AWSアカウントに必要な権限 · Customer Self-Service

ビュー:

リソースをデプロイするために必要な権限と、AWSアカウントをTrend Vision Oneに接続する際に付与される権限を確認してください。

AWSに必要な権限

機能

必要な権限

説明

主な機能

iam:GetRole
iam:GetRolePolicy
iam:ListAccountAliases
iam:ListRolePolicies
iam:ListRoleTags
iam:ListRoles iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion cloudformation:GetTemplate
cloudformation:ListStackResources
cloudformation:ListStackInstances
ssm:PutParameter

これらの権限はAWSクラウドアカウントをTrend Vision Oneに接続するために必要です。

Server & Workload Protection

ec2:DescribeImages
ec2:DescribeInstances
ec2:DescribeRegions
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeVpcs
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
workspaces:DescribeWorkspaces
workspaces:DescribeWorkspaceDirectories
workspaces:DescribeWorkspaceBundles
workspaces:DescribeTags
iam:ListAccountAliases
iam:GetRole
iam:GetRolePolicy

これらの権限は、Server & Workload ProtectionでAmazon AWS EC2およびWorkspaceインスタンスを表示するために必要です。

詳細については、Server & Workload Protectionを参照してください。

Cloud Security Posture (コア機能に含まれています)

acm:DescribeCertificate
acm:ListCertificates
acm:ListTagsForCertificate
apigateway:GET
autoscaling:DescribeAccountLimits
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeAutoScalingInstances
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeLoadBalancerTargetGroups
autoscaling:DescribeLoadBalancers
autoscaling:DescribeNotificationConfigurations
autoscaling:DescribeTags
cloudformation:DescribeAccountLimits
cloudformation:DescribeStackDriftDetectionStatus
cloudformation:DescribeStacks
cloudformation:DetectStackDrift
cloudformation:GetStackPolicy
cloudformation:ListStacks
cloudfront:GetDistribution
cloudfront:ListTagsForResource
cloudfront:ListDistributions
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:GetEventSelectors
cloudtrail:ListTags
cloudwatch:DescribeAlarms
cloudwatch:DescribeAlarmsForMetric
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData
cloudwatch:ListMetrics
config:DescribeComplianceByConfigRule
config:DescribeConfigRules
config:DescribeConfigurationRecorderStatus
config:DescribeConfigurationRecorders
config:DescribeDeliveryChannelStatus
config:DescribeDeliveryChannels
config:GetComplianceDetailsByConfigRule
config:GetResourceConfigHistory
config:ListTagsForResource
dynamodb:DescribeContinuousBackups
dynamodb:DescribeLimits
dynamodb:DescribeTable
dynamodb:ListBackups
dynamodb:ListTables
dynamodb:ListTagsOfResource
ec2:DescribeAccountAttributes
ec2:DescribeAddresses
ec2:DescribeEgressOnlyInternetGateways
ec2:DescribeFlowLogs
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstanceStatus
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces
ec2:DescribeReservedInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroupReferences
ec2:DescribeSecurityGroups
ec2:DescribeSnapshots
ec2:DescribeSnapshotAttribute
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeTransitGatewayPeeringAttachments
ec2:SearchTransitGatewayRoutes
ec2:DescribeTransitGatewayRouteTables
ec2:DescribeTransitGateways
ec2:DescribeTransitGatewayAttachments
ec2:DescribeVolumes
ec2:DescribeVpcAttribute
ec2:DescribeVpcEndpoints
ec2:DescribeVpcEndpointConnections
ec2:DescribeVpcEndpointServices
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ec2:GetEbsEncryptionByDefault
elasticfilesystem:DescribeFileSystems
elasticfilesystem:DescribeTags
elasticmapreduce:DescribeCluster
elasticmapreduce:ListClusters
elasticmapreduce:ListInstances
elasticmapreduce:GetBlockPublicAccessConfiguration
es:DescribeElasticsearchDomain
es:DescribeElasticsearchDomainConfig
es:DescribeElasticsearchDomains
es:DescribeElasticsearchInstanceTypeLimits
es:DescribeReservedElasticsearchInstanceOfferings
es:DescribeReservedElasticsearchInstances
es:ListDomainNames
es:ListElasticsearchInstanceTypes
es:ListElasticsearchVersions
es:ListTags
elasticache:DescribeCacheClusters
elasticache:DescribeReplicationGroups
elasticache:DescribeReservedCacheNodes
elasticache:ListTagsForResource
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeTargetHealth
