This page contains the permissions policy for the Amazon Web Services (AWS) role that is required by the following services:
Replace the following placeholders before using the policy:

- `AWS_REGION`: the AWS Region where you are deploying the CloudFormation stack
- `AWS_ACCOUNT_ID`: the ID of the AWS account where you are deploying the CloudFormation stack

Substitute the values with no surrounding whitespace. As rendered on this page, several ARNs show a space before the placeholder (for example `arn:aws:sqs:*: AWS_ACCOUNT_ID:PurpleboxQueue`) and the `kms:CallerAccount` value is split across lines; an ARN or condition value that keeps a stray space or line break will not match the intended resource and the statement will silently fail to apply.
Paste this policy into the AWS role to add permissions. Before attaching it, review the statements that use `"Resource": "*"` with no condition. In particular, the statement granting `iam:CreateRole`, `iam:PutRolePolicy`, `iam:AttachRolePolicy`, `iam:PassRole`, and `ssm:SendCommand` on `*` is not scoped to the Purplebox resources and lets the role create and attach policies to arbitrary IAM roles and run SSM commands on any managed instance in the account; consider restricting those actions to the `scanner-role`, `purplebox-sqs-lambda-role`, and `PurpleboxRole` ARNs that appear later in the policy, and to the instances tagged `Created By = Purplebox`.
{
"Version"
:
"2012-10-17"
,
"Statement"
:
[
{
"Action"
:
[
"sqs:CreateQueue"
,
"sqs:TagQueue"
],
"Resource"
:
[
"arn:aws:sqs:*: AWS_ACCOUNT_ID
:PurpleboxQueue"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"logs:FilterLogEvents"
,
"logs:PutRetentionPolicy"
],
"Resource"
:
[
"arn:aws:logs: AWS_REGION
: AWS_ACCOUNT_ID
:log-group:/aws/lambda/PurpleBox"
,
"arn:aws:logs: AWS_REGION
: AWS_ACCOUNT_ID
:log-group:/aws/lambda/PurpleBox:log-stream"
,
"arn:aws:logs: AWS_REGION
: AWS_ACCOUNT_ID
:log-group:/aws/lambda/PurpleBox:log-stream:"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"ssm:GetParameter"
],
"Resource"
:
"arn:aws:ssm:*::parameter/aws/service/ami-amazon-linux-latest*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"lambda:DeleteFunction"
],
"Resource"
:
"arn:aws:lambda:*: AWS_ACCOUNT_ID
:function:purplebox-sqs-processing"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"ec2:CreateTags"
,
"ec2:DescribeInstances"
,
"ec2:DescribeVolumes"
,
"ec2:DescribeSnapshots"
,
"ec2:DescribeRegions"
,
"ec2:DescribeVpcs"
,
"ec2:DescribeSubnets"
,
"ec2:DescribeSecurityGroups"
,
"ec2:DescribeRouteTables"
,
"ec2:DescribeVpcEndpoints"
,
"ec2:DescribeInternetGateways"
,
"ecr:DescribeRepositories"
,
"ecr:DescribeImages"
,
"ecr-public:DescribeRepositories"
,
"ecr-public:DescribeImages"
,
"ec2:CreateSnapshot"
,
"events:ListRules"
,
"servicequotas:ListServiceQuotas"
,
"organizations:DescribeOrganization"
,
"lambda:TagResource"
,
"events:TagResource"
,
"cloudwatch:GetMetricStatistics"
,
"ssm:DescribeInstanceInformation"
,
"ssm:GetCommandInvocation"
,
"ssm:ListCommandInvocations"
,
"ec2:DescribeSecurityGroupRules"
,
"lambda:ListEventSourceMappings"
,
"lambda:ListFunctions"
,
"s3:ListAllMyBuckets"
,
"events:DescribeRule"
,
"events:PutRule"
,
"events:PutTargets"
,
"events:RemoveTargets"
,
"events:DeleteRule"
],
"Resource"
:
"*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"s3:*"
],
"Resource"
:
[
"arn:aws:s3:::purplebox.cnspec.*"
,
"arn:aws:s3:::purplebox.cnspec.*/*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateSubnet"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:subnet/*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"cloudformation:DeleteStack"
,
"cloudformation:UpdateStack"
,
"cloudformation:GetTemplate"
,
"cloudformation:DescribeStacks"
],
"Resource"
:
[
"arn:aws:cloudformation: AWS_REGION
: AWS_ACCOUNT_ID
:stack/*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateSecurityGroup"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:vpc/*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateSubnet"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:vpc/*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:security-group*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource"
