Appendix A - Cloud Protection Amazon Policy Usage
Communication between AWS and FortiCNP requires granting FortiCNP with permissions to access AWS account resource configuration settings. The method is done through creating custom policy on AWS in JSON format in AWS for .
Below are lists of the AWS services/policies used and the corresponding reasoning to be used in FortiCNP.
FortiCNP Basic Permission
Service | Policy in JSON Format | Permission Purpose |
RDS |
"rds:Describe*" "rds:DownloadDBLogFilePortion" "rds:ListTagsForResource" |
1. FortiCNP Resource List 2. RDS profile 3. RDS Topology 4. RDS Risk assessment |
"rds:ModifyDBInstance" | 1. Allow autofix feature of RDS Risk assessment policy "RDS instances should not be publicly accessible". | |
EFS | "elasticfilesystem:Describe*" |
1. FortiCNP Resource List 2. EFS profile 3. EFS Risk assessment |
ELB | "elasticloadbalancing:Describe*" |
1. FortiCNP Resource List 2. Listener, Load Balancer, Target Group profile 3. ELB Topology 4. ELB Risk assessment |
"elasticloadbalancing:ModifyLoadBalancer Attributes" | 1. Allow autofix feature of ELB Risk assessment policy "ELB/ALB deletion protection should be enabled". | |
Certificate Manager |
"acm:List*" "acm:Describe*" |
1. FortiCNP Resource List 2. ACM Certificate profile 3. ACM Certificate Risk assessment |
CloudFront |
"cloudfront:List*" "cloudfront:Get*" |
1. FortiCNP Resource List 2. CloudFront profile 3. CloudFront Risk assessment |
"cloudfront:UpdateDistribution" | 1. Allow autofix feature of CloudFront Risk assessment policy "CloudFront should use secure ciphers for distribution". | |
EKS |
"eks:ListUpdates" "eks:DescribeUpdate" "eks:DescribeCluster" "eks:ListClusters" |
1. FortiCNP Resource List 2. EKS profile 3. EKS Topology |
KMS |
"kms:List*" "kms:Describe*" "kms:Get*" |
1. FortiCNP Resource List 2. KMS Key profile 3. KMS Risk assessment |
"kms:EnableKeyRotation" | 1. Allow autofix feature of KMS Risk assessment policy "KMS key rotation should be enabled". | |
Lambda |
"lambda:List*" "lambda:GetPolicy" |
1. FortiCNP Resource List 2. Lambda profile 3. Lambda Risk assessment |
SQS |
"sqs:ReceiveMessage" "sqs:GetQueueUrl" "sqs:GetQueueAttributes" "sqs:ListQueueTags" "sqs:ListQueues" "sqs:ListDeadLetterSourceQueues" |
1. FortiCNP Resource List 2. SQS profile 3. SQS Risk assessment |
"sqs:TagQueue" "sqs:UntagQueue" "sqs:ChangeMessageVisibility "sqs:ChangeMessageVisibilityBatch" "sqs:CreateQueue" "sqs:DeleteMessage" "sqs:DeleteMessageBatch" "sqs:DeleteQueue" "sqs:PurgeQueue" "sqs:SendMessage" "sqs:SendMessageBatch" "sqs:SetQueueAttributes" |
1. FortiCNP Notification’s integration with AWS SQS service | |
IAM |
"iam:List*" "iam:SimulateCustomPolicy" "iam:GenerateCredentialReport" "iam:Get*" "iam:SimulatePrincipalPolicy" |
1. FortiCNP Resource List 2. IAM profile 3. IAM Risk assessment |
"iam:UpdateAccountPasswordPolicy" | 1. Allow autofix feature of Redshift Risk assessment policy "Password requirements should be enforced". | |
Redshift | "redshift:Describe*" |
1. FortiCNP Resource List 2. Redshift profile 3. Redshift Risk assessment |
"redshift:Describe*" "redshift:ModifyClusterParameterGroup" |
1. Allow autofix feature of Redshift Risk assessment policy "Redshift database should use SSL for connections". | |
Elastic Container Service | "ecs:Describe*" "ecs:List*" |
1. FortiCNP Resource List 2. ECS profile 3. ECS Topology |
EC2 |
"ec2:Describe* "ec2:SearchTransitGatewayRoutes "ec2:GetTransitGatewayAttachmentPropagations "ec2:GetTransitGatewayRouteTablePropagations "ec2:GetTransitGatewayRouteTableAssociations" |
1. FortiCNP Resource List 2. VPC, Route Table, Subnet, Network ACL, Security Group, Machine Image(AMI), EC2, EBS volume, EBS snapshot profile 3. VPC, Subnet, Network ACL, Security Group, EC2 Topology 4. VPC, Subnet, Security Group, AMI, EC2, EBS Risk assessment |
"ec2:ModifySnapshotAttribute" "ec2:RevokeSecurityGroupEgress "ec2:RevokeSecurityGroupIngress" |
