEnvironment
appconfig:GetHostedConfigurationVersion
appconfig:GetLatestConfiguration
appconfig:ListHostedConfigurationVersions
appconfig:ListTagsForResource
appconfig:DeleteApplication
appconfig:DeleteConfigurationProfile
appconfig:DeleteDeploymentStrategy
appconfig:DeleteEnvironment
appconfig:DeleteHostedConfigurationVersion
appconfig:TagResource
appconfig:StartConfigurationSession
appconfig:UntagResource
appconfig:UpdateApplication
appconfig:UpdateDeploymentStrategy
appconfig:UpdateConfigurationProfile
appconfig:UpdateEnvironment

Agentless Vulnerability & Threat Detection is a serverless function enabled in your connected cloud accounts. The function scans supported cloud resources for vulnerabilities and malware without impact to other resources or running applications.

CloudFormation Operations:

cloudformation:CancelUpdateStack
cloudformation:ContinueUpdateRollback
cloudformation:CreateChangeSet
cloudformation:CreateStack
cloudformation:DeleteChangeSet
cloudformation:DeleteStack
cloudformation:ExecuteChangeSet
cloudformation:RecordHandlerProgress
cloudformation:RollbackStack
cloudformation:SignalResource
cloudformation:UpdateStack
cloudformation:TagResource
cloudformation:DescribeStacks
cloudformation:DescribeStackEvents
cloudformation:DescribeStackResource
cloudformation:ListStackResources
cloudformation:UntagResource

Lambda Function Management:

lambda:ListFunctions
lambda:ListTags
lambda:UpdateFunctionCode
lambda:UpdateFunctionConfiguration
lambda:CreateFunction
lambda:TagResource
lambda:DeleteFunction
lambda:GetFunction
lambda:GetFunctionCodeSigningConfig
lambda:GetFunctionConfiguration
lambda:AddPermission
lambda:RemovePermission
lambda:InvokeFunction
lambda:UntagResource
lambda:DeleteLayerVersion
lambda:PublishLayerVersion
lambda:GetLayerVersion
lambda:CreateEventSourceMapping
lambda:GetEventSourceMapping
lambda:DeleteEventSourceMapping
lambda:UpdateEventSourceMapping

Storage Operations Actions:

s3:GetObject
s3:DeleteObject
s3:DeleteObjectVersion
s3:GetObjectVersion
s3:ListBucket
s3:ListBucketVersions
s3:PutLifecycleConfiguration
s3:GetObjectTagging
s3:PutObject
s3:PutObjectTagging
s3:GetBucketNotification
s3:PutBucketNotification
s3:GetBucketLocation

Messaging and Queueing Actions:

sqs:SetQueueAttributes
sqs:GetQueueUrl
sqs:GetQueueAttributes
sqs:DeleteQueue
sqs:CreateQueue
sqs:TagQueue
sqs:ReceiveMessage
sqs:DeleteMessage
sqs:SendMessage
sqs:UntagQueue

Secrets and Parameters Actions:

secretsmanager:DeleteSecret
secretsmanager:DescribeSecret
secretsmanager:ReplicateSecretToRegions
secretsmanager:RemoveRegionsFromReplication
secretsmanager:CreateSecret
secretsmanager:PutSecretValue
secretsmanager:GetSecretValue
secretsmanager:UpdateSecret
secretsmanager:UpdateSecretVersionStage
secretsmanager:TagResource
secretsmanager:UntagResource
ssm:AddTagsToResource
ssm:DeleteParameter
ssm:GetParameter
ssm:GetParameters
ssm:RemoveTagsFromResource
ssm:PutParameter

Logging and Monitoring Actions:

logs:DeleteLogGroup
logs:CreateLogStream
logs:PutLogEvents
logs:PutRetentionPolicy
logs:StartQuery
logs:TagResource
logs:ListTagsForResource
logs:UntagResource
logs:GetQueryResults
logs:DescribeLogGroups
cloudwatch:PutMetricData
cloudwatch:GetMetricStatistics

