
Permissions for Sophos scripts

You can create custom roles with the appropriate permissions needed to run the Sophos Cloud Optix scripts that add AWS environments.

We recommend that you run the Sophos Cloud Optix scripts using an IAM Administrator role. If you want to run the scripts with limited permissions instead, use the permissions listed here to create a custom role.

The permissions you need vary depending on whether you want to add or delete an environment.

Permissions for adding an environment

Set the permissions for adding an AWS environment as follows. Note that the policy grants every action on "Resource": "*", and iam:CreateRole, iam:AttachRolePolicy and iam:PassRole together allow the role to create and pass roles with any permissions, so treat the custom role as highly privileged and restrict who can assume it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:AddTags",
                "cloudtrail:CreateTrail",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:StartLogging",
                "cloudtrail:UpdateTrail",

                "ec2:CreateFlowLogs",
                "ec2:CreateTags",
                "ec2:DeleteFlowLogs",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",

                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:TagRole",

                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:GetPolicy",
                "lambda:InvokeFunction",
                "lambda:ListVersionsByFunction",
                "lambda:TagResource",

                "logs:CreateLogDelivery",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "logs:PutLogEvents",
                "logs:PutRetentionPolicy",
                "logs:PutSubscriptionFilter",

                "s3:CreateBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucket*",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketTagging",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",

                "sns:AddPermission",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListTagsForResource",
                "sns:RemovePermission",
                "sns:SetTopicAttributes",
                "sns:Subscribe",
                "sns:TagResource",
                "sns:Unsubscribe",

                "sts:GetCallerIdentity",

                "tag:TagResources"
            ],
            "Resource": "*"
        }
    ]
}

Permissions for deleting an environment

Set the permissions for deleting an AWS environment as follows. Because "Resource" is "*", the delete actions (for example iam:DeleteRole, cloudtrail:DeleteTrail and logs:DeleteLogGroup) are not limited to the resources the Cloud Optix scripts created, so restrict who can assume this role as well.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DeleteTrail",

                "ec2:DeleteFlowLogs",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeRegions",

                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",

                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:RemovePermission",

                "logs:DeleteLogDelivery",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",

                "s3:DeleteBucketPolicy",

                "sns:DeleteTopic",
                "sns:GetTopicAttributes",

                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}