Permissions for Sophos scripts
You can create custom IAM roles with the permissions needed to run the Sophos Cloud Optix scripts that add and delete AWS environments.
We recommend that you run the Sophos Cloud Optix scripts using an IAM Administrator role. However, if you want to run the scripts with limited permissions, use the permissions outlined here to create a custom role. Note that even this reduced set is still highly privileged: the policy for adding an environment grants iam:CreateRole, iam:CreatePolicy, iam:AttachRolePolicy, iam:PutRolePolicy and iam:PassRole with "Resource": "*", which is enough to create or extend arbitrary IAM roles in the account. Where your environment allows it, narrow the Resource element to the ARNs of the roles, policies, trails, buckets, functions and topics the scripts create, and remove or disable the custom role once onboarding is complete.
The permissions you need vary depending on whether you want to add or delete an environment.
Permissions for adding an environment
The role used to run the scripts must have the following permissions when adding an AWS environment (an IAM Administrator already has all of them):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudtrail:AddTags",
"cloudtrail:CreateTrail",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetInsightSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudtrail:PutEventSelectors",
"cloudtrail:StartLogging",
"cloudtrail:UpdateTrail",
"ec2:CreateFlowLogs",
"ec2:CreateTags",
"ec2:DeleteFlowLogs",
"ec2:DescribeFlowLogs",
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:TagRole",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:GetFunction",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:ListVersionsByFunction",
"lambda:TagResource",
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"logs:PutLogEvents",
"logs:PutRetentionPolicy",
"logs:PutSubscriptionFilter",
"s3:CreateBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucket*",
"s3:GetObject",
"s3:ListBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketTagging",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"sns:AddPermission",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListTagsForResource",
"sns:RemovePermission",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:TagResource",
"sns:Unsubscribe",
"sts:GetCallerIdentity",
"tag:TagResources"
],
"Resource": "*"
}
]
}
Permissions for deleting an environment
The role used to run the scripts must have the following permissions when deleting an AWS environment (an IAM Administrator already has all of them). Because the destructive actions here (cloudtrail:DeleteTrail, iam:DeleteRole, lambda:DeleteFunction, logs:DeleteLogGroup, sns:DeleteTopic, s3:DeleteBucketPolicy) are granted on "Resource": "*", they apply to every trail, role, function, log group, topic and bucket in the account, not only those the scripts created; scope the Resource element where you can:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudtrail:DeleteTrail",
"ec2:DeleteFlowLogs",
"ec2:DescribeFlowLogs",
"ec2:DescribeRegions",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:RemovePermission",
"logs:DeleteLogDelivery",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"s3:DeleteBucketPolicy",
"sns:DeleteTopic",
"sns:GetTopicAttributes",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}