What general permissions does Red Canary need in AWS?
CloudTrail
Red Canary needs permission within your AWS environment to read data from the S3 bucket which stores the CloudTrail telemetry. The S3 bucket must publish S3 object write events to a SNS topic, and Red Canary must have permission to subscribe to that topic.
GuardDuty
Red Canary needs permission within your AWS environment to read data from the S3 bucket which stores the GuardDuty findings. The S3 bucket must publish S3 object write events to a SNS topic, and Red Canary must have permission to subscribe to that topic.
Environment Scanning
Red Canary infrastructure needs to assume a role within your AWS environment in order to regularly scan for newly-created accounts and resources, ensuring that data is properly attributed and monitored as the environment grows and evolves.
Why does Red Canary need the permissions in the CloudFormation and Terraform templates?
The permissions are the minimum we need for discovery inside your environment. None of these permissions edit, add, or delete your resources in any way.
The following permissions are required for the CloudTrail and GuardDuty integrations:
Service | Permission | Justification |
S3 | s3:GetBucketLocation | Allows Red Canary to get the region for the S3 buckets used to store CloudTrail/GuardDuty information |
s3:GetBucketNotification | Allows Red Canary to to retrieve the notification configuration for the S3 buckets used to store CloudTrail/GuardDuty information | |
s3:ListBucket | Allows Red Canary to look at CloudTrail/GuardDuty information stored in the S3 buckets | |
s3:GetObject | Allows Red Canary to fetch CloudTrail log files | |
s3:GetObjectAttributes | Allows Red Canary to look at extended attributes of the log files to enable processing | |
s3:GetObjectVersion | Allows Red Canary to look at the versions of the log files to enable processing | |
SNS | sns:Subscribe | Allow Red Canary to subscribe to an SQS Queue for notification when files are added to the CloudTrail/GuardDuty S3 buckets |
KMS | kms:GetPublicKey | Allows Red Canary to decrypt data from S3 (if you use KMS) |
GuardDuty | guardduty:CreateSampleFindings | Allows Red Canary to create sample findings for status checks |
The following permissions are used for license calculation purposes. For more information, see How Cloud Control Plane Licensing and Usage are Determined.
Service | Permission | Justification |
DynamoDB | dynamodb:ListGlobalTables | Allows Red Canary to list DynamoDB Tables for licensing purposes |
EC2 | ec2:DescribeInstances | Allows Red Canary to list EC2 Instances for licensing purposes |
ECS (Elastic Container Service) | ecs:DescribeServices | AllowsRed Canary to list Container Services for licensing purposes |
EKS (Elastic Kubernetes Service) | eks:ListClusters | Allows Red Canary to list EKS Clusters for licensing purposes |
Elastic File System (EFS) | elasticfilesystem:DescribeFileSystems | Allows Red Canary to list EFS for licensing purposes |
Lambda | lambda:ListFunctions | Allows Red Canary to list Lambda Functions for licensing purposes |
RDS (Relational Database Service) | rds:DescribeDBInstances | Allows Red Canary to list RDS Instances for licensing purposes |
S3 | s3:GetBucketLocation | Allows Red Canary to list S3 Buckets for licensing purposes |
The following permissions are used for troubleshooting the integration:
Service | Permission | Justification |
IAM | iam:ListRolePolicies | Allows Red Canary to confirm that your role's AWS policies are set correctly |
We also need the following roles for the Red Canary partner access role (redcanary-partner-access):
Role | Description |
AmazonGuardDutyReadOnlyAccess | Allows Red Canary to poll the GuardDuty findings for ingestion and investigation |
AWSOrganizationsReadOnlyAccess | Allows Red Canary to read information about your AWS Organization to help enumerate accounts |
AWSResourceExplorerReadOnlyAccess | Allows Red Canary to read information about your AWS resources to help enumerate accounts |
Do I need to have GuardDuty enabled?
Important Cost Information
Before enabling GuardDuty, understand that it’s a paid service that monitors for malicious activity and unauthorized behavior to protect your AWS resources. The service charges are based on the volume of AWS data analyzed, such as logs and events. Ensure you review the pricing details on the GuardDuty page to understand the cost implications and budget accordingly before activation.
Red Canary strongly recommends turning on AWS GuardDuty. GuardDuty is a powerful ally that bolsters your security posture. It helps correlate and enrich the telemetry data we’re already analyzing with CloudTrail. By enabling GuardDuty, you're not just collecting data but empowering our systems to deliver deeper insights and more comprehensive security analysis.
GuardDuty and CloudTrail create a dynamic duo for Red Canary, enhancing our ability to detect and respond to potential threats more swiftly and effectively.
Finally, GuardDuty acts as an extra layer of intelligence, providing context to the footage by correlating different data points and highlighting activities that require closer inspection. Red Canary will be able to review what has been recorded while also understanding the bigger picture and respond more effectively to security incidents.
Can I remove GuardDuty from the integration?
While we recommend that you allow Red Canary to ingest GuardDuty findings, you can remove GuardDuty from the integration by deleting the ARNs from the GuardDuty section on the configuration page. You can also add GuardDuty if you chose to skip it during initial provisioning. Note that if you decide to add GuardDuty alerts later, you’ll also need to re-provision the IAM role to update the permissions.
Why are GuardDuty alerts not being processed?
A failing GuardDuty alerts are being processed status check in Red Canary can mean one of two things:
The Red Canary integration isn’t properly configured to read GuardDuty data from the S3 bucket
GuardDuty isn’t set up to export data to an S3 bucket in the AWS account
Please review Step 4 - Identify the GuardDuty S3 Bucket on the Integrate Amazon Web Services (AWS) with Red Canary page to ensure the integration is configured to read from the S3 bucket. For more information on setting up an S3 bucket for GuardDuty, see the AWS documentation.
Must the 'redcanary-partner-access role’ be deployed to all AWS accounts, and how should it be configured in the system?
Yes. You must deploy the redcanary-partner-access role to all AWS accounts. It’s used to access the S3 buckets where the CloudTrail and GuardDuty data is stored, and also for license scanning. We suggest using CloudFormation to automate this deployment, using the template generated by the integration configuration page.
Please do not rename the role or change its permissions.
Can I use an encrypted SNS topic for the S3 bucket notifications?
Yes, you can use an encrypted SNS topic to receive the event notifications sent when data is added to the S3 buckets that store the CloudTrail telemetry and GuardDuty findings. However, you’ll need to give the S3 service principal permission to access the KMS key used to encrypt the topic. Note that this means you can’t use an AWS managed key for encryption.
To set the service principal permissions, add the following policy to your KMS key:
{
"Version": "2012-10-17",
"Id": "example-ID",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*"
}
]
}For more information, please see the AWS documentation.