iam:GenerateCredentialReport
elasticloadbalancing:DescribeRules
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetGroup
iam:GetGroupPolicy
iam:GetLoginProfile
iam:GetOpenIDConnectProvider
iam:GetPolicy
iam:GetPolicyVersion
iam:GetRole
iam:GetRolePolicy
iam:GetSAMLProvider
iam:GetServerCertificate
iam:GetUser
iam:GetUserPolicy
iam:ListAccessKeys
iam:ListAccountAliases
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListEntitiesForPolicy
iam:ListGroupPolicies
iam:ListGroups
iam:ListInstanceProfiles
iam:ListInstanceProfilesForRole
iam:ListMFADevices
iam:ListOpenIDConnectProviders
iam:ListPolicies
iam:ListPolicyTags
iam:ListPolicyVersions
iam:ListRolePolicies
iam:ListRoleTags
iam:ListRoles
iam:ListSAMLProviders
iam:ListSSHPublicKeys
iam:ListServerCertificates
iam:ListUserPolicies
iam:ListUserTags
iam:ListUsers
iam:ListVirtualMFADevices
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListGrants
kms:ListKeyPolicies
kms:ListKeys
kms:ListResourceTags
lambda:GetAccountSettings
lambda:GetFunction
lambda:GetFunctionConfiguration
lambda:GetPolicy
lambda:ListEventSourceMappings
lambda:ListFunctions
lambda:ListTags
lambda:ListLayers
logs:DescribeLogGroups
logs:DescribeMetricFilters
rds:DescribeAccountAttributes
rds:DescribeDBClusters
rds:DescribeDBClusterParameters
rds:DescribeDBClusterParameterGroups
rds:DescribeDBInstances
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
rds:DescribeDBParameters
rds:DescribeEvents
rds:DescribeEventSubscriptions
rds:DescribeReservedDBInstances
rds:ListTagsForResource
redshift:DescribeClusterParameterGroups
redshift:DescribeClusterParameters
redshift:DescribeClusters
redshift:DescribeLoggingStatus
redshift:DescribeReservedNodes
redshift:DescribeTags
route53:GetDNSSEC
route53:GetGeoLocation
route53:ListHostedZones
route53:ListResourceRecordSets
route53:ListTagsForResource
route53domains:ListDomains
route53domains:ListTagsForDomain
ses:GetIdentityDkimAttributes
ses:GetIdentityPolicies
ses:GetIdentityVerificationAttributes
ses:ListIdentities
ses:ListIdentityPolicies
sns:GetTopicAttributes
sns:ListTopics
sns:ListSubscriptionsByTopic
sns:ListTagsForResource
sqs:GetQueueAttributes
sqs:ListQueues
sqs:ListQueueTags
tag:GetResources
tag:GetTagKeys
tag:GetTagValues
access-analyzer:ListAnalyzers
access-analyzer:ListFindings
application-autoscaling:DescribeScalableTargets
application-autoscaling:DescribeScalingActivities
application-autoscaling:DescribeScalingPolicies
application-autoscaling:DescribeScheduledActions
athena:GetQueryExecution
athena:ListQueryExecutions
athena:ListTagsForResource
backup:DescribeBackupVault
backup:ListBackupVaults
backup:ListRecoveryPointsByResource
backup:GetBackupVaultAccessPolicy
ce:GetAnomalies
ce:GetAnomalyMonitors
dax:DescribeClusters
dax:ListTags
dms:DescribeReplicationInstances
dms:ListTagsForResource
ds:DescribeDirectories
ds:ListTagsForResource
elasticbeanstalk:DescribeConfigurationSettings
elasticbeanstalk:DescribeEnvironments
ecr:DescribeRepositories
ecr:GetRepositoryPolicy
ecr:GetLifecyclePolicy
ecr:DescribeImages
eks:DescribeCluster
eks:ListClusters
events:DescribeEventBus
events:ListRules
events:DescribeRule
firehose:DescribeDeliveryStream
firehose:ListDeliveryStreams
kafka:DescribeCluster
kafka:ListClusters
kafka:ListNodes
mq:DescribeBroker
mq:ListBrokers
glue:GetDataCatalogEncryptionSettings
glue:GetSecurityConfiguration
glue:GetSecurityConfigurations
glue:GetDatabases
guardduty:GetDetector
guardduty:GetFindings
guardduty:ListDetectors
guardduty:ListFindings
health:DescribeAffectedEntities
health:DescribeEventDetails
health:DescribeEvents
inspector:DescribeFindings
inspector:DescribeAssessmentRuns
inspector:DescribeAssessmentTemplates
inspector:DescribeExclusions
inspector:ListFindings
inspector:ListAssessmentRuns
inspector:ListAssessmentTemplates
inspector:ListExclusions
kinesis:DescribeStream
kinesis:ListStreams
kinesis:ListTagsForStream
organizations:DescribeAccount
organizations:DescribeCreateAccountStatus
organizations:DescribeHandshake
organizations:DescribeOrganization
