Permissions needed to run Sophos Cloud Optix scripts for AWS

You can create custom IAM roles (or users) with only the permissions needed to run the Sophos Cloud Optix scripts that add AWS environments. The policies on this page are attached to the IAM principal that *runs* the script; they are not the permissions of the role the script creates in your account for Cloud Optix.

Generally, we recommend that you run the Sophos Cloud Optix scripts using an IAM "Administrator" role, because that is the simplest option. An Administrator role is, however, far broader than the script needs. If you want to follow least privilege, use the permissions provided here to create a custom role, attach it only for the duration of the script run, and remove it afterwards. Note that every policy below still uses "Resource": "*"; where your account allows it, narrow the Resource element to the specific roles, buckets, trails and log groups that the script creates or manages.

The permissions you need vary depending on whether you want to add or delete an environment, or add remediation.

Permissions needed to add an AWS environment

Set the permissions for adding an AWS environment as follows. Review two entries in particular before you apply this policy: "iam:PassRole" with "Resource": "*" lets the principal hand any role in the account to a service, so scope it to the ARN(s) of the role(s) the script creates (or add an "iam:PassedToService" condition for the services the script passes roles to); and "s3:Get*" on "*" grants read access to every bucket, so scope it to the log bucket the script creates. The policy also grants delete actions (roles, role policies, flow logs, log groups), presumably so the script can clean up after a failed run; keep them if you want that cleanup to succeed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "iam:CreateRole",
               "iam:AttachRolePolicy",
               "iam:PutRolePolicy",
               "iam:PassRole",
               "iam:DeleteRole",
               "iam:DeleteRolePolicy",
               "iam:GetPolicy",
               "iam:GetRole",
               "iam:GetRolePolicy",
               "iam:ListAttachedRolePolicies",
       
               "ec2:DescribeFlowLogs",
               "ec2:CreateFlowLogs",
               "ec2:DeleteFlowLogs",
               "ec2:DescribeVpcs",
       
               "s3:CreateBucket",
               "s3:ListBucket",
               "s3:PutBucketPolicy",
               "s3:PutEncryptionConfiguration",
               "s3:Get*",
       
               "sts:GetCallerIdentity",
       
               "lambda:AddPermission",
               "lambda:CreateFunction",
               "lambda:GetFunction",
               "lambda:GetPolicy",
               "lambda:ListVersionsByFunction",
       
               "cloudtrail:CreateTrail",
               "cloudtrail:DescribeTrails",
               "cloudtrail:PutEventSelectors",
               "cloudtrail:StartLogging",
               "cloudtrail:UpdateTrail",
               "cloudtrail:GetTrailStatus",
               "cloudtrail:ListTags",
               "cloudtrail:GetEventSelectors",
       
               "logs:CreateLogGroup",
               "logs:DeleteLogGroup",
               "logs:DescribeLogGroups",
               "logs:PutSubscriptionFilter",
               "logs:PutRetentionPolicy",
               "logs:ListTagsLogGroup"
           ],
           "Resource": "*"
       }
    ]
}
   

Permissions needed to delete an AWS environment

Set the permissions for deleting an AWS environment as follows. This policy allows deletion of any role, Lambda function, CloudTrail trail, flow log and CloudWatch log group in the account, not just those created by Cloud Optix. Scope the Resource element to the Cloud Optix resources where possible, and detach the policy from the principal as soon as the script has finished.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",

                "ec2:DeleteFlowLogs",
                "ec2:DescribeFlowLogs",

                "sts:GetCallerIdentity",

                "lambda:DeleteFunction",
                "lambda:GetFunction",

                "cloudtrail:DeleteTrail",

                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*"
        }
    ]
}

Permissions needed to enable remediation features

Set the permissions for enabling remediation features as follows. Treat this policy as highly sensitive: "iam:CreatePolicyVersion" and "iam:AttachRolePolicy" on "Resource": "*" let the principal change what any customer-managed policy grants and attach policies to any role, which is a well-known privilege-escalation path if the principal's credentials are compromised. Scope the Resource element to the Cloud Optix policy and role ARNs, grant the policy only while the script runs, and remove it afterwards.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:ListPolicyVersions",
                
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}