Role policy for Vulnerability Assessment for AWS

This page contains the permissions policy for the Amazon Web Services (AWS) role that is required to enable the Vulnerability Assessment for AWS service.

Replace the following:

  • AWS_REGION: the region where you are installing AWS CloudFormation
  • AWS_ACCOUNT_ID: the AWS account ID where you are installing AWS CloudFormation
  • SOURCE_BUCKET: the bucket where the binaries are stored

Paste this policy into the AWS role to add permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:CreateQueue",
                "sqs:TagQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:`AWS_ACCOUNT_ID`:PurpleboxQueue"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:FilterLogEvents",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:logs:`AWS_REGION`:`AWS_ACCOUNT_ID`:log-group:/aws/lambda/PurpleBox",
                "arn:aws:logs:`AWS_REGION`:`AWS_ACCOUNT_ID`:log-group:/aws/lambda/PurpleBox:log-stream",
                "arn:aws:logs:`AWS_REGION`:`AWS_ACCOUNT_ID`:log-group:/aws/lambda/PurpleBox:log-stream:"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:DeleteFunction"
            ],
            "Resource": "arn:aws:lambda:*:`AWS_ACCOUNT_ID`:function:purplebox-sqs-processing",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeInternetGateways",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr-public:DescribeRepositories",
                "ecr-public:DescribeImages",
                "ec2:CreateSnapshot",
                "events:ListRules",
                "servicequotas:ListServiceQuotas",
                "organizations:DescribeOrganization",
                "lambda:TagResource",
                "events:TagResource",
                "cloudwatch:GetMetricStatistics",
                "ssm:DescribeInstanceInformation",
                "ssm:GetCommandInvocation",
                "ssm:ListCommandInvocations",
                "ec2:DescribeSecurityGroupRules",
                "lambda:ListEventSourceMappings",
                "lambda:ListFunctions",
                "s3:ListAllMyBuckets",
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:DeleteRule"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::purplebox.cnspec.*",
                "arn:aws:s3:::purplebox.cnspec.*/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSubnet"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:subnet/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack",
                "cloudformation:GetTemplate",
                "cloudformation:DescribeStacks"
            ],
            "Resource": [
                "arn:aws:cloudformation:`AWS_REGION`:`AWS_ACCOUNT_ID`:stack/testpurplebox-1o5k4/5060a950-17bb-11ef-9061-128493f57bb9"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:vpc/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSubnet"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:vpc/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:security-group*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:security-group-rule",
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:security-group-rule/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateRouteTable"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:route-table/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:security-group/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:vpc-endpoint*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": [
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:vpc/*",
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:subnet/*",
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:security-group*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateInternetGateway"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:internet-gateway/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "arn:aws:lambda:`AWS_REGION`:`AWS_ACCOUNT_ID`:function:PurpleBox",
                "arn:aws:lambda:*:`AWS_ACCOUNT_ID`:function:purplebox-sqs-processing",
                "arn:aws:events:*:`AWS_ACCOUNT_ID`:rule/purplebox*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVpc"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:vpc/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:route-table/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:ModifyVpcAttribute",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway"
            ],
            "Resource": [
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:internet-gateway/*",
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:route-table/*",
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:vpc/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:instance/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:Owner": "amazon"
                }
            },
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:network-interface/*",
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:subnet/*",
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:volume/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:security-group/*",
                "arn:aws:ec2:*::snapshot/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:TagRole",
                "iam:PutRolePolicy",
