AWS Permissions used by Dome9

[The contents of this page are included in AWS Policies & Permissions. This page should be deprecated]

This article describes the AWS permissions Dome9 uses for accounts onboarded to Dome9. Permissions are granted through two IAM policies, the read-policy and the write-policy, which are created and applied when an AWS account is onboarded to Dome9.

The table below lists each permission, the Dome9 mode it applies to, and the Dome9 module(s) that use it.

| AWS Permission | Dome9 Mode | Compliance | Network Security | IAM |
|---|---|---|---|---|
| ec2:AuthorizeSecurityGroupEgress | Read-Only, Full | | X | |
| ec2:AuthorizeSecurityGroupIngress | Read-Only, Full | | X | |
| ec2:CreateSecurityGroup | Read-Only, Full | | X | |
| ec2:DeleteSecurityGroup | Read-Only, Full | | X | |
| ec2:RevokeSecurityGroupEgress | Read-Only, Full | | X | |
| ec2:RevokeSecurityGroupIngress | Read-Only, Full | | X | |
| ec2:ModifyNetworkInterfaceAttribute | Read-Only, Full | | X | |
| ec2:CreateTags | Read-Only, Full | | X | |
| ec2:DeleteTags | Read-Only, Full | | X | |
| dynamodb:DescribeTable | Full | X | | |
| elasticfilesystem:Describe* | Full | X | X | |
| elasticache:ListTagsForResource | Full | X | X | |
| firehose:Describe* | Full | X | | |
| firehose:List* | Full | X | | |
| guardduty:Get* | Full | X | | |
| guardduty:List* | Full | X | | |
| kinesis:List* | Full | X | | |
| kinesis:Describe* | Full | X | | |
| kinesisvideo:Describe* | Full | X | | |
| kinesisvideo:List* | Full | X | | |
| logs:Describe* | Full | ? | X | |
| logs:Get* | Full | ? | X | |
| logs:FilterLogEvents | Full | ? | X | |
| lambda:List* | Full | X | X | |
| s3:List* | Full | X | | |
| sns:ListSubscriptions | Full | X | | |
| sns:ListSubscriptionsByTopic | Full | X | | |
| waf-regional:ListResourcesForWebACL | Full | X | | |

An X marks a module that uses the permission; the ? entries are left as they appear in the original table.
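A practical use of this table is checking that the policy actually attached in an account has not drifted beyond the documented set. The following Python is an added example, not code from this article or from Dome9: it encodes the table above (keyed by the Dome9 Mode column as the table gives it), and reports every Allow action in a policy document that no documented entry covers. A policy wildcard such as s3:* is treated as covered only when a documented pattern is at least as wide. The sample policy is constructed for the demonstration.

```python
import fnmatch
import json

# Actions from the table above, keyed by the "Dome9 Mode" column as the table gives it.
DOCUMENTED_ACTIONS = {
    "Read-Only, Full": [
        "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
        "ec2:ModifyNetworkInterfaceAttribute", "ec2:CreateTags", "ec2:DeleteTags",
    ],
    "Full": [
        "dynamodb:DescribeTable", "elasticfilesystem:Describe*",
        "elasticache:ListTagsForResource", "firehose:Describe*", "firehose:List*",
        "guardduty:Get*", "guardduty:List*", "kinesis:List*", "kinesis:Describe*",
        "kinesisvideo:Describe*", "kinesisvideo:List*", "logs:Describe*", "logs:Get*",
        "logs:FilterLogEvents", "lambda:List*", "s3:List*", "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic", "waf-regional:ListResourcesForWebACL",
    ],
}

def is_documented(action, patterns):
    """True if the policy action (which may itself be a wildcard) lies within a
    documented pattern. IAM action names are case-insensitive. A policy wildcard
    like "s3:*" is only covered by a pattern at least as wide, so it is reported."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def undocumented_actions(policy_doc, mode="Full"):
    """Allow actions in an IAM policy document that the table does not list for
    the given mode. "Read-Only, Full" entries apply to both modes."""
    patterns = DOCUMENTED_ACTIONS["Read-Only, Full"]
    if mode == "Full":
        patterns = patterns + DOCUMENTED_ACTIONS["Full"]
    findings = []
    statements = policy_doc.get("Statement", [])
    for stmt in ([statements] if isinstance(statements, dict) else statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything not named: always a finding
            findings.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if not is_documented(action, patterns):
                findings.append(action)
    return findings

# Constructed sample policy that has drifted beyond the documented set.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:List*", "guardduty:GetFindings", "ec2:CreateTags"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"}]}""")
```

Calling `undocumented_actions(SAMPLE_POLICY)` returns `['s3:*', 'ec2:DescribeInstances']`; pass `mode="Read-Only"` to check against only the entries the table marks for both modes.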