AWS Policies and Permissions

CloudGuard uses AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. policies to manage your environments and periodically updates permissions for AWS account entities.

The policies give CloudGuard permission to manage specific entities, such as Security Groups and instances, on your AWS environment. The permissions type depends on your environment's selected mode (Monitor or Full Protection) of your environment.

Policies

These are the AWS policies that CloudGuard uses:

  • Mandatory:

    • SecurityAudit (managed by AWS) for proper CloudGuard functionality.

    • CloudGuard-readonly-policy created during the onboarding procedure is required for different CloudGuard features, such as Posture Management and Network Security.

      This policy contains specific permissions to fetch information from AWS and use it in CloudGuard. If one of these permissions is not explicitly added to the policy, then information for that specific service becomes unavailable in CloudGuard. This does not affect CloudGuard functionality related to other services that are explicitly included in the policy.

      Best Practice - Check Point recommends to use the latest version of the CloudGuard-readonly-policy available for download from GitHub.

  • Optional:

    • AmazonInspectorReadOnlyAccess (managed by AWS) enables CloudGuard to fetch the AWS Inspector information.

    • ReadOnlyAccess (managed by AWS) grants CloudGuard reading permissions to support new services in the future.

    • CloudGuard-write-policy created during the onboarding or update permissions procedure enables CloudGuard to manage your AWS account in the Full-Protection mode. It contains permissions for CloudGuard to manage Network Security.

      Best Practice - Check Point recommends to use the latest version of the CloudGuard-write-policy available for download from GitHub.

Updating AWS Permissions

When onboarding your AWS account, CloudGuard receives permissions for specific entities in your AWS environment. It is necessary to update these permissions, at intervals, to ensure that CloudGuard obtains up-to-date information about these entities. Missing permissions for an entity in your environment cause CloudGuard's inability to manage or monitor the entity. Nevertheless, this does not affect other entities, if CloudGuard has the correct permissions for them. For troubleshooting steps after onboarding, see Troubleshooting AWS Onboarding.

Those permissions that are irrelevant to you, you can ignore. If after it the permissions become relevant, restore them.

You can select the method of the CloudGuard permissions update during the onboarding procedure only. When an environment is onboarded to CloudGuard with a specific method of permissions updating or deletion, you cannot change the method from the CloudGuard portal. On the Welcome page of the Environment Onboarding wizard, below CFT Permissions Management:

  • Select Allow CloudGuard to update and delete its CloudFormation stack resources if you agree to start the procedure of permissions update automatically, from CloudGuard. See Updating Permissions Automatically.

  • Do not select Allow CloudGuard to update and delete its CloudFormation stack resources if you do not agree, and, when a permissions update is required, do it manually in the AWS portal. See Updating Permissions Manually.

CloudGuard requires specific permissions in AWS defined in the AWS policies listed above, see Policies.

Mandatory Policies:

  • SecurityAudit policy managed by AWS

  • CloudGuard-readonly-policy created during the onboarding procedure.

Optional Policies:

  • AmazonInspectorReadOnlyAccess managed by AWS is required only if your AWS environment uses the Inspector

  • ReadOnlyAccess managed by AWS grants CloudGuard reading permissions to support new services in the future.

  • CloudGuard-write-policy created during the onboarding or update permissions procedure is required for Full Protection (Read/Write) mode.

Ignoring and Restoring Permissions

Ignore irrelevant permissions so they do not affect the environment status in CloudGuard.

When all missing permissions are ignored or updated, the environment status becomes validated.

Reviewing Permissions

You can review the list of affected cloud resources and associated fail messages.

  1. In the Missing Permissions table, select a Resource and click Show Entities.

  2. Compare the list of affected resources with the total population of resources of that type in the affected cloud environment (for example, using the Protected Assets page).

  3. If the list of affected resources represents the entire population of resources of that type in the affected cloud environment, then a problem can be on the environment level (such as a missing permission in the IAM role).

  4. If the list of affected resources is less than the entire population of resources of that type in the affected cloud environment, then the source of the problem must necessarily be specific to the individual affected cloud resources (for example, resource-level IAM "deny" policies, "ghost" resources deleted incorrectly or incompletely and so continue to trigger permission errors, "cross-account" resource deployment or resource sharing/reference issues, etc.).

Updating Permissions Automatically

You can update your account permissions automatically if you agreed to start this procedure during your account onboarding. This option is available for environments onboarded with a Unified procedure, if you selected Allow CloudGuard to update and delete its CloudFormation stack resources when onboarding your account. For more details, see Unified Onboarding of AWS Environments..

Updating Permissions Manually

  • To update permissions for newly onboarded AWS accounts, without the option to update and delete CloudFormation stack resources (you did not select Allow CloudGuard to update and delete its CloudFormation stack resources during the onboarding), see Local Updating

  • To update permissions for the old AWS accounts (onboarded before March 2022), see Updating Permissions in Old Accounts

Updating Permissions in Old Accounts

Follow these steps to update permissions in AWS accounts onboarded before March 2022.

More Links