1. Allow autofix feature of EBS Risk assessment policy "EBS snapshots should not be publicly accessible". 2. Allow autofix feature of Security Group Risk assessment policy "Default Security Group should block all inbound traffic". |
|
CloudWatch Logs |
"logs:Get*" "logs:Describe*" "logs:FilterLogEvents" |
1. Feature "Traffic" on FortiCNP |
Glacier |
"glacier:ListVaults" "glacier:GetVaultAccessPolicy" |
1. FortiCNP Resource List 2. Glacier profile 3. Glacier Risk assessment |
CloudFormation |
"cloudformation:ListStack*" "cloudformation:GetTemplate" "cloudformation:DescribeStack*" |
1. FortiCNP Resource List 2. CloudFormation profile 3. CloudFormation Risk assessment |
S3 |
"s3:GetBucket*" "s3:GetReplicationConfiguration" "s3:GetLifecycleConfiguration" "s3:GetInventoryConfiguration" "s3:ListBucket" "s3:ListBucketMultipartUploads "s3:GetAccountPublicAccessBlock" "s3:ListAllMyBuckets" "s3:GetObjectVersion" "s3:GetObjectVersionTagging" "s3:GetObjectAcl" "s3:GetObjectVersionAcl" "s3:HeadBucket" "s3:ListMultipartUploadParts" "s3:GetObject" "s3:GetAnalyticsConfiguration "s3:GetObjectVersionForReplication" "s3:ListBucketByTags" "s3:ListBucketVersions" "s3:GetAccelerateConfiguration" "s3:GetObjectVersionTorrent" "s3:GetEncryptionConfiguration" "s3:GetObjectTagging" "s3:GetMetricsConfiguration" "s3:GetObjectTorrent" |
1. FortiCNP Resource List 2. S3 bucket profile 3. S3 Risk assessment 4. Feature "Buckets" on FortiCNP |
"s3:PutBucketVersioning" "s3:PutBucketAcl" "s3:PutBucketPolicy" "s3:PutObjectAcl" "s3:PutObjectVersionAcl" |
1. Allow autofix feature of S3 Risk assessment policy "S3 buckets should not be publicly available". | |
Pinpoint Email /SES |
"ses:List*" "ses:Get*" |
1. FortiCNP Resource List 2. SES profile 3. SES Risk assessment |
CloudTrail |
"cloudtrail:GetTrailStatus" "cloudtrail:LookupEvents" "cloudtrail:DescribeTrails" "cloudtrail:ListTags" "cloudtrail:GetEventSelectors" |
1. FortiCNP Resource List 2. CloudTrail profile 3. CloudTrail Risk assessment 4. Feature "Activity" on FortiCNP |
"cloudtrail:StartLogging" "cloudtrail:UpdateTrail" |
1. Allow autofix feature of CloudTrail Risk assessment policy "CloudTrail bucket should not be publicly accessible". | |
Elasticsearch Service |
"es:List*" "es:Describe*" |
1. FortiCNP Resource List 2. ElasticSearch profile 3. ElasticSearch Risk assessment |
Route 53 |
"route53:ListTrafficPolicyVersions" "route53:GetHealthCheck" "route53:ListHostedZonesByName" "route53:GetHostedZoneCount" "route53:GetHealthCheckLastFailureReason" "route53:ListVPCAssociationAuthorizations" "route53:GetReusableDelegationSetLimit" "route53:ListTagsForResources" "route53:GetAccountLimit" "route53:GetGeoLocation" "route53:GetTrafficPolicy" "route53:ListQueryLoggingConfigs" "route53:GetCheckerIpRanges" "route53:ListGeoLocations" "route53:GetTrafficPolicyInstance" "route53:ListHostedZones" "route53:ListTagsForResource" "route53:ListHealthChecks" "route53:GetHostedZone" "route53:ListResourceRecordSets" "route53:GetHealthCheckCount" "route53:ListReusableDelegationSets" "route53:ListTrafficPolicyInstancesByHostedZone" "route53:GetHostedZoneLimit "route53:ListTrafficPolicyInstances" "route53:GetTrafficPolicyInstanceCount" "route53:GetChange" "route53:ListTrafficPolicies" "route53:GetQueryLoggingConfig" "route53:GetHealthCheckStatus" "route53:GetReusableDelegationSet" "route53:ListTrafficPolicyInstancesByPolicy" |
1. FortiCNP Resource List 2. Route53 profile 3. Route53 Risk assessment |
SNS |
"sns:Get*" "sns:*" |
1. FortiCNP Resource List 2. SQS profile 3. SQS Risk assessment |
"sns:*" | 1. FortiCNP Notification’s integration with AWS SNS service | |
CloudWatch | "cloudwatch:Describe*" | 3. CloudWatch Risk assessment |
FortiCNP Integration Permission
Service | Policy in JSON Format | Permission Purpose |
SecurityHub | "securityhub:*" | 1. FortiCNP Integration Alerts for SecurityHub |
Inspector | "inspector:*" | 1. FortiCNP Integration Alerts for Inspector |
GuardDuty | "guardduty:*" | 1. FortiCNP Integration Alerts for GuardDuty |