Exciting news! We are redesigning the Arctic Wolf Help Documentation site to provide a better user experience. Our new site will launch on May 1, 2024.

AWS Permissions Granted to Arctic Wolf

Updated Jan 17, 2024

AWS permissions granted to Arctic Wolf

The CloudFormation templates create an Identity and Access Management (IAM) role in your Amazon Web Services® (AWS) account that Arctic Wolf® uses to collect security events and support your Concierge Security® Team (CST) with basic diagnostic information. This IAM role has these permissions, in addition to the permissions that the AWS managed Security Audit policy provides:

Event Permission
S3 buckets storing CloudTrail and Cloudwatch logs:
  • s3:ListBucket
  • s3:GetObject
  • s3:GetBucketNotification
  • s3:PutBucketNotification
Collect logs and maintain notifications of new log content from your account to Arctic Wolf.
Diagnostic events:
  • cloudformation:Describe*
  • cloudformation:List*
  • ec2:Describe*
  • firehose:Describe*
  • firehose:List*
  • logs:Describe*
  • logs:Get*
Collect diagnostics from your AWS account and complete troubleshooting as necessary.
CloudTrail information:
  • cloudtrail:Get*
  • cloudtrail:DescribeTrails
  • cloudtrail:LookupEvents
Retrieve information from CloudTrail.
New log content notifications:
  • sns:GetTopicAttributes
  • sns:ListSubscriptionsByTopic
  • sns:Subscribe
Confirm and maintain notifications of new log content from your account to Arctic Wolf.
Resources:
  • acm:DescribeCertificate
  • acm:ListCertificates
  • logs:DescribeLogGroups
  • logs:DescribeMetricFilters
  • es:DescribeElasticsearchDomainConfig
  • ses:GetIdentity
  • sns:ListSubscriptionsByTopic
A variety of cross-service, read-only permissions that allows Arctic Wolf to audit resources in your account.
guardduty:* and related IAM permissions Lets Arctic Wolf enable and access AWS GuardDuty service in your account, if desired. For more information about AWS GuardDuty, see the AWS GuardDuty documentation and pricing on the AWS website.