Required Permissions
In order for Secberus to collect the data it needs from your AWS account, the data source needs the following permissions:
- The following AWS managed policies:
- SecurityAudit
- AWSCloudTrail_ReadOnlyAccess
- A custom policy with the remaining permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"cloudfront:DescribeFunction",
"ec2:GetEbsDefaultKmsKeyId",
"ecr:DescribePullThroughCacheRules",
"ecs:DescribeTaskSets",
"ecs:GetTaskProtection",
"elasticmapreduce:ListReleaseLabels",
"elasticmapreduce:ListStudios",
"elasticmapreduce:ListSupportedInstanceTypes",
"emr:ListReleaseLabels",
"emr:ListStudios",
"emr:ListSupportedInstanceTypes",
"es:ListElasticsearchInstanceTypes",
"es:ListVpcEndpoints",
"lambda:GetCodeSigningConfig",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:GetRuntimeManagementConfig",
"lambda:ListAliases",
"lambda:ListEventSourceMappings",
"lambda:ListFunctionEventInvokeConfigs",
"lambda:ListFunctions",
"lambda:ListLayers",
"lambda:ListLayerVersions",
"lambda:ListProvisionedConcurrencyConfigs",
"lambda:ListVersionsByFunction",
"organizations:ListAccounts",
"organizations:ListRoots",
"organizations:ListPolicies",
"organizations:ListDelegatedAdministrators",
"s3:ListBucket",
"sns:GetSubscriptionAttributes",
"waf:ListRuleGroups",
"waf:ListRules",
"waf:ListSubscribedRuleGroups",
"waf-regional:ListRateBasedRules",
"waf-regional:ListRuleGroups",
"waf-regional:ListRules",
"wafv2:DescribeManagedRuleGroup"
],
"Resource": "*"
}
]
}Updated 2 days ago