IAM Permission Boundary
bucketAV utilizes CloudFormation to deploy a production-ready malware scanning system to your AWS account. Part of that process is creating IAM roles. The EC2 instance uses those IAM roles to receive outstanding scan jobs via SQS or to download S3 objects for scanning, for example.
In case your AWS organization uses IAM permission boundaries, you need to set the PermissionsBoundary parameter when deploying bucketAV’s CloudFormation stacks.
Required IAM actions (#)
Here is a list of all IAM actions required by the IAM roles created by bucketAV. Ensure that your permission boundary also grants access to those IAM actions.
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeataws-marketplace:MeterUsagecloudformation:DescribeStackscloudwatch:GetMetricStatisticscloudwatch:PutMetricDatadynamodb:DeleteItemdynamodb:GetItemdynamodb:PutItemdynamodb:Scandynamodb:UpdateItemec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplyevents:DescribeEventBusevents:DescribeRuleevents:ListRuleNamesByTargetkms:Decryptlambda:InvokeFunctionlogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventsorganizations:DescribeOrganizations3:DeleteObject*s3:GetBucketLocations3:GetBucketNotifications3:GetObject*s3:GetObjectTaggings3:GetObjectVersionTaggings3:ListAllMyBucketss3:ListBucket*s3:PutBucketNotifications3:PutObjectTaggings3:PutObjectVersionTaggingsns:ListSubscriptionsByTopicsns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:PutParameterssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannelstates:StartExecutionsts:AssumeRole
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeataws-marketplace:MeterUsagecloudformation:DescribeStackscloudwatch:GetMetricStatisticscloudwatch:PutMetricDatadynamodb:DeleteItemdynamodb:GetItemdynamodb:PutItemdynamodb:Scandynamodb:UpdateItemec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplyevents:DescribeEventBusevents:DescribeRuleevents:ListRuleNamesByTargetkms:Decryptlambda:InvokeFunctionlogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventsorganizations:DescribeOrganizations3:DeleteObject*s3:GetBucketLocations3:GetBucketNotifications3:GetObject*s3:GetObjectTaggings3:GetObjectVersionTaggings3:ListAllMyBucketss3:ListBucket*s3:PutBucketNotifications3:PutObjectTaggings3:PutObjectVersionTaggingsns:ListSubscriptionsByTopicsns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:PutParameterssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannelstates:StartExecutionsts:AssumeRole
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeatcloudformation:DescribeStackscloudwatch:GetMetricStatisticscloudwatch:PutMetricDatadynamodb:DeleteItemdynamodb:GetItemdynamodb:PutItemdynamodb:Scandynamodb:UpdateItemec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplyevents:DescribeEventBusevents:DescribeRuleevents:ListRuleNamesByTargetkms:Decryptlambda:InvokeFunctionlogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventsorganizations:DescribeOrganizations3:DeleteObject*s3:GetBucketLocations3:GetBucketNotifications3:GetObject*s3:GetObjectTaggings3:GetObjectVersionTaggings3:ListAllMyBucketss3:ListBucket*s3:PutBucketNotifications3:PutObjectTaggings3:PutObjectVersionTaggingsecurityhub:BatchImportFindingssns:ListSubscriptionsByTopicsns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:CreateOpsItemssm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:PutParameterssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannelstates:StartExecutionsts:AssumeRole
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeatcloudformation:DescribeStackscloudwatch:GetMetricStatisticscloudwatch:PutMetricDatadynamodb:DeleteItemdynamodb:GetItemdynamodb:PutItemdynamodb:Scandynamodb:UpdateItemec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplyevents:DescribeEventBusevents:DescribeRuleevents:ListRuleNamesByTargetkms:Decryptlambda:InvokeFunctionlogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventsorganizations:DescribeOrganizations3:DeleteObject*s3:GetBucketLocations3:GetBucketNotifications3:GetObject*s3:GetObjectTaggings3:GetObjectVersionTaggings3:ListAllMyBucketss3:ListBucket*s3:PutBucketNotifications3:PutObjectTaggings3:PutObjectVersionTaggingsecurityhub:BatchImportFindingssns:ListSubscriptionsByTopicsns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:CreateOpsItemssm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:PutParameterssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannelstates:StartExecutionsts:AssumeRole
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeataws-marketplace:MeterUsagecloudformation:DescribeStackscloudwatch:PutMetricDataec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplylogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventssecretsmanager:GetSecretValuesns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannel
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeataws-marketplace:MeterUsagecloudformation:DescribeStackscloudwatch:PutMetricDataec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplylogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventssecretsmanager:GetSecretValuesns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannel
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeatcloudformation:DescribeStackscloudwatch:PutMetricDataec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplylogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventssecretsmanager:GetSecretValuesns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannel
autoscaling:CompleteLifecycleActionautoscaling:DescribeAutoScalingInstancesautoscaling:RecordLifecycleActionHeartbeatcloudformation:DescribeStackscloudwatch:PutMetricDataec2messages:AcknowledgeMessageec2messages:DeleteMessageec2messages:FailMessageec2messages:GetEndpointec2messages:GetMessagesec2messages:SendReplylogs:CreateLogGrouplogs:CreateLogStreamlogs:DescribeLogGroupslogs:DescribeLogStreamslogs:PutLogEventssecretsmanager:GetSecretValuesns:Publishsqs:ChangeMessageVisibilitysqs:ChangeMessageVisibilityBatchsqs:DeleteMessagesqs:DeleteMessageBatchsqs:ReceiveMessagesqs:SendMessagessm:GetParameterssm:GetParametersByPathssm:ListAssociationsssm:ListInstanceAssociationsssm:UpdateInstanceInformationssmmessages:CreateControlChannelssmmessages:CreateDataChannelssmmessages:OpenControlChannelssmmessages:OpenDataChannel