AWS Policies & Permissions

This topic describes the AWS policies that CloudGuard uses to manage your accounts and the procedure to update permissions for AWS account entities.

The policies give CloudGuard permission to manage specific entities (such as Security Groups, Instances, etc.) in your AWS account. The type of permissions depends on whether the account is managed as Read-Only or Full Protection.

Policies

These are the AWS policies used by CloudGuard.

SecurityAudit

The SecurityAudit policy (an AWS managed policy) is mandatory; CloudGuard cannot function properly without it.

AmazonInspectorReadOnlyAccess

The AmazonInspectorReadOnlyAccess policy (an AWS managed policy) is optional; it is required only if CloudGuard is to fetch Amazon Inspector information.

CloudGuard-readonly-policy

The CloudGuard-readonly-policy is mandatory; it is required for CloudGuard features such as Compliance and Network Security. The policy contains the specific permissions CloudGuard needs to fetch information from AWS and use it within CloudGuard. If a permission is not explicitly included in the policy, information for that specific service will not be available within CloudGuard. Other services (whose permissions are explicitly included in the policy) are not affected.

Best Practice - Check Point recommends using the latest version of the readonly-policy, which you can download from https://github.com/dome9/policies.

CloudGuard-write-policy

The CloudGuard-write-policy is optional; it is required only if CloudGuard manages your AWS account (Full-Protection mode).

The policy contains permissions for actions that CloudGuard performs for Network Security management.

Best Practice - Check Point recommends using the latest version of the write-policy, which you can download from https://github.com/dome9/policies. The policy is named networkSecurity-Manage to indicate that it is used for network management actions.

Update AWS Permissions

This section describes how to update permissions for specific entities in your AWS environment. CloudGuard requires these permissions to obtain up-to-date information about the entities. If permissions for an entity are missing from your account, CloudGuard cannot manage or monitor that entity (other entities for which CloudGuard has the correct permissions are not affected).

CloudGuard requires specific permissions in AWS, currently defined in the AWS policies shown below.

Mandatory Policies

  • SecurityAudit policy, which is managed by AWS.

  • CloudGuard-readonly-policy, which is created during the onboarding process.

Optional Policies

  • AmazonInspectorReadOnlyAccess, which is managed by AWS; this is required only if your AWS account uses the Inspector.

  • CloudGuard-write-policy, which is also created in the onboarding process or the update permissions process; this is required for Full Protection (Read/Write) Mode.
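The readonly-policy section and the Update AWS Permissions section both make the same point: a service whose read permissions are missing from the policy simply goes dark, while the rest keep working. The following added example (not CloudGuard's code, and not the real CloudGuard-readonly-policy) checks a policy document against a per-service list of required actions and reports which services would be unavailable; the policy JSON and the required-action lists are constructed for illustration, only Effect/Action are evaluated (Resource and NotAction are assumed to be "*" and absent respectively), and Allow/Deny are matched the way IAM matches action patterns (case-insensitive, with * and ? wildcards).

```python
import fnmatch
import json

# Constructed sample policy document for illustration only. It is NOT the
# CloudGuard-readonly-policy published at https://github.com/dome9/policies.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "inspector:ListFindings", "Resource": "*"},
    {"Effect": "Deny",  "Action": "ec2:DescribeVolumes", "Resource": "*"}
  ]
}
""")

# Hypothetical per-service requirements (an assumption for this example,
# not CloudGuard's actual list of required actions).
REQUIRED_ACTIONS = {
    "ec2": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeVolumes"],
    "iam": ["iam:ListUsers", "iam:GetAccountSummary"],
    "inspector": ["inspector:ListFindings"],
}

def _as_list(value):
    """IAM allows a string or a list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action):
    """True if `action` matches an Allow statement and no Deny statement.
    Only Effect and Action are evaluated (Resource and NotAction are ignored)."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True  # an explicit Deny always wins over Allow
    return allowed and not denied

def missing_by_service(policy, required=REQUIRED_ACTIONS):
    """Map each service to the required actions the policy does not grant.
    An empty list means the service is fully covered; a non-empty list is a
    service whose information would be unavailable."""
    return {svc: [a for a in acts if not action_allowed(policy, a)]
            for svc, acts in required.items()}

if __name__ == "__main__":
    for svc, missing in missing_by_service(SAMPLE_POLICY).items():
        print(f"{svc}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```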