:
[
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:security-group-rule"
,
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:security-group-rule/*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateRouteTable"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:route-table/*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateSecurityGroup"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:security-group/*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateVpcEndpoint"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:vpc-endpoint*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateVpcEndpoint"
],
"Resource"
:
[
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:vpc/*"
,
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:subnet/*"
,
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:security-group*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateInternetGateway"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:internet-gateway/*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"events:PutTargets"
,
"events:RemoveTargets"
],
"Resource"
:
[
"arn:aws:lambda: AWS_REGION
: AWS_ACCOUNT_ID
:function:PurpleBox"
,
"arn:aws:lambda:*: AWS_ACCOUNT_ID
:function:purplebox-sqs-processing"
,
"arn:aws:events:*: AWS_ACCOUNT_ID
:rule/purplebox*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateVpc"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:vpc/*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"ec2:CreateVpcEndpoint"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:route-table/*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:ModifyVpcAttribute"
,
"ec2:AssociateRouteTable"
,
"ec2:AttachInternetGateway"
],
"Resource"
:
[
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:internet-gateway/*"
,
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:route-table/*"
,
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:vpc/*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:TerminateInstances"
],
"Resource"
:
[
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:instance/*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"ec2:Owner"
:
"amazon"
}
},
"Action"
:
[
"ec2:RunInstances"
],
"Resource"
:
"arn:aws:ec2:*::image/*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"ec2:RunInstances"
],
"Resource"
:
[
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:network-interface/*"
,
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:subnet/*"
,
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:volume/*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:RunInstances"
],
"Resource"
:
[
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:security-group/*"
,
"arn:aws:ec2:*::snapshot/*"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"iam:GetRole"
,
"iam:PassRole"
,
"iam:TagRole"
,
"iam:PutRolePolicy"
,
"iam:GetRolePolicy"
,
"iam:AttachRolePolicy"
,
"iam:DeleteRole"
,
"iam:DeleteRolePolicy"
,
"lambda:DeleteCodeSigningConfig"
,
"iam:CreateRole"
,
"iam:GetInstanceProfile"
,
"iam:CreateInstanceProfile"
,
"iam:DeleteInstanceProfile"
,
"iam:AddRoleToInstanceProfile"
,
"lambda:GetFunction"
,
"lambda:CreateFunction"
,
"lambda:CreateEventSourceMapping"
,
"lambda:GetEventSourceMapping"
,
"lambda:DeleteEventSourceMapping"
,
"ssm:SendCommand"
,
"iam:DetachRolePolicy"
,
"iam:RemoveRoleFromInstanceProfile"
],
"Resource"
:
[
"*"
],
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:AttachVolume"
,
"ec2:DetachVolume"
,
"ec2:DeleteVolume"
,
"ec2:DeleteSnapshot"
,
"ec2:DeleteVpc"
,
"ec2:DeleteSubnet"
,
"ec2:DeleteSecurityGroup"
,
"ec2:DeleteVpcEndpoints"
,
"ec2:DeleteRouteTable"
,
"ec2:DeleteInternetGateway"
,
"ec2:DetachInternetGateway"
,
"lambda:DeleteFunction"
],
"Resource"
:
"*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:RequestTag/Created By"
:
"Purplebox"
}
},
"Action"
:
[
"ec2:CreateVolume"
],
"Resource"
:
"*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"ec2:InstanceProfile"
:
"arn:aws:iam:: AWS_ACCOUNT_ID
