- 28 Apr 2025
- 3 Minutes to read
AWS Integration FAQ
FAQ
What general permissions does Red Canary need in AWS?
CloudTrail
Red Canary needs permission within your AWS environment to read data from the S3 bucket which stores the CloudTrail telemetry. The S3 bucket must publish S3 object write events to a SNS topic, and Red Canary must have permission to subscribe to that topic.
GuardDuty
Red Canary needs permission within your AWS environment to read data from the S3 bucket which stores the GuardDuty findings. The S3 bucket must publish S3 object write events to a SNS topic, and Red Canary must have permission to subscribe to that topic.
Environment Scanning
Red Canary infrastructure needs to assume a role within your AWS environment in order to regularly scan for newly-created accounts and resources, ensuring that data is properly attributed and monitored as the environment grows and evolves.
Why does Red Canary need the permissions in the CloudFormation and Terraform templates?
The permissions are the minimum we need for discovery inside your environment. None of these permissions edit, add, or delete your resources in any way.
The following permissions are required for the CloudTrail and GuardDuty integrations:
| Service | Permission | Justification |
|---|---|---|
| S3 | s3:GetBucketLocation | Allows Red Canary to get the region for the S3 buckets used to store CloudTrail/GuardDuty information |
| S3 | s3:GetBucketNotification | Allows Red Canary to retrieve the notification configuration for the S3 buckets used to store CloudTrail/GuardDuty information |
| S3 | s3:ListBucket | Allows Red Canary to look at CloudTrail/GuardDuty information stored in the S3 buckets |
| S3 | s3:GetObject | Allows Red Canary to fetch CloudTrail log files |
| S3 | s3:GetObjectAttributes | Allows Red Canary to look at extended attributes of the log files to enable processing |
| S3 | s3:GetObjectVersion | Allows Red Canary to look at the versions of the log files to enable processing |
| SNS | sns:Subscribe | Allows Red Canary to subscribe an SQS queue for notification when files are added to the CloudTrail/GuardDuty S3 buckets |
| KMS | kms:GetPublicKey | Allows Red Canary to decrypt data from S3 (if you use KMS) |
The following permissions are used for license calculation purposes. For more information, see How Cloud Control Plane Licensing and Usage are Determined.
| Service | Permission | Justification |
|---|---|---|
| DynamoDB | dynamodb:ListGlobalTables | Allows Red Canary to list DynamoDB tables for licensing purposes |
| EC2 | ec2:DescribeInstances | Allows Red Canary to list EC2 instances for licensing purposes |
| ECR (Elastic Container Registry) | ecr-public:DescribeImages | Allows Red Canary to list container images for licensing purposes |
| ECS (Elastic Container Service) | ecs:DescribeServices | Allows Red Canary to list container services for licensing purposes |
| EKS (Elastic Kubernetes Service) | eks:ListClusters | Allows Red Canary to list EKS clusters for licensing purposes |
| Elastic File System (EFS) | elasticfilesystem:DescribeFileSystems | Allows Red Canary to list EFS file systems for licensing purposes |
| Lambda | lambda:ListFunctions | Allows Red Canary to list Lambda functions for licensing purposes |
| RDS (Relational Database Service) | rds:DescribeDBInstances | Allows Red Canary to list RDS instances for licensing purposes |
| S3 | s3:GetBucketLocation | Allows Red Canary to list S3 buckets for licensing purposes |
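Because the FAQ states that these permissions are the minimum and that none of them modify resources, it is worth checking a deployed role against exactly that list before (or after) it is provisioned. The following is an added example, not Red Canary's template or tooling: it audits an IAM policy document against the actions from the two tables above, flags any action not on the list, flags wildcard patterns that cannot be reviewed against a fixed list, and reports documented actions that are missing. The sample policy is constructed for illustration and is deliberately over-broad.

```python
import fnmatch
import json

# Minimum actions the FAQ tables above document for the CloudTrail/GuardDuty
# integration and for license scanning (s3:GetBucketLocation is in both).
DOCUMENTED_ACTIONS = {
    "s3:GetBucketLocation", "s3:GetBucketNotification", "s3:ListBucket",
    "s3:GetObject", "s3:GetObjectAttributes", "s3:GetObjectVersion",
    "sns:Subscribe", "kms:GetPublicKey", "dynamodb:ListGlobalTables",
    "ec2:DescribeInstances", "ecr-public:DescribeImages", "ecs:DescribeServices",
    "eks:ListClusters", "elasticfilesystem:DescribeFileSystems",
    "lambda:ListFunctions", "rds:DescribeDBInstances",
}

def granted_actions(policy: dict) -> set:
    """Every action string in the policy's Allow statements ("Statement" and
    "Action" may each be a single value or a list)."""
    statements = policy.get("Statement", [])
    granted = set()
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def audit_policy(policy: dict) -> dict:
    """extra: exact actions the FAQ does not list; wildcards: patterns that
    cannot be reviewed against a fixed list; missing: documented actions not
    granted, counting wildcard matches (IAM matches case-insensitively)."""
    granted = granted_actions(policy)
    wildcards = {a for a in granted if "*" in a or "?" in a}
    extra = (granted - wildcards) - DOCUMENTED_ACTIONS
    covered = {d for d in DOCUMENTED_ACTIONS if d in granted or any(
        fnmatch.fnmatchcase(d.lower(), w.lower()) for w in wildcards)}
    return {"extra": sorted(extra), "wildcards": sorted(wildcards),
            "missing": sorted(DOCUMENTED_ACTIONS - covered)}

# Constructed sample: an over-broad draft policy, not a Red Canary template.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["s3:GetBucketLocation",
      "s3:GetBucketNotification", "s3:ListBucket", "s3:GetObject",
      "s3:GetObjectAttributes", "s3:GetObjectVersion", "s3:PutObject"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["sns:Subscribe", "kms:GetPublicKey"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:Describe*"},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteObject"}
  ]
}""")
```

Running `audit_policy(SAMPLE_POLICY)` reports `s3:PutObject` as an undocumented write action, `ec2:Describe*` as a wildcard to expand into explicit actions, and the seven license-scanning actions the draft does not grant.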
The Red Canary partner access role (redcanary-partner-access) also needs the following:
| Role | Description |
|---|---|
| AmazonGuardDutyReadOnlyAccess | Allows Red Canary to poll the GuardDuty findings for ingestion and investigation |
| AWSOrganizationsReadOnlyAccess | Allows Red Canary to read information about your AWS Organization to help enumerate accounts |
| AWSResourceExplorerReadOnlyAccess | Allows Red Canary to read information about your AWS resources to help enumerate accounts |
Do I need to have GuardDuty enabled?
Important Cost Information
Before enabling GuardDuty, understand that it’s a paid service that monitors for malicious activity and unauthorized behavior to protect your AWS resources. The service charges are based on the volume of AWS data analyzed, such as logs and events. Ensure you review the pricing details on the GuardDuty page to understand the cost implications and budget accordingly before activation.
Red Canary strongly recommends turning on AWS GuardDuty. GuardDuty is a powerful ally that bolsters your security posture. It helps correlate and enrich the telemetry data we’re already analyzing with CloudTrail. By enabling GuardDuty, you're not just collecting data but empowering our systems to deliver deeper insights and more comprehensive security analysis.
GuardDuty and CloudTrail create a dynamic duo for Red Canary, enhancing our ability to detect and respond to potential threats more swiftly and effectively.
Finally, GuardDuty acts as an extra layer of intelligence, providing context to the recorded telemetry by correlating different data points and highlighting activities that require closer inspection. Red Canary will be able to review what has been recorded while also understanding the bigger picture, and respond more effectively to security incidents.
Can I remove GuardDuty from the integration?
While we recommend that you allow Red Canary to ingest GuardDuty findings, you can remove GuardDuty from the integration by deleting the ARNs from the GuardDuty section on the configuration page. You can also add GuardDuty if you chose to skip it during initial provisioning.
Must the 'redcanary-partner-access' role be deployed to all AWS accounts, and how should it be configured in the system?
Yes. You must deploy the 'redcanary-partner-access' role to all AWS accounts. It’s used to access the S3 buckets where the CloudTrail and GuardDuty data is stored, and also for license scanning. We suggest using CloudFormation to automate this deployment, using the template generated by the integration configuration page.