AWS Onboarding - Roles, Policies, and Permissions
When you connect your AWS account to Panoptica – whether you’re launching a CloudFormation Stack via the Panoptica console or running a Terraform script – you will be defining the following roles and permissions.
Deployment
In order to integrate Panoptica with your AWS account, the user onboarding the account needs to have administrative rights to the AWS account.
Technically, it’s sufficient for the user launching the stack to be able to create/delete roles, create/delete policies, attach policies to roles, launch/delete stacks, and, if enabling serverless scans, create/delete Lambdas. But that’s pretty much the definition of the AdministratorAccess policy.
Roles
When you launch the CloudFormation stack (or run the Terraform script) you create a new IAM role in your account called SecurityAuditRole. Panoptica does not have access to make any changes to this roles after onboarding.
SecurityAuditRole is a role that has different policies attached to it that define what Panoptica can and cannot do. See [Policies] below for details. The full name is Panoptica-<onboarding_date>-<some random chars>-SecurityAuditRole-<more random chars>.
This role is assumed by a dedicated role in Panoptica’s AWS account (460146075389 for US and global customers; 365334924617 for EU customers) to facilitate the scans, according to a trust relationship. This Panoptica role is unique to your company, and is the only Panoptica resource with permissions to use the SecurityAuditRole. You can view the relationship in the Trust relationships tab of the SecurityAuditRole, under IAM > Roles.
Policies
Panoptica creates various policies at onboarding to enable the SecurityAuditRole to scan your AWS resources: three “AWS Managed” policies to enable standard CSPM security access, plus one customized policy to facilitate additional read-only access Panoptica requires. Additional policies may be created based on preferences you select at onboarding, such as CVE and/or Serverless scanning.
- AWSOrganizationsReadOnlyAccess (AWS Managed) - Provides read-only access to AWS Organizations.
- ViewOnlyAccess (AWS Managed) - Grants permissions to view resources and basic metadata across all AWS services.
- SecurityAudit (AWS Managed) - Grants access to read security configuration metadata.
- Panoptica-extendedAuditPermissions-policy (Customer inline) - This customized policy facilitates read-only access to resources not included in the standard policies, to support Panoptica features such as Compliance Framework, ECR scanning, and more. It also enables Panoptica to discover new AWS services as they come online.
Workload Scanning
If you enable CVE scanning of your workloads at onboarding, an additional policy is created for the SecurityAuditRole to support the scanning function, according to the scanning method you selec.
Whether you select External scan or Internal scan, Panoptica takes snapshots of the EBS volumes and scans the snapshots, to minimize impact on your environment. The only difference is where the snapshots are scanned: in Panoptica’s AWS account (External), or in a local account you designate during onboarding (Internal).
-
panoptica-external-ec2-scan-policy (Customer inline) – This policy facilitates scanning snapshots in an account other than the current one. This could be Panoptica’s account ID, if you selected External scanning, or the scanner account ID you provided when onboarding, in the case of Internal scanning. Yes, even “Internal scanning” uses the external scan policy for any of your accounts that are not hosting the scan. Note that the snapshots are shared with the scanning account – whether external or internal – never copied or moved.
This JSON script defines the permissions that are included in this policy:
{ "Version": "2012-10-17", "Statement": [ { "Condition": { "ForAnyValue:StringLikeIfExists": { "ec2:ResourceTag/used_by": "panoptica - ec2 scan" } }, "Action": [ "ec2:DescribeSnapshots", "ec2:DeleteSnapshot" ], "Resource": "*", "Effect": "Allow", "Sid": "cleaning" }, { "Action": [ "ec2:CopySnapshot", "ec2:ModifySnapshotAttribute", "ec2:CreateTags", "ec2:CreateSnapshot", "kms:RevokeGrant", "kms:ReEncryptTo", "kms:DescribeKey", "kms:CreateGrant", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*", "Effect": "Allow", "Sid": "scanning" } ] } -
panoptica-internal-ec2-scan (Customer inline) – This policy facilitates hosting CVE scans for accounts you choose to scan using the Internal scan.
