
Legacy: Permissions for Sophos Cloud Optix AWS scripts

You can create custom roles with the appropriate permissions needed to run the Sophos Cloud Optix scripts that add AWS environments.

Warning

You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environment.

We recommend that you run the Sophos Cloud Optix scripts using an IAM Administrator role. But if you want to run the scripts with limited permissions, use the permissions here to create a custom role. Note that each policy below is still broad: every statement uses `"Resource": "*"`, and actions such as `iam:CreateRole`, `iam:PassRole` and `iam:AttachRolePolicy` can grant more access than the script itself needs, so restrict the custom role to the principals that run the scripts and remove it when it is no longer needed.

The permissions you need vary depending on whether you want to add an environment, delete an environment, or enable remediation features.

Permissions needed to add an AWS environment

Set the permissions for adding an AWS environment as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",

                "ec2:DescribeFlowLogs",
                "ec2:CreateFlowLogs",
                "ec2:DeleteFlowLogs",
                "ec2:DescribeVpcs",

                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketPolicy",
                "s3:PutEncryptionConfiguration",
                "s3:Get*",

                "sts:GetCallerIdentity",

                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:GetPolicy",
                "lambda:ListVersionsByFunction",

                "cloudtrail:CreateTrail",
                "cloudtrail:DescribeTrails",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:StartLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:GetEventSelectors",

                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:PutSubscriptionFilter",
                "logs:PutRetentionPolicy",
                "logs:ListTagsLogGroup"
            ],
            "Resource": "*"
        }
    ]
}

Permissions needed to delete an AWS environment

Set the permissions for deleting an AWS environment as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",

                "ec2:DeleteFlowLogs",
                "ec2:DescribeFlowLogs",

                "sts:GetCallerIdentity",

                "lambda:DeleteFunction",
                "lambda:GetFunction",

                "cloudtrail:DeleteTrail",

                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*"
        }
    ]
}

Permissions needed to enable remediation features

Set the permissions for enabling remediation features as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:ListPolicyVersions",

                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}