Required Permissions

In order for Secberus to collect the data it needs from your AWS account, the IAM principal (role or user) used by the data source needs the following permissions. All of the actions listed are read-only (`Get`/`List`/`Describe`), and `"Resource": "*"` is used because most of these list/describe actions do not support resource-level restrictions; review the list before granting it, and attach these policies only to the principal dedicated to the data source.

  1. The following AWS managed policies:
     - `SecurityAudit`
     - `AWSCloudTrail_ReadOnlyAccess`
  2. A customer-managed policy granting the remaining read-only permissions, shown below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "cloudfront:DescribeFunction",
        "ec2:GetEbsDefaultKmsKeyId",
        "ecr:DescribePullThroughCacheRules",
        "ecs:DescribeTaskSets",
        "ecs:GetTaskProtection",
        "elasticmapreduce:ListReleaseLabels",
        "elasticmapreduce:ListStudios",
        "elasticmapreduce:ListSupportedInstanceTypes",
        "emr:ListReleaseLabels",
        "emr:ListStudios",
        "emr:ListSupportedInstanceTypes",
        "es:ListElasticsearchInstanceTypes",
        "es:ListVpcEndpoints",
        "lambda:GetCodeSigningConfig",
        "lambda:GetFunction",
        "lambda:GetFunctionCodeSigningConfig",
        "lambda:GetRuntimeManagementConfig",
        "lambda:ListAliases",
        "lambda:ListEventSourceMappings",
        "lambda:ListFunctionEventInvokeConfigs",
        "lambda:ListFunctions",
        "lambda:ListLayers",
        "lambda:ListLayerVersions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "lambda:ListVersionsByFunction",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:ListPolicies",
        "organizations:ListDelegatedAdministrators",
        "s3:ListBucket",
        "sns:GetSubscriptionAttributes",
        "waf:ListRuleGroups",
        "waf:ListRules",
        "waf:ListSubscribedRuleGroups",
        "waf-regional:ListRateBasedRules",
        "waf-regional:ListRuleGroups",
        "waf-regional:ListRules",
        "wafv2:DescribeManagedRuleGroup"
      ],
      "Resource": "*"
    }
  ]
}