organizations:DescribeOrganizationalUnit
organizations:DescribePolicy
organizations:ListAWSServiceAccessForOrganization
organizations:ListAccounts
organizations:ListAccountsForParent
organizations:ListChildren
organizations:ListCreateAccountStatus
organizations:ListHandshakesForAccount
organizations:ListHandshakesForOrganization
organizations:ListOrganizationalUnitsForParent
organizations:ListParents
organizations:ListPolicies
organizations:ListPoliciesForTarget
organizations:ListRoots
organizations:ListTargetsForPolicy
route53domains:GetDomainDetail
s3:GetAccelerateConfiguration
s3:GetAccountPublicAccessBlock
s3:GetBucketAcl
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketObjectLockConfiguration
s3:GetBucketPolicy
s3:GetBucketPolicyStatus
s3:GetBucketPublicAccessBlock
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetEncryptionConfiguration
s3:GetLifecycleConfiguration
s3:ListBucket
3:ListAllMyBuckets
securityhub:GetEnabledStandards
securityhub:GetFindings
securityhub:GetInsightResults
securityhub:GetInsights
securityhub:GetMasterAccount
securityhub:GetMembers
securityhub:ListEnabledProductsForImport
securityhub:ListInvitations
securityhub:ListMembers
servicequotas:ListServiceQuotas
sagemaker:DescribeNotebookInstance
sagemaker:ListNotebookInstances
sagemaker:ListTags
sagemaker:DescribeDomain
sagemaker:ListDomains
sagemaker:ListModels
sagemaker:DescribeModel
sagemaker:ListEndpoints
sagemaker:DescribeEndpoint
sagemaker:ListImages
sagemaker:ListClusters
sagemaker:DescribeCluster
sagemaker:ListClusterNodes
sagemaker:DescribeClusterNode
sagemaker:DescribeImageVersion
secretsmanager:DescribeSecret
secretsmanager:ListSecrets
shield:DescribeSubscription
ssm:DescribeParameters
ssm:DescribeSessions
ssm:DescribeInstanceInformation
storagegateway:DescribeNFSFileShares
storagegateway:DescribeSMBFileShares
storagegateway:DescribeTapes
storagegateway:ListFileShares
storagegateway:ListTagsForResource
storagegateway:ListTapes
transfer:DescribeServer
transfer:ListServers
xray:GetEncryptionConfig
waf:GetWebACL
waf:ListWebACLs
wafv2:GetWebACL
wafv2:ListWebACLs
workspaces:DescribeTags
workspaces:DescribeWorkspaces
workspaces:DescribeWorkspacesConnectionStatus
support:DescribeSeverityLevels
support:DescribeTrustedAdvisorChecks
support:DescribeTrustedAdvisorCheckResult
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:RefreshTrustedAdvisorCheck
comprehend:ListKeyPhrasesDetectionJobs
comprehend:ListSentimentDetectionJobs
comprehend:ListTopicsDetectionJobs
comprehend:ListEntitiesDetectionJobs
comprehend:ListDocumentClassificationJobs
comprehend:ListDominantLanguageDetectionJobs
wellarchitected:ListWorkloads
wellarchitected:GetWorkload
ecs:DescribeTaskDefinition
ecs:ListTaskDefinitions
compute-optimizer:GetAutoScalingGroupRecommendations
compute-optimizer:GetEC2InstanceRecommendations
ecs:ListClusters
ecs:ListServices
ecs:DescribeServices
ecs:ListContainerInstances
ecs:DescribeContainerInstances
config:SelectResourceConfig
iam:GetAccountAuthorizationDetails
lambda:ListFunctionUrlConfigs
rds:DescribeDBParameterGroups
firehose:ListTagsForDeliveryStream
inspector:DescribeAssessmentTargets
inspector:DescribeResourceGroups
inspector:ListAssessmentTargets
inspector:PreviewAgents
macie2:GetClassificationExportConfiguration
macie2:GetFindingStatistics
macie2:ListClassificationJobs
securityhub:DescribeHub
ecs:DescribeClusters
ecs:ListTagsForResource
appflow:DescribeFlow
appflow:ListFlows
bedrock:ListAgents
bedrock:GetAgent
bedrock:ListGuardrails
bedrock:GetGuardrail
bedrock:ListCustomModels
bedrock:GetCustomModel
bedrock:ListFoundationModels
bedrock:ListTagsForResource
bedrock:ListDataSources
bedrock:GetDataSource
bedrock:ListKnowledgeBases
bedrock:GetKnowledgeBase
bedrock:ListAgentActionGroups
bedrock:GetAgentActionGroup
bedrock:ListAgentKnowledgeBases
bedrock:GetAgentKnowledgeBase
bedrock:ListImportedModels
bedrock:GetImportedModel
aoss:ListCollections
aoss:ListTagsForResource
elasticache:DescribeServerlessCaches
inspector2:ListFindings

