Roles and Permissions for Amazon Web Services accounts
Three roles with some permissions are automatically created when you connect an Amazon Web Services (AWS) account with IBM Guardium DSPM.
The three roles are:
- Cross Account Metadata role
- Analyzer role
- Log Ingestion role
For more information about the functions of these roles, see the Results sub-section in the Connecting with Amazon Web Services cloud accounts section.
Cross Account Metadata role
The Cross Account Metadata role is created for every AWS account that is connected with Guardium DSPM. This role has the permissions to scan the AWS account, access the metadata, and create various resources in the AWS environment. The following table provides the scope of permissions that this role has over various AWS services in the cloud account.
AWS Services | Scope of permissions | Additional information about permissions |
---|---|---|
S3 | | |
SQS | | |
SNS | | |
RDS | | |
IAM | | iam:PassRole permission is conditioned only for the Guardium DSPM roles |
EC2 | | |
DynamoDB | | |
EKS | | |
Elastic Filesystem | elasticfilesystem:Describe* | |
Auto Scaling | | |
KMS | | kms:* permission is conditioned only for the keys created by Guardium DSPM |
CloudTrail | | |
Analyzer Role
The Analyzer role is created for every AWS account that is connected with Guardium DSPM. The Analyzer role uses an AWS managed, read-only policy. For more details about the scope of permissions of this role, see arn:aws:iam::aws:policy/ReadOnlyAccess in the AWS console.
Log Ingestion Role
Guardium DSPM creates the Log Ingestion role after determining where logs are enabled in the AWS account. This role has access to those logs, and its scope of permissions depends on which logs are enabled in the AWS account.
Permissions for custom managed keys
You need to grant the following Guardium DSPM roles access in the KMS key policy of the customer managed keys (CMKs) that are associated with each data store in the AWS cloud account. This grant enables Guardium DSPM to access the AWS S3 and RDS services in the cloud account:
- polar-helpers-role-<region>
- polar-role-<tenant_Name>-<region>
For more information about why these key policy changes are needed, see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html. For more information about how to add the roles to a key policy, see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-key-policy.
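The following helper, added here as an example and not part of IBM's documentation or tooling, builds the cross-account key policy statement for the two roles above and checks that an existing CMK policy grants them access. The account ID, region and tenant name are placeholders, the sample key policy is constructed, and the KMS actions are taken from the AWS cross-account key policy guide rather than from this page.

```python
"""Offline helper: add the Guardium DSPM roles to a KMS customer managed key policy."""
import json

DSPM_ACCOUNT_ID = "111111111111"   # placeholder: account that owns the Guardium DSPM roles
REGION = "us-east-1"               # placeholder
TENANT_NAME = "example-tenant"     # placeholder
# Assumption: typical cross-account actions from the AWS guide; this page lists no actions.
CROSS_ACCOUNT_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*", "kms:ReEncrypt*"]
STATEMENT_SID = "AllowGuardiumDSPMRoles"


def dspm_role_arns(account_id, region, tenant_name):
    """Build the two role ARNs using the role name patterns given on the page."""
    return [
        f"arn:aws:iam::{account_id}:role/polar-helpers-role-{region}",
        f"arn:aws:iam::{account_id}:role/polar-role-{tenant_name}-{region}",
    ]


def add_dspm_statement(policy, role_arns, actions=CROSS_ACCOUNT_ACTIONS):
    """Return a copy of the key policy with one Allow statement for the DSPM roles.
    Idempotent: a statement with the same Sid is replaced; other statements are left as they are."""
    updated = json.loads(json.dumps(policy))  # deep copy, input is never mutated
    statements = [s for s in updated.get("Statement", []) if s.get("Sid") != STATEMENT_SID]
    statements.append({
        "Sid": STATEMENT_SID,
        "Effect": "Allow",
        "Principal": {"AWS": sorted(role_arns)},
        "Action": list(actions),
        "Resource": "*",  # inside a key policy, "*" means this key only
    })
    updated["Statement"] = statements
    return updated


def roles_allowed(policy, role_arns):
    """True if every role ARN is an explicit AWS principal of some Allow statement."""
    allowed = set()
    for s in policy.get("Statement", []):
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if s.get("Effect") == "Allow":
            allowed.update([aws] if isinstance(aws, str) else aws)
    return all(arn in allowed for arn in role_arns)


# Constructed sample: the default key policy AWS attaches to a new CMK in account 222222222222.
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    arns = dspm_role_arns(DSPM_ACCOUNT_ID, REGION, TENANT_NAME)
    print(json.dumps(add_dspm_statement(SAMPLE_KEY_POLICY, arns), indent=2))
```

The printed policy can be applied with `aws kms put-key-policy --policy-name default --policy file://policy.json`; run `roles_allowed` against the output of `aws kms get-key-policy` afterwards to confirm the grant took effect.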