This JSON script defines the permissions that are included in this policy:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateKeyPair", "ec2:CreateNatGateway", "ec2:CreateVpc", "ec2:CreateRouteTable", "ec2:AttachInternetGateway", "ec2:AssociateRouteTable", "ec2:CreateRoute", "ec2:CreateSecurityGroup", "ec2:CreateInternetGateway", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute", "ec2:CreateLaunchTemplate", "ec2:AllocateAddress" ], "Resource": [ "arn:aws:ec2:*:*:key-pair/panoptica_ec2_scan", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:elastic-ip/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:internet-gateway/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:natgateway/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:fleet/*", "arn:aws:ec2:*:*:launch-template/*" ], "Effect": "Allow", "Sid": "CreateScanningInfrastructure" }, { "Action": [ "iam:CreateInstanceProfile", "iam:PassRole", "iam:TagRole", "iam:CreateRole", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "iam:TagInstanceProfile", "iam:AttachRolePolicy" ], "Resource": [ "arn:aws:iam::*:instance-profile/panoptica-snap-scan", "arn:aws:iam::*:role/panoptica-snap-scan" ], "Effect": "Allow", "Sid": "SetPermissions" }, { "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:launch-template/*", "arn:aws:ec2:*:*:fleet/*", "arn:aws:ec2:*:*:natgateway/*", "arn:aws:ec2:*:*:internet-gateway/*", "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:elastic-ip/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:spot-fleet-request/*" ], "Effect": "Allow", "Sid": "tagScanResources" }, { "Action": [ "ec2:CancelSpotFleetRequests", "ec2:DeleteLaunchTemplateVersions", "ec2:CreateLaunchTemplateVersion", "ec2:CreateSnapshot" ], "Resource": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:launch-template/*", "arn:aws:ec2:*:*:fleet/*", "arn:aws:ec2:*:*:internet-gateway/*", "arn:aws:ec2:*:*:spot-fleet-request/*" ], "Effect": "Allow", "Sid": "Scanning" }, { "Action": [ "ec2:CreateFleet", "ec2:RunInstances", "ec2:RequestSpotFleet" ], "Resource": [ "arn:aws:ec2:*:*:*" ], "Effect": "Allow", "Sid": "CreateFleet" }, { "Action": [ "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeVpcs", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNatGateways", "ec2:DescribeInstanceStatus", "ec2:DescribeSpotFleetRequests", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeSubnets", "sts:DecodeAuthorizationMessage" ], "Resource": "*", "Effect": "Allow", "Sid": "VisualEditor1" }, { "Action": "iam:CreateServiceLinkedRole", "Resource": [ "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot", "arn:aws:iam::*:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet", "arn:aws:iam::*:role/aws-service-role/ec2fleet.amazonaws.com/AWSServiceRoleForEC2Fleet" ], "Effect": "Allow", "Sid": "EnableRunningSpotFleets" }, { "Condition": { "StringEquals": { "ec2:ResourceTag/used_by": "panoptica - ec2 scan" } }, "Action": [ "ec2:DescribeVolumes", "ec2:DeleteVolume", "ec2:DeleteSnapshot", "ec2:DescribeInstances", "ec2:DeleteLaunchTemplate", "ec2:DeleteSubnet", "ec2:DeleteFleets", "ec2:CancelSpotFleetRequests", "ec2:DeleteNatGateway", "ec2:DeleteVpc", "ec2:DeleteKeyPair", "ec2:DeleteInternetGateway", "ec2:DetachInternetGateway", "ec2:DeleteSecurityGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "DeleteInfrastructure" }, { "Condition": { "StringEquals": { "ec2:ResourceTag/used_by": "panoptica - ec2 scan" } }, "Action": [ "ec2:TerminateInstances" ], "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Effect": "Allow", "Sid": "Cleanup" }, { "Action": [ "ec2:DeleteRoute", "ec2:DeleteRouteTable", "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile", "iam:DeleteRolePolicy", "iam:DeleteRole" ], "Resource": [ "arn:aws:ec2:*:*:route-table/*", "arn:aws:iam::*:instance-profile/panoptica-snap-scan", "arn:aws:iam::*:role/panoptica-snap-scan" ], "Effect": "Allow", "Sid": "DeleteInfrastructureComponents" }, { "Action": [ "ec2:DisassociateRouteTable", "ec2:ReleaseAddress" ], "Resource": [ "arn:aws:ec2:*:*:*/*" ], "Effect": "Allow", "Sid": "DeleteUntaggedInfrastructureComponents" }, { "Action": [ "kms:CreateGrant", "kms:RevokeGrant", "kms:ReEncryptTo", "kms:DescribeKey", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext", "kms:TagResource", "kms:ListResourceTags", "kms:ListAliases", "kms:CreateAlias", "kms:DeleteAlias" ], "Resource": [ "arn:aws:kms:*:*:key/*", "arn:aws:kms:*:*:alias/*" ], "Effect": "Allow", "Sid": "KMSEncryptionManagement" }, { "Condition": { "StringEquals": { "aws:ResourceTag/used_by": "panoptica - ec2 scan" } }, "Action": [ "kms:ScheduleKeyDeletion" ], "Resource": "arn:aws:kms:*:*:key/*", "Effect": "Allow", "Sid": "DeleteKey" }, { "Condition": { "StringEquals": { "aws:ResourceTag/used_by": "panoptica - ec2 scan" } }, "Action": [ "kms:CreateKey" ], "Resource": "*", "Effect": "Allow", "Sid": "CreateKey" } ] }
See AWS CVE Scanning - Details for more information on workload scanning.
Serverless Scanning
If you enable Serverless Scans at onboarding, two additional policies are created.
- AWSLambda_ReadOnlyAccess (AWS Managed) – This policy grants read-only access to AWS Lambda service, AWS Lambda console features, and other related AWS services.
- securecn-policy (Customer inline) – This policy facilitates security scanning of Lambda functions
We also create a Lambda function to perform the scan, and a dedicated role for this Lambda to use named LambdaVerifierRole.
NOTE:
Editing these policies and roles in any way will impact Panoptica’s ability to scan your resources and ensure your security posture. Please reach out to your Customer Success team if you have any questions.
AWS Organization
When onboarding an AWS Organization, the same roles and policies are created in a CloudFormation Stack in your root account. After you select the OUs to which you want to deploy the stack, AWS will deploy via StackSet to each account under the selected OUs.
Other Resources
The onboarding process also creates SNSPubResource, a notifier to inform the Panoptica backend when the onboarding is complete and scanning can begin.
Updated about 1 month ago