Amazon ECSのコンテナ保護

ランタイム検索:

sqs:SendMessage

この権限は、Container SecurityがAmazon ECSクラスターでランタイム脆弱性スキャンを有効にするために必要です。

この権限により、Runtime ScanningがSQSメッセージを送信し、実行中のコンテナイメージに対する脆弱性検索をトリガーします。

ランタイムセキュリティ:

ecs:DescribeServices
ecs:DeleteService
ecs:UpdateService
ecs:CreateService
ecs:TagResource
ecs:UntagResource
ssm:PutParameter
ssm:DeleteParameters
ssm:AddTagsToResource
ssm:RemoveTagsFromResource
iam:PassRole

これらの権限は、Amazon ECSクラスターでRuntime Securityを有効にするためにContainer Securityによって必要とされます。

これらの権限により、ランタイムセキュリティは次のことが可能になります:

trendmicro-scoutサービスでcreate/read/update/deleteアクションを実行し、ECSで実行してランタイムセキュリティを提供します。
SSMパラメータに対してcreate/read/update/deleteアクションを実行し、名前にV1CS/*を含めてAPIキー、地域のTrend Vision One Container Securityドメイン名、およびプロキシの設定を管理します。
trendmicro-scout ECSサービスの実行を許可する (iam:PassRole)。

ECS対応:

ecs:StopTask

この権限は、Container SecurityがAmazon ECSクラスターでコンテナの対応処理を有効にするために必要です。

Response Managementアプリは、ecs:StopTask権限を使用して、クラスター内のタスクを停止することができます。この機能はWorkflow and Automation → Response Managementで利用可能です。

