AWS Policies and Permissions
CloudGuard uses AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. policies to manage your environments and periodically updates permissions for AWS account entities.
The policies give CloudGuard permission to manage specific entities, such as Security Groups and instances, on your AWS environment. The permissions type depends on your environment's selected mode (Monitor or Full Protection) of your environment.
Policies
These are the AWS policies that CloudGuard uses:
-
Mandatory:
-
SecurityAudit (managed by AWS) for proper CloudGuard functionality.
-
CloudGuard-readonly-policy created during the onboarding procedure is required for different CloudGuard features, such as Posture Management and Network Security.
This policy contains specific permissions to fetch information from AWS and use it in CloudGuard. If one of these permissions is not explicitly added to the policy, then information for that specific service becomes unavailable in CloudGuard. This does not affect CloudGuard functionality related to other services that are explicitly included in the policy.
Best Practice - Check Point recommends to use the latest version of the CloudGuard-readonly-policy available for download from GitHub.
-
-
Optional:
-
AmazonInspectorReadOnlyAccess (managed by AWS) enables CloudGuard to fetch the AWS Inspector information.
-
ReadOnlyAccess (managed by AWS) grants CloudGuard reading permissions to support new services in the future.
-
CloudGuard-write-policy created during the onboarding or update permissions procedure enables CloudGuard to manage your AWS account in the Full-Protection mode. It contains permissions for CloudGuard to manage Network Security.
Best Practice - Check Point recommends to use the latest version of the CloudGuard-write-policy available for download from GitHub.
-
The table below shows the AWS permissions included in the CloudGuard Read, Write, and IAM Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. Policies, as they are used by each CloudGuard module.
In addition, CloudGuard uses the AWS SecurityAudit policy, and the permissions included in this policy.
AWS Permission |
CloudGuard Mode |
CSPM |
Network Security |
IAM Safety |
---|---|---|---|---|
ec2:AuthorizeSecurityGroupIngress |
Read-Only, Full |
|
|
|
ec2:CreateSecurityGroup |
Read-Only, Full |
|
|
|
ec2:DeleteSecurityGroup |
Read-Only, Full |
|
|
|
ec2:RevokeSecurityGroupEgress |
Read-Only, Full |
|
|
|
ec2:RevokeSecurityGroupIngress |
Read-Only, Full |
|
|
|
ec2:ModifyNetworkInterfaceAttribute |
Read-Only, Full |
|
|
|
ec2:CreateTags |
Read-Only, Full |
|
|
|
ec2:DeleteTags |
Read-Only, Full |
|
|
|
dynamodb:DescribeTable |
Full |
|
|
|
elasticfilesystem:Describe* |
Full |
|
|
|
elasticache:ListTagsForResource |
Full |
|
|
|
firehose:Describe* |
Full |
|
|
|
firehose:List* |
Full |
|
|
|
guardduty:Get* |
Full |
|
|
|
guardduty:List* |
Full |
|
|
|
kinesis:List* |
Full |
|
|
|
kinesis:Describe* |
Full |
|
|
|
kinesisvideo:Describe* |
Full |
|
|
|
kinesisvideo:List* |
Full |
|
|
|
logs:Describe* |
Full |
|
|
|
logs:Get* |
Full |
|
|
|
logs:FilterLogEvents |
Full |
|
|
|
lambda:List* |
Full |
|
|
|
s3:List* |
Full |
|
|
|
sns:ListSubscriptions |
Full |
|
|
|
sns:ListSubscriptionsByTopic |
Full |
|
|
|
waf-regional:ListResourcesForWebACL |
Full |
|
|
|
iam:Get* |
- |
|
|
|
iam:List* |
- |
|
|
|
iam:AttachRolePolicy |
- |
|
|
|
iam:DetachRolePolicy |
- |
|
|
|
iam:AddUserToGroup |
- |
|
|
|
iam:RemoveUserFromGroup |
- |
|
|
|
Updating AWS Permissions
When onboarding your AWS account, CloudGuard receives permissions for specific entities in your AWS environment. It is necessary to update these permissions, at intervals, to ensure that CloudGuard obtains up-to-date information about these entities. Missing permissions for an entity in your environment cause CloudGuard's inability to manage or monitor the entity. Nevertheless, this does not affect other entities, if CloudGuard has the correct permissions for them.
