AWS Permissions Granted to Arctic Wolf

Updated Aug 31, 2023


The CloudFormation templates create an Identity and Access Management (IAM) role in your Amazon Web Services® (AWS) account that Arctic Wolf uses to collect security events and to give your Concierge Security® Team (CST) basic diagnostic information. In addition to the permissions granted by the AWS managed policy SecurityAudit, the role has the permissions listed below. Most of them are read-only (Describe, Get, List and Lookup actions), but s3:PutBucketNotification, sns:Subscribe and guardduty:* can change configuration in your account, so review the Resource scoping of the generated role before you deploy the template.

Event: S3 buckets storing CloudTrail and CloudWatch logs
Permissions:
  • s3:ListBucket
  • s3:GetObject
  • s3:GetBucketNotification
  • s3:PutBucketNotification
Purpose: Collect logs and maintain notifications of new log content from your account to Arctic Wolf. s3:PutBucketNotification is a write action that changes a bucket's event notification configuration, so it should be limited to the log buckets.

Event: Diagnostic events
Permissions:
  • cloudformation:Describe*
  • cloudformation:List*
  • ec2:Describe*
  • firehose:Describe*
  • firehose:List*
  • logs:Describe*
  • logs:Get*
Purpose: Collect diagnostics from your AWS account and perform troubleshooting as necessary.

Event: CloudTrail information
Permissions:
  • cloudtrail:Get*
  • cloudtrail:DescribeTrails
  • cloudtrail:LookupEvents
Purpose: Retrieve trail configuration and event history from CloudTrail.

Event: New log content notifications
Permissions:
  • sns:GetTopicAttributes
  • sns:ListSubscriptionsByTopic
  • sns:Subscribe
Purpose: Confirm and maintain notifications of new log content from your account to Arctic Wolf. sns:Subscribe is a write action that adds subscribers to a topic; it should be limited to the topics that publish log notifications.

Event: Resources
Permissions:
  • acm:DescribeCertificate
  • acm:ListCertificates
  • logs:DescribeLogGroups
  • logs:DescribeMetricFilters
  • es:DescribeElasticsearchDomainConfig
  • ses:GetIdentity
  • sns:ListSubscriptionsByTopic
Purpose: A set of cross-service, read-only permissions that allows Arctic Wolf to audit resources in your account.

Event: GuardDuty
Permissions:
  • guardduty:* and related IAM permissions
Purpose: Lets Arctic Wolf enable and access Amazon GuardDuty in your account, if desired. Because guardduty:* includes write actions (for example creating, updating and deleting detectors), grant it only if you want Arctic Wolf to manage GuardDuty for you. For more information, see the Amazon GuardDuty documentation and pricing on the AWS website.
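As an added example (not Arctic Wolf's template or code), the following Python script shows the check a reviewer would run on the generated role before deploying it: it parses a permissions policy built from the permission list above, flags every Allow action that is not a Describe, Get, List or Lookup action together with whether its Resource is "*", and checks the role's trust policy for a wildcard principal and for the sts:ExternalId condition that a cross-account vendor role should carry. The policy documents, the resource ARNs, the Sids and the account ID 111122223333 are constructed placeholders, and the trust policy is constructed without an ExternalId condition so that the check has something to report.

```python
"""Audit a vendor-supplied IAM role before deploying it.

Added example, not Arctic Wolf's CloudFormation template. The permissions
policy below is constructed from the permission list on this page; the
resource ARNs, the Sids and the vendor account ID are hypothetical
placeholders. The trust policy is also constructed, and deliberately lacks
an sts:ExternalId condition so that the check has something to report.
"""
import json

# Verb prefixes that correspond to the IAM access levels "Read" and "List".
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")

# Constructed permissions policy mirroring the actions listed on this page.
PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LogBuckets", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject",
                    "s3:GetBucketNotification", "s3:PutBucketNotification"],
         "Resource": ["arn:aws:s3:::example-cloudtrail-logs",
                      "arn:aws:s3:::example-cloudtrail-logs/*"]},
        {"Sid": "Diagnostics", "Effect": "Allow",
         "Action": ["cloudformation:Describe*", "cloudformation:List*",
                    "ec2:Describe*", "firehose:Describe*", "firehose:List*",
                    "logs:Describe*", "logs:Get*"],
         "Resource": "*"},
        {"Sid": "CloudTrail", "Effect": "Allow",
         "Action": ["cloudtrail:Get*", "cloudtrail:DescribeTrails",
                    "cloudtrail:LookupEvents"],
         "Resource": "*"},
        {"Sid": "Notifications", "Effect": "Allow",
         "Action": ["sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic",
                    "sns:Subscribe"],
         "Resource": "*"},
        {"Sid": "GuardDuty", "Effect": "Allow",
         "Action": "guardduty:*", "Resource": "*"},
    ],
})

# Constructed trust policy; 111122223333 is a placeholder account ID.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def is_read_only(action):
    """True only if the action name starts with a read/list verb.

    'service:*' is treated as write-capable, because the wildcard also
    matches the service's Create/Put/Update/Delete actions.
    """
    _service, _, name = action.partition(":")
    return name not in ("", "*") and name.startswith(READ_ONLY_PREFIXES)


def audit_permissions(policy_json):
    """Return the Allow actions that can change state, with their scoping."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if not is_read_only(action):
                findings.append({"sid": stmt.get("Sid"), "action": action,
                                 "resource_wildcard": unscoped})
    return findings


def audit_trust_policy(trust_json):
    """Flag AssumeRole statements open to any principal or missing ExternalId."""
    issues = []
    for stmt in json.loads(trust_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            issues.append("AssumeRole allowed for any AWS principal")
        conditions = stmt.get("Condition", {})
        # Condition values are {operator: {key: value}}; look for the key.
        if not any("sts:ExternalId" in keys for keys in conditions.values()):
            issues.append("AssumeRole without an sts:ExternalId condition")
    return issues


if __name__ == "__main__":
    for f in audit_permissions(PERMISSIONS_POLICY):
        scope = "Resource *" if f["resource_wildcard"] else "scoped"
        print(f"write-capable: {f['sid']:<14} {f['action']:<28} ({scope})")
    for issue in audit_trust_policy(TRUST_POLICY):
        print(f"trust policy: {issue}")
```

To run this against a deployed role, replace the two constants with the AssumeRolePolicyDocument returned by aws iam get-role and the policy document returned by aws iam get-role-policy. The verb-prefix classifier is a heuristic: an action with a read prefix can still be sensitive (s3:GetObject reads the log contents), so treat the IAM Service Authorization Reference access levels as the authority when a finding is borderline.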