Dome9 AWS Policies & Permissions

    This topic describes the AWS policies that Dome9 uses to manage your accounts and the procedure to update permissions for AWS account entities.

    The policies give Dome9 permission to manage specific entities (such as Security Groups, Instances, etc.) in your AWS account. The type of permissions depends on whether the account is managed as Read-Only or Full Protection.

    Policies

    These are the AWS policies used by Dome9.

    SecurityAudit

    The SecurityAudit policy (an AWS managed policy) is mandatory; Dome9 requires it in order to function properly.

    AmazonInspectorReadOnlyAccess

    The AmazonInspectorReadOnlyAccess policy (an AWS managed policy) is optional; it is required only for Dome9 to fetch Amazon Inspector information.

    Dome9-readonly-policy

    The Dome9-readonly-policy is mandatory; it is required to use Dome9 features such as Compliance and Network Security. It contains the specific permissions needed to fetch information from AWS and use it within Dome9. If any of these permissions is not explicitly included in the policy, information for that service will not be available within Dome9; the other services explicitly included in the policy are unaffected.

    dome9-readonly-policy policy document (JSON):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Dome9ReadOnly",
                "Action": [
                    "cloudtrail:LookupEvents",
                    "dynamodb:DescribeTable",
                    "elasticfilesystem:Describe*",
                    "elasticache:ListTagsForResource",
                    "firehose:Describe*",
                    "firehose:List*",
                    "guardduty:Get*",
                    "guardduty:List*",
                    "kinesis:List*",
                    "kinesis:Describe*",
                    "kinesisvideo:Describe*",
                    "kinesisvideo:List*",
                    "logs:Describe*",
                    "logs:Get*",
                    "logs:FilterLogEvents",
                    "lambda:List*",
                    "s3:List*",
                    "sns:ListSubscriptions",
                    "sns:ListSubscriptionsByTopic",
                    "waf-regional:ListResourcesForWebACL"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    Version updates:

    Mar 05 2018 - Added Kinesis permissions.
    Mar 27 2018 - Added GuardDuty permissions.
    May 1 2018 - Added ElastiCache list tags.
    May 1 2018 - Added DynamoDB describe table.
    May 30 2018 - Added WAF Regional list resources for web ACL.

    Dome9-write-policy

    The Dome9-write-policy is an optional policy which is required in order for Dome9 to manage your AWS account (Full Protection mode).

    The policy contains permissions required for actions performed by Dome9 for functions such as Network Security.

    dome9-write-policy policy document (JSON):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Dome9Write",
                "Action": [
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:CreateTags",
                    "ec2:DeleteTags"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    AWS Permissions used by Dome9

    The table below shows the AWS permissions used by each Dome9 module.

    AWS Permission                       | Dome9 Mode      | Compliance | Network Security | IAM
    -------------------------------------|-----------------|------------|------------------|----
    ec2:AuthorizeSecurityGroupEgress     | Read-Only, Full |            | X                |
    ec2:AuthorizeSecurityGroupIngress    | Read-Only, Full |            | X                |
    ec2:CreateSecurityGroup              | Read-Only, Full |            | X                |
    ec2:DeleteSecurityGroup              | Read-Only, Full |            | X                |
    ec2:RevokeSecurityGroupEgress        | Read-Only, Full |            | X                |
    ec2:RevokeSecurityGroupIngress       | Read-Only, Full |            | X                |
    ec2:ModifyNetworkInterfaceAttribute  | Read-Only, Full |            | X                |
    ec2:CreateTags                       | Read-Only, Full |            | X                |
    ec2:DeleteTags                       | Read-Only, Full |            | X                |
    dynamodb:DescribeTable               | Full            | X          |                  |
    elasticfilesystem:Describe*          | Full            | X          | X                |
    elasticache:ListTagsForResource      | Full            | X          | X                |
    firehose:Describe*                   | Full            | X          |                  |
    firehose:List*                       | Full            | X          |                  |
    guardduty:Get*                       | Full            | X          |                  |
    guardduty:List*                      | Full            | X          |                  |
    kinesis:List*                        | Full            | X          |                  |
    kinesis:Describe*                    | Full            | X          |                  |
    kinesisvideo:Describe*               | Full            | X          |                  |
    kinesisvideo:List*                   | Full            | X          |                  |
    logs:Describe*                       | Full            | ?          | X                |
    logs:Get*                            | Full            | ?          | X                |
    logs:FilterLogEvents                 | Full            | ?          | X                |
    lambda:List*                         | Full            | X          | X                |
    s3:List*                             | Full            | X          |                  |
    sns:ListSubscriptions                | Full            | X          |                  |
    sns:ListSubscriptionsByTopic         | Full            | X          |                  |
    waf-regional:ListResourcesForWebACL  | Full            | X          |                  |

