This page contains the permissions policy for the Amazon Web Services (AWS) role that is required by the following services:
Replace the following:
AWS_REGION
: the AWS region in which the CloudFormation stack is deployed. In this policy it scopes the CloudWatch Logs, CloudFormation, SSM Parameter Store, KMS (`kms:ViaService`) and some Lambda ARNs; many EC2, SQS, EventBridge, KMS and Lambda ARNs use a wildcard region (`*`) and are not restricted by this value.
AWS_ACCOUNT_ID
: the 12-digit AWS account ID in which the CloudFormation stack is deployed. Every account-scoped ARN in the policy uses this value; replace every occurrence, including the ones inside `Condition` blocks (`ec2:InstanceProfile`, `kms:CallerAccount`).
Attach this policy to the AWS IAM role (as an inline or customer-managed policy) to grant the permissions. Before attaching it, review the statements that are not tag- or name-scoped: the statement allowing `iam:CreateRole`, `iam:PassRole`, `iam:PutRolePolicy`, `iam:AttachRolePolicy` and `ssm:SendCommand` on `"Resource": ["*"]` lets the role create and pass arbitrarily privileged roles and run commands on any SSM-managed instance, so where your environment permits, scope it to the role and instance-profile names this installation creates (the roles listed in the `iam:ListRolePolicies` statement are a starting point). Also confirm that the `code-signing-config` ID in the `lambda:UpdateCodeSigningConfig` statement matches the config in your account; it is a concrete identifier rather than a placeholder and may need to be replaced.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:CreateQueue",
"sqs:TagQueue"
],
"Resource": [
"arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"
],
"Effect": "Allow"
},
{
"Action": [
"logs:FilterLogEvents",
"logs:PutRetentionPolicy"
],
"Resource": [
"arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox",
"arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream",
"arn:aws:logs:AWS_REGION:AWS_ACCOUNT_ID:log-group:/aws/lambda/PurpleBox:log-stream:"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:GetParameter"
],
"Resource": "arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest*",
"Effect": "Allow"
},
{
"Action": [
"lambda:DeleteFunction"
],
"Resource": "arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateTags",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeRouteTables",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeInternetGateways",
"ecr:DescribeRepositories",
"ecr:DescribeImages",
"ecr-public:DescribeRepositories",
"ecr-public:DescribeImages",
"ec2:CreateSnapshot",
"events:ListRules",
"servicequotas:ListServiceQuotas",
"organizations:DescribeOrganization",
"lambda:TagResource",
"events:TagResource",
"cloudwatch:GetMetricStatistics",
"ssm:DescribeInstanceInformation",
"ssm:GetCommandInvocation",
"ssm:ListCommandInvocations",
"ec2:DescribeSecurityGroupRules",
"lambda:ListEventSourceMappings",
"lambda:ListFunctions",
"s3:ListAllMyBuckets",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"events:DeleteRule"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::purplebox.cnspec.*",
"arn:aws:s3:::purplebox.cnspec.*/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateSubnet"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DeleteStack",
"cloudformation:UpdateStack",
"cloudformation:GetTemplate",
"cloudformation:DescribeStacks"
],
"Resource": [
"arn:aws:cloudformation:AWS_REGION:AWS_ACCOUNT_ID:stack/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateSubnet"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule",
"arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group-rule/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateRouteTable"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateVpcEndpoint"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc-endpoint*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateVpcEndpoint"
],
"Resource": [
"arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
"arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
"arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateInternetGateway"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": [
"arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",
"arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
"arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateVpc"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateVpcEndpoint"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:ModifyVpcAttribute",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway"
],
"Resource": [
"arn:aws:ec2:*:AWS_ACCOUNT_ID:internet-gateway/*",
"arn:aws:ec2:*:AWS_ACCOUNT_ID:route-table/*",
