Roles and Permissions for Amazon Web Services accounts

Three roles with some permissions are automatically created when you connect an Amazon Web Services (AWS) account with IBM Guardium DSPM.

The three roles are:

  • Cross Account Metadata role
  • Analyzer role
  • Log Ingestion role

For more information about the functions of these roles, see the Results sub-section in the Connecting with Amazon Web Services cloud accounts section.

Cross Account Metadata role

The Cross Account Metadata role is created for every AWS account that is connected with Guardium DSPM. This role has the permissions to scan the AWS account, access the metadata, and create various resources in the AWS environment. The following table provides the scope of permissions that this role has over various AWS services in the cloud account.

Table 1. Permissions for cross account metadata role

Columns: AWS service; Scope of permissions; Additional information about permissions

S3
  Scope of permissions:
  • s3:list*
  • s3:getBucketPolicy
  • s3:getBucketLocation
  • s3:GetEncryptionConfiguration
  • s3:getBucketLogging
  • s3:GetBucketPolicyStatus
  • s3:GetBucketPublicAccessBlock
  • s3:GetBucketVersioning
  • s3:GetLifecycleConfiguration
  • s3:PutObject*
  • s3:GetObject*
  • s3:DeleteObject*
  Additional information about permissions:
  • s3:PutObject* permission is conditioned only for the Guardium DSPM bucket
  • s3:GetObject* permission is conditioned only for the Guardium DSPM bucket
  • s3:DeleteObject* permission is conditioned only for the Guardium DSPM bucket

SQS
  Scope of permissions:
  • sqs:getQueueAttributes
  • sqs:list*

SNS
  Scope of permissions:
  • sns:pseudoattribute
  • sns:list*

RDS
  Scope of permissions:
  • rds:describe*
  • rds:StartExportTask
  • rds:CancelExportTask
  • rds:DeleteDBSnapshot
  • rds:DeleteDBClusterSnapshot
  • rds:CreateDBSnapshot
  • rds:CreateDBClusterSnapshot
  • rds:AddTagsToResource
  Additional information about permissions:
  • rds:DeleteDBSnapshot permission is conditioned only for the snapshots created by Guardium DSPM
  • rds:DeleteDBClusterSnapshot permission is conditioned only for the snapshots created by Guardium DSPM
  • rds:CreateDBSnapshot permission is conditioned only for the snapshots created by Guardium DSPM
  • rds:CreateDBClusterSnapshot permission is conditioned only for the snapshots created by Guardium DSPM
  • rds:AddTagsToResource permission is conditioned only for the snapshots created by Guardium DSPM

IAM
  Scope of permissions:
  • iam:list*
  • iam:getUser
  • iam:getRole
  • iam:getInstanceProfile
  • iam:getPolicy
  • iam:getPolicyVersion
  • iam:getRolePolicy
  • iam:PassRole
  Additional information about permissions:
  • iam:PassRole permission is conditioned only for the Guardium DSPM roles

EC2
  Scope of permissions:
  • ec2:ModifySnapshotAttribute
  • ec2:createVolume
  • ec2:createSnapshot
  • ec2:CopySnapshot
  • ec2:describe*
  • ec2:deleteSnapshot*
  • ec2:deleteVolume*
  • ec2:attachVolume
  • ec2:detachVolume
  • ec2:Get*
  • ec2:CreateTags
  • ec2:RunInstances
  • ec2:CreateLaunchTemplateVersion
  Additional information about permissions:
  • ec2:ModifySnapshotAttribute permission is conditioned only for the snapshots created by Guardium DSPM
  • ec2:createVolume permission is conditioned only for the snapshots created by Guardium DSPM
  • ec2:deleteSnapshot* permission is conditioned only for the snapshots created by Guardium DSPM
  • ec2:deleteVolume* permission is conditioned only for the volumes created by Guardium DSPM
  • ec2:attachVolume permission is conditioned only for Guardium DSPM
  • ec2:detachVolume permission is conditioned only for Guardium DSPM

DynamoDB
  Scope of permissions:
  • dynamodb:ListTables
  • dynamodb:DescribeTable
  • dynamodb:ListBackups
  • dynamodb:DescribeContinuousBackups

EKS
  Scope of permissions:
  • eks:list*
  • eks:AccessKubernetesApi
  • eks:describe*

Elastic Filesystem
  Scope of permissions:
  • elasticfilesystem:Describe*

Auto Scaling
  Scope of permissions:
  • autoscaling:Describe*
  • autoscaling:StartInstanceRefresh
  • autoscaling:UpdateAutoScalingGroup
  • autoscaling:SetInstanceHealth
  Additional information about permissions:
  • autoscaling:StartInstanceRefresh permission is conditioned only for the auto scaling group
  • autoscaling:UpdateAutoScalingGroup permission is conditioned only for the auto scaling group
  • autoscaling:SetInstanceHealth permission is conditioned only for the auto scaling group

KMS
  Scope of permissions:
  • kms:ListKeys
  • kms:ListResourceTags
  • kms:DescribeKey
  • kms:*
  Additional information about permissions:
  • kms:* permission is conditioned only for the keys created by Guardium DSPM

CloudTrail
  Scope of permissions:
  • cloudtrail:DescribeTrails
  • cloudtrail:GetEventSelectors
  • cloudtrail:LookupEvents

Analyzer Role

The Analyzer role is created for every AWS account that is connected with Guardium DSPM. The Analyzer role uses the AWS managed read-only policy. For more details about the scope of permissions of this role, see arn:aws:iam::aws:policy/ReadOnlyAccess in the AWS console.

Log Ingestion Role

Guardium DSPM creates the Log Ingestion role after it determines where logging is enabled in the AWS account. This role has access to those logs, and its scope of permissions depends on which logs are enabled in the AWS account.

Permissions for customer managed keys

You need to add a set of permissions to the KMS key policy of each customer managed key (CMK) that is associated with a data store in the AWS cloud account. Adding the following roles to the key policy enables Guardium DSPM to access the S3 and RDS services in the cloud account:

  • polar-helpers-role-<region>
  • polar-role-<tenant_Name>-<region>

For more information about why a key policy must be modified to allow external accounts, see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html. For more information on how to add the roles to the key policy, see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-key-policy.
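
The following Python script, added here as an example and not IBM's own tooling, shows what the key-policy change above looks like as a policy document and how to verify that both roles are present before and after the change. It assumes placeholder values for the account id that owns the polar-* roles, the region and the tenant name, and it assumes a KMS action set (Decrypt, DescribeKey, GenerateDataKey*, ReEncrypt*) that this page does not list; confirm the required actions against the AWS documentation linked above before applying the statement.

```python
"""Add the Guardium DSPM roles to a KMS customer managed key policy.

Added example, not IBM's own tooling. Every identifier below is a placeholder:
the account id that owns the roles, the region, the tenant name, and the
key-owner account in the constructed base policy. The KMS action set is an
assumption; the page does not enumerate the required actions.
"""
import copy
import json

ROLE_ACCOUNT_ID = "111122223333"   # placeholder: account that owns the polar-* roles
REGION = "us-east-1"               # placeholder
TENANT_NAME = "EXAMPLE-tenant"     # placeholder for <tenant_Name>
STATEMENT_SID = "AllowGuardiumDspmRoles"

# Assumed action set for reading encrypted S3 objects and RDS snapshots.
KMS_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*", "kms:ReEncrypt*"]


def dspm_role_arns(account_id=ROLE_ACCOUNT_ID, region=REGION, tenant=TENANT_NAME):
    """Build the two role ARNs from the name patterns given in the documentation."""
    return [
        f"arn:aws:iam::{account_id}:role/polar-helpers-role-{region}",
        f"arn:aws:iam::{account_id}:role/polar-role-{tenant}-{region}",
    ]


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_role_arns(key_policy: dict, role_arns: list) -> list:
    """Return the role ARNs that no Allow statement names as an AWS principal."""
    granted = set()
    for stmt in _as_list(key_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            granted.update(_as_list(principal.get("AWS")))
    return [arn for arn in role_arns if arn not in granted]


def grant_dspm_roles(key_policy: dict, role_arns: list) -> dict:
    """Return a copy of key_policy with one statement (STATEMENT_SID) allowing
    role_arns the KMS_ACTIONS on this key.

    Re-running replaces the existing statement with that Sid instead of
    appending a duplicate; all other statements are left untouched.
    """
    policy = copy.deepcopy(key_policy)
    statements = [s for s in _as_list(policy.get("Statement"))
                  if s.get("Sid") != STATEMENT_SID]
    statements.append({
        "Sid": STATEMENT_SID,
        "Effect": "Allow",
        "Principal": {"AWS": list(role_arns)},
        "Action": KMS_ACTIONS,
        "Resource": "*",  # inside a key policy, "*" means this key only
    })
    policy["Statement"] = statements
    return policy


# Constructed minimal key policy: only the key owner's root administration statement.
BASE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-key-policy",
    "Statement": [{
        "Sid": "EnableRootPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999999999999:root"},  # placeholder key owner
        "Action": "kms:*",
        "Resource": "*",
    }],
}


if __name__ == "__main__":
    roles = dspm_role_arns()
    print("missing before:", missing_role_arns(BASE_KEY_POLICY, roles))
    updated = grant_dspm_roles(BASE_KEY_POLICY, roles)
    print("missing after:", missing_role_arns(updated, roles))
    print(json.dumps(updated, indent=2))
```

The statement is written with a fixed Sid so the script can be re-run safely; the resulting document is what would be passed to the KMS PutKeyPolicy operation for each CMK that encrypts an S3 bucket or RDS snapshot Guardium DSPM needs to read.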