Resource Scanning Capabilities Actions:

ebs:ListSnapshotBlocks
ebs:GetSnapshotBlock
ec2:CreateTags
ec2:DeleteSnapshot
ec2:DeleteTags
ec2:CreateSnapshot
ec2:DescribeVolumes
ec2:DescribeSnapshots
ec2:DescribeInstances
ec2:DescribeImages
ecr:DescribeImages
ecr:DescribeRepositories
ecr:BatchGetImage
ecr:GetDownloadUrlForLayer
ec2:DescribeFlowLogs
ec2:DescribeVpcs

State Machine Operations Actions:

states:CreateStateMachine
states:TagResource
states:DescribeStateMachine
states:DeleteStateMachine
states:UpdateStateMachine
states:UntagResource
states:StartExecution
states:ListExecutions

Events and Scheduling Actions:

events:PutRule
events:RemoveTargets
events:DescribeRule
events:DeleteRule
events:ListTargetsByRule
events:PutTargets

Cost Management Actions:

ce:GetCostAndUsage

IAM Role Management Actions:

iam:PassRole
iam:GetRole

Cloud Detections for AWS CloudTrail

lambda:ListTags

Collect CloudTrail files in an S3 bucket and forward them to gain insights into user actions and resource activities within this AWS account.

Cloud Detections for VPC Flow Logs

AppConfig Management Actions:

appconfig:CreateApplication
appconfig:CreateConfigurationProfile
appconfig:CreateDeploymentStrategy
appconfig:CreateEnvironment
appconfig:CreateHostedConfigurationVersion
appconfig:StartDeployment
appconfig:StopDeployment
appconfig:GetApplication
appconfig:GetConfigurationProfile
appconfig:GetDeployment
appconfig:GetEnvironment
appconfig:GetHostedConfigurationVersion
appconfig:GetLatestConfiguration
appconfig:ListHostedConfigurationVersions
appconfig:ListTagsForResource
appconfig:DeleteApplication
appconfig:DeleteConfigurationProfile
appconfig:DeleteDeploymentStrategy
appconfig:DeleteEnvironment
appconfig:DeleteHostedConfigurationVersion
appconfig:TagResource
appconfig:StartConfigurationSession
appconfig:UntagResource
appconfig:UpdateApplication
appconfig:UpdateDeploymentStrategy
appconfig:UpdateConfigurationProfile
appconfig:UpdateEnvironment

AWS VPC Flow Logs integration allows Trend Vision One to access and monitor your AWS VPC Flow Logs to detected potential threats.

CloudFormation Operations:

cloudformation:CancelUpdateStack
cloudformation:ContinueUpdateRollback
cloudformation:CreateChangeSet
cloudformation:CreateStack
cloudformation:DeleteChangeSet
cloudformation:DeleteStack
cloudformation:ExecuteChangeSet
cloudformation:RecordHandlerProgress
cloudformation:RollbackStack
cloudformation:SignalResource
cloudformation:UpdateStack
cloudformation:TagResource
cloudformation:DescribeStacks
cloudformation:DescribeStackEvents
cloudformation:DescribeStackResource
cloudformation:ListStackResources
cloudformation:UntagResource

Lambda Function Management:

lambda:ListFunctions
lambda:ListTags
lambda:UpdateFunctionCode
lambda:UpdateFunctionConfiguration
lambda:CreateFunction
lambda:TagResource
lambda:DeleteFunction
lambda:GetFunction
lambda:GetFunctionCodeSigningConfig
lambda:GetFunctionConfiguration
lambda:AddPermission
lambda:RemovePermission
lambda:InvokeFunction
lambda:UntagResource
lambda:DeleteLayerVersion
lambda:PublishLayerVersion
lambda:GetLayerVersion
lambda:CreateEventSourceMapping
lambda:GetEventSourceMapping
lambda:DeleteEventSourceMapping
lambda:UpdateEventSourceMapping