詳細については、コンテナの対応処理(Isolate/Resume、Terminate)を参照してください。

エージェントレスによる脆弱性と脅威の検出

AppConfig管理アクション:

appconfig:CreateApplication
appconfig:CreateConfigurationProfile
appconfig:CreateDeploymentStrategy
appconfig:CreateEnvironment
appconfig:CreateHostedConfigurationVersion
appconfig:StartDeployment
appconfig:StopDeployment
appconfig:GetApplication
appconfig:GetConfigurationProfile
appconfig:GetDeployment
appconfig:GetEnvironment
appconfig:GetHostedConfigurationVersion
appconfig:GetLatestConfiguration
appconfig:ListHostedConfigurationVersions
appconfig:ListTagsForResource
appconfig:DeleteApplication
appconfig:DeleteConfigurationProfile
appconfig:DeleteDeploymentStrategy
appconfig:DeleteEnvironment
appconfig:DeleteHostedConfigurationVersion
appconfig:TagResource
appconfig:StartConfigurationSession
appconfig:UntagResource
appconfig:UpdateApplication
appconfig:UpdateDeploymentStrategy
appconfig:UpdateConfigurationProfile
appconfig:UpdateEnvironment

エージェントレスによる脆弱性と脅威の検出は、接続されたクラウドアカウントで有効化されたサーバーレス機能です。この機能は、他のリソースや実行中のアプリケーションに影響を与えることなく、サポートされているクラウドリソースを脆弱性や不正プログラムのために検索します。

CloudFormationオペレーション:

cloudformation:CancelUpdateStack
cloudformation:ContinueUpdateRollback
cloudformation:CreateChangeSet
cloudformation:CreateStack
cloudformation:DeleteChangeSet
cloudformation:DeleteStack
cloudformation:ExecuteChangeSet
cloudformation:RecordHandlerProgress
cloudformation:RollbackStack
cloudformation:SignalResource
cloudformation:UpdateStack
cloudformation:TagResource
cloudformation:DescribeStacks
cloudformation:DescribeStackEvents
cloudformation:DescribeStackResource
cloudformation:ListStackResources
cloudformation:UntagResource

Lambda関数管理:

lambda:ListFunctions
lambda:ListTags
lambda:UpdateFunctionCode
lambda:UpdateFunctionConfiguration
lambda:CreateFunction
lambda:TagResource
lambda:DeleteFunction
lambda:GetFunction
lambda:GetFunctionCodeSigningConfig
lambda:GetFunctionConfiguration
lambda:AddPermission
lambda:RemovePermission
lambda:InvokeFunction
lambda:UntagResource
lambda:DeleteLayerVersion
lambda:PublishLayerVersion
lambda:GetLayerVersion
lambda:CreateEventSourceMapping
lambda:GetEventSourceMapping
lambda:DeleteEventSourceMapping
lambda:UpdateEventSourceMapping

ストレージ操作アクション:

s3:GetObject
s3:DeleteObject
s3:DeleteObjectVersion
s3:GetObjectVersion
s3:ListBucket
s3:ListBucketVersions
s3:PutLifecycleConfiguration
s3:GetObjectTagging
s3:PutObject
s3:PutObjectTagging
s3:GetBucketNotification
s3:PutBucketNotification
s3:GetBucketLocation

メッセージングとキューイングのアクション:

sqs:SetQueueAttributes
sqs:GetQueueUrl
sqs:GetQueueAttributes
sqs:DeleteQueue
sqs:CreateQueue
sqs:TagQueue
sqs:ReceiveMessage
sqs:DeleteMessage
sqs:SendMessage
sqs:UntagQueue

シークレットとパラメータのアクション:

secretsmanager:DeleteSecret
secretsmanager:DescribeSecret
secretsmanager:ReplicateSecretToRegions
secretsmanager:RemoveRegionsFromReplication
secretsmanager:CreateSecret
secretsmanager:PutSecretValue
secretsmanager:GetSecretValue
secretsmanager:UpdateSecret
secretsmanager:UpdateSecretVersionStage
secretsmanager:TagResource
secretsmanager:UntagResource
ssm:AddTagsToResource
ssm:DeleteParameter
ssm:GetParameter
ssm:GetParameters
ssm:RemoveTagsFromResource
ssm:PutParameter

ログとモニタリングのアクション:

logs:DeleteLogGroup
logs:CreateLogStream
logs:PutLogEvents
logs:PutRetentionPolicy
logs:StartQuery
logs:TagResource
logs:ListTagsForResource
logs:UntagResource
logs:GetQueryResults
logs:DescribeLogGroups
cloudwatch:PutMetricData
cloudwatch:GetMetricStatistics