:instance-profile/scanner-instance-profile"
,
"ec2:InstanceType"
:
[
"t4g.micro"
,
"t2.micro"
,
"t4g.medium"
]
}
},
"Action"
:
[
"ec2:RunInstances"
],
"Resource"
:
"arn:aws:ec2:*: AWS_ACCOUNT_ID
:instance/*"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"aws:ResourceTag/Created By"
:
"Purplebox"
,
"kms:CallerAccount"
:
" AWS_ACCOUNT_ID
"
,
"kms:ViaService"
:
"lambda. AWS_REGION
.amazonaws.com"
},
"Bool"
:
{
"kms:GrantIsForAWSResource"
:
"true"
}
},
"Action"
:
"kms:CreateGrant"
,
"Resource"
:
"arn:aws:kms:*: AWS_ACCOUNT_ID
:key/*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"events:PutRule"
,
"events:DeleteRule"
,
"events:TagResource"
],
"Resource"
:
"arn:aws:events:*: AWS_ACCOUNT_ID
:rule/purplebox*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"ssm:SendCommand"
],
"Resource"
:
[
"arn:aws:ssm:*::document/AWS-RunShellScript"
,
"arn:aws:ssm:*::document/AWS-RunPowerShellScript"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"ssm:PutParameter"
,
"ssm:DeleteParameter"
,
"ssm:AddTagsToResource"
,
"ssm:GetParameter"
,
"ssm:GetParameters"
],
"Resource"
:
"arn:aws:ssm: AWS_REGION
: AWS_ACCOUNT_ID
:parameter/Purplebox*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"sqs:SendMessage"
,
"sqs:DeleteMessage"
,
"sqs:SetQueueAttributes"
,
"sqs:DeleteQueue"
,
"sqs:ReceiveMessage"
,
"sqs:GetQueueAttributes"
,
"sqs:PurgeQueue"
],
"Resource"
:
"arn:aws:sqs:*: AWS_ACCOUNT_ID
:PurpleboxQueue"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"lambda:UpdateFunctionConfiguration"
,
"lambda:GetFunctionConfiguration"
,
"lambda:*Permission"
,
"lambda:UpdateFunctionCode"
,
"lambda:*Function"
,
"lambda:PutFunctionConcurrency"
,
"lambda:UpdateEventSourceMapping"
,
"lambda:PutFunctionCodeSigningConfig"
],
"Resource"
:
[
"arn:aws:lambda: AWS_REGION
: AWS_ACCOUNT_ID
:function:PurpleBox"
,
"arn:aws:lambda:*: AWS_ACCOUNT_ID
:function:purplebox-sqs-processing"
,
"arn:aws:lambda: AWS_REGION
: AWS_ACCOUNT_ID
:function:PurpleBoxUpdater"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"s3:GetObject"
],
"Resource"
:
[
"arn:aws:s3:::scc-vulnscanner. AWS_REGION
/*"
,
"arn:aws:s3:::scc-vulnscanner.*/*"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"events:RemovePermission"
],
"Resource"
:
"arn:aws:events:*: AWS_ACCOUNT_ID
:event-bus/default"
,
"Effect"
:
"Allow"
},
{
"Condition"
:
{
"StringEquals"
:
{
"sts:AWSServiceName"
:
"ec2.amazonaws.com"
}
},
"Action"
:
[
"sts:GetServiceBearerToken"
],
"Resource"
:
"*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"lambda:UpdateCodeSigningConfig"
],
"Resource"
:
"arn:aws:lambda: AWS_REGION
: AWS_ACCOUNT_ID
:code-signing-config:csc-04006c10ff4690ad0"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"lambda:CreateCodeSigningConfig"
,
"lambda:GetCodeSigningConfig"
],
"Resource"
:
"*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"iam:ListAttachedRolePolicies"
,
"iam:ListRolePolicies"
],
"Resource"
:
[
"arn:aws:iam:: AWS_ACCOUNT_ID
:role/scanner-role"
,
"arn:aws:iam:: AWS_ACCOUNT_ID
:role/purplebox-sqs-lambda-role"
,
"arn:aws:iam:: AWS_ACCOUNT_ID
:role/PurpleboxRole"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"sqs:ReceiveMessage"
,
"sqs:DeleteMessage"
,
"sqs:SendMessage"
,
"sqs:GetQueueAttributes"
,
"lambda:InvokeFunction"
,
"lambda:CreateEventSourceMapping"
,
"lambda:UpdateFunctionConfiguration"
,
"lambda:ListEventSourceMappings"
,
"lambda:UpdateEventSourceMapping"
],
"Resource"
:
[
"arn:aws:lambda:*: AWS_ACCOUNT_ID
:function:purplebox-sqs-processing"
,
"arn:aws:sqs:*: AWS_ACCOUNT_ID
:PurpleboxQueue"
],
"Effect"
:
"Allow"
},
{
"Action"
:
[
"sqs:SendMessage"
],
"Resource"
:
"arn:aws:sqs:*: AWS_ACCOUNT_ID
:PurpleboxQueue"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"ec2:DescribeInstances"
,
"ecr:DescribeImages"
,
"ecr-public:DescribeImages"
,
"ecr:DescribeRepositories"
,
"ecr-public:DescribeRepositories"
,
"ecr:GetAuthorizationToken"
,
"ecr:BatchGetImage"
,
"ecr:GetDownloadUrlForLayer"
],
"Resource"
:
"*"
,
"Effect"
:
"Allow"
},
{
"Action"
:
[
"s3:GetObject"
,
"s3:PutObject"
],
"Resource"
:
"arn:aws:s3:::purplebox.cnspec.*"
,
"Effect"
:
"Allow"
}
]
}