Cross-Account Role Permissions

An outline of the permissions associated with the Cross-Account role.

To deploy AUTOMATE+ with end-to-end functionality, a Cross-Account role must be created within your AWS account. AUTOMATE+ provides a CloudFormation template that creates the Cross-Account role for you.

The deployment of AUTOMATE+ is a multi-step process which has two primary phases:
1) Deployment
2) Post-Deployment

AUTOMATE+ requires certain permissions to complete the deployment step of the application, as well as ongoing permissions that allow the application to function as required after deployment. Both the Deployment and Post-Deployment phase permissions have been hardened to ensure least privilege.

As shown below, the Deployment phase has many more permissions than the Post-Deployment phase; these additional permissions are required to deploy the components of the application correctly within your AWS account. Once the deployment of AUTOMATE+ is complete, the final automated step removes all Deployment permissions that are no longer needed.

You can review both the Deployment and Post-Deployment permissions at any point during the deployment process from within your AWS IAM console.

The Cross-Account Role created by AUTOMATE+ is named six-pillars-role.

Post-Deployment Permissions

6pillars-access
{
  "Action": [
    "events:DescribeRule",
    "events:DisableRule",
    "events:EnableRule",
    "events:ListRules",
    "states:StartExecution"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-drs-control-access
{
  "Action": [
    "ec2:DescribeInstances",
    "drs:DescribeSourceServers",
    "drs:GetReplicationConfiguration",
    "drs:DescribeJobs",
    "drs:DescribeRecoverySnapshots",
    "drs:StartRecovery"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-read-only-access
{
  "Action": [
    "securityhub:UpdateStandardsControl",
    "securityhub:DescribeStandardsControls",
    "securityhub:GetEnabledStandards",
    "securityhub:GetFindings",
    "wellarchitected:CreateWorkload",
    "wellarchitected:UpdateAnswer",
    "wellarchitected:CreateMilestone",
    "wellarchitected:DeleteWorkload",
    "wellarchitected:List*",
    "wellarchitected:Get*"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-security-hub-integration-access
{
  "Action": [
    "securityhub:EnableImportFindingsForProduct",
    "securityhub:BatchImportFindings",
    "securityhub:GetInsights",
    "securityhub:ListMembers"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-support-control-access
{
  "Action": "support:DescribeSeverityLevels",
  "Resource": "*",
  "Effect": "Allow"
}

Deployment Permissions

As outlined above, the permissions listed below are in place only for the time taken to complete the deployment of AUTOMATE+ (approx. 25 minutes).

6pillars-access
{
  "Action": [
    "events:DescribeRule",
    "events:DisableRule",
    "events:EnableRule",
    "events:ListRules",
    "states:StartExecution"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-deploy-access
{
  "Action": [
    "securityhub:CreateActionTarget",
    "securityhub:DeleteActionTarget",
    "securityhub:DescribeActionTargets",
    "securityhub:BatchUpdateFindings",
    "securityhub:EnableSecurityHub",
    "securityhub:DescribeStandards",
    "securityhub:BatchEnableStandards",
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutMetricFilter",
    "logs:PutRetentionPolicy",
    "logs:GetLogEvents",
    "sts:AssumeRole",
    "sts:GetCallerIdentity",
    "states:StartExecution",
    "states:CreateStateMachine",
    "states:DescribeStateMachine",
    "states:TagResource",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:PutParameter",
    "ssm:DescribeAutomationExecutions",
    "ssm:DescribeDocument",
    "ssm:StartAutomationExecution",
    "ssm:GetAutomationExecution",
    "ssm:DescribeAutomationStepExecutions",
    "ssm:DeleteParameter",
    "ssm:CreateActivation",
    "ssm:CreateAssociation",
    "ssm:CreateDocument",
    "ssm:DeleteActivation",
    "ssm:DeleteAssociation",
    "ssm:DeleteDocument",
    "ssm:Describe*",
    "ssm:Get*",
    "ssm:List*",
    "cloudwatch:PutMetricData",
    "cloudwatch:PutMetricAlarm",
    "iam:GetPolicy",
    "iam:ListEntitiesForPolicy",
    "iam:DetachUserPolicy",
    "iam:DetachGroupPolicy",
    "iam:AttachGroupPolicy",
    "iam:GetGroup",
    "iam:CreateGroup",
    "iam:AddUserToGroup",
    "iam:GetRole",
    "iam:PassRole",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:TagRole",
    "iam:UpdateAccessKey",
    "iam:ListAccessKeys",
    "iam:GetAccessKeyLastUsed",
    "iam:GetUser",
    "iam:GetLoginProfile",
    "iam:DeleteLoginProfile",
    "iam:UpdateAccountPasswordPolicy",
    "iam:GetAccountPasswordPolicy",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:GetRolePolicy",
    "iam:PutRolePolicy",
    "iam:DeleteRole",
    "iam:CreateServiceLinkedRole",
    "iam:CreatePolicy",
    "cloudtrail:CreateTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:GetTrail",
    "cloudtrail:StartLogging",
    "s3:GetBucketPolicy",
    "s3:CreateBucket",
    "s3:PutEncryptionConfiguration",
    "s3:PutBucketLogging",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:GetBucketPublicAccessBlock",
    "s3:PutAccountPublicAccessBlock",
    "s3:GetAccountPublicAccessBlock",
    "s3:DeleteBucketPolicy",
    "sns:CreateTopic",
    "sns:SetTopicAttributes",
    "sns:GetTopicAttributes",
    "sns:AddPermission",
    "sns:DeleteTopic",
    "sns:ConfirmSubscription",
    "sns:GetSubscriptionAttributes",
    "sns:List*",
    "sns:SetSubscriptionAttributes",
    "sns:Subscribe",
    "autoscaling:UpdateAutoScalingGroup",
    "autoscaling:DescribeAutoScalingGroups",
    "config:PutConfigurationRecorder",
    "config:PutDeliveryChannel",
    "config:DescribeConfigurationRecorders",
    "config:StartConfigurationRecorder",
    "config:ListDiscoveredResources",
    "config:GetResourceConfigHistory",
    "config:DeleteDeliveryChannel",
    "config:DeleteConfigurationRecorder",
    "config:DescribeDeliveryChannels",
    "ec2:CreateFlowLogs",
    "ec2:ModifySnapshotAttribute",
    "ec2:DescribeSnapshots",
    "ec2:DescribeSecurityGroupReferences",
    "ec2:DescribeSecurityGroups",
    "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
    "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:EnableEBSEncryptionByDefault",
    "ec2:GetEbsEncryptionByDefault",
    "rds:ModifyDBSnapshotAttribute",
    "rds:ModifyDBClusterSnapshotAttribute",
    "rds:DescribeDBClusters",
    "rds:ModifyDBCluster",
    "rds:ModifyDBInstance",
    "rds:DescribeDBInstances",
    "rds:CopyDBSnapshot",
    "rds:CopyDBClusterSnapshot",
    "rds:DescribeDBSnapshots",
    "rds:DescribeDBClusterSnapshots",
    "rds:DeleteDBSnapshot",
    "rds:DeleteDBClusterSnapshots",
    "lambda:GetPolicy",
    "lambda:InvokeFunction",
    "lambda:RemovePermission",
    "lambda:GetFunction",
    "lambda:GetFunctionCodeSigningConfig",
    "lambda:CreateFunction",
    "lambda:DeleteFunction",
    "lambda:PublishLayerVersion",
    "lambda:DeleteLayerVersion",
    "lambda:GetLayerVersion",
    "kms:EnableKeyRotation",
    "kms:GetKeyRotationStatus",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:CreateKey",
    "kms:PutKeyPolicy",
    "kms:DescribeKey",
    "kms:CreateAlias",
    "kms:DeleteAlias",
    "kms:ListKeys",
    "kms:ListAliases",
    "cloudformation:CreateStack",
    "cloudformation:DescribeChangeSet",
    "cloudformation:DescribeStacks",
    "events:PutRule",
    "events:RemoveTargets",
    "events:DescribeRule",
    "events:PutTargets",
    "events:DeleteRule",
    "servicecatalog:SearchProducts",
    "servicecatalog:ListLaunchPaths",
    "servicecatalog:ListProvisioningArtifacts",
    "servicecatalog:ProvisionProduct",
    "servicecatalog:DescribeProvisionedProduct",
    "sqs:GetQueueAttributes",
    "sqs:List*",
    "codeBuild:BatchGetProjects",
    "codeBuild:UpdateProject",
    "redshift:ModifyCluster",
    "redshift:DescribeClusters",
    "redshift:DescribeLoggingStatus",
    "redshift:EnableLogging",
    "lambda:PutFunctionConcurrency"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-drs-control-access
{
  "Action": [
    "ec2:DescribeInstances",
    "drs:DescribeSourceServers",
    "drs:GetReplicationConfiguration",
    "drs:DescribeJobs",
    "drs:DescribeRecoverySnapshots",
    "drs:StartRecovery"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-playbook-access-cross-account
{
  "Resource": [
    "arn:aws:s3:::5pillars-uat-playbooks-reference/*",
    "arn:aws:s3:::5pillars-uat-playbooks-ap-southeast-2/*",
    "arn:aws:s3:::5pillars-uat-playbooks-ap-southeast-1/*",
    "arn:aws:s3:::5pillars-uat-playbooks-ap-south-1/*",
    "arn:aws:s3:::5pillars-uat-playbooks-ap-northeast-1/*",
    "arn:aws:s3:::5pillars-uat-playbooks-us-east-1/*",
    "arn:aws:s3:::5pillars-uat-playbooks-us-east-2/*",
    "arn:aws:s3:::5pillars-uat-playbooks-us-west-1/*",
    "arn:aws:s3:::5pillars-uat-playbooks-us-west-2/*"
  ],
  "Effect": "Allow"
}

6pillars-read-only-access
{
  "Action": [
    "securityhub:UpdateStandardsControl",
    "securityhub:DescribeStandardsControls",
    "securityhub:GetEnabledStandards",
    "securityhub:GetFindings",
    "wellarchitected:CreateWorkload",
    "wellarchitected:UpdateAnswer",
    "wellarchitected:CreateMilestone",
    "wellarchitected:DeleteWorkload",
    "wellarchitected:List*",
    "wellarchitected:Get*"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-security-hub-integration-access
{
  "Action": [
    "securityhub:EnableImportFindingsForProduct",
    "securityhub:BatchImportFindings",
    "securityhub:GetInsights",
    "securityhub:ListMembers"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

6pillars-support-control-access
{
  "Action": "support:DescribeSeverityLevels",
  "Resource": "*",
  "Effect": "Allow"
}
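Once the final automated step has removed the Deployment permissions, you can confirm from the role's inline policies that only the Post-Deployment policies listed above remain. The following is an added example, not part of the AUTOMATE+ template or 6pillars tooling; it assumes the policies are inline policies on six-pillars-role whose documents you have fetched with boto3's iam.list_role_policies and iam.get_role_policy (the constructed sample input lives in the comments and in the function docstring).

```python
import fnmatch

# Post-Deployment inline policies documented on this page (policy name -> allowed actions).
POST_DEPLOYMENT = {
    "6pillars-access": {"events:DescribeRule", "events:DisableRule", "events:EnableRule",
                        "events:ListRules", "states:StartExecution"},
    "6pillars-drs-control-access": {"ec2:DescribeInstances", "drs:DescribeSourceServers",
                                    "drs:GetReplicationConfiguration", "drs:DescribeJobs",
                                    "drs:DescribeRecoverySnapshots", "drs:StartRecovery"},
    "6pillars-read-only-access": {"securityhub:UpdateStandardsControl",
        "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards",
        "securityhub:GetFindings", "wellarchitected:CreateWorkload",
        "wellarchitected:UpdateAnswer", "wellarchitected:CreateMilestone",
        "wellarchitected:DeleteWorkload", "wellarchitected:List*", "wellarchitected:Get*"},
    "6pillars-security-hub-integration-access": {"securityhub:EnableImportFindingsForProduct",
        "securityhub:BatchImportFindings", "securityhub:GetInsights", "securityhub:ListMembers"},
    "6pillars-support-control-access": {"support:DescribeSeverityLevels"},
}
# Inline policies that should exist only during the ~25 minute deployment window.
DEPLOYMENT_ONLY = {"6pillars-deploy-access", "6pillars-playbook-access-cross-account"}


def allowed_actions(policy_doc):
    """Collect the Action values of every Allow statement (string or list form)."""
    statements = policy_doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions


def check_post_deployment(inline_policies):
    """inline_policies maps policy name -> policy document, i.e. the PolicyDocument that
    iam.get_role_policy(RoleName="six-pillars-role", PolicyName=name) returns for each
    name from iam.list_role_policies. Empty result: only documented permissions remain."""
    findings = []
    for name, doc in inline_policies.items():
        if name in DEPLOYMENT_ONLY:
            findings.append(f"{name}: deployment-only policy still attached")
        elif name not in POST_DEPLOYMENT:
            findings.append(f"{name}: not a documented Post-Deployment policy")
        else:
            for action in allowed_actions(doc):
                # Documented wildcards (e.g. wellarchitected:Get*) cover the actions they
                # match; anything broader, such as wellarchitected:* or *, is reported.
                if not any(fnmatch.fnmatchcase(action, pat) for pat in POST_DEPLOYMENT[name]):
                    findings.append(f"{name}: unexpected action {action}")
    return sorted(findings)
```

Run it a second time before each AUTOMATE+ upgrade, since a redeployment re-attaches 6pillars-deploy-access for the duration of the run.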

Should you require further information on 6pillars AUTOMATE+ deployment processes or permission sets, please contact us at secure@6pillars.io.