IAM Permission Boundary
bucketAV uses CloudFormation to deploy a production-ready malware scanning system into your AWS account. Part of that deployment is creating IAM roles. The EC2 instances assume those roles, for example to receive outstanding scan jobs from SQS or to download S3 objects for scanning.
If your AWS organization enforces IAM permission boundaries, set the PermissionsBoundary parameter to the ARN of your boundary policy when deploying bucketAV's CloudFormation stacks. A permission boundary never grants permissions on its own; it caps what a role's policies can grant, so the effective permissions of each bucketAV role are the intersection of the role's policies and the boundary.
Required IAM actions for bucketAV powered by ClamAV/Sophos
The following IAM actions are required by the IAM roles that bucketAV creates, regardless of edition. Make sure your permission boundary allows all of them: any action the boundary does not allow is denied for the role, even if the role's own policy grants it.
autoscaling:CompleteLifecycleAction
autoscaling:DescribeAutoScalingInstances
autoscaling:RecordLifecycleActionHeartbeat
cloudformation:DescribeStacks
cloudformation:ListStacks
cloudwatch:GetMetricStatistics
cloudwatch:PutMetricData
dynamodb:DeleteItem
dynamodb:PutItem
dynamodb:Scan
events:DescribeRule
events:ListRuleNamesByTarget
kms:Decrypt
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:PutLogEvents
s3:GetBucketLocation
s3:GetBucketNotification
s3:GetObject*
s3:ListAllMyBuckets
s3:ListBucket*
s3:PutObjectTagging
s3:PutObjectVersionTagging
sns:ListSubscriptionsByTopic
sns:Publish
sqs:ChangeMessageVisibility
sqs:ChangeMessageVisibilityBatch
sqs:DeleteMessage
sqs:DeleteMessageBatch
sqs:ReceiveMessage
ssm:GetParametersByPath
Additional IAM actions required by bucketAV powered by Sophos
When using bucketAV powered by Sophos, additional IAM actions are needed.
aws-marketplace:MeterUsage
Optional IAM actions
Additional IAM actions are required when the parameter DeleteInfectedFiles is set to true.
s3:DeleteObject*
Additional IAM actions are required when the parameter SystemsManagerAccess is set to true.
ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage
ec2messages:GetEndpoint
ec2messages:GetMessages
ec2messages:SendReply
ssm:ListAssociations
ssm:ListInstanceAssociations
ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
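As an added example (not part of bucketAV or its documentation), the following Python builds a boundary policy document from the action lists above, selected by the same deployment parameters, and checks whether an existing boundary policy covers them. The action names are the ones listed on this page; the function names, the single-statement policy layout and Resource "*" are this example's own assumptions.

```python
"""Build and check an IAM permission boundary for the roles bucketAV creates.

Added example; not part of bucketAV's documentation or code. The action
names are the lists from this page. Everything else (function names, the
single-statement policy layout, Resource "*") is this example's own choice.
"""
import fnmatch
import json

# Actions every bucketAV role needs, ClamAV and Sophos editions alike.
BASE_ACTIONS = """
autoscaling:CompleteLifecycleAction autoscaling:DescribeAutoScalingInstances
autoscaling:RecordLifecycleActionHeartbeat cloudformation:DescribeStacks
cloudformation:ListStacks cloudwatch:GetMetricStatistics cloudwatch:PutMetricData
dynamodb:DeleteItem dynamodb:PutItem dynamodb:Scan
events:DescribeRule events:ListRuleNamesByTarget kms:Decrypt
logs:CreateLogGroup logs:CreateLogStream logs:DescribeLogGroups
logs:DescribeLogStreams logs:PutLogEvents
s3:GetBucketLocation s3:GetBucketNotification s3:GetObject* s3:ListAllMyBuckets
s3:ListBucket* s3:PutObjectTagging s3:PutObjectVersionTagging
sns:ListSubscriptionsByTopic sns:Publish
sqs:ChangeMessageVisibility sqs:ChangeMessageVisibilityBatch sqs:DeleteMessage
sqs:DeleteMessageBatch sqs:ReceiveMessage ssm:GetParametersByPath
""".split()
SOPHOS_ACTIONS = ["aws-marketplace:MeterUsage"]        # Sophos edition only
DELETE_INFECTED_ACTIONS = ["s3:DeleteObject*"]         # DeleteInfectedFiles=true
SYSTEMS_MANAGER_ACTIONS = """
ec2messages:AcknowledgeMessage ec2messages:DeleteMessage ec2messages:FailMessage
ec2messages:GetEndpoint ec2messages:GetMessages ec2messages:SendReply
ssm:ListAssociations ssm:ListInstanceAssociations ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel ssmmessages:OpenDataChannel
""".split()                                            # SystemsManagerAccess=true


def required_actions(sophos=False, delete_infected_files=False,
                     systems_manager_access=False):
    """Sorted list of actions the boundary must allow for one deployment."""
    actions = list(BASE_ACTIONS)
    if sophos:
        actions += SOPHOS_ACTIONS
    if delete_infected_files:
        actions += DELETE_INFECTED_ACTIONS
    if systems_manager_access:
        actions += SYSTEMS_MANAGER_ACTIONS
    return sorted(set(actions))


def boundary_policy(actions):
    """Policy document for a customer managed policy used as the boundary.

    Resource stays "*" here (an assumption of this example): a boundary only
    caps permissions, and the scoping to specific buckets, queues and tables
    lives in the role policies bucketAV creates. The effective permission is
    the intersection of the two.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "BucketAVBoundary", "Effect": "Allow",
                       "Action": list(actions), "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_actions(policy, required):
    """Entries of `required` that no Allow statement in `policy` covers.

    IAM action matching is case-insensitive and supports '*' and '?'. A
    required entry that itself ends in '*' (e.g. s3:GetObject*) only counts
    as covered by a pattern at least as broad (s3:GetObject*, s3:*, *); a
    plain s3:GetObject does not cover it. Heuristic only: Deny statements,
    NotAction and Conditions are ignored. Use the IAM policy simulator for
    an authoritative answer.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns += [p.lower() for p in _as_list(stmt["Action"])]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


if __name__ == "__main__":
    # Document for the managed policy whose ARN goes into the
    # PermissionsBoundary parameter of the bucketAV stacks.
    print(json.dumps(boundary_policy(required_actions(sophos=True)), indent=2))
```

Save the printed document, create it with `aws iam create-policy --policy-name <name> --policy-document file://<file>`, and pass the returned policy ARN as the PermissionsBoundary parameter. If your organization already has a boundary, run `missing_actions()` against that policy document with the action list for your parameters before deploying; an empty result means the boundary will not cut off anything the bucketAV roles need.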