Role policy for Vulnerability Assessment for AWS and VM Threat Detection

This page contains the permissions policy for the Amazon Web Services (AWS) role that is required by the services named in the title: Vulnerability Assessment for AWS and VM Threat Detection.

Replace the following:

  • AWS_REGION: the AWS region in which you are deploying the AWS CloudFormation stack
  • AWS_ACCOUNT_ID: the AWS account ID in which you are deploying the AWS CloudFormation stack

Paste this policy into the AWS role to add permissions. Before attaching it, note that several statements grant IAM and Lambda actions (for example iam:PassRole, iam:CreateRole and lambda:CreateFunction) on Resource "*", and that one statement names a specific Lambda code-signing-config ID that is not covered by the placeholders above; confirm these match what your account and your organization's policy allow.

{  "Version": "2012-10-17",  "Statement": [  {  "Action": [  "sqs:CreateQueue",  "sqs:TagQueue"  ],  "Resource": [  "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"  ],  "Effect": "Allow"  },  {  "Action": [  "logs:FilterLogEvents",  "logs:PutRetentionPolicy"  ],  "Resource": [  "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox",  "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream",  "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream:"  ],  "Effect": "Allow"  },  {  "Action": [  "ssm:GetParameter"  ],  "Resource": "arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest*",  "Effect": "Allow"  },  {  "Action": [  "lambda:DeleteFunction"  ],  "Resource": "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",  "Effect": "Allow"  },  {  "Action": [  "ec2:CreateTags",  "ec2:DescribeInstances",  "ec2:DescribeVolumes",  "ec2:DescribeSnapshots",  "ec2:DescribeRegions",  "ec2:DescribeVpcs",  "ec2:DescribeSubnets",  "ec2:DescribeSecurityGroups",  "ec2:DescribeRouteTables",  "ec2:DescribeVpcEndpoints",  "ec2:DescribeInternetGateways",  "ecr:DescribeRepositories",  "ecr:DescribeImages",  "ecr-public:DescribeRepositories",  "ecr-public:DescribeImages",  "ec2:CreateSnapshot",  "events:ListRules",  "servicequotas:ListServiceQuotas",  "organizations:DescribeOrganization",  "lambda:TagResource",  "events:TagResource",  "cloudwatch:GetMetricStatistics",  "ssm:DescribeInstanceInformation",  "ssm:GetCommandInvocation",  "ssm:ListCommandInvocations",  "ec2:DescribeSecurityGroupRules",  "lambda:ListEventSourceMappings",  "lambda:ListFunctions",  "s3:ListAllMyBuckets",  "events:DescribeRule",  "events:PutRule",  "events:PutTargets",  "events:RemoveTargets",  "events:DeleteRule"  ],  "Resource": "*",  "Effect": "Allow"  },  {  "Action": [  "s3:*"  ],  "Resource": [  "arn:aws:s3:::purplebox.cnspec.*",  "arn:aws:s3:::purplebox.cnspec.*/*"  ],  "Effect": "Allow"  },  {  "Condition": {  
"StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateSubnet"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",  "Effect": "Allow"  },  {  "Action": [  "cloudformation:DeleteStack",  "cloudformation:UpdateStack",  "cloudformation:GetTemplate",  "cloudformation:DescribeStacks"  ],  "Resource": [  "arn:aws:cloudformation:AWS_REGION:AWS_ACCOUNT_ID:stack/*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateSecurityGroup"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateSubnet"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:AuthorizeSecurityGroupIngress"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:AuthorizeSecurityGroupIngress"  ],  "Resource": [  "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule",  "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule/*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateRouteTable"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateSecurityGroup"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateVpcEndpoint"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc-endpoint*",  "Effect": "Allow"  },  {  
"Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateVpcEndpoint"  ],  "Resource": [  "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",  "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",  "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateInternetGateway"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "events:PutTargets",  "events:RemoveTargets"  ],  "Resource": [  "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",  "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",  "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateVpc"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",  "Effect": "Allow"  },  {  "Action": [  "ec2:CreateVpcEndpoint"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:ModifyVpcAttribute",  "ec2:AssociateRouteTable",  "ec2:AttachInternetGateway"  ],  "Resource": [  "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",  "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",  "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:TerminateInstances"  ],  "Resource": [  "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "ec2:Owner": "amazon"  }  },  "Action": [  "ec2:RunInstances"  ],  "Resource": "arn:aws:ec2:*::image/*",  "Effect": "Allow"  },  {  "Action": [  
