Knowledge Base

IAM Permission Boundary

bucketAV utilizes CloudFormation to deploy a production-ready malware scanning system to your AWS account. Part of that process is creating IAM roles. The EC2 instance uses those IAM roles to receive outstanding scan jobs via SQS or to download S3 objects for scanning, for example.

In case your AWS organization uses IAM permission boundaries, you need to set the PermissionsBoundary parameter when deploying bucketAV’s CloudFormation stacks.

Required IAM actions

Here is a list of all IAM actions required by the IAM roles created by bucketAV. Ensure that your permission boundary also grants access to those IAM actions.

  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudformation:DescribeStacks
  • cloudwatch:GetMetricStatistics
  • cloudwatch:PutMetricData
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Scan
  • dynamodb:UpdateItem
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • events:DescribeEventBus
  • events:DescribeRule
  • events:ListRuleNamesByTarget
  • kms:Decrypt
  • lambda:InvokeFunction
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • organizations:DescribeOrganization
  • s3:DeleteObject*
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetObject*
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:ListAllMyBuckets
  • s3:ListBucket*
  • s3:PutBucketNotification
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging
  • sns:ListSubscriptionsByTopic
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:PutParameter
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • states:StartExecution
  • sts:AssumeRole
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudformation:DescribeStacks
  • cloudwatch:GetMetricStatistics
  • cloudwatch:PutMetricData
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Scan
  • dynamodb:UpdateItem
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • events:DescribeEventBus
  • events:DescribeRule
  • events:ListRuleNamesByTarget
  • kms:Decrypt
  • lambda:InvokeFunction
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • organizations:DescribeOrganization
  • s3:DeleteObject*
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetObject*
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:ListAllMyBuckets
  • s3:ListBucket*
  • s3:PutBucketNotification
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging
  • sns:ListSubscriptionsByTopic
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:PutParameter
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • states:StartExecution
  • sts:AssumeRole
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudformation:DescribeStacks
  • cloudwatch:GetMetricStatistics
  • cloudwatch:PutMetricData
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Scan
  • dynamodb:UpdateItem
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • events:DescribeEventBus
  • events:DescribeRule
  • events:ListRuleNamesByTarget
  • kms:Decrypt
  • lambda:InvokeFunction
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • organizations:DescribeOrganization
  • s3:DeleteObject*
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetObject*
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:ListAllMyBuckets
  • s3:ListBucket*
  • s3:PutBucketNotification
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging
  • sns:ListSubscriptionsByTopic
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:PutParameter
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • states:StartExecution
  • sts:AssumeRole
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • cloudformation:DescribeStacks
  • cloudwatch:GetMetricStatistics
  • cloudwatch:PutMetricData
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Scan
  • dynamodb:UpdateItem
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • events:DescribeEventBus
  • events:DescribeRule
  • events:ListRuleNamesByTarget
  • kms:Decrypt
  • lambda:InvokeFunction
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • organizations:DescribeOrganization
  • s3:DeleteObject*
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetObject*
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:ListAllMyBuckets
  • s3:ListBucket*
  • s3:PutBucketNotification
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging
  • securityhub:BatchImportFindings
  • sns:ListSubscriptionsByTopic
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:CreateOpsItem
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:PutParameter
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • states:StartExecution
  • sts:AssumeRole
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • cloudformation:DescribeStacks
  • cloudwatch:GetMetricStatistics
  • cloudwatch:PutMetricData
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Scan
  • dynamodb:UpdateItem
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • events:DescribeEventBus
  • events:DescribeRule
  • events:ListRuleNamesByTarget
  • kms:Decrypt
  • lambda:InvokeFunction
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • organizations:DescribeOrganization
  • s3:DeleteObject*
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetObject*
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:ListAllMyBuckets
  • s3:ListBucket*
  • s3:PutBucketNotification
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging
  • securityhub:BatchImportFindings
  • sns:ListSubscriptionsByTopic
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:CreateOpsItem
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:PutParameter
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • states:StartExecution
  • sts:AssumeRole
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • cloudformation:DescribeStacks
  • cloudwatch:GetMetricStatistics
  • cloudwatch:PutMetricData
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Scan
  • dynamodb:UpdateItem
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • events:DescribeEventBus
  • events:DescribeRule
  • events:ListRuleNamesByTarget
  • kms:Decrypt
  • lambda:InvokeFunction
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • organizations:DescribeOrganization
  • s3:DeleteObject*
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetObject*
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:ListAllMyBuckets
  • s3:ListBucket*
  • s3:PutBucketNotification
  • s3:PutObjectTagging
  • s3:PutObjectVersionTagging
  • securityhub:BatchImportFindings
  • sns:ListSubscriptionsByTopic
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:CreateOpsItem
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:PutParameter
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • states:StartExecution
  • sts:AssumeRole
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudformation:DescribeStacks
  • cloudwatch:PutMetricData
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • secretsmanager:GetSecretValue
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudformation:DescribeStacks
  • cloudwatch:PutMetricData
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • secretsmanager:GetSecretValue
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • aws-marketplace:MeterUsage
  • cloudformation:DescribeStacks
  • cloudwatch:PutMetricData
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • secretsmanager:GetSecretValue
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • cloudformation:DescribeStacks
  • cloudwatch:PutMetricData
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • secretsmanager:GetSecretValue
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • cloudformation:DescribeStacks
  • cloudwatch:PutMetricData
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • secretsmanager:GetSecretValue
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel
  • autoscaling:CompleteLifecycleAction
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:RecordLifecycleActionHeartbeat
  • cloudformation:DescribeStacks
  • cloudwatch:PutMetricData
  • ec2messages:AcknowledgeMessage
  • ec2messages:DeleteMessage
  • ec2messages:FailMessage
  • ec2messages:GetEndpoint
  • ec2messages:GetMessages
  • ec2messages:SendReply
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • secretsmanager:GetSecretValue
  • sns:Publish
  • sqs:ChangeMessageVisibility
  • sqs:ChangeMessageVisibilityBatch
  • sqs:DeleteMessage
  • sqs:DeleteMessageBatch
  • sqs:ReceiveMessage
  • sqs:SendMessage
  • ssm:GetParameter
  • ssm:GetParametersByPath
  • ssm:ListAssociations
  • ssm:ListInstanceAssociations
  • ssm:UpdateInstanceInformation
  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email