Create the remediation role
This section tells you how to create the role needed before you can use remediation.
By default, Sophos Cloud Optix uses the read-only permissions that are set up when you add an AWS environment.
If you want to use remediation, you must first run an additional script that grants specific write permissions in your environment.
After you’ve added an AWS environment, do as follows:
The script creates a remediation role with the following permissions:
- s3:GetBucketAcl
- s3:PutBucketAcl
- s3:GetBucketPolicy
- s3:PutBucketPolicy
- s3:PutEncryptionConfiguration
- iam:GetAccountPasswordPolicy
- iam:UpdateAccountPasswordPolicy
- cloudtrail:UpdateTrail
- ec2:DeleteSecurityGroup
- ec2:DescribeSecurityGroups
- ec2:RevokeSecurityGroupIngress
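Because the remediation role holds write permissions, it is worth verifying that the policy actually attached to it grants exactly the actions listed above and nothing broader. The following added example (not Sophos's script, and not part of this page) compares an IAM policy document against that list; the policy document is constructed inline, where in practice you would fetch it with the AWS CLI or boto3.

```python
"""Audit an IAM policy document against the permission set documented
for the Sophos Cloud Optix remediation role. Added example, not Sophos code."""
import fnmatch

# Permissions listed in the Cloud Optix documentation for the remediation role.
EXPECTED_ACTIONS = frozenset({
    "s3:GetBucketAcl", "s3:PutBucketAcl", "s3:GetBucketPolicy",
    "s3:PutBucketPolicy", "s3:PutEncryptionConfiguration",
    "iam:GetAccountPasswordPolicy", "iam:UpdateAccountPasswordPolicy",
    "cloudtrail:UpdateTrail",
    "ec2:DeleteSecurityGroup", "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupIngress",
})

def allowed_actions(policy):
    """Collect Action entries from every Allow statement (str or list form)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        raw = stmt.get("Action", [])
        actions.update([raw] if isinstance(raw, str) else raw)
    return actions

def audit_remediation_policy(policy, expected=EXPECTED_ACTIONS):
    """Return (missing, over_broad, extra) as sets of action strings.

    missing:    documented actions that no Allow statement grants
    over_broad: wildcard actions (e.g. 's3:*'); the documented role needs none
    extra:      literal actions outside the documented set
    """
    granted = allowed_actions(policy)
    over_broad = {a for a in granted if "*" in a}
    literal = granted - over_broad
    missing = {a for a in expected if a not in literal
               and not any(fnmatch.fnmatchcase(a, w) for w in over_broad)}
    extra = literal - expected
    return missing, over_broad, extra

# Constructed sample policy: s3 is wildcarded, cloudtrail is missing,
# and iam:CreateUser is granted although the documentation does not list it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetAccountPasswordPolicy",
                                       "iam:UpdateAccountPasswordPolicy",
                                       "iam:CreateUser"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DeleteSecurityGroup",
                                       "ec2:DescribeSecurityGroups",
                                       "ec2:RevokeSecurityGroupIngress"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(audit_remediation_policy(SAMPLE_POLICY))
```

A clean result is three empty sets; anything in `over_broad` or `extra` means the role can do more than the remediation actions this page describes.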