Role policy for Vulnerability Assessment for AWS and VM Threat Detection

This page contains the permissions policy for the Amazon Web Services (AWS) role that is required by Vulnerability Assessment for AWS and VM Threat Detection.

Replace the following:

  • AWS_REGION: the AWS region in which you deploy the AWS CloudFormation stack
  • AWS_ACCOUNT_ID: the AWS account ID in which you deploy the AWS CloudFormation stack

After replacing the placeholders, paste this policy into the AWS role as its permissions policy. Several statements (for example the IAM and Lambda management statement) use "Resource": "*"; review those against your least-privilege requirements before attaching the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:CreateQueue",
        "sqs:TagQueue"
      ],
      "Resource": [
        "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:FilterLogEvents",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox",
        "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream",
        "arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream:"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": "arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lambda:DeleteFunction"
      ],
      "Resource": "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:DescribeRegions",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeInternetGateways",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr-public:DescribeRepositories",
        "ecr-public:DescribeImages",
        "ec2:CreateSnapshot",
        "events:ListRules",
        "servicequotas:ListServiceQuotas",
        "organizations:DescribeOrganization",
        "lambda:TagResource",
        "events:TagResource",
        "cloudwatch:GetMetricStatistics",
        "ssm:DescribeInstanceInformation",
        "ssm:GetCommandInvocation",
        "ssm:ListCommandInvocations",
        "ec2:DescribeSecurityGroupRules",
        "lambda:ListEventSourceMappings",
        "lambda:ListFunctions",
        "s3:ListAllMyBuckets",
        "events:DescribeRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DeleteRule"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::purplebox.cnspec.*",
        "arn:aws:s3:::purplebox.cnspec.*/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateSubnet"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack",
        "cloudformation:GetTemplate",
        "cloudformation:DescribeStacks"
      ],
      "Resource": [
        "arn:aws:cloudformation:AWS_REGION:AWS_ACCOUNT_ID:stack/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateSubnet"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": [
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule",
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateRouteTable"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateVpcEndpoint"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc-endpoint*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateVpcEndpoint"
      ],
      "Resource": [
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateInternetGateway"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",
        "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
        "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateVpc"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateVpcEndpoint"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:ModifyVpcAttribute",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway"
      ],
      "Resource": [
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "ec2:Owner": "amazon"
        }
      },
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*::image/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:volume/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "iam:TagRole",
        "iam:PutRolePolicy",
        "iam:GetRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "lambda:DeleteCodeSigningConfig",
        "iam:CreateRole",
        "iam:GetInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "lambda:GetFunction",
        "lambda:CreateFunction",
        "lambda:CreateEventSourceMapping",
        "lambda:GetEventSourceMapping",
        "lambda:DeleteEventSourceMapping",
        "ssm:SendCommand",
        "iam:DetachRolePolicy",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVpc",
        "ec2:DeleteSubnet",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVpcEndpoints",
        "ec2:DeleteRouteTable",
        "ec2:DeleteInternetGateway",
        "ec2:DetachInternetGateway",
        "lambda:DeleteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Created By": "Purplebox"
        }
      },
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::AWS_ACCOUNT_ID:instance-profile/scanner-instance-profile",
          "ec2:InstanceType": [
            "t4g.micro",
            "t2.micro",
            "t4g.medium"
          ]
        }
      },
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Purplebox",
          "kms:CallerAccount": "AWS_ACCOUNT_ID",
          "kms:ViaService": "lambda.AWS_REGION.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      },
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:*:AWS_ACCOUNT_ID:key/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "events:PutRule",
        "events:DeleteRule",
        "events:TagResource"
      ],
      "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:*::document/AWS-RunShellScript",
        "arn:aws:ssm:*::document/AWS-RunPowerShellScript"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:AddTagsToResource",
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:parameter/Purplebox*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sqs:SendMessage",
        "sqs:DeleteMessage",
        "sqs:SetQueueAttributes",
        "sqs:DeleteQueue",
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes",
        "sqs:PurgeQueue"
      ],
      "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetFunctionConfiguration",
        "lambda:*Permission",
        "lambda:UpdateFunctionCode",
        "lambda:*Function",
        "lambda:PutFunctionConcurrency",
        "lambda:UpdateEventSourceMapping",
        "lambda:PutFunctionCodeSigningConfig"
      ],
      "Resource": [
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",
        "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBoxUpdater"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::scc-vulnscanner.AWS_REGION/*",
        "arn:aws:s3:::scc-vulnscanner.*/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "events:RemovePermission"
      ],
      "Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:event-bus/default",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "ec2.amazonaws.com"
        }
      },
      "Action": [
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lambda:UpdateCodeSigningConfig"
      ],
      "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:code-signing-config:csc-04006c10ff4690ad0",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lambda:CreateCodeSigningConfig",
        "lambda:GetCodeSigningConfig"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:role/scanner-role",
        "arn:aws:iam::AWS_ACCOUNT_ID:role/purplebox-sqs-lambda-role",
        "arn:aws:iam::AWS_ACCOUNT_ID:role/PurpleboxRole"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:SendMessage",
        "sqs:GetQueueAttributes",
        "lambda:InvokeFunction",
        "lambda:CreateEventSourceMapping",
        "lambda:UpdateFunctionConfiguration",
        "lambda:ListEventSourceMappings",
        "lambda:UpdateEventSourceMapping"
      ],
      "Resource": [
        "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
        "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "ecr:DescribeImages",
        "ecr-public:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr-public:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::purplebox.cnspec.*",
      "Effect": "Allow"
    }
  ]
}