AWS Permission and Resource Requirements

Several AWS permissions and resources must be created by the AWS CloudFormation stack in order to add an AWS account to FortiCNP.

List of permissions and resources created during CloudFormation:

  • FortiCNP S3 Bucket
  • FortiCNP Basic Permission Policy
  • FortiCNP AutoFix Permission Policy (Optional)
  • FortiCNP Notification Permission Policy (Optional)
  • FortiCNP External ID Permission Policy (Temporary)
  • FortiCNP Temporary Permission Policy (Temporary)
  • FortiCNP Organization Permission Policy (AWS Organization only)
  • FortiCNP Cloud Trail
  • FortiCNP IAM Role
  • EventBridgeIAMrole (Security Hub Integration)
  • EventRuleRegion1 (Security Hub Integration)

The FortiCNP S3 bucket is created and configured to store AWS CloudTrail logs. All permission policies are created and attached to the FortiCNP IAM Role.

The Basic Permission Policy and the Integration Policy are read-only AWS permissions that must be created for basic functionality and for the integration between FortiCNP and AWS.

The AutoFix Permission Policy and the Notification Permission Policy are optional permissions used to remediate security vulnerabilities and to send notifications via AWS SNS and AWS SQS.

The FortiCNP External ID Permission Policy and the FortiCNP Temporary Permission Policy are created only during CloudFormation and are removed after the AWS account has been successfully added to FortiCNP.

EventBridgeIAMrole is the AWS IAM role whose permission policy allows it to put Amazon Inspector and GuardDuty events onto FortiCNP's AWS event bus.

EventRuleRegion1 is the AWS account IAM role that creates the AWS Event Rule which shares Amazon Inspector and GuardDuty events with the FortiCNP AWS event bus.

Each type of AWS permission policy that is created is described in detail below.

Basic Permissions (required)

This permission list is mandatory for adding AWS accounts to FortiCNP. It includes permissions related to AWS S3, CloudTrail, CloudFormation, IAM user permissions and EC2.

Permission Detail

"acm:Describe*",
"acm:List*",
"appstream:Describe*",
"autoscaling:Describe*",
"cloudformation:DescribeStack*",
"cloudformation:GetTemplate",
"cloudformation:ListStack*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudsearch:Describe*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:EvaluateExpression",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"datapipeline:ValidatePipelineDefinition",
"dax:BatchGetItem",
"dax:ConditionCheckItem",
"dax:DescribeClusters",
"dax:DescribeDefaultParameters",
"dax:DescribeEvents",
"dax:DescribeParameterGroups",
"dax:DescribeParameters",
"dax:DescribeSubnetGroups",
"dax:GetItem",
"dax:ListTags",
"dax:Query",
"dax:Scan",
"directconnect:Describe*",
"ds:Describe*",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"ec2:GetTransitGatewayAttachmentPropagations",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:SearchTransitGatewayRoutes",
"ecs:Describe*",
"ecs:List*",
"eks:DescribeCluster",
"eks:DescribeUpdate",
"eks:ListClusters",
"eks:ListUpdates",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Describe*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:List*",
"es:Describe*",
"es:List*",
"glacier:GetVaultAccessPolicy",
"glacier:ListVaults",
"iam:GenerateCredentialReport",
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:GetPolicy",
"lambda:List*",
"logs:Describe*",
"logs:FilterLogEvents",
"logs:Get*",
"rds:Describe*",
"rds:DownloadDBLogFilePortion",
"rds:ListTagsForResource",
"redshift:Describe*",
"route53:GetAccountLimit",
"route53:GetChange",
"route53:GetCheckerIpRanges",
"route53:GetGeoLocation",
"route53:GetHealthCheck",
"route53:GetHealthCheckCount",
"route53:GetHealthCheckLastFailureReason",
"route53:GetHealthCheckStatus",
"route53:GetHostedZone",
"route53:GetHostedZoneCount",
"route53:GetHostedZoneLimit",
"route53:GetQueryLoggingConfig",
"route53:GetReusableDelegationSet",
"route53:GetReusableDelegationSetLimit",
"route53:GetTrafficPolicy",
"route53:GetTrafficPolicyInstance",
"route53:GetTrafficPolicyInstanceCount",
"route53:ListGeoLocations",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListQueryLoggingConfigs",
"route53:ListResourceRecordSets",
"route53:ListReusableDelegationSets",
"route53:ListTagsForResource",
"route53:ListTagsForResources",
"route53:ListTrafficPolicies",
"route53:ListTrafficPolicyInstances",
"route53:ListTrafficPolicyInstancesByHostedZone",
"route53:ListTrafficPolicyInstancesByPolicy",
"route53:ListTrafficPolicyVersions",
"route53:ListVPCAssociationAuthorizations",
"route53domains:CheckDomainAvailability",
"route53domains:GetContactReachabilityStatus",
"route53domains:GetDomainDetail",
"route53domains:GetDomainSuggestions",
"route53domains:GetOperationDetail",
"route53domains:ListDomains",
"route53domains:ListOperations",
"route53domains:ListTagsForDomain",
"s3:GetAccelerateConfiguration",
"s3:GetAccountPublicAccessBlock",
"s3:GetAnalyticsConfiguration",
"s3:GetBucket*",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"sdb:DomainMetadata",
"sdb:ListDomains",
"ses:Get*",
"ses:List*",
"tag:GetResources",
"tag:GetTagKeys",
"waf:Get*",
"waf:List*",
"workspaces:Describe*"

AutoFix Permissions (optional)

This permission list includes the minimum write permissions on AWS resources such as EC2, S3, IAM, etc. that AutoFix needs in order to remediate security vulnerabilities.

Permission Detail

"cloudfront:UpdateDistribution",
"cloudtrail:StartLogging",
"cloudtrail:UpdateTrail",
"ec2:ModifySnapshotAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"iam:UpdateAccountPasswordPolicy",
"kms:CancelKeyDeletion",
"kms:EnableKeyRotation",
"rds:ModifyDBInstance",
"redshift:ModifyCluster",
"redshift:ModifyClusterParameterGroup",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"

Notification Permissions (optional)

These permissions are required for FortiCNP to send notifications. They cover SQS (Simple Queue Service) and SNS (Simple Notification Service).

Permission Detail

"sns:CheckIfPhoneNumberIsOptedOut",
"sns:GetEndpointAttributes",
"sns:GetPlatformApplicationAttributes",
"sns:GetSMSAttributes",
"sns:GetSMSSandboxAccountStatus",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListEndpointsByPlatformApplication",
"sns:ListOriginationNumbers",
"sns:ListPhoneNumbersOptedOut",
"sns:ListPlatformApplications",
"sns:ListSMSSandboxPhoneNumbers",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sns:publish",
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:SendMessageBatch",
"sqs:SetQueueAttributes"

Security Hub Integration Permissions

Only the EventBridgeIAMrole IAM role requires this permission, which allows it to put events from Amazon Inspector and GuardDuty onto FortiCNP's AWS event bus.

"events:PutEvents"