Those permissions that are irrelevant to you, you can ignore. If after it the permissions become relevant, restore them.
You can select the method of the CloudGuard permissions update during the onboarding procedure only. When an environment is onboarded to CloudGuard with a specific method of permissions updating or deletion, you cannot change the method from the CloudGuard portal. On the Welcome page of the Environment Onboarding wizard, below CFT Permissions Management:
-
Select Allow CloudGuard to update and delete its CloudFormation stack resources if you agree to start the procedure of permissions update automatically, from CloudGuard. See Updating Permissions Automatically.
-
Do not select Allow CloudGuard to update and delete its CloudFormation stack resources if you do not agree, and, when a permissions update is required, do it manually in the AWS portal. See Updating Permissions Manually.
CloudGuard requires specific permissions in AWS defined in the AWS policies listed above, see Policies.
Mandatory Policies:
-
SecurityAudit policy managed by AWS
-
CloudGuard-readonly-policy created during the onboarding procedure.
Optional Policies:
-
AmazonInspectorReadOnlyAccess managed by AWS is required only if your AWS environment uses the Inspector
-
ReadOnlyAccess managed by AWS grants CloudGuard reading permissions to support new services in the future.
-
CloudGuard-write-policy created during the onboarding or update permissions procedure is required for Full Protection (Read/Write) mode.
Ignoring and Restoring Permissions
Ignore irrelevant permissions so they do not affect the environment status in CloudGuard.
To ignore permissions that are missing for CloudGuard:
-
Go to Assets > Environments.
-
Search for an environment that requires permissions to update and click its name.
-
In the Missing Permissions message, click Show more to see the missing permissions table.
-
Select one or more permissions and do one of these:
-
Click Ignore on the top menu.
-
In the Ignore column, set the toggle to ON individually for each permission.
-
When all missing permissions are ignored or updated, the environment status becomes validated.
To restore permissions:
-
Go to Assets > Environments.
-
Open the environment.
-
In the Missing permissions message, click Show more to see the missing permissions table.
-
Select one or more permissions and do one of these:
-
Click Restore on the top menu.
-
In the Ignore column, set the toggle to OFF individually for each permission.
-
Reviewing Permissions
You can review the list of affected cloud resources and associated fail messages.
-
In the Missing Permissions table, select a Resource and click Show Entities.
-
Compare the list of affected resources with the total population of resources of that type in the affected cloud environment (for example, using the Protected Assets page).
-
If the list of affected resources represents the entire population of resources of that type in the affected cloud environment, then a problem can be on the environment level (such as a missing permission in the IAM role).
-
If the list of affected resources is less than the entire population of resources of that type in the affected cloud environment, then the source of the problem must necessarily be specific to the individual affected cloud resources (for example, resource-level IAM "deny" policies, "ghost" resources deleted incorrectly or incompletely and so continue to trigger permission errors, "cross-account" resource deployment or resource sharing/reference issues, etc.).
Updating Permissions Automatically
You can update your account permissions automatically if you agreed to start this procedure during your account onboarding. This option is available for environments onboarded with a Unified procedure, if you selected Allow CloudGuard to update and delete its CloudFormation stack resources when onboarding your account. For more details, see Unified Onboarding of AWS Environments..
You can update the permissions remotely from the CloudGuard portal.
-
Go to Assets > Environments.
-
Search for an environment that requires permissions to update. The alert icon in the environment Status shows missing permissions.
-
Click the environment name.
-
Click Update Permissions at the top.
The Update Permissions window opens with the details of your AWS account and the number of current and available versions of permissions.
