API (self-hosted on AWS): IAM Permission Boundary

attachmentAV API utilizes CloudFormation to deploy a production-ready malware scanning system to your AWS account. Part of that process is creating IAM roles. The EC2 instance uses the IAM role to report metrics, logs, and much more.

In case your AWS organization uses IAM permission boundaries, you need to set the PermissionsBoundary configuration parameter when deploying attachmentAV’s CloudFormation stacks.

Required IAM actions

Here is a list of all IAM actions required by the IAM roles created by bucketAV. Ensure that your permission boundary also grants access to those IAM actions.

Dedicated public VPC

  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudwatch:PutMetricData
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • kms:Decrypt
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • s3:GetObject*
  • s3:ListBucket*
  • ssm:GetParameter
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel

Existing VPC

  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudwatch:PutMetricData
  • ec2:AssignPrivateIpAddresses
  • ec2:CreateNetworkInterface
  • ec2:DeleteNetworkInterface
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeSubnets
  • ec2:UnassignPrivateIpAddresses
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • kms:Decrypt
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • s3:GetObject*
  • s3:ListBucket*
  • ssm:GetParameter
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
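Before deploying the stacks with the PermissionsBoundary parameter set, it is worth verifying offline that the boundary policy your organization hands you actually allows every action in the lists above; otherwise the instance role is created but silently loses the ability to write logs, emit metrics, or meter usage. The following script is an added example and not part of attachmentAV's own tooling. It takes the "Existing VPC" list (a superset of the "Dedicated public VPC" list), matches IAM action wildcards the way IAM does (case-insensitive, `*` and `?`), and reports required actions that are not allowed or that overlap with an explicit Deny. The sample boundary policy is constructed for illustration and deliberately leaves out one action. Assumptions: Resource and Condition elements are ignored (any Allow counts as sufficient), and statements using NotAction are not evaluated.

```python
"""Check an IAM permissions boundary against the actions attachmentAV's instance
role needs. Added example, not attachmentAV's own code; the boundary policy below
is constructed for illustration."""
import json
import re

# Required actions from the "Existing VPC" list on the page.
REQUIRED_ACTIONS = [
    "autoscaling:CompleteLifecycleAction", "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:RecordLifecycleActionHeartbeat", "aws-marketplace:MeterUsage",
    "cloudwatch:PutMetricData", "ec2:AssignPrivateIpAddresses",
    "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets",
    "ec2:UnassignPrivateIpAddresses", "ec2messages:AcknowledgeMessage",
    "ec2messages:DeleteMessage", "ec2messages:FailMessage", "ec2messages:GetEndpoint",
    "ec2messages:GetMessages", "ec2messages:SendReply", "kms:Decrypt",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:PutLogEvents", "s3:GetObject*", "s3:ListBucket*",
    "ssm:GetParameter", "ssm:ListAssociations", "ssm:ListInstanceAssociations",
    "ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
]

# Constructed sample boundary: broad service wildcards, but aws-marketplace:MeterUsage
# was forgotten, which is a typical real-world gap.
SAMPLE_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
      "autoscaling:*", "cloudwatch:PutMetricData", "ec2:*NetworkInterface*",
      "ec2:Describe*", "ec2:*PrivateIpAddresses", "ec2messages:*", "kms:Decrypt",
      "logs:*", "s3:Get*", "s3:List*", "ssm:*", "ssmmessages:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "kms:ScheduleKeyDeletion"}
  ]
}""")


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """IAM action matching: '*' matches any run, '?' one character, case-insensitive."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def covers(boundary_pattern: str, required: str) -> bool:
    """True if every action matched by `required` is also matched by `boundary_pattern`.

    Exact regex match when `required` has no wildcard. For a required pattern such as
    s3:GetObject* only a boundary prefix pattern at least as broad (s3:Get*, s3:*, *)
    or the identical pattern counts; s3:GetObject alone would not cover GetObjectVersion.
    """
    if "*" not in required and "?" not in required:
        return _pattern_to_regex(boundary_pattern).match(required) is not None
    if boundary_pattern == "*":
        return True
    if boundary_pattern.endswith("*") and not re.search(r"[*?]", boundary_pattern[:-1]):
        return required.lower().startswith(boundary_pattern[:-1].lower())
    return boundary_pattern.lower() == required.lower()


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_actions(boundary_policy: dict, required=REQUIRED_ACTIONS) -> list:
    """Return required actions the boundary does not allow, or that overlap an explicit
    Deny. Resource/Condition are ignored (assumption); NotAction statements are skipped."""
    allowed, denied = [], []
    for stmt in _as_list(boundary_policy.get("Statement", [])):
        if "Action" not in stmt:
            continue  # NotAction statements are not evaluated by this checker
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt["Action"]))

    problems = []
    for action in required:
        # Conservative: any Deny that could intersect the required pattern is a problem.
        hits_deny = any(
            covers(d, action) or _pattern_to_regex(action).match(d) for d in denied
        )
        if hits_deny or not any(covers(a, action) for a in allowed):
            problems.append(action)
    return problems


if __name__ == "__main__":
    gaps = missing_actions(SAMPLE_BOUNDARY)
    print("boundary OK" if not gaps else "boundary is missing: " + ", ".join(gaps))
```

Run it against the boundary policy's JSON document (for example the output of `aws iam get-policy-version`) in place of SAMPLE_BOUNDARY. Because Resource and Condition are ignored, a clean result is necessary but not sufficient: a boundary that allows `s3:GetObject*` only on a bucket other than the one being scanned still passes this check, so review those elements by hand.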