リソーススキャン機能のアクション:

ebs:ListSnapshotBlocks
ebs:GetSnapshotBlock
ec2:CreateTags
ec2:DeleteSnapshot
ec2:DeleteTags
ec2:CreateSnapshot
ec2:DescribeVolumes
ec2:DescribeSnapshots
ec2:DescribeInstances
ec2:DescribeImages
ecr:DescribeImages
ecr:DescribeRepositories
ecr:BatchGetImage
ecr:GetDownloadUrlForLayer
ec2:DescribeFlowLogs
ec2:DescribeVpcs

ステートマシン操作アクション:

states:CreateStateMachine
states:TagResource
states:DescribeStateMachine
states:DeleteStateMachine
states:UpdateStateMachine
states:UntagResource
states:StartExecution
states:ListExecutions

イベントとスケジュールアクション:

events:PutRule
events:RemoveTargets
events:DescribeRule
events:DeleteRule
events:ListTargetsByRule
events:PutTargets

コスト管理アクション:

ce:GetCostAndUsage

IAMロール管理アクション:

iam:PassRole
iam:GetRole

AWS CloudTrailのクラウド検出

lambda:ListTags

S3バケットにCloudTrailファイルを収集し、このAWSアカウント内のユーザのアクションとリソースの活動に関する洞察を得るために転送します。

VPCフローログのクラウド検出

AppConfig管理アクション:

appconfig:CreateApplication
appconfig:CreateConfigurationProfile
appconfig:CreateDeploymentStrategy
appconfig:CreateEnvironment
appconfig:CreateHostedConfigurationVersion
appconfig:StartDeployment
appconfig:StopDeployment
appconfig:GetApplication
appconfig:GetConfigurationProfile
appconfig:GetDeployment
appconfig:GetEnvironment
appconfig:GetHostedConfigurationVersion
appconfig:GetLatestConfiguration
appconfig:ListHostedConfigurationVersions
appconfig:ListTagsForResource
appconfig:DeleteApplication
appconfig:DeleteConfigurationProfile
appconfig:DeleteDeploymentStrategy
appconfig:DeleteEnvironment
appconfig:DeleteHostedConfigurationVersion
appconfig:TagResource
appconfig:StartConfigurationSession
appconfig:UntagResource
appconfig:UpdateApplication
appconfig:UpdateDeploymentStrategy
appconfig:UpdateConfigurationProfile
appconfig:UpdateEnvironment

AWS VPC Flow Logsの統合により、Trend Vision OneはAWS VPC Flow Logsにアクセスしてモニタし、潜在的な脅威を検出できます。

CloudFormationオペレーション:

cloudformation:CancelUpdateStack
cloudformation:ContinueUpdateRollback
cloudformation:CreateChangeSet
cloudformation:CreateStack
cloudformation:DeleteChangeSet
cloudformation:DeleteStack
cloudformation:ExecuteChangeSet
cloudformation:RecordHandlerProgress
cloudformation:RollbackStack
cloudformation:SignalResource
cloudformation:UpdateStack
cloudformation:TagResource
cloudformation:DescribeStacks
cloudformation:DescribeStackEvents
cloudformation:DescribeStackResource
cloudformation:ListStackResources
cloudformation:UntagResource

Lambda関数管理:

lambda:ListFunctions
lambda:ListTags
lambda:UpdateFunctionCode
lambda:UpdateFunctionConfiguration
lambda:CreateFunction
lambda:TagResource
lambda:DeleteFunction
lambda:GetFunction
lambda:GetFunctionCodeSigningConfig
lambda:GetFunctionConfiguration
lambda:AddPermission
lambda:RemovePermission
lambda:InvokeFunction
lambda:UntagResource
lambda:DeleteLayerVersion
lambda:PublishLayerVersion
lambda:GetLayerVersion
lambda:CreateEventSourceMapping
lambda:GetEventSourceMapping
lambda:DeleteEventSourceMapping
lambda:UpdateEventSourceMapping