Storage Operations Actions:

s3:GetObject
s3:DeleteObject
s3:DeleteObjectVersion
s3:GetObjectVersion
s3:ListBucket
s3:ListBucketVersions
s3:PutLifecycleConfiguration
s3:GetObjectTagging
s3:PutObject
s3:PutObjectTagging
s3:GetBucketNotification
s3:PutBucketNotification
s3:GetBucketLocation

Messaging and Queueing Actions:

sqs:SetQueueAttributes
sqs:GetQueueUrl
sqs:GetQueueAttributes
sqs:DeleteQueue
sqs:CreateQueue
sqs:TagQueue
sqs:ReceiveMessage
sqs:DeleteMessage
sqs:SendMessage
sqs:UntagQueue

Secrets and Parameters Actions:

secretsmanager:DeleteSecret
secretsmanager:DescribeSecret
secretsmanager:ReplicateSecretToRegions
secretsmanager:RemoveRegionsFromReplication
secretsmanager:CreateSecret
secretsmanager:PutSecretValue
secretsmanager:GetSecretValue
secretsmanager:UpdateSecret
secretsmanager:UpdateSecretVersionStage
secretsmanager:TagResource
secretsmanager:UntagResource
ssm:AddTagsToResource
ssm:DeleteParameter
ssm:GetParameter
ssm:GetParameters
ssm:RemoveTagsFromResource
ssm:PutParameter

Logging and Monitoring Actions:

logs:DeleteLogGroup
logs:CreateLogStream
logs:PutLogEvents
logs:PutRetentionPolicy
logs:StartQuery
logs:TagResource
logs:ListTagsForResource
logs:UntagResource
logs:GetQueryResults
logs:DescribeLogGroups
cloudwatch:PutMetricData
cloudwatch:GetMetricStatistics

VPC and Network Monitoring Actions:

ec2:DescribeFlowLogs
ec2:DescribeVpcs

Events and Scheduling Actions:

events:PutRule
events:RemoveTargets
events:DescribeRule
events:DeleteRule
events:ListTargetsByRule
events:PutTargets

Cost Management Actions:

ce:GetCostAndUsage

IAM Role Management Actions:

iam:PassRole
iam:GetRole
iam:TagRole

Cloud Detections for Amazon Security Lake

ssm:PutParameter
lambda:InvokeFunction

These permissions enable Security Lake to forward and analyze logs, providing insights into [PersonType] actions and resource activities in the AWS account.

Cloud Response for AWS

iam:GetPolicy
iam:AttachGroupPolicy
iam:AttachUserPolicy
iam:AttachRolePolicy
iam:CreatePolicy

Cloud Response for AWS these permissions to take response actions to contain incidents within your cloud account, such as revoking access for suspicious IAM users.

Note

These permissions are also required by Core Features.

File Security Storage

cloudformation:DescribeStackResources
cloudformation:DescribeStacks
cloudformation:ListStackInstances
cloudformation:ListStacks
lambda:GetFunctionConfiguration
s3:GetBucketLocation
s3:GetBucketNotification
s3:GetObject
s3:ListAllMyBuckets
s3:ListBucket
sqs:GetQueueAttributes
ssm:GetParameter
ssm:GetParameters
lambda:GetLayerVersion

These permissions are required for File Security Storage to perform anti-malware scanning on files in cloud storage services.

When a user or program uploads a file to a designated cloud storage container, File Security Storage performs a scan.

Note

The scan is performed only on the added file, not on existing resources in the storage container.

Data Security Posture

ssm:GetParametersByPath
account:ListRegions
macie2:GetMacieSession
macie2:GetAutomatedDiscoveryConfiguration
macie2:DescribeBuckets
macie2:GetResourceProfile
macie2:ListResourceProfileDetections
lambda:ListTags

These permissions are required by Data Security Posture to monitor your AWS cloud assets for sensitive data.