AWS Permissions Granted to Arctic Wolf

Updated Aug 31, 2023

AWS permissions granted to Arctic Wolf

AWS permissions granted to Arctic Wolf

The CloudFormation templates create an Identity and Access Management (IAM) role in your Amazon Web Services® (AWS) account that Arctic Wolf uses to collect security events and support your Concierge Security® Team (CST) with basic diagnostic information. This IAM role has the following permissions, in addition to the permissions that the AWS managed Security Audit policy provides:

Event	Permission
S3 buckets storing CloudTrail and Cloudwatch logs: s3:ListBucket s3:GetObject s3:GetBucketNotification s3:PutBucketNotification	Collect logs and maintain notifications of new log content from your account to Arctic Wolf.
Diagnostic events: cloudformation:Describe* cloudformation:List* ec2:Describe* firehose:Describe* firehose:List* logs:Describe* logs:Get*	Collect diagnostics from your AWS account and perform troubleshooting as necessary.
CloudTrail information: cloudtrail:Get* cloudtrail:DescribeTrails cloudtrail:LookupEvents	Retrieve information from CloudTrail.
New log content notifications: sns:GetTopicAttributes sns:ListSubscriptionsByTopic sns:Subscribe	Confirm and maintain notifications of new log content from your account to Arctic Wolf.
Resources: acm:DescribeCertificate acm:ListCertificates logs:DescribeLogGroups logs:DescribeMetricFilters es:DescribeElasticsearchDomainConfig ses:GetIdentity sns:ListSubscriptionsByTopic	A variety of cross-service, read-only permissions that allows Arctic Wolf to audit resources in your account.
guardduty:* and related IAM permissions	Lets Arctic Wolf enable and access AWS GuardDuty service in your account, if desired. For more information about AWS GuardDuty, see the AWS GuardDuty documentation and pricing on the AWS website.