ストレージ操作アクション:

s3:GetObject
s3:DeleteObject
s3:DeleteObjectVersion
s3:GetObjectVersion
s3:ListBucket
s3:ListBucketVersions
s3:PutLifecycleConfiguration
s3:GetObjectTagging
s3:PutObject
s3:PutObjectTagging
s3:GetBucketNotification
s3:PutBucketNotification
s3:GetBucketLocation

メッセージングとキューイングのアクション:

sqs:SetQueueAttributes
sqs:GetQueueUrl
sqs:GetQueueAttributes
sqs:DeleteQueue
sqs:CreateQueue
sqs:TagQueue
sqs:ReceiveMessage
sqs:DeleteMessage
sqs:SendMessage
sqs:UntagQueue

シークレットとパラメータのアクション:

secretsmanager:DeleteSecret
secretsmanager:DescribeSecret
secretsmanager:ReplicateSecretToRegions
secretsmanager:RemoveRegionsFromReplication
secretsmanager:CreateSecret
secretsmanager:PutSecretValue
secretsmanager:GetSecretValue
secretsmanager:UpdateSecret
secretsmanager:UpdateSecretVersionStage
secretsmanager:TagResource
secretsmanager:UntagResource
ssm:AddTagsToResource
ssm:DeleteParameter
ssm:GetParameter
ssm:GetParameters
ssm:RemoveTagsFromResource
ssm:PutParameter

ログとモニタリングのアクション:

logs:DeleteLogGroup
logs:CreateLogStream
logs:PutLogEvents
logs:PutRetentionPolicy
logs:StartQuery
logs:TagResource
logs:ListTagsForResource
logs:UntagResource
logs:GetQueryResults
logs:DescribeLogGroups
cloudwatch:PutMetricData
cloudwatch:GetMetricStatistics

VPCおよびネットワーク監視アクション:

ec2:DescribeFlowLogs
ec2:DescribeVpcs

イベントとスケジュールアクション:

events:PutRule
events:RemoveTargets
events:DescribeRule
events:DeleteRule
events:ListTargetsByRule
events:PutTargets

コスト管理アクション:

ce:GetCostAndUsage

IAMロール管理アクション:

iam:PassRole
iam:GetRole
iam:TagRole

Amazon Security Lakeのクラウド検出

ssm:PutParameter
lambda:InvokeFunction

これらの権限により、Security Lakeはログを転送および分析し、AWSアカウント内の[PersonType]のアクションとリソース活動に関する洞察を提供します。

AWSのクラウド対応

iam:GetPolicy
iam:AttachGroupPolicy
iam:AttachUserPolicy
iam:AttachRolePolicy
iam:CreatePolicy

AWSクラウドレスポンスは、クラウドアカウント内でインシデントを封じ込めるために、疑わしいIAMユーザのアクセスを取り消すなどの対応処理を行うためのこれらの権限を持っています。

注意

これらの権限はコア機能にも必要です。

File Security Storage

cloudformation:DescribeStackResources
cloudformation:DescribeStacks
cloudformation:ListStackInstances
cloudformation:ListStacks
lambda:GetFunctionConfiguration
s3:GetBucketLocation
s3:GetBucketNotification
s3:GetObject
s3:ListAllMyBuckets
s3:ListBucket
sqs:GetQueueAttributes
ssm:GetParameter
ssm:GetParameters
lambda:GetLayerVersion

これらの権限は、File Security Storageがクラウドストレージサービス内のファイルに対して不正プログラム対策スキャンを実行するために必要です。

ユーザまたはプログラムが指定されたクラウドストレージコンテナにファイルをアップロードすると、File Security Storageが検索を実行します。

注意

検索は追加されたファイルのみに対して実行され、ストレージコンテナ内の既存のリソースには実行されません。

Data Security Posture

ssm:GetParametersByPath
account:ListRegions
macie2:GetMacieSession
macie2:GetAutomatedDiscoveryConfiguration
macie2:DescribeBuckets
macie2:GetResourceProfile
macie2:ListResourceProfileDetections
lambda:ListTags

これらの権限は、Data Security PostureがAWSクラウドアセットをモニタして機密データを検出するために必要です。