IAM Permission Boundary
bucketAV uses CloudFormation to deploy a production-ready malware scanning system into your AWS account. Part of that process is creating IAM roles; the EC2 instance uses those IAM roles, for example, to receive outstanding scan jobs from SQS and to download S3 objects for scanning.
If your AWS organization uses IAM permission boundaries, you need to set the PermissionsBoundary configuration parameter when deploying bucketAV's CloudFormation stacks.
Required IAM actions
The lists below enumerate the IAM actions required by the IAM roles created by bucketAV; the exact set differs slightly between the deployment variants shown. A permission boundary caps what a role may do: the effective permissions are the intersection of the boundary and the role's own policies, so ensure that your permission boundary also grants access to those IAM actions (and does not explicitly deny any of them), otherwise the scanner will fail with access-denied errors.
autoscaling:CompleteLifecycleAction
autoscaling:DescribeAutoScalingInstances
autoscaling:RecordLifecycleActionHeartbeat
aws-marketplace:MeterUsage
cloudformation:DescribeStacks
cloudwatch:GetMetricStatistics
cloudwatch:PutMetricData
dynamodb:DeleteItem
dynamodb:GetItem
dynamodb:PutItem
dynamodb:Scan
dynamodb:UpdateItem
ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage
ec2messages:GetEndpoint
ec2messages:GetMessages
ec2messages:SendReply
events:DescribeEventBus
events:DescribeRule
events:ListRuleNamesByTarget
events:PutEvents
kms:Decrypt
lambda:InvokeFunction
logs:CreateLogDelivery
logs:CreateLogGroup
logs:CreateLogStream
logs:DeleteLogDelivery
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:DescribeResourcePolicies
logs:GetLogDelivery
logs:GetQueryResults
logs:ListLogDeliveries
logs:PutLogEvents
logs:PutResourcePolicy
logs:StartQuery
logs:UpdateLogDelivery
organizations:DescribeOrganization
s3:DeleteObject*
s3:GetBucketNotification
s3:GetBucketTagging
s3:GetObject*
s3:GetObjectTagging
s3:GetObjectVersionTagging
s3:ListAllMyBuckets
s3:ListBucket*
s3:PutBucketNotification
s3:PutObjectTagging
s3:PutObjectVersionTagging
sns:ListSubscriptionsByTopic
sns:Publish
sqs:ChangeMessageVisibility
sqs:DeleteMessage
sqs:ReceiveMessage
sqs:SendMessage
ssm:GetParameter
ssm:GetParametersByPath
ssm:ListAssociations
ssm:ListInstanceAssociations
ssm:PutParameter
ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
states:StartExecution
sts:AssumeRole

autoscaling:CompleteLifecycleAction
autoscaling:DescribeAutoScalingInstances
autoscaling:RecordLifecycleActionHeartbeat
cloudformation:DescribeStacks
cloudwatch:GetMetricStatistics
cloudwatch:PutMetricData
dynamodb:DeleteItem
dynamodb:GetItem
dynamodb:PutItem
dynamodb:Scan
dynamodb:UpdateItem
ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage
ec2messages:GetEndpoint
ec2messages:GetMessages
ec2messages:SendReply
events:DescribeEventBus
events:DescribeRule
events:ListRuleNamesByTarget
events:PutEvents
kms:Decrypt
lambda:InvokeFunction
logs:CreateLogDelivery
logs:CreateLogGroup
logs:CreateLogStream
logs:DeleteLogDelivery
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:DescribeResourcePolicies
logs:GetLogDelivery
logs:GetQueryResults
logs:ListLogDeliveries
logs:PutLogEvents
logs:PutResourcePolicy
logs:StartQuery
logs:UpdateLogDelivery
organizations:DescribeOrganization
s3:DeleteObject*
s3:GetBucketNotification
s3:GetBucketTagging
s3:GetObject*
s3:GetObjectTagging
s3:GetObjectVersionTagging
s3:ListAllMyBuckets
s3:ListBucket*
s3:PutBucketNotification
s3:PutObjectTagging
s3:PutObjectVersionTagging
securityhub:BatchImportFindings
sns:ListSubscriptionsByTopic
sns:Publish
sqs:ChangeMessageVisibility
sqs:DeleteMessage
sqs:ReceiveMessage
sqs:SendMessage
ssm:CreateOpsItem
ssm:GetParameter
ssm:GetParametersByPath
ssm:ListAssociations
ssm:ListInstanceAssociations
ssm:PutParameter
ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
states:StartExecution
sts:AssumeRole

autoscaling:CompleteLifecycleAction
autoscaling:DescribeAutoScalingInstances
autoscaling:RecordLifecycleActionHeartbeat
aws-marketplace:MeterUsage
cloudformation:DescribeStacks
cloudwatch:PutMetricData
ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage
ec2messages:GetEndpoint
ec2messages:GetMessages
ec2messages:SendReply
events:PutEvents
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:GetQueryResults
logs:PutLogEvents
logs:StartQuery
secretsmanager:GetSecretValue
sns:Publish
sqs:ChangeMessageVisibility
sqs:DeleteMessage
sqs:ReceiveMessage
sqs:SendMessage
ssm:GetParameter
ssm:GetParametersByPath
ssm:ListAssociations
ssm:ListInstanceAssociations
ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel

autoscaling:CompleteLifecycleAction
autoscaling:DescribeAutoScalingInstances
autoscaling:RecordLifecycleActionHeartbeat
cloudformation:DescribeStacks
cloudwatch:PutMetricData
ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage
ec2messages:GetEndpoint
ec2messages:GetMessages
ec2messages:SendReply
events:PutEvents
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:GetQueryResults
logs:PutLogEvents
logs:StartQuery
secretsmanager:GetSecretValue
sns:Publish
sqs:ChangeMessageVisibility
sqs:DeleteMessage
sqs:ReceiveMessage
sqs:SendMessage
ssm:GetParameter
ssm:GetParametersByPath
ssm:ListAssociations
ssm:ListInstanceAssociations
ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
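Before deploying, it is worth checking offline that the permission boundary you intend to pass as PermissionsBoundary really covers the actions listed above. The following script is an added example, not part of bucketAV or its documentation: it takes a boundary policy document and a required-action list (a constructed subset of the list above) and reports actions no Allow statement covers, plus actions hit by an explicit Deny; wildcard entries such as s3:GetObject* are only treated as covered by a boundary pattern that spans the whole family.

```python
import json
import re

# Constructed sample: a handful of the actions the page lists for bucketAV's roles.
REQUIRED_ACTIONS = [
    "sqs:ReceiveMessage", "sqs:DeleteMessage", "s3:GetObject*",
    "s3:PutObjectTagging", "kms:Decrypt", "sts:AssumeRole",
]

# Constructed sample boundary: grants the single action s3:GetObject instead of the
# s3:GetObject* family, and explicitly denies kms:Decrypt.
SAMPLE_BOUNDARY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sqs:*", "s3:GetObject", "s3:Put*Tagging", "kms:*", "sts:AssumeRole"]},
        {"Effect": "Deny", "Resource": "*", "Action": "kms:Decrypt"},
    ],
})

def glob_to_regex(pattern):
    # IAM action names match case-insensitively; '*' stands for any run of characters.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)

def covers(boundary_pattern, required):
    # A boundary glob covers a required action (itself possibly a glob like s3:GetObject*)
    # when it matches that string with '*' kept literal: "s3:Get*" does, "s3:GetObject" not.
    return glob_to_regex(boundary_pattern).fullmatch(required) is not None

def statement_actions(stmt, effect):
    # Only plain "Action" elements are understood; NotAction statements are skipped.
    if stmt.get("Effect") != effect or "Action" not in stmt:
        return []
    acts = stmt["Action"]
    return [acts] if isinstance(acts, str) else list(acts)

def check_boundary(policy_json, required=REQUIRED_ACTIONS):
    """Return (missing, denied): required actions no Allow statement covers, and those
    overlapping an explicit Deny (which wins over Allow). Resource/Condition are ignored."""
    statements = json.loads(policy_json)["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    allowed = [a for s in statements for a in statement_actions(s, "Allow")]
    denied_pats = [a for s in statements for a in statement_actions(s, "Deny")]
    missing = [r for r in required if not any(covers(a, r) for a in allowed)]
    denied = [r for r in required
              if any(covers(d, r) or covers(r, d) for d in denied_pats)]
    return missing, denied

if __name__ == "__main__":
    print(check_boundary(SAMPLE_BOUNDARY))  # (['s3:GetObject*'], ['kms:Decrypt'])
```

Replace REQUIRED_ACTIONS with the full list for the variant you deploy and SAMPLE_BOUNDARY with your organization's boundary document; the check covers actions only, so resource or condition restrictions in the boundary still need a manual review.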