"arn:aws:ec2:*:AWS_ACCOUNT_ID:vpc/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"ec2:Owner": "amazon"
}
},
"Action": [
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:*::image/*",
"Effect": "Allow"
},
{
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:AWS_ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:*:AWS_ACCOUNT_ID:subnet/*",
"arn:aws:ec2:*:AWS_ACCOUNT_ID:volume/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:AWS_ACCOUNT_ID:security-group/*",
"arn:aws:ec2:*::snapshot/*"
],
"Effect": "Allow"
},
{
"Action": [
"iam:GetRole",
"iam:PassRole",
"iam:TagRole",
"iam:PutRolePolicy",
"iam:GetRolePolicy",
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"lambda:DeleteCodeSigningConfig",
"iam:CreateRole",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:CreateEventSourceMapping",
"lambda:GetEventSourceMapping",
"lambda:DeleteEventSourceMapping",
"ssm:SendCommand",
"iam:DetachRolePolicy",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteVpc",
"ec2:DeleteSubnet",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteRouteTable",
"ec2:DeleteInternetGateway",
"ec2:DetachInternetGateway",
"lambda:DeleteFunction"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/Created By": "Purplebox"
}
},
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::AWS_ACCOUNT_ID:instance-profile/scanner-instance-profile",
"ec2:InstanceType": [
"t4g.micro",
"t2.micro",
"t4g.medium"
]
}
},
"Action": [
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:*:AWS_ACCOUNT_ID:instance/*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Purplebox",
"kms:CallerAccount": "AWS_ACCOUNT_ID",
"kms:ViaService": "lambda.AWS_REGION.amazonaws.com"
},
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Action": "kms:CreateGrant",
"Resource": "arn:aws:kms:*:AWS_ACCOUNT_ID:key/*",
"Effect": "Allow"
},
{
"Action": [
"events:PutRule",
"events:DeleteRule",
"events:TagResource"
],
"Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:rule/purplebox*",
"Effect": "Allow"
},
{
"Action": [
"ssm:SendCommand"
],
"Resource": [
"arn:aws:ssm:*::document/AWS-RunShellScript",
"arn:aws:ssm:*::document/AWS-RunPowerShellScript"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:AddTagsToResource",
"ssm:GetParameter",
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:parameter/Purplebox*",
"Effect": "Allow"
},
{
"Action": [
"sqs:SendMessage",
"sqs:DeleteMessage",
"sqs:SetQueueAttributes",
"sqs:DeleteQueue",
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes",
"sqs:PurgeQueue"
],
"Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",
"Effect": "Allow"
},
{
"Action": [
"lambda:UpdateFunctionConfiguration",
"lambda:GetFunctionConfiguration",
"lambda:*Permission",
"lambda:UpdateFunctionCode",
"lambda:*Function",
"lambda:PutFunctionConcurrency",
"lambda:UpdateEventSourceMapping",
"lambda:PutFunctionCodeSigningConfig"
],
"Resource": [
"arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBox",
"arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
"arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:PurpleBoxUpdater"
],
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::scc-vulnscanner.AWS_REGION/*",
"arn:aws:s3:::scc-vulnscanner.*/*"
],
"Effect": "Allow"
},
{
"Action": [
"events:RemovePermission"
],
"Resource": "arn:aws:events:*:AWS_ACCOUNT_ID:event-bus/default",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"sts:AWSServiceName": "ec2.amazonaws.com"
}
},
"Action": [
"sts:GetServiceBearerToken"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:UpdateCodeSigningConfig"
],
"Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:code-signing-config:csc-04006c10ff4690ad0",
"Effect": "Allow"
},
{
"Action": [
"lambda:CreateCodeSigningConfig",
"lambda:GetCodeSigningConfig"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:role/scanner-role",
"arn:aws:iam::AWS_ACCOUNT_ID:role/purplebox-sqs-lambda-role",
"arn:aws:iam::AWS_ACCOUNT_ID:role/PurpleboxRole"
],
"Effect": "Allow"
},
{
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"lambda:InvokeFunction",
"lambda:CreateEventSourceMapping",
"lambda:UpdateFunctionConfiguration",
"lambda:ListEventSourceMappings",
"lambda:UpdateEventSourceMapping"
],
"Resource": [
"arn:aws:lambda:*:AWS_ACCOUNT_ID:function:purplebox-sqs-processing",
"arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue"
],
"Effect": "Allow"
},
{
"Action": [
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:*:AWS_ACCOUNT_ID:PurpleboxQueue",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeInstances",
"ecr:DescribeImages",
"ecr-public:DescribeImages",
"ecr:DescribeRepositories",
"ecr-public:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::purplebox.cnspec.*",
"Effect": "Allow"
}
]
}