-
As an alternative, click the link to view the changes in GitHub that opens in a new browser tab.
-
Click Update to start the automatic procedure.
-
After you complete the steps on the AWS account, click Validate in the Validate Permissions window in CloudGuard.
When CloudGuard updates the environment permissions, its status changes to approved. During this process, CloudGuard considers all missing permissions, including ignored permissions.
Updating Permissions Manually
-
To update permissions for newly onboarded AWS accounts, without the option to update and delete CloudFormation stack resources (you did not select Allow CloudGuard to update and delete its CloudFormation stack resources during the onboarding), see Local Updating
-
To update permissions for the old AWS accounts (onboarded before March 2022), see Updating Permissions in Old Accounts
You can update the permissions locally, on the AWS portal.
-
Go to Assets > Environments.
-
Search for an environment that requires permissions update. The alert icon in the environment Status shows missing permissions.
-
Click the environment name.
-
Click Validate Permissions at the top.
-
The Validate Permissions window opens with instructions to follow to update the permissions in your AWS account.
-
After you complete the steps on the AWS account, click Validate in the Validate Permissions window in CloudGuard.
When CloudGuard validates the environment permissions, its status changes to approved. During this process, CloudGuard considers all missing permissions, including ignored permissions.
Updating Permissions in Old Accounts
Follow these steps to update permissions in AWS accounts onboarded before March 2022.
CloudGuard fetches information about your cloud assets from your environments, across all regions. If access is denied for any asset, CloudGuard retries several times, after which it marks the specific entity as missing permissions. CloudGuard notifies you of missing permissions on the Environments page.
When you click the environment, the missing permissions notifications inform you of permissions for the specified Role.
Click Show more to see details for the missing permissions and the number of affected entities.
There are two options to resolve missing permissions:
-
VALIDATE PERMISSIONS - this option resets the mechanism and tries to validate the permissions. If this succeeds, the warning is removed. If not, it suggests to run the Permissions Wizard to add the missing permissions.
-
RUN PERMISSIONS WIZARD - this option opens the Permissions Wizard that guides you to add the missing permissions to the policies. See the explanation below.
This wizard guides you to add missing permissions to the AWS policies used by CloudGuard.
Before you start, select the operation mode for your CloudGuard environment - Monitor or Full Protection (see AWS Security Group Management Considerations).
|
Note - If you select Full Protection for the environment, this does not set your Security Groups tobee fully managed. Security Groups can be individually set as Read-Only or Full Protection. See Full Protection Mode. |
-
Click Validate Permissions.
-
In the window that opens, click permission wizard. A new instance of the CloudGuard portal opens with the selection of the operation mode for the account.
-
Follow the wizard instructions. If the policy exists, the data you provide updates it; if it does not exist, the wizard creates a new one.
For example, in step 4, search for CloudGuard-readonly-policy and answer Yes or No; the answer shows instructions to update the policy (Yes) or how to create a new policy (No).
-
In the last window, click Finish. After about 30 minutes, the changes are applied.
The message "Error: UnauthorizedOperation: You are not authorized to perform this operation" in one of your environments means that something happened to a valid policy and CloudGuard cannot use it.
The primary reasons for this are:
-
The mandatory policies SecurityAudit or CloudGuard-readonly-policy are detached from the role.
-
The role is deleted, or the External ID is changed.
-
There is a global policy that denies some permissions that CloudGuard uses. (AWS Organizations check organization policies).
To solve this issue, follow these steps:
-
Update your permissions by the instructions above.
-
If required, use a new Role and click Edit Credentials on the environment page to update the new Role details.
-
Fill in the new Role ARN Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. and the External ID (this must have a value, which you can create. It must be the same as the value given in the Role external ID).
-
Review your global policies that can affect the Role connection and make sure that there is no
Deny
for EC2 Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers.* in each of the global policies. -
If these steps do not resolve the problem, contact Check Point Support Center.
More Links