AWS permissions granted to Arctic Wolf

The CloudFormation templates create an Identity and Access Management (IAM) role in your Amazon Web Services (AWS)® account. Arctic Wolf® uses the IAM role to collect security events and support your Concierge Security® Team (CST) with basic diagnostic information. This IAM role has these permissions, in addition to the permissions that the AWS managed Security Audit policy provides:

Each entry lists the permissions granted, followed by the purpose for which Arctic Wolf uses them.

S3 buckets storing CloudTrail and CloudWatch logs:
  • s3:ListBucket
  • s3:GetObject
  • s3:GetBucketNotification
  • s3:PutBucketNotification
  Purpose: Collect logs and maintain notifications of new log content from your account to Arctic Wolf.

Diagnostic events:
  • cloudformation:Describe*
  • cloudformation:List*
  • ec2:Describe*
  • firehose:Describe*
  • firehose:List*
  • logs:Describe*
  • logs:Get*
  Purpose: Collect diagnostics from your AWS account and complete troubleshooting, as necessary.

CloudTrail information:
  • cloudtrail:Get*
  • cloudtrail:DescribeTrails
  • cloudtrail:LookupEvents
  Purpose: Retrieve information from CloudTrail.

New log content notifications:
  • sns:GetTopicAttributes
  • sns:ListSubscriptionsByTopic
  • sns:Subscribe
  Purpose: Confirm and maintain notifications of new log content from your account to Arctic Wolf.

Resources:
  • acm:DescribeCertificate
  • acm:ListCertificates
  • logs:DescribeLogGroups
  • logs:DescribeMetricFilters
  • es:DescribeElasticsearchDomainConfig
  • ses:GetIdentity
  • sns:ListSubscriptionsByTopic
  Purpose: A variety of cross-service, read-only permissions that allow Arctic Wolf to audit resources in your account.

GuardDuty:
  • guardduty:* and related IAM permissions
  Purpose: Lets Arctic Wolf enable and access the GuardDuty service in your account, if desired.

Encrypted logs:
  • kms:Decrypt
  Purpose: Enables the IAM role to decrypt encrypted logs for ingestion.
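As an added check (example code, not Arctic Wolf's own), the script below compares a role's inline or attached policy document against the permission list above and reports any Allow action that is broader than what is documented, so you can confirm the deployed role has not drifted past the stated scope. It assumes the policy has already been fetched as a dict (for example with the AWS CLI or boto3); the sample policy is constructed, and the AWS managed Security Audit policy is out of scope for this check.

```python
import fnmatch

# Actions this page documents for the Arctic Wolf IAM role. The AWS managed
# Security Audit policy is attached separately and is not checked here.
DOCUMENTED_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:GetBucketNotification",
    "s3:PutBucketNotification", "cloudformation:Describe*",
    "cloudformation:List*", "ec2:Describe*", "firehose:Describe*",
    "firehose:List*", "logs:Describe*", "logs:Get*", "cloudtrail:Get*",
    "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
    "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:Subscribe",
    "acm:DescribeCertificate", "acm:ListCertificates", "logs:DescribeLogGroups",
    "logs:DescribeMetricFilters", "es:DescribeElasticsearchDomainConfig",
    "ses:GetIdentity", "guardduty:*", "kms:Decrypt",
]

def is_covered(action, documented=DOCUMENTED_ACTIONS):
    # IAM compares action names case-insensitively and allows '*' and '?'.
    # Matching each documented pattern against the requested action taken as
    # a literal string means ec2:DescribeInstances is covered by ec2:Describe*,
    # while a requested wildcard such as logs:* is not covered by logs:Get*.
    target = action.lower()
    return any(fnmatch.fnmatchcase(target, doc.lower()) for doc in documented)

def undocumented_actions(policy, documented=DOCUMENTED_ACTIONS):
    # Return Allow actions that exceed the documented set, in policy order.
    # A NotAction statement allows everything except what it lists, so it is
    # reported whole for manual review rather than expanded.
    findings = []
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction:%s" % stmt["NotAction"])
            continue
        actions = stmt.get("Action", [])
        for act in [actions] if isinstance(actions, str) else actions:
            if not is_covered(act, documented) and act not in findings:
                findings.append(act)
    return findings

# Constructed sample: a deployed role policy that drifted past the documented scope.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "ec2:DescribeInstances", "KMS:Decrypt"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["logs:*", "iam:PassRole"]},
]}

if __name__ == "__main__":
    print(undocumented_actions(SAMPLE_POLICY))  # ['logs:*', 'iam:PassRole']
```

Anything reported should be reconciled with the list above before the role is left in place; the check does not evaluate Resource or Condition elements, so a documented action scoped to `*` still deserves a look.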