    Update AWS Permissions

    This section describes how to update permissions for specific entities in your AWS cloud account. These permissions are required by Dome9 to obtain up-to-date information about these entities. If you are missing permissions for an entity in your account, Dome9 will not be able to manage or monitor it (but this will not affect other entities, if Dome9 has the correct permissions for them).

    Dome9 requires specific permissions in AWS, currently defined in the AWS policies shown below.

    Mandatory policies

    • SecurityAudit policy, which is managed by AWS.

    • dome9-readonly-policy, which is created during the on-boarding process.

    Optional policies

    • AmazonInspectorReadOnlyAccess, which is managed by AWS; this is required only if your AWS account uses Amazon Inspector.

    • dome9-write-policy, which is also created in the on-boarding process or the update permissions process; this is required for Full Protection (Read/Write) Mode.

    For more information and the policy contents, see Policies, above.

    Notification of missing permissions

    Dome9 fetches information on assets of your cloud accounts, across all regions. If access is denied for any asset, Dome9 will retry several times, after which it will mark the specific entity as missing permissions. Dome9 will notify you of missing permissions on the Cloud Account page.

    The missing permissions notification shows the number of affected permissions for the specified Role.

    Click Show more to see details of the missing permissions and the number of affected entities.

    There are two options to resolve missing permissions:

    • VALIDATE PERMISSIONS - this resets the mechanism and tries to validate the permissions again. If this does not resolve the issue, run the Permissions Wizard to add the missing permissions.

    • RUN PERMISSIONS WIZARD - this opens the Permissions Wizard, which guides you through adding the missing permissions to the policies (described below).

    Update Permissions using the Permissions Wizard

    This wizard will guide you to add missing permissions to the AWS policies used by Dome9.

    Before starting, decide on the operation mode for your Dome9 account - Monitor or Full Protection (see AWS Security Group Management Considerations).

    Note - choosing Full Protection for the account does not switch your Security Groups to fully managed. Security Groups can be individually set as Read-Only or Full Protection. See How to set a Security Group to Full Protection mode in Dome9.

    1. Navigate to the Protect menu in the Dome9 console, and select Add AWS Account. Select the operation mode for the account.

    2. Follow the instructions. If the policy exists, the following steps will update it; if it does not exist, they will create a new one.

      For example, in step 4 you search for dome9-readonly-policy and answer Yes or No; depending on the answer, the wizard shows instructions to update the existing policy (Yes) or to create a new one (No).

    3. If you answered No in step 4, follow the steps shown to create a new policy.

    4. If you answered Yes, follow these steps to update the policy.

    5. Do the same for the dome9-write-policy, if necessary, and then click NEXT to continue to the next part.

    6. In the next step, make sure that all the required policies are attached to the Role.

    7. Click FINISH. It can take up to 30 minutes for the changes to apply.

    UnauthorizedOperation Exception

    If the following message appears for any of your cloud accounts, it usually means that something happened to a legitimate policy that now prevents Dome9 from using it.

    The main reasons for this are:

    1. One of the mandatory policies (SecurityAudit or dome9-readonly-policy) was detached from the role.

    2. The role was deleted, or the External ID was changed.

    3. A global policy denies some of the permissions that Dome9 uses (if you use AWS Organizations, check the organization policies).

    In order to fix this exception do the following:

    1. Try to update your permissions using this guide.

    2. If required, use a new Role and update the new Role's details on the Cloud Accounts page.

    3. Fill in the new Role ARN and the External ID (this must have a value; either generate it or create one yourself, and it must match the External ID configured on the Role).

    4. Check for any global policies that could affect the Role connection, and check that there is no Deny for EC2* in any of the global policies.

    5. If these steps don't resolve the problem, contact Dome9 support.