AWS Required Permissions
- Updated on 21 Jul 2024
Roles and Permissions
Below is a list of the roles Prisma Cloud DSPM uses to access your AWS environment and the permissions they have. Permissions are used to access different types of data, or perform actions such as creating/deleting virtual machines (VMs), exporting snapshots, etc.
IMPORTANT
If your AWS account has any firewall or network restrictions in place, it is imperative to grant access to the following Prisma Cloud DSPM IP addresses.
EU Stack: 52.48.123.3, 99.80.210.235, 34.247.249.123
US Stack: 54.225.205.121, 18.214.146.232, 3.93.120.3
DigSecurityReadOnlyRole
Used for read-only access to your environment, this role enables Prisma Cloud DSPM to:
Access your assets’ metadata such as size, name and region
Collect CloudTrail logs for DDR capabilities
This role is installed on every account monitored by Prisma Cloud DSPM, allowing us to detect and protect your assets. Prisma Cloud DSPM’s own account assumes the DigSecurityReadOnlyRole role with a unique external ID as a best-practice security measure.
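The external ID mentioned above is the standard IAM control against the confused-deputy problem: the trust policy of the role should allow sts:AssumeRole only for the vendor account and only when the caller presents the expected sts:ExternalId. The following is an added example written for this page, not a policy document from Prisma Cloud DSPM; it builds such a trust policy and includes a small check that flags trust statements which grant cross-account AssumeRole without that condition. The account ID and external ID are constructed placeholders.

```python
"""Trust policy with an ExternalId condition, plus a checker for trust
policies that lack it. Added example; not Prisma Cloud DSPM's own documents."""
import json

# Constructed placeholders (assumptions): replace with the values from your tenant.
DSPM_ACCOUNT_ID = "111111111111"     # the account that will assume the role
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"  # unique per customer, issued by the vendor


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for a role such as DigSecurityReadOnlyRole: only the named
    account may assume it, and only when it presents the expected external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_external_id_condition(statement: dict) -> bool:
    """True when the statement's Condition block constrains sts:ExternalId."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.lower() not in ("stringequals", "stringlike"):
            continue
        if any(key.lower() == "sts:externalid" for key in pairs):
            return True
    return False


def find_unguarded_assume_statements(trust_policy: dict) -> list:
    """Return the indexes of Allow statements that grant sts:AssumeRole to an
    AWS (account/IAM) principal without an sts:ExternalId condition. Service
    principals are skipped: they do not use external IDs."""
    findings = []
    for index, statement in enumerate(_as_list(trust_policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(statement.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = statement.get("Principal")
        aws_principal = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
        if aws_principal and not _has_external_id_condition(statement):
            findings.append(index)
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(DSPM_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("unguarded statements:", find_unguarded_assume_statements(policy))
```

Run the checker against the trust policies of the roles in your account (for example the output of `aws iam get-role`) to confirm that every cross-account AssumeRole grant carries the external ID condition; a statement that trusts an account root without it can be assumed by any principal in that account that has sts:AssumeRole on the role ARN.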
Permissions
Managed Policy | Scope | Purpose |
---|---|---|
ReadOnlyAccess | All resources | Read-only access to the client's environment |
AmazonMemoryDBReadOnlyAccess | All resources | Read-only access to the client’s MemoryDB resources |
bedrock:ListGuardrails | The entire account | Content filtering risk assessment in AI deployments |
bedrock:GetGuardrail | The entire account | Content filtering risk assessment in AI deployments |
DigSecurityScannerRole
This role is installed on all the scanned (monitored) accounts in your environment, as well as on the DigSecurityReadOnlyRole. It enables Prisma Cloud DSPM to detect and scan data for analysis and classification. This role can only be assumed by the DigSecurityOrchestratorRole.
All sensitive data that is detected, scanned and classified by Prisma Cloud DSPM’s resources never leaves the client's environment.
Permissions
Permission | Scope | Purpose |
---|---|---|
aoss:APIAccessAll | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to get data from OpenSearch Serverless |
aoss:CreateSecurityPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to create a security policy to allow Orchestrator VPC endpoint to access the collection |
aoss:DeleteSecurityPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to delete security policies |
aoss:CreateAccessPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to create an access policy to allow only Dig Scanner to access the scanned collection |
aoss:DeleteAccessPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to delete access policies |
aoss:GetAccessPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to retrieve metadata regarding access policies |
aoss:GetSecurityPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to retrieve metadata regarding security policies |
bedrock:list | All resources | Listing bedrock resources |
bedrock:get | All resources | Describing models (and get S3 bucket information) |
ec2:CopySnapshot | Snapshots in the account | Enables copying snapshots to a snapshot that Prisma Cloud DSPM can share with the scanner account |
ec2:CreateSnapshots | Snapshots in the account | Enables creating an EC2 instance from multiple snapshots simultaneously, so that Prisma Cloud DSPM can start scanning for databases |
ec2:CreateTags | EC2 instances in the account | Enables creating a unique tag for resources in order to find them at a later stage |
ec2:DeleteSnapshot | Only snapshots created by Prisma Cloud DSPM (based on tags) | Enables deleting existing stale snapshots |
ec2:DescribeAvailabilityZones | Availability zones in the account | Enables getting information about the snapshot’s availability zone and storing it within the same snapshot |
ec2:DescribeImages | All publicly available AWS images | Enables getting information about the available images for EC2 instances |
ec2:DescribeInstances | EC2 instances in the account | Enables getting information about EC2 instances |
ec2:DescribeSnapshots | Snapshots in the account | Enables getting information about snapshots in the account |
ec2:ModifySnapshotAttribute | Only snapshots created by Prisma Cloud DSPM (based on tags) | Enables sharing the snapshots created in the scanner account |
iam:PassRole | DigSecurityScannerRole role only | Enables creating export tasks for RDS snapshots |
kms:CreateAlias | KMS keys in the account | Enables giving a unique alias name to keys in order to find them at a later stage |
kms:CreateGrant | Only AWS services | The created EC2 instance sends a CreateGrant request to AWS KMS so that it can share the encrypted snapshot with the outpost account |
kms:CreateKey | KMS keys in the account | Enables creating Dig’s CMK key to encrypt the snapshots and volume, thus ensuring that data is encrypted at every step |
kms:Decrypt | No scope | Enables decrypting the encrypted snapshots. Prisma Cloud DSPM can decrypt only encrypted snapshots that it created itself |
kms:DeleteAlias | KMS keys in the account | Enables deleting the alias name for the created keys |
kms:DescribeKey | KMS keys in the account | Enables getting information about the KMS keys in the account |
kms:Encrypt | Only KMS keys for which Prisma Cloud DSPM created ListGrants | Enables encrypting the snapshot copy to ensure data is encrypted at every step |
kms:GenerateDataKeyWithoutPlaintext | Only KMS keys created by Prisma Cloud DSPM | Enables encrypting the created snapshot |
kms:GenerateDataKey | KMS keys in the account | Enables encrypting the created snapshot / backup |
kms:GenerateRandom | KMS keys in the account | Enables encrypting the created snapshot |
kms:ListAliases | KMS keys in the account | Enables listing keys in the account in order to use Dig’s KMS key |
kms:ListGrants | Only AWS services | Enables listing the grants on a specific key so that the created EC2 instance can send a CreateGrant request to AWS KMS. This enables Prisma Cloud DSPM to share the encrypted snapshot with the scanner account |
kms:ListKeys | KMS keys in the account | Enables searching Prisma Cloud DSPM’s key in the account |
kms:ListResourceTags | KMS keys in the account | Enables getting the tags on the KMS keys, which enables Prisma Cloud DSPM to find its own keys |
kms:ReEncryptTo | KMS keys in the account | Enables encrypting the copied snapshot with the created KMS to ensure data is encrypted at every step |
kms:TagResource | KMS keys in the account | Enables creating a unique tag for the created keys in order to find them at a later stage |
kms:TagResource | Only KMS keys that Prisma Cloud DSPM created | Enables deleting the tag from the created key |
rds:AddTagsToResource | RDS resources in the account | Enables creating a unique tag for the created RDS resources in order to find them at a later stage |
rds:CreateDBClusterSnapshot | RDS clusters in the account | Enables creating a snapshot for the RDS clusters that need to be scanned at a later stage |
rds:CreateDBSnapshot | RDS instances in the account | Enables creating a snapshot for the RDS instances that need to be scanned at a later stage |
rds:DeleteDBSnapshot | Only RDS snapshots created by Prisma Cloud DSPM (based on tags) | Enables deleting stale snapshots that were created |
rds:DeleteDBClusterSnapshot | Only RDS cluster snapshots created by Prisma Cloud DSPM (based on tags) | Enables deleting stale snapshots that were created |
rds:Describe* | RDS resources in the account | Describe permissions enable Prisma Cloud DSPM to get metadata information on the RDS instance |
rds:List* | RDS resources in the account | List permissions enable Prisma Cloud DSPM to understand which instances and snapshots exist in the account |
rds:StartExportTask | RDS snapshots in the account | Enables exporting data from the snapshots to an S3 bucket |
s3:CreateBucket | Only the bucket Prisma Cloud DSPM created for the export task | Enables creating an S3 bucket for the export task |
s3:DeleteBucket | Only the bucket Prisma Cloud DSPM created for the export task | Enables deleting an S3 bucket for the export task |
s3:DeleteObject | Only the bucket Prisma Cloud DSPM created for the export task | Enables deleting stale objects that were created |
s3:Get* | S3 buckets | Get permissions enable Prisma Cloud DSPM to read exported data over an S3 bucket |
s3:List* | S3 buckets | List permissions enable Prisma Cloud DSPM to understand which S3 buckets exist in the account |
s3:PutBucketNotification | Only the bucket Prisma Cloud DSPM created for the export task | Enables connecting the bucket to the created SNS |
s3:PutBucketPolicy | Only the bucket Prisma Cloud DSPM created for the export task | Enables adding a policy to the created bucket |
s3:PutBucketPublicAccessBlock | Only the bucket Prisma Cloud DSPM created for the export task | Since S3 buckets are public by default, this permission enables Dig to block public access to the created S3 bucket |
s3:PutBucketTagging | Only the bucket Prisma Cloud DSPM created for the export task | Enables tagging the created bucket |
s3:PutBucketVersioning | Only the bucket Prisma Cloud DSPM created for the export task | Enables versioning in the created bucket |
s3:PutEncryptionConfiguration | Only the bucket Prisma Cloud DSPM created for the export task | Enables encrypting data in the bucket, which allows Dig to secure its data |
s3:PutObject | Only the bucket Prisma Cloud DSPM created for the export task | Enables writing data to an object in Prisma Cloud DSPM’s bucket to export data from the RDS instances |
sts:DecodeAuthorizationMessage | Errors detected in the scanner role | Enables getting information about any API errors in AWS API calls |
redshift-serverless:PutResourcePolicy | Redshift resources in the account | Enables creating and updating resource policies for Serverless sharing with the Orchestrator account |
redshift-serverless:DeleteResourcePolicy | Redshift resources in the account | Enables removing policies created by Prisma Cloud DSPM |
redshift-serverless:GetResourcePolicy | Redshift resources in the account | Enables retrieving the current resource policy |
redshift:AuthorizeSnapshotAccess | Redshift resources in the account | Enables snapshot sharing with the Orchestrator account |
redshift:CopyClusterSnapshot | Redshift resources in the account | Enables copying the snapshot for the Redshift clusters so that Dig will be able to use them at a later stage |
redshift:CreateClusterSnapshot | Redshift resources in the account | Enables creating a snapshot for the Redshift clusters that will be scanned at a later stage |
redshift:CreateTags | Redshift resources in the account | Enables creating a unique tag for the created keys in order to find them at a later stage |
redshift:DeleteClusterSnapshot | Only snapshots created by Prisma Cloud DSPM | Enables deleting stale snapshots that were created |
redshift:Describe* | Redshift resources in the account | Enables querying Redshift resource metadata information |
redshift:EnableSnapshotCopy | Redshift resources in the account | Enables activating snapshot copy feature for backups |
redshift:List* | Redshift resources in the account | Enables listing Redshift resources |
redshift:RevokeSnapshotAccess | Redshift resources in the account | Enables revoking access to shared Redshift snapshots after the scan is finished |
dynamodb:CreateBackup | DynamoDB resources in the account | Enables creating backups for DynamoDB tables for restoring and classifying them later |
dynamodb:CreateTable | DynamoDB resources in the account | Enables creating new DynamoDB tables as part of the restore process |
dynamodb:DeleteBackup | DynamoDB resources in the account | Enables deleting DynamoDB table backups after they are created |
dynamodb:Describe* | DynamoDB resources in the account | Enables getting metadata about DynamoDB resources |
dynamodb:GetItem | DynamoDB resources in the account | Enables retrieving a specific item from a DynamoDB table for on-demand classification |
dynamodb:GetRecords | DynamoDB resources in the account | Enables getting data records from a DynamoDB stream for on-demand classification |
dynamodb:RestoreTableFromAwsBackup | DynamoDB resources in the account | Enables restoring a DynamoDB table from an AWS Backup job |
dynamodb:RestoreTableFromBackup | DynamoDB resources in the account | Enables restoring a DynamoDB table from a specific backup |
dynamodb:Scan | DynamoDB resources in the account | Enables scanning DynamoDB tables to retrieve specific items as part of the on-demand classification process |
dynamodb:StartAwsBackupJob | DynamoDB resources in the account | Enables initiating AWS Backup jobs for DynamoDB tables |
dynamodb:TagResource | DynamoDB resources in the account | Enables adding tags to DynamoDB resources created by Prisma Cloud DSPM |
dynamodb:UpdateContinuousBackups | DynamoDB resources in the account | Enables modifying backup settings created by Prisma Cloud DSPM |
dynamodb:BatchWriteItem | Only tables created by Prisma Cloud DSPM | Enables writing multiple items to a DynamoDB table in a single operation as part of the restoration process |
dynamodb:DeleteItem | Only tables created by Prisma Cloud DSPM | Enables deleting a specific item from the created DynamoDB table |
dynamodb:DeleteTable | Only tables created by Prisma Cloud DSPM | Enables deleting the created DynamoDB table |
dynamodb:DeleteTableReplica | Only tables created by Prisma Cloud DSPM | Enables deleting a table replica in the created DynamoDB |
dynamodb:PutItem | Only tables created by Prisma Cloud DSPM | Enables inserting a new item into the DynamoDB table created as part of the restoration process |
dynamodb:UntagResource | Only tables created by Prisma Cloud DSPM | Enables removing tags from the created DynamoDB tables |
dynamodb:UpdateItem | Only tables created by Prisma Cloud DSPM | Enables modifying an existing item in the created DynamoDB table |
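Several Scope entries in the table above ("Only snapshots created by Prisma Cloud DSPM (based on tags)", "DigSecurityScannerRole role only", "Only AWS services") describe how a permission is narrowed in the actual policy: by an aws:ResourceTag condition, by an explicit role ARN as the resource, or by the kms:GrantIsForAWSResource condition key. The following is an added example written for this page, not Prisma Cloud DSPM's own policy; it builds a policy fragment using those three scoping patterns and includes a linter that flags Allow statements with destructive actions (Delete*, Terminate*, Modify*, iam:PassRole) that are neither resource-scoped nor tag-conditioned. The account ID is a constructed placeholder, and the tag key/value `Dig-Security: true` is an assumption taken from the tag names this page uses.

```python
"""Tag-, ARN- and condition-scoped permission statements, plus a linter for
unscoped destructive grants. Added example; not Prisma Cloud DSPM's policy."""
import json

# Constructed placeholders (assumptions): replace with your own values.
MONITORED_ACCOUNT_ID = "222222222222"
TAG_KEY = "Dig-Security"   # assumed from the tag names mentioned on this page
TAG_VALUE = "true"


def build_scanner_policy(account_id: str, tag_key: str, tag_value: str) -> dict:
    """Policy fragment showing the three scoping patterns from the Scope column."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # "Only snapshots created by Prisma Cloud DSPM (based on tags)"
                "Sid": "TagScopedCleanup",
                "Effect": "Allow",
                "Action": ["ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
                           "rds:DeleteDBSnapshot"],
                "Resource": "*",
                "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}},
            },
            {   # "DigSecurityScannerRole role only"
                "Sid": "PassOnlyScannerRole",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": f"arn:aws:iam::{account_id}:role/DigSecurityScannerRole",
            },
            {   # "Only AWS services": grants may be created only on behalf of AWS services
                "Sid": "GrantsOnlyForAwsServices",
                "Effect": "Allow",
                "Action": ["kms:CreateGrant", "kms:ListGrants"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
            {   # Read-only actions need no scoping for this check
                "Sid": "ReadOnlyDescribe",
                "Effect": "Allow",
                "Action": ["ec2:DescribeSnapshots", "rds:Describe*"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_destructive(action: str) -> bool:
    """Actions that create, change or destroy state, or that can escalate (PassRole)."""
    _, _, verb = action.partition(":")
    verb = verb.lower()
    return (verb.startswith(("delete", "terminate", "modify"))
            or verb == "*" or action.lower() == "iam:passrole")


def _is_scoped(statement: dict) -> bool:
    """Scoped if every Resource is an explicit ARN (not the bare '*'), or if a
    Condition pins the resource tag or the KMS grant-for-AWS-service key."""
    resources = _as_list(statement.get("Resource"))
    if resources and all(r != "*" for r in resources):
        return True
    for pairs in statement.get("Condition", {}).values():
        for key in pairs:
            k = key.lower()
            if k.startswith("aws:resourcetag/") or k == "kms:grantisforawsresource":
                return True
    return False


def unscoped_destructive_statements(policy: dict) -> list:
    """Return (Sid, [offending actions]) for Allow statements that grant
    destructive actions on '*' without a tag or service-grant condition."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        offending = [a for a in _as_list(statement.get("Action")) if _is_destructive(a)]
        if offending and not _is_scoped(statement):
            findings.append((statement.get("Sid", str(index)), offending))
    return findings


if __name__ == "__main__":
    policy = build_scanner_policy(MONITORED_ACCOUNT_ID, TAG_KEY, TAG_VALUE)
    print(json.dumps(policy, indent=2))
    print("unscoped destructive statements:", unscoped_destructive_statements(policy))
```

The linter treats only a literal `*` resource as unscoped; a wildcard ARN such as `arn:aws:ec2:*:*:snapshot/*` is still broad, so review those by hand. Running it over the inline policies attached to the deployed DigSecurityScannerRole is a quick way to confirm that the "Only ... created by Prisma Cloud DSPM" scopes in the table are actually enforced by conditions rather than described only in documentation.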
DigSecurityOrchestratorRole
This role is installed on the side account(s) in your AWS environment. It is used to deploy Prisma Cloud DSPM’s compute resources (e.g., EC2 instances for AWS) for scanning and analyzing the scanned accounts. This role is also used by Prisma Cloud DSPM’s compute instances to assume the DigSecurityScannerRole.
Permissions
Permission | Scope | Purpose |
---|---|---|
ec2:DeleteVpcEndpoint | Resources tagged with 'dig-security' | Used for scanning OpenSearch Serverless instances |
aoss:DeleteVpcEndpoint | Orchestrator account | Used for scanning OpenSearch Serverless instances |
elasticfilesystem:ClientMount | All resources | Mounting an EFS file system as read-only |
secretsmanager:CreateSecret | Only secrets tagged with Dig-Security:true | Enables Prisma Cloud DSPM to create a secret necessary for interacting with password-enabled services |
secretsmanager:GetSecretValue | Only secrets tagged with Dig-Security:true | Enables Prisma Cloud DSPM to pull the secret required for scanning |
secretsmanager:PutSecretValue | Only secrets tagged with Dig-Security:true | Enables Prisma Cloud DSPM to create the secret required for scanning |
secretsmanager:TagResource | Only secrets tagged with Dig-Security:true | Allows Prisma Cloud DSPM to tag the secrets and enable right-sized permissions |
ec2:AllocateAddress | Addresses in the account | Enables Dig to create an address for its EC2 instance |
ec2:AssociateAddress | Addresses in the account | Enables associating the created addresses |
ec2:AssociateRouteTable | Route tables in the account | Enables attaching the route table created for Prisma Cloud DSPM’s EC2 instance |
ec2:AttachInternetGateway | Internet gateways in the account | Enables attaching the Internet gateway created for Prisma Cloud DSPM’s EC2 instance |
ec2:AuthorizeSecurityGroupEgress | Security groups in the account | Enables attaching a security group to the EC2 instance |
ec2:AuthorizeSecurityGroupIngress | Security groups in the account | Enables attaching a security group to the EC2 instance |
ec2:CreateInternetGateway | Internet gateways in the account - only those with a "Dig-Security" tag | Enables creating an Internet gateway for Prisma Cloud DSPM’s EC2 to communicate with the Internet |
ec2:CreateNatGateway | NAT gateways in the account | Enables creating a NAT gateway for Prisma Cloud DSPM’s EC2 to communicate with the Internet |
ec2:CreateRoute | Route instances in the account | Enables creating a route table for routing the network from the created Internet gateway |
ec2:CreateRouteTable | Route tables in the account | Enables creating a route table with relevant routes for Prisma Cloud DSPM’s EC2 |
ec2:CreateSecurityGroup | Security groups in the account | Enables creating a security group attached to the EC2 instance |
ec2:CreateSubnet | Subnets in the account | Enables creating a subnet to be used by Prisma Cloud DSPM’s EC2 instance |
ec2:CreateTags | EC2 resources in the account | Enables creating tags on resources for identifying Prisma Cloud DSPM's resources in the account |
ec2:CreateVpc | Only VPC with a "Dig-Security" tag | Enables creating a VPC to be used by Prisma Cloud DSPM's EC2 instance |
ec2:DeleteInternetGateway | Only Prisma Cloud DSPM’s InternetGateway | Enables deleting stale internet gateways created in the process |
ec2:DeleteNatGateway | Only Prisma Cloud DSPM’s NatGateway | Enables deleting stale gateways created in the process |
ec2:DeleteRoute | Only Prisma Cloud DSPM’s Route | Enables deleting the stale routes created in the process |
ec2:DeleteRouteTable | Only Prisma Cloud DSPM’s RouteTable | Enables deleting the stale route tables created in the process |
ec2:DeleteSecurityGroup | Only Prisma Cloud DSPM’s SecurityGroup | Enables deleting the stale security groups created in the process |
ec2:DeleteSubnet | Only Prisma Cloud DSPM’s Subnet | Enables deleting the stale subnets created in the process |
ec2:DeleteVpc | Only Prisma Cloud DSPM’s VPC | Enables deleting the stale VPCs created in the process |
ec2:DetachInternetGateway | Only Prisma Cloud DSPM’s InternetGateway and VPC | Enables detaching the stale Internet gateways from VPCs created in the process |
ec2:ModifySecurityGroupRules | Only security group resources created by Prisma Cloud DSPM | Enables attaching security rules to the security group created |
ec2:RunInstances | Instances in the account | Enables creating EC2 instances |
ec2:TerminateInstances | All EC2 resources created by Prisma Cloud DSPM (based on tags) | Enables deleting the stale EC2 instances created in the process |
iam:PassRole | DigSecurityOrchestratorRole role only | Enables creating EC2 instances with an attached DigSecurityOrchestratorRole |
kms:CreateGrant | Only Prisma Cloud DSPM’s KMS keys and only for AWS Services | A created EC2 instance sends a CreateGrant request to AWS KMS so that it can encrypt the volume created from the snapshot |
kms:Decrypt | Only Prisma Cloud DSPM’s KMS keys | Enables attaching the volumes to be scanned |
kms:Encrypt | Only Prisma Cloud DSPM’s KMS keys | Enables attaching the volumes to be scanned to ensure they are encrypted |
kms:GenerateDataKeyWithoutPlaintext | Only Prisma Cloud DSPM’s KMS keys | AWS uses KMS to encrypt and decrypt encrypted volumes. The KMS generates a new data key, and encrypts it using the KMS key specified by Prisma Cloud DSPM in case the volume is encrypted with another KMS key. The encrypted data key is sent to the EBS to be stored with the volume metadata |
kms:ReEncryptFrom | Only Prisma Cloud DSPM’s KMS keys | Enables attaching the volumes to be scanned to ensure they are encrypted |
ReadOnlyAccess | All resources | Read-only access in the client’s environment |
sts:AssumeRole | DigSecurityScannerRole only | Enables assuming DigSecurityScannerRole to perform the scan logic in the monitored accounts |
sts:DecodeAuthorizationMessage | Errors of Prisma Cloud DSPM’s Orchestrator role that were detected | Enables getting information about any API errors in AWS API calls made by the Orchestrator role |
iam:CreateServiceLinkedRole | All resources | Enables creating service-linked roles for AWS services, to access Redshift Serverless namespace in Orchestrator accounts for the first time |
redshift-data:Describe* | All resources | Enables querying Redshift data resources metadata information |
redshift-data:GetStatementResult | All resources | Enables retrieving the results of SQL commands executed by Prisma Cloud DSPM on the Redshift namespaces it created |
redshift-data:List* | All resources | Enables listing Redshift data resources |
redshift-serverless:CreateNamespace | All resources | Enables creating Redshift Serverless namespaces from the shared snapshot |
redshift-serverless:CreateWorkgroup | All resources | Enables creating Redshift Serverless workgroups |
redshift-serverless:GetNamespace | All resources | Enables retrieving Redshift Serverless namespace details |
redshift-serverless:GetWorkgroup | All resources | Enables retrieving Redshift Serverless workgroup details |
redshift-serverless:ListNamespaces | All resources | Enables listing all Redshift Serverless namespaces |
redshift-serverless:RestoreFromSnapshot | All resources | Enables restoring a namespace from the shared snapshot |
redshift-serverless:TagResource | All resources | Enables creating tags on resources for identifying Prisma Cloud DSPM’s resources in the account |
redshift-data:BatchExecuteStatement | Only Prisma Cloud DSPM’s resources (by tags) | Enables executing multiple SQL statements in Redshift concurrently for the scanning process |
redshift-data:CancelStatement | Only Prisma Cloud DSPM’s resources (by tags) | Enables canceling the run of SQL statements in the Redshift cluster created by Prisma Cloud DSPM |
redshift-data:ExecuteStatement | Only Prisma Cloud DSPM’s resources (by tags) | Enables executing multiple SQL statements in Redshift concurrently for the scanning process |
redshift-serverless:DeleteNamespace | Only Prisma Cloud DSPM’s resources (by tags) | Enables deleting Redshift Serverless namespaces created by Prisma Cloud DSPM |
redshift-serverless:DeleteWorkgroup | Only Prisma Cloud DSPM’s resources (by tags) | Enables deleting Redshift Serverless workgroups created by Prisma Cloud DSPM |
redshift-serverless:GetCredentials | Only Prisma Cloud DSPM’s resources (by tags) | Enables retrieving Prisma Cloud DSPM’s Redshift Serverless credentials for access management |