"ec2:RunInstances"  ],  "Resource": [  "arn:aws:ec2:*:AWS_ACCOUNT_ID:network-interface/*",  "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",  "arn:aws:ec2:*:AWS_ACCOUNT_ID:volume/*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:RunInstances"  ],  "Resource": [  "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",  "arn:aws:ec2:*::snapshot/*"  ],  "Effect": "Allow"  },  {  "Action": [  "iam:GetRole",  "iam:PassRole",  "iam:TagRole",  "iam:PutRolePolicy",  "iam:GetRolePolicy",  "iam:AttachRolePolicy",  "iam:DeleteRole",  "iam:DeleteRolePolicy",  "lambda:DeleteCodeSigningConfig",  "iam:CreateRole",  "iam:GetInstanceProfile",  "iam:CreateInstanceProfile",  "iam:DeleteInstanceProfile",  "iam:AddRoleToInstanceProfile",  "lambda:GetFunction",  "lambda:CreateFunction",  "lambda:CreateEventSourceMapping",  "lambda:GetEventSourceMapping",  "lambda:DeleteEventSourceMapping",  "ssm:SendCommand",  "iam:DetachRolePolicy",  "iam:RemoveRoleFromInstanceProfile"  ],  "Resource": [  "*"  ],  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:AttachVolume",  "ec2:DetachVolume",  "ec2:DeleteVolume",  "ec2:DeleteSnapshot",  "ec2:DeleteVpc",  "ec2:DeleteSubnet",  "ec2:DeleteSecurityGroup",  "ec2:DeleteVpcEndpoints",  "ec2:DeleteRouteTable",  "ec2:DeleteInternetGateway",  "ec2:DetachInternetGateway",  "lambda:DeleteFunction"  ],  "Resource": "*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "aws:RequestTag/Created By": "Purplebox"  }  },  "Action": [  "ec2:CreateVolume"  ],  "Resource": "*",  "Effect": "Allow"  },  {  "Condition": {  "StringEquals": {  "ec2:InstanceProfile": "arn:aws:iam::AWS_ACCOUNT_ID:instance-profile/scanner-instance-profile",  "ec2:InstanceType": [  "t4g.micro",  "t2.micro",  "t4g.medium"  ]  }  },  "Action": [  "ec2:RunInstances"  ],  "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*",  "Effect": 
"Allow"  },  {  "Condition": {  "StringEquals": {  "aws:ResourceTag/Created By": "Purplebox",  "kms:CallerAccount": "AWS_ACCOUNT_ID",  "kms:ViaService": "lambda.AWS_REGION.amazonaws.com"  },  "Bool": {  "kms:GrantIsForAWSResource": "true"  }  },  "Action": "kms:CreateGrant",  "Resource": "arn:aws:kms:*:AWS_ACCOUNT_ID:key/*",  "Effect": "Allow"  },  {  "Action": [  "events:PutRule",  "events:DeleteRule",  "events:TagResource"  ],  "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*",  "Effect": "Allow"  },  {  "Action": [  "ssm:SendCommand"  ],  "Resource": [  "arn:aws:ssm:*::document/AWS-RunShellScript",  "arn:aws:ssm:*::document/AWS-RunPowerShellScript"  ],  "Effect": "Allow"  },  {  "Action": [  "ssm:PutParameter",  "ssm:DeleteParameter",  "ssm:AddTagsToResource",  "ssm:GetParameter",  "ssm:GetParameters"  ],  "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:parameter/Purplebox*",  "Effect": "Allow"  },  {  "Action": [  "sqs:SendMessage",  "sqs:DeleteMessage",  "sqs:SetQueueAttributes",  "sqs:DeleteQueue",  "sqs:ReceiveMessage",  "sqs:GetQueueAttributes",  "sqs:PurgeQueue"  ],  "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",  "Effect": "Allow"  },  {  "Action": [  "lambda:UpdateFunctionConfiguration",  "lambda:GetFunctionConfiguration",  "lambda:*Permission",  "lambda:UpdateFunctionCode",  "lambda:*Function",  "lambda:PutFunctionConcurrency",  "lambda:UpdateEventSourceMapping",  "lambda:PutFunctionCodeSigningConfig"  ],  "Resource": [  "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",  "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",  "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBoxUpdater"  ],  "Effect": "Allow"  },  {  "Action": [  "s3:GetObject"  ],  "Resource": [  "arn:aws:s3:::scc-vulnscanner.AWS_REGION/*",  "arn:aws:s3:::scc-vulnscanner.*/*"  ],  "Effect": "Allow"  },  {  "Action": [  "events:RemovePermission"  ],  "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:event-bus/default",  "Effect": 
"Allow"  },  {  "Condition": {  "StringEquals": {  "sts:AWSServiceName": "ec2.amazonaws.com"  }  },  "Action": [  "sts:GetServiceBearerToken"  ],  "Resource": "*",  "Effect": "Allow"  },  {  "Action": [  "lambda:UpdateCodeSigningConfig"  ],  "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:code-signing-config:csc-04006c10ff4690ad0",  "Effect": "Allow"  },  {  "Action": [  "lambda:CreateCodeSigningConfig",  "lambda:GetCodeSigningConfig"  ],  "Resource": "*",  "Effect": "Allow"  },  {  "Action": [  "iam:ListAttachedRolePolicies",  "iam:ListRolePolicies"  ],  "Resource": [  "arn:aws:iam::AWS_ACCOUNT_ID:role/scanner-role",  "arn:aws:iam::AWS_ACCOUNT_ID:role/purplebox-sqs-lambda-role",  "arn:aws:iam::AWS_ACCOUNT_ID:role/PurpleboxRole"  ],  "Effect": "Allow"  },  {  "Action": [  "sqs:ReceiveMessage",  "sqs:DeleteMessage",  "sqs:SendMessage",  "sqs:GetQueueAttributes",  "lambda:InvokeFunction",  "lambda:CreateEventSourceMapping",  "lambda:UpdateFunctionConfiguration",  "lambda:ListEventSourceMappings",  "lambda:UpdateEventSourceMapping"  ],  "Resource": [  "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",  "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"  ],  "Effect": "Allow"  },  {  "Action": [  "sqs:SendMessage"  ],  "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",  "Effect": "Allow"  },  {  "Action": [  "ec2:DescribeInstances",  "ecr:DescribeImages",  "ecr-public:DescribeImages",  "ecr:DescribeRepositories",  "ecr-public:DescribeRepositories",  "ecr:GetAuthorizationToken",  "ecr:BatchGetImage",  "ecr:GetDownloadUrlForLayer"  ],  "Resource": "*",  "Effect": "Allow"  },  {  "Action": [  "s3:GetObject",  "s3:PutObject"  ],  "Resource": "arn:aws:s3:::purplebox.cnspec.*",  "Effect": "Allow"  }  ] }