                "iam:GetRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "lambda:DeleteCodeSigningConfig",
                "iam:CreateRole",
                "iam:GetInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:CreateEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "ssm:SendCommand",
                "iam:DetachRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:DeleteSnapshot",
                "ec2:DeleteVpc",
                "ec2:DeleteSubnet",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeleteRouteTable",
                "ec2:DeleteInternetGateway",
                "ec2:DetachInternetGateway",
                "lambda:DeleteFunction"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Created By": "Purplebox"
                }
            },
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::`AWS_ACCOUNT_ID`:instance-profile/scanner-instance-profile",
                    "ec2:InstanceType": [
                        "t4g.micro",
                        "t2.micro",
                        "t4g.medium"
                    ]
                }
            },
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*:`AWS_ACCOUNT_ID`:instance/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Created By": "Purplebox",
                    "kms:CallerAccount": "`AWS_ACCOUNT_ID`",
                    "kms:ViaService": "lambda.`AWS_REGION`.amazonaws.com"
                },
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            },
            "Action": "kms:CreateGrant",
            "Resource": "arn:aws:kms:*:`AWS_ACCOUNT_ID`:key/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "events:PutRule",
                "events:DeleteRule",
                "events:TagResource"
            ],
            "Resource": "arn:aws:events:*:`AWS_ACCOUNT_ID`:rule/purplebox*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ssm:*::document/AWS-RunShellScript",
                "arn:aws:ssm:*::document/AWS-RunPowerShellScript"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:PutParameter",
                "ssm:DeleteParameter",
                "ssm:AddTagsToResource",
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:`AWS_REGION`:`AWS_ACCOUNT_ID`:parameter/Purplebox*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:DeleteMessage",
                "sqs:SetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:PurgeQueue"
            ],
            "Resource": "arn:aws:sqs:*:`AWS_ACCOUNT_ID`:PurpleboxQueue",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:UpdateFunctionConfiguration",
                "lambda:GetFunctionConfiguration",
                "lambda:*Permission",
                "lambda:UpdateFunctionCode",
                "lambda:*Function",
                "lambda:PutFunctionConcurrency",
                "lambda:UpdateEventSourceMapping",
                "lambda:PutFunctionCodeSigningConfig"
            ],
            "Resource": [
                "arn:aws:lambda:`AWS_REGION`:`AWS_ACCOUNT_ID`:function:PurpleBox",
                "arn:aws:lambda:*:`AWS_ACCOUNT_ID`:function:purplebox-sqs-processing",
                "arn:aws:lambda:`AWS_REGION`:`AWS_ACCOUNT_ID`:function:PurpleBoxUpdater"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::`SOURCE_BUCKET`.`AWS_REGION`/*",
                "arn:aws:s3:::`SOURCE_BUCKET`.*/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "events:RemovePermission"
            ],
            "Resource": "arn:aws:events:*:`AWS_ACCOUNT_ID`:event-bus/default",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "sts:AWSServiceName": "ec2.amazonaws.com"
                }
            },
            "Action": [
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:UpdateCodeSigningConfig"
            ],
            "Resource": "arn:aws:lambda:`AWS_REGION`:`AWS_ACCOUNT_ID`:code-signing-config:csc-04006c10ff4690ad0",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:CreateCodeSigningConfig",
                "lambda:GetCodeSigningConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies"
            ],
            "Resource": [
                "arn:aws:iam::`AWS_ACCOUNT_ID`:role/scanner-role",
                "arn:aws:iam::`AWS_ACCOUNT_ID`:role/purplebox-sqs-lambda-role",
                "arn:aws:iam::`AWS_ACCOUNT_ID`:role/PurpleboxRole"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:SendMessage",
                "sqs:GetQueueAttributes",
                "lambda:InvokeFunction",
                "lambda:CreateEventSourceMapping",
                "lambda:UpdateFunctionConfiguration",
                "lambda:ListEventSourceMappings",
                "lambda:UpdateEventSourceMapping"
            ],
            "Resource": [
                "arn:aws:lambda:*:`AWS_ACCOUNT_ID`:function:purplebox-sqs-processing",
                "arn:aws:sqs:*:`AWS_ACCOUNT_ID`:PurpleboxQueue"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:SendMessage"
            ],
            "Resource": "arn:aws:sqs:*:`AWS_ACCOUNT_ID`:PurpleboxQueue",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInstances",
                "ecr:DescribeImages",
                "ecr-public:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr-public:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::purplebox.cnspec.*",
            "Effect": "Allow"
        }
    ]
}