AWS Integration FAQ
    • 28 Apr 2025
    FAQ

    What general permissions does Red Canary need in AWS?

    CloudTrail
    Red Canary needs permission within your AWS environment to read data from the S3 bucket that stores the CloudTrail telemetry. The S3 bucket must publish S3 object write events to an SNS topic, and Red Canary must have permission to subscribe to that topic.

    GuardDuty
    Red Canary needs permission within your AWS environment to read data from the S3 bucket that stores the GuardDuty findings. The S3 bucket must publish S3 object write events to an SNS topic, and Red Canary must have permission to subscribe to that topic.

    Environment Scanning
    Red Canary infrastructure needs to assume a role within your AWS environment in order to regularly scan for newly created accounts and resources, ensuring that data is properly attributed and monitored as the environment grows and evolves.

    Why does Red Canary need the permissions in the CloudFormation and Terraform templates?

    These permissions are the minimum we need for discovery inside your environment. None of them edits, adds, or deletes your resources in any way.

    The following permissions are required for the CloudTrail and GuardDuty integrations:

    | Service | Permission | Justification |
    |---|---|---|
    | S3 | s3:GetBucketLocation | Allows Red Canary to get the region of the S3 buckets used to store CloudTrail/GuardDuty information |
    | S3 | s3:GetBucketNotification | Allows Red Canary to retrieve the notification configuration for the S3 buckets used to store CloudTrail/GuardDuty information |
    | S3 | s3:ListBucket | Allows Red Canary to list the CloudTrail/GuardDuty information stored in the S3 buckets |
    | S3 | s3:GetObject | Allows Red Canary to fetch CloudTrail log files |
    | S3 | s3:GetObjectAttributes | Allows Red Canary to read extended attributes of the log files to enable processing |
    | S3 | s3:GetObjectVersion | Allows Red Canary to read the versions of the log files to enable processing |
    | SNS | sns:Subscribe, sns:ConfirmSubscription, sns:ListSubscriptionsByTopic, sns:Unsubscribe | Allows Red Canary to subscribe to an SQS queue for notification when files are added to the CloudTrail/GuardDuty S3 buckets |
    | KMS | kms:GetPublicKey, kms:DescribeKey, kms:Decrypt | Allows Red Canary to decrypt data from S3 (if you use KMS) |

    The following permissions are used for license calculation purposes. For more information, see How Cloud Control Plane Licensing and Usage are Determined.

    | Service | Permission | Justification |
    |---|---|---|
    | DynamoDB | dynamodb:ListGlobalTables, dynamodb:ListTables | Allows Red Canary to list DynamoDB tables for licensing purposes |
    | EC2 | ec2:DescribeInstances, ec2:DescribeVolumes | Allows Red Canary to list EC2 instances for licensing purposes |
    | ECR (Elastic Container Registry) | ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr:DescribeRepositories, ecr:ListImages | Allows Red Canary to list container images for licensing purposes |
    | ECS (Elastic Container Service) | ecs:DescribeServices, ecs:DescribeTaskDefinition, ecs:ListClusters, ecs:ListServices | Allows Red Canary to list container services for licensing purposes |
    | EKS (Elastic Kubernetes Service) | eks:ListClusters | Allows Red Canary to list EKS clusters for licensing purposes |
    | Elastic File System (EFS) | elasticfilesystem:DescribeFileSystems | Allows Red Canary to list EFS file systems for licensing purposes |
    | Lambda | lambda:ListFunctions | Allows Red Canary to list Lambda functions for licensing purposes |
    | RDS (Relational Database Service) | rds:DescribeDBInstances | Allows Red Canary to list RDS instances for licensing purposes |
    | S3 | s3:GetBucketLocation, s3:ListAllMyBuckets, s3:ListBucket | Allows Red Canary to list S3 buckets for licensing purposes |

    We also need the following AWS managed policies attached to the Red Canary partner access role (redcanary-partner-access):

    | Policy | Description |
    |---|---|
    | AmazonGuardDutyReadOnlyAccess | Allows Red Canary to poll the GuardDuty findings for ingestion and investigation |
    | AWSOrganizationsReadOnlyAccess | Allows Red Canary to read information about your AWS Organization to help enumerate accounts |
    | AWSResourceExplorerReadOnlyAccess | Allows Red Canary to read information about your AWS resources to help enumerate accounts |
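    Because the two permission tables above are presented as a least-privilege allowlist, a useful check before deploying the role is to confirm that the policy you are about to attach grants nothing beyond that list. The following is an added example, not Red Canary's code or template: it encodes the documented actions and audits an IAM policy document for extra or wildcard Allow actions. The `audit_policy` function name and the sample policy (constructed to contain one write action and one wildcard) are this example's own; the managed policies in the third table are attached separately and are not covered.

```python
import json

# Actions the FAQ lists for the CloudTrail/GuardDuty ingestion integration.
INGEST_ACTIONS = {
    "s3:GetBucketLocation", "s3:GetBucketNotification", "s3:ListBucket",
    "s3:GetObject", "s3:GetObjectAttributes", "s3:GetObjectVersion",
    "sns:Subscribe", "sns:ConfirmSubscription", "sns:ListSubscriptionsByTopic",
    "sns:Unsubscribe", "kms:GetPublicKey", "kms:DescribeKey", "kms:Decrypt",
}
# Actions the FAQ lists for license calculation.
LICENSE_ACTIONS = {
    "dynamodb:ListGlobalTables", "dynamodb:ListTables", "ec2:DescribeInstances",
    "ec2:DescribeVolumes", "ecr-public:DescribeImages", "ecr:ListImages",
    "ecr-public:DescribeRepositories", "ecr:DescribeRepositories",
    "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:ListClusters",
    "ecs:ListServices", "eks:ListClusters", "lambda:ListFunctions",
    "elasticfilesystem:DescribeFileSystems", "rds:DescribeDBInstances",
    "s3:ListAllMyBuckets",
}
DOCUMENTED_ACTIONS = INGEST_ACTIONS | LICENSE_ACTIONS

def audit_policy(policy: dict) -> dict:
    """Return Allow actions that exceed the FAQ's list; wildcards such as
    "ec2:*" are reported separately. Deny statements are ignored."""
    excess, wildcards = set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if "*" in action or "?" in action:
                wildcards.add(action)
            elif action not in DOCUMENTED_ACTIONS:
                excess.add(action)
    return {"excess": sorted(excess), "wildcards": sorted(wildcards)}

# Constructed sample policy (not Red Canary's template): documented read actions
# plus one write action and one wildcard, both of which should be flagged.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}""")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

    Run it against the policy document from your generated CloudFormation or Terraform template; an empty "excess" and "wildcards" result means the role grants only the documented read-only actions.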

    Do I need to have GuardDuty enabled?

    Important Cost Information

    Before enabling GuardDuty, understand that it’s a paid service that monitors for malicious activity and unauthorized behavior to protect your AWS resources. The service charges are based on the volume of AWS data analyzed, such as logs and events. Ensure you review the pricing details on the GuardDuty page to understand the cost implications and budget accordingly before activation.

    Red Canary strongly recommends turning on AWS GuardDuty. GuardDuty bolsters your security posture and helps correlate and enrich the CloudTrail telemetry we are already analyzing. By enabling GuardDuty, you are not just collecting data but enabling our systems to deliver deeper insights and more comprehensive security analysis.

    Together, GuardDuty and CloudTrail enhance Red Canary's ability to detect and respond to potential threats more swiftly and effectively.

    Finally, GuardDuty acts as an extra layer of intelligence, providing context to the recorded telemetry by correlating different data points and highlighting activities that require closer inspection. Red Canary can review what has been recorded, understand the bigger picture, and respond more effectively to security incidents.

    Can I remove GuardDuty from the integration?

    While we recommend that you allow Red Canary to ingest GuardDuty findings, you can remove GuardDuty from the integration by deleting the ARNs from the GuardDuty section on the configuration page. You can also add GuardDuty if you chose to skip it during initial provisioning.

    Must the 'redcanary-partner-access' role be deployed to all AWS accounts, and how should it be configured?

    Yes. You must deploy the 'redcanary-partner-access' role to all AWS accounts. It is used to access the S3 buckets where the CloudTrail and GuardDuty data is stored, and also for license scanning. We suggest using CloudFormation to automate this deployment, using the template generated by the integration configuration page.
