IAM Permission Boundary

bucketAV uses CloudFormation to deploy a production-ready malware scanning system into your AWS account. Part of that deployment is the creation of IAM roles, which the EC2 instances assume, for example to receive outstanding scan jobs from SQS or to download S3 objects for scanning.

If your AWS organization enforces IAM permission boundaries, set the PermissionsBoundary parameter to the ARN of your boundary policy when deploying bucketAV's CloudFormation stacks. The boundary is then attached to every IAM role the stacks create.

Required IAM actions for bucketAV powered by ClamAV/Sophos (#)

The following IAM actions are required by the IAM roles bucketAV creates. Make sure your permission boundary grants all of them: a role's effective permissions are the intersection of its own policies and the boundary, so any action the boundary omits is denied at runtime even though the role's policy allows it. Entries ending in * are wildcards; the boundary has to cover every action matching the prefix.

autoscaling:CompleteLifecycleAction
autoscaling:DescribeAutoScalingInstances
autoscaling:RecordLifecycleActionHeartbeat
cloudformation:DescribeStacks
cloudformation:ListStacks
cloudwatch:GetMetricStatistics
cloudwatch:PutMetricData
dynamodb:DeleteItem
dynamodb:PutItem
dynamodb:Scan
events:DescribeRule
events:ListRuleNamesByTarget
kms:Decrypt
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:PutLogEvents
s3:GetBucketLocation
s3:GetBucketNotification
s3:GetObject*
s3:ListAllMyBuckets
s3:ListBucket*
s3:PutObjectTagging
s3:PutObjectVersionTagging
sns:ListSubscriptionsByTopic
sns:Publish
sqs:ChangeMessageVisibility
sqs:ChangeMessageVisibilityBatch
sqs:DeleteMessage
sqs:DeleteMessageBatch
sqs:ReceiveMessage
ssm:GetParametersByPath

Additional IAM actions required by bucketAV powered by Sophos (#)

When using bucketAV powered by Sophos, the following IAM action is additionally needed. It lets the instances report usage to AWS Marketplace Metering for the Sophos subscription.

aws-marketplace:MeterUsage

Optional IAM actions (#)

The following additional IAM action is required when the parameter DeleteInfectedFiles is set to true.

s3:DeleteObject*

The following additional IAM actions are required when the parameter SystemsManagerAccess is set to true. They are what the SSM Agent on the instances needs to register with Systems Manager and to open Session Manager channels.

ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage
ec2messages:GetEndpoint
ec2messages:GetMessages
ec2messages:SendReply
ssm:ListAssociations
ssm:ListInstanceAssociations
ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
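Before deploying, it is worth checking offline whether an existing organization-wide boundary actually covers the lists above, wildcards included. The script below is an added example and not bucketAV's own code: it carries the action lists from this page, assembles the set a given edition and parameter combination needs, can emit a minimal boundary document, and reports which required actions an existing boundary document fails to grant. SAMPLE_BOUNDARY is a constructed policy, and the matching only looks at Allow statements' Action patterns (Deny, NotAction, Resource and Condition are ignored), so an empty result is necessary but not sufficient.

```python
"""Offline check that an IAM permission boundary covers every action bucketAV's roles need.

Added example, not bucketAV's code. The action lists are the ones documented for
bucketAV; SAMPLE_BOUNDARY is a constructed boundary policy used to demonstrate the check.
"""
import fnmatch
import json

# Actions required by every bucketAV deployment (ClamAV and Sophos editions).
BASE_ACTIONS = [
    "autoscaling:CompleteLifecycleAction", "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:RecordLifecycleActionHeartbeat",
    "cloudformation:DescribeStacks", "cloudformation:ListStacks",
    "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricData",
    "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan",
    "events:DescribeRule", "events:ListRuleNamesByTarget",
    "kms:Decrypt",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:PutLogEvents",
    "s3:GetBucketLocation", "s3:GetBucketNotification", "s3:GetObject*",
    "s3:ListAllMyBuckets", "s3:ListBucket*", "s3:PutObjectTagging",
    "s3:PutObjectVersionTagging",
    "sns:ListSubscriptionsByTopic", "sns:Publish",
    "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch",
    "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:ReceiveMessage",
    "ssm:GetParametersByPath",
]
SOPHOS_ACTIONS = ["aws-marketplace:MeterUsage"]           # bucketAV powered by Sophos
DELETE_INFECTED_ACTIONS = ["s3:DeleteObject*"]            # DeleteInfectedFiles=true
SSM_ACCESS_ACTIONS = [                                    # SystemsManagerAccess=true
    "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage",
    "ec2messages:GetEndpoint", "ec2messages:GetMessages", "ec2messages:SendReply",
    "ssm:ListAssociations", "ssm:ListInstanceAssociations", "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
]


def required_actions(sophos=False, delete_infected_files=False, systems_manager_access=False):
    """Actions the roles need for a given edition and combination of stack parameters."""
    actions = list(BASE_ACTIONS)
    if sophos:
        actions += SOPHOS_ACTIONS
    if delete_infected_files:
        actions += DELETE_INFECTED_ACTIONS
    if systems_manager_access:
        actions += SSM_ACCESS_ACTIONS
    return actions


def build_boundary_policy(**kwargs):
    """A minimal boundary document granting exactly the required actions.

    Resource is '*' because a boundary only caps what the role's own policies may
    grant; the stack's role policies still scope the resources.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": required_actions(**kwargs), "Resource": "*"}],
    }


def _covers(allowed, required):
    """True if boundary pattern `allowed` matches every action named by `required`.

    IAM action matching is case-insensitive; '*' matches any run of characters and
    '?' a single character, which fnmatch reproduces. When `required` is itself a
    prefix wildcard (s3:GetObject*), `allowed` must end in '*' and match the literal
    prefix, so that every action under that prefix is covered as well.
    """
    allowed, required = allowed.lower(), required.lower()
    if required.endswith("*"):
        return allowed.endswith("*") and fnmatch.fnmatchcase(required[:-1], allowed)
    return fnmatch.fnmatchcase(required, allowed)


def missing_actions(boundary, **kwargs):
    """Required actions that no Allow statement of `boundary` grants.

    Only Effect and Action are examined: Deny, NotAction, Resource and Condition
    are ignored, so an empty result is necessary, not sufficient.
    """
    allowed = []
    for stmt in boundary["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        allowed += [actions] if isinstance(actions, str) else actions
    return [req for req in required_actions(**kwargs)
            if not any(_covers(pat, req) for pat in allowed)]


# Constructed sample: an organization-wide boundary that is almost, but not quite,
# sufficient for bucketAV (cloudformation:ListStacks is not covered).
SAMPLE_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "autoscaling:*", "cloudformation:Describe*", "cloudwatch:*", "dynamodb:*",
            "events:*", "kms:Decrypt", "logs:*", "s3:Get*", "s3:List*",
            "s3:PutObject*Tagging", "sns:*", "sqs:*", "ssm:GetParametersByPath",
        ]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_boundary_policy(sophos=True), indent=2))
    print("missing:", missing_actions(SAMPLE_BOUNDARY, delete_infected_files=True))
```

Run it against the JSON of your real boundary (for example the output of `aws iam get-policy-version`) instead of SAMPLE_BOUNDARY. Because the check ignores Resource and Condition, treat its result as a first pass; the authoritative answer for a specific role is the IAM policy simulator.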
