AWS Data Access Policies

Permissions can be assigned by creating an IAM role or an IAM user.

IAM Role

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group.

Policies can be attached to roles to provide different levels of access to your AWS resources. IAM policies define permissions for an action regardless of the method that you use to perform the operation. They can be included or excluded depending on needs.

When creating an IAM role via the Quick Create form, all of the permissions listed towards the bottom of the page are added to your account by default.

IAM User

Note

We do not recommend you create an IAM user and use it to authenticate for SecureCloudDB. Instead, you should have SecureCloudDB assume an IAM role.

An AWS IAM user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Policies

You will have the option to turn off all of the permissions except the SecureCloudDB-ReadOnly role. The AWS Resources Read Only role is required for basic analytics; all of the others can be turned off as needed, but turning one off restricts the corresponding user or extension scanning accordingly.

SecureCloudDB Core Policy

The following policy grants SecureCloudDB read-only access to your AWS resources. It does not grant access to your database servers. Using this policy alone will allow SecureCloudDB to perform core security assessments, but some enhanced assessments will not be possible.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "rds:List*",
        "redshift:Describe*",
        "redshift:List*",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "es:Describe*",
        "es:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    }
  ]
}

SecureCloudDB Extended Policies: Database Access

Relational Database Service (RDS) Data API Access

The following IAM policy allows SecureCloudDB to connect to your RDS Database or Cluster using the RDS Data API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-data:ExecuteStatement"
      ],
      "Resource": "*"
    }
  ]
}

Relational Database Service (RDS) IAM Auth

The following IAM policy allows SecureCloudDB to connect to your RDS Database or Cluster using IAM Auth.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": "arn:aws:rds-db:*:*:dbuser:*/secureclouddb"
    }
  ]
}

Redshift Service Data Access

The following IAM policy allows SecureCloudDB to connect to your Redshift cluster.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": "arn:aws:redshift:*:*:dbuser:*/secureclouddb"
    }
  ]
}
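The core policy above is described as read-only, while the three database-access policies in this section deliberately pin rds-db:connect and redshift:GetClusterCredentials to a single db user (secureclouddb) rather than to any user. The checker below is an added example, not SecureCloudDB code: it confirms a policy only grants Describe/List/Get actions and never reaches a database engine (even through a wildcard such as redshift:Get*), and it flags any database-engine grant whose resource is not scoped to one db user. The read-only verb set and the sample policies (constructed, with the core policy abbreviated) are assumptions.

```python
import fnmatch

# Added checker, not SecureCloudDB code. The sample policies are constructed
# (the core policy is abbreviated) and the read-only rule is an assumption.
READ_ONLY_VERBS = ("Describe", "List", "Get")
DB_ACCESS_ACTIONS = {"rds-db:connect", "rds-data:ExecuteStatement",
                     "redshift:GetClusterCredentials"}

CORE_SAMPLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["rds:Describe*", "rds:List*", "ec2:DescribeVpcs"],
    "Resource": "*"}]}
IAM_AUTH = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["rds-db:connect"],
    "Resource": "arn:aws:rds-db:*:*:dbuser:*/secureclouddb"}]}
DATA_API = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["rds-data:ExecuteStatement"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allow_grants(policy):
    """Yield (action, resource) pairs from every Allow statement."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                yield action, resource

def _reaches_db(action):
    # IAM matches action names case-insensitively, wildcards included.
    return any(fnmatch.fnmatchcase(db.lower(), action.lower())
               for db in DB_ACCESS_ACTIONS)

def is_read_only(policy):
    """True when every verb is Describe*/List*/Get* and no grant reaches a database engine."""
    return all(action.split(":", 1)[-1].startswith(READ_ONLY_VERBS)
               and not _reaches_db(action)
               for action, _ in allow_grants(policy))

def db_access_findings(policy):
    """Flag database-engine grants not pinned to one db user (arn:...:dbuser:<id>/<user>)."""
    findings = []
    for action, resource in allow_grants(policy):
        if not _reaches_db(action):
            continue
        user = resource.rsplit("/", 1)[-1] if "/" in resource else "*"
        if user == "*":
            findings.append(f"{action}: {resource} is not scoped to a db user")
    return findings
```

Run it against each policy on this page before attaching it; the RDS Data API policy is reported because its Resource is "*", which is exactly the difference between it and the IAM Auth policy.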

SecureCloudDB Extended Policies: Activity Monitoring

DynamoDB Stream Activity Monitoring

The following IAM policy allows SecureCloudDB to monitor table activity using DynamoDB streams.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:DescribeTable",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

RDS Log File Activity Monitoring

The following IAM policy allows SecureCloudDB to monitor RDS log file activity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusterParameters",
        "rds:DownloadDBLogFilePortion",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameters",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeOptionGroups",
        "rds:DescribeDBClusterParameterGroups"
      ],
      "Resource": [
        "arn:aws:rds:*:*:db:*",
        "arn:aws:rds:*:*:og:*",
        "arn:aws:rds:*:*:cluster-pg:*",
        "arn:aws:rds:*:*:pg:*"
      ]
    }
  ]
}

SecureCloudDB Extended Policies: EC2 Access

Elastic Compute Cloud (EC2) Data API Access

The following IAM policy allows SecureCloudDB to connect to your EC2 instances using the EC2 Data API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVPCs",
        "ec2:DescribeNetworkACLs",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}