List of Amazon Web Services (AWS) permissions for use during Cortex XSIAM outpost onboarding to enable continuous monitoring in your cloud environment.
When onboarding Amazon Web Services (AWS) outposts, Cortex XSIAM creates an authentication template that requests the permissions needed for monitoring your cloud environment. Depending on which security capabilities you select in the onboarding wizard, different permissions are requested. The following tables are organized by security module and list the CSP permissions being requested as well as the purpose (and where relevant, the scope):
The following IAM policies are required for the Required base permissions module.
The following AWS permissions are granted by the artifact-bucket-delete-object-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:DeleteObject | The bucket must be owned by the user's current AWS account. | gcp_saas_role | Delete an object from an S3 bucket. This permission allows Cortex to remove temporary artifacts, logs, or results stored in the artifact bucket after they have been processed, ensuring storage hygiene. |
The following AWS permissions are granted by the artifact-bucket-list-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:ListBucket | Users can list the contents of the specific ${cf_template_bucket} bucket and of any S3 bucket they own whose name starts with the prefix ${bucket_name}- | gcp_saas_role, dspm_scanner, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | List bucket contents. This permission allows Cortex to view the objects within specific S3 buckets. It is necessary to identify available input files, logs, or templates that need to be processed. |
The following AWS permissions are granted by the artifact-bucket-put-policy-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:GetBucketPolicy | The bucket must be owned by the user's current AWS account. | gcp_saas_role | Retrieve the bucket policy. This allows Cortex to verify the access permissions configured on the artifact bucket, ensuring that the policy allows the necessary access for the outpost and scanner roles. |
s3:PutBucketPolicy | S3 buckets that users own and whose name begins with the prefix: ${bucket_name}- | gcp_saas_role | Update the bucket policy. This permission allows Cortex to apply or update the resource-based policy on the artifact bucket. This ensures that the bucket is correctly secured and that only authorized entities have access. |
The following AWS permissions are granted by the artifact-bucket-write-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:GetObject | Users can read (download) any file from the ${cf_template_bucket}. Users can also read files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-, with specific access paths defined for the general bucket contents and for files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Download an object from an S3 bucket. This permission enables Cortex to retrieve configuration templates, input data, or logs from specified buckets. It is essential for the operation of the outpost and the retrieval of scan results. |
s3:GetObjectAttributes | Users can read the metadata (attributes) of files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-. This permission applies to files located anywhere within that bucket, but the specific paths are detailed as the general bucket contents and files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Get object attributes. This allows Cortex to retrieve system metadata and attributes for S3 objects, such as size or modification time, without downloading the entire file. This is useful for checking file status before processing. |
s3:PutObject | Communication buckets, artifact bucket, cf-template bucket, owned by the current AWS account | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Upload scan results / artifacts / logs / CF template to S3 |
The following AWS permissions are granted by the assume-role-other-accounts policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
sts:AssumeRole | Resource belongs to a different AWS account than the current account | dspm_scanner, registry_scanner, scanner_of_serverless, gcp_saas_role | Assume an IAM role. This permission allows the outpost to temporarily adopt the permissions of another role, typically in a different account. This is the mechanism used to perform cross-account scanning or to elevate privileges for specific tasks securely. |
The following AWS permissions are granted by the cf-template-bucket-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:GetObject | Users can read (download) any file from the ${cf_template_bucket}. Users can also read files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-, with specific access paths defined for the general bucket contents and for files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Download an object from an S3 bucket. This permission enables Cortex to retrieve configuration templates, input data, or logs from specified buckets. It is essential for the operation of the outpost and the retrieval of scan results. |
s3:ListBucket | Users can list the contents of the specific ${cf_template_bucket} bucket and of any S3 bucket they own whose name starts with the prefix ${bucket_name}- | gcp_saas_role, dspm_scanner, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | List bucket contents. This permission allows Cortex to view the objects within specific S3 buckets. It is necessary to identify available input files, logs, or templates that need to be processed. |
s3:PutObject | Communication buckets, artifact bucket, cf-template bucket, owned by the current AWS account | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Upload scan results / artifacts / logs / CF template to S3 |
The following AWS permissions are granted by the cortex-communications-bucket-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:GetObject | Users can read (download) any file from the ${cf_template_bucket}. Users can also read files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-, with specific access paths defined for the general bucket contents and for files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Download an object from an S3 bucket. This permission enables Cortex to retrieve configuration templates, input data, or logs from specified buckets. It is essential for the operation of the outpost and the retrieval of scan results. |
s3:GetObjectAttributes | Users can read the metadata (attributes) of files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-. This permission applies to files located anywhere within that bucket, but the specific paths are detailed as the general bucket contents and files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Get object attributes. This allows Cortex to retrieve system metadata and attributes for S3 objects, such as size or modification time, without downloading the entire file. This is useful for checking file status before processing. |
s3:ListBucket | Users can list the contents of the specific ${cf_template_bucket} bucket and of any S3 bucket they own whose name starts with the prefix ${bucket_name}- | gcp_saas_role, dspm_scanner, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | List bucket contents. This permission allows Cortex to view the objects within specific S3 buckets. It is necessary to identify available input files, logs, or templates that need to be processed. |
s3:PutObject | Communication buckets, artifact bucket, cf-template bucket, owned by the current AWS account | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Upload scan results / artifacts / logs / CF template to S3 |
The following AWS permissions are granted by the cortex-communications-proxy-bucket-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:GetObject | Users can read (download) any file from the ${cf_template_bucket}. Users can also read files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-, with specific access paths defined for the general bucket contents and for files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Download an object from an S3 bucket. This permission enables Cortex to retrieve configuration templates, input data, or logs from specified buckets. It is essential for the operation of the outpost and the retrieval of scan results. |
s3:GetObjectAttributes | Users can read the metadata (attributes) of files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-. This permission applies to files located anywhere within that bucket, but the specific paths are detailed as the general bucket contents and files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Get object attributes. This allows Cortex to retrieve system metadata and attributes for S3 objects, such as size or modification time, without downloading the entire file. This is useful for checking file status before processing. |
s3:ListBucket | Users can list the contents of the specific ${cf_template_bucket} bucket and of any S3 bucket they own whose name starts with the prefix ${bucket_name}- | gcp_saas_role, dspm_scanner, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | List bucket contents. This permission allows Cortex to view the objects within specific S3 buckets. It is necessary to identify available input files, logs, or templates that need to be processed. |
s3:PutObject | Communication buckets, artifact bucket, cf-template bucket, owned by the current AWS account | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Upload scan results / artifacts / logs / CF template to S3 |
The following AWS permissions are granted by the cortex-ssm-read policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
ssm:GetParameter | SSM parameter named cortex-outposts-..., but only if that specific parameter resource is already tagged with managed_by: paloaltonetworks | ads_scanner, dspm_scanner, registry_scanner | Retrieve an SSM parameter. This permission allows Cortex to fetch stored secrets, such as credentials for unmanaged container registries or database connections, enabling the scanner to authenticate and access those resources securely. |
The following AWS permissions are granted by the dspm-kms-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
kms:* | Keys must be accessed through a legitimate, identified AWS service (such as S3, RDS, EC2, and so on) | dspm_scanner | Perform cryptographic operations. This broad permission is required to handle encrypted data during the scanning process. It allows the scanner to decrypt volumes or snapshots encrypted with KMS keys to perform the analysis. |
kms:Decrypt | Redshift: keys accessed via the redshift-serverless service; DSPM: any key the scanner is otherwise granted access to | dspm_scanner, gcp_saas_role | Decrypt KMS-encrypted data during scanning |
kms:DescribeKey | Redshift: keys accessed via the redshift-serverless service; DSPM: any key the scanner is otherwise granted access to | dspm_scanner, gcp_saas_role | Retrieve metadata about a KMS key. Used to validate key configuration before decrypting Redshift (DSPM) data or customer data accessed by the DSPM scanner. |
The following AWS permissions are granted by the redshift-operations policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
ec2:DescribeAvailabilityZones | * | gcp_saas_role | List availability zones. This permission enables Cortex to determine the optimal location for deploying scanner resources, ensuring high availability and compliance with regional data residency requirements. |
kms:CreateGrant | Keys accessed via the redshift-serverless service | gcp_saas_role | Create a KMS grant. Required so Redshift Serverless (DSPM) can use the relevant KMS key on Cortex's behalf during data classification scans. |
kms:Decrypt | Redshift: keys accessed via the redshift-serverless service; DSPM: any key the scanner is otherwise granted access to | dspm_scanner, gcp_saas_role | Decrypt KMS-encrypted data during scanning |
kms:DescribeKey | Redshift: keys accessed via the redshift-serverless service; DSPM: any key the scanner is otherwise granted access to | dspm_scanner, gcp_saas_role | Retrieve metadata about a KMS key. Used to validate key configuration before decrypting Redshift (DSPM) data or customer data accessed by the DSPM scanner. |
The following AWS permissions are granted by the saas-role-policy policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
ec2:DescribeAddresses | * | gcp_saas_role | List Elastic IP addresses. This allows Cortex to identify available static IPs or verify the status of IPs allocated to proxy VMs, ensuring that network resources are correctly managed and available for use. |
ec2:DescribeVpcEndpoints | * | gcp_saas_role | List VPC endpoints. This allows Cortex to verify the existence and configuration of private endpoints used for secure communication with AWS services, ensuring that the isolated network environment is correctly set up. |
iam:PassRole | Limited to the specific list of roles designated as 'scanner roles' within the account | gcp_saas_role | Pass an IAM role to a service. This allows Cortex to assign a specific "scanner role" to the EC2 instances it launches. This ensures the scanner VMs have the exact permissions they need to operate, adhering to the principle of least privilege. |
kms:ReEncryptFrom | The request must be initiated by the Amazon EC2 service and be contextually tied to the encryption of an EBS volume or snapshot | gcp_saas_role | Re-encrypt data. This permission is used when copying encrypted snapshots. It allows Cortex to decrypt data encrypted with one key and re-encrypt it with another, ensuring that data remains secure even when moving between contexts or accounts. |
sqs:DeleteMessage | Messages from any SQS queue that is already tagged with managed_by: paloaltonetworks and whose name begins with the prefix: ${queue_prefix}- | gcp_saas_role | Delete a message from an SQS queue. This permission allows Cortex to remove messages from the queue after they have been successfully processed, preventing duplicate handling. |
sqs:GetQueueUrl | URL for any SQS queue that is already tagged with managed_by: paloaltonetworks and whose name begins with the prefix: ${queue_prefix}- | gcp_saas_role | Get the URL of an SQS queue. This allows Cortex to look up the correct address for the message queue it needs to interact with, enabling it to send or receive messages. |
sqs:ListQueues | URL for any SQS queue that is already tagged with managed_by: paloaltonetworks and whose name begins with the prefix: ${queue_prefix}- | gcp_saas_role | List SQS queues. This provides visibility into the available message queues, allowing Cortex to identify the correct queues for communication and coordination between outpost components. |
sqs:ReceiveMessage | Messages from any SQS queue that is already tagged with managed_by: paloaltonetworks and whose name begins with the prefix: ${queue_prefix}- | gcp_saas_role | Receive a message from an SQS queue. This permission allows Cortex to pull messages from the queue, which typically contain instructions, notifications, or status updates regarding scanning tasks. |
ssm:AddTagsToResource | SSM Parameter named cortex-outposts-..., but only if the tagging request itself includes the managed_by: paloaltonetworks tag | gcp_saas_role | Add tags to an SSM parameter. This allows Cortex to tag parameters stored in the Systems Manager Parameter Store. Tagging is used to manage lifecycle and ownership of the secrets used for unmanaged registries. |
ssm:DeleteParameter | SSM parameter named cortex-outposts-..., but only if that specific parameter resource is already tagged with managed_by: paloaltonetworks | gcp_saas_role | Delete an SSM parameter. This permission allows Cortex to securely remove stored secrets or configuration parameters when they are no longer needed, ensuring that sensitive information is not left lingering in the account. |
ssm:PutParameter | Group of SSM parameter store parameters in a specified AWS account with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Create or update an SSM parameter. This permission allows Cortex to securely store secrets or configuration values in the Parameter Store, such as credentials for accessing unmanaged registries. |
sts:AssumeRole | Resource belongs to a different AWS account than the current account | dspm_scanner, registry_scanner, scanner_of_serverless, gcp_saas_role | Assume an IAM role. This permission allows the outpost to temporarily adopt the permissions of another role, typically in a different account. This is the mechanism used to perform cross-account scanning or to elevate privileges for specific tasks securely. |
The following AWS permissions are granted by the saas-role-policy-ec2 policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
ec2:AllocateAddress | Resources with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Allocate a static public IP address. This permission is necessary to assign a consistent IP to the proxy VM, ensuring stable and secure communication between the outpost and external services during scanning operations. |
ec2:AssociateAddress | Resources with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Associate a static public IP address with a network interface. This binds the allocated IP to the proxy VM, enabling it to route traffic correctly and maintain the connectivity required for the scanning process. |
ec2:CreateFleet | Resources with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Create an EC2 Fleet. This permission allows Cortex to launch a group of scanner instances (on-demand and/or spot) in a single request, which is how the outpost provisions compute capacity for scans. |
ec2:CreateLaunchTemplate | Resources with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Create a launch template. This defines the reusable configuration (AMI, instance type, networking, tags) used by the EC2 Fleet to launch scanner VMs consistently. |
ec2:CreateNetworkInterface | Any region in the specified AWS account with the tag managed_by: paloaltonetworks; applies to network interfaces, subnets, and security groups. | gcp_saas_role | Create a network interface. This permission is necessary to connect the scanner or proxy VM to the designated subnet and security group, ensuring network traffic flows securely according to the defined network policies. |
ec2:CreateTags | Resources with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Add tags to resources. This is used for permission scoping, resource tracking, and cost visibility. Cortex tags every resource it creates with `managed_by=paloaltonetworks` so the tag scopes downstream permissions to Cortex-owned resources and enables automatic cleanup after scanning. |
ec2:CreateVpcEndpoint | The VPC endpoint being created must: 1) Have the request tag: managed_by: paloaltonetworks 2) Only reference Palo Alto Networks-managed network components (VPCs, security groups, subnets, and route tables, and so on, with the request tag: managed_by: paloaltonetworks) 3) Connect to an approved VpceServiceName service as defined by policy | gcp_saas_role | Create VPC endpoints. These endpoints allow scanners to access managed AWS services using private IP addresses, ensuring that data traffic remains within the AWS network and is not exposed to the public internet during the scanning process. |
ec2:DeleteLaunchTemplate | Launch templates in the specified account with the resource tag: managed_by: paloaltonetworks | gcp_saas_role | Delete a launch template created for launching scanner VMs |
ec2:DeleteNetworkInterface | Network interfaces with the request resource tag: managed_by: paloaltonetworks | gcp_saas_role | Delete a network interface. This permission is critical for hygiene and resource cleanup. It allows Cortex to remove network interfaces created for scanner or proxy VMs once the scanning task is complete, preventing unused resources from cluttering the account. |
ec2:DeleteVpcEndpoints | VPC endpoints in the specified account with the resource tag: managed_by: paloaltonetworks | gcp_saas_role | Delete VPC endpoints. This permission allows for the cleanup of temporary network connections established for the scanning session. It ensures that the network configuration returns to its previous state and no unused endpoints remain active. |
ec2:DescribeAvailabilityZones | * | gcp_saas_role | List availability zones. This permission enables Cortex to determine the optimal location for deploying scanner resources, ensuring high availability and compliance with regional data residency requirements. |
ec2:DescribeImages | * | gcp_saas_role | List AMI images. This is used to verify the creation status of images used for scanning or to identify the correct machine image to launch for scanner VMs. |
ec2:DescribeInstances | * | gcp_saas_role | List EC2 instances. This provides visibility into the instances running in the account, allowing Cortex to verify the status of scanner or proxy VMs and ensure they are operating as expected. |
ec2:DescribeInstanceTypes | * | gcp_saas_role | List instance types. This allows Cortex to dynamically select the most appropriate and cost-effective VM sizes for scanner instances based on the specific workload requirements and availability. |
ec2:DescribeKeyPairs | * | gcp_saas_role | List key pairs. This permission is used to verify the existence of key pairs that may be required for launching instances, ensuring that the outpost can provision VMs with the correct access configurations. |
ec2:DescribeNetworkInterfaces | * | gcp_saas_role | List network interfaces. This provides visibility into the network configuration of resources, helping to verify that scanner VMs are correctly connected to the network and troubleshooting any connectivity issues. |
ec2:DescribeSecurityGroups | * | gcp_saas_role | List security groups. This allows Cortex to identify the correct security groups to associate with scanner resources, ensuring that the necessary firewall rules are applied to permit scanning traffic while blocking unauthorized access. |
ec2:DescribeSubnets | * | gcp_saas_role | List subnets. This permission enables Cortex to discover available network subnets for deploying scanner resources, ensuring they are placed in the correct network segment according to the deployment configuration. |
ec2:DescribeVpcs | * | gcp_saas_role | List VPCs. This provides context about the virtual private clouds in the account, allowing Cortex to identify the correct network environment for deploying scanner resources. |
ec2:DisassociateAddress | Volumes with the resource tag: managed_by: paloaltonetworks | gcp_saas_role | Disassociate an Elastic IP from an instance. This permission allows Cortex to release the binding between a static IP and a proxy VM, facilitating the cleanup of network resources after the proxy is no longer needed. |
ec2:GetSpotPlacementScores | * | gcp_saas_role | Get spot placement scores. This allows Cortex to query AWS for the optimal availability zones to request Spot Instances. It helps ensure reliable and cost-effective scanner deployment by predicting capacity availability. |
ec2:ModifyInstanceAttribute | Instances in the specified account where both of the following conditions are met: the target EC2 instance has the resource tag managed_by: paloaltonetworks, and the modify action is limited to changing the value of the SourceDestCheck attribute | gcp_saas_role | Modify instance attributes. This is used to change specific settings on the proxy or scanner VM, such as disabling source/destination checks (SourceDestCheck), which is often required for instances performing network traffic inspection or routing. |
ec2:ReleaseAddress | Resources with the resource tag: managed_by: paloaltonetworks | gcp_saas_role | Release an Elastic IP address. This permission is critical for cost management. It allows Cortex to release static public IPs back to the AWS pool when they are no longer in use by a proxy VM, preventing unnecessary charges. |
ec2:RunInstances | The new EC2 instance must be launched into a network environment (VPC, subnets, security groups, and key pairs) that is already tagged managed_by: paloaltonetworks, and the request must tag the newly created instance, network interfaces, and volumes as managed_by: paloaltonetworks. Source snapshots for volumes may be used without any tagging restrictions | gcp_saas_role | Launch EC2 instances. This is the core permission required to spin up scanner and proxy VMs. It allows Cortex to dynamically provision the compute resources needed to perform security scans within the customer's environment. |
ec2:TerminateInstances | EC2 instances with the tag: managed_by: paloaltonetworks | gcp_saas_role | Terminate EC2 instances. This permission allows Cortex to shut down and remove scanner and proxy VMs after their tasks are complete. It is essential for lifecycle management and ensures that compute resources do not run indefinitely. |
The following AWS permissions are granted by the scanner-communications-bucket-access policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
s3:GetObject | Users can read (download) any file from the ${cf_template_bucket}. Users can also read files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-, with specific access paths defined for the general bucket contents and for files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Download an object from an S3 bucket. This permission enables Cortex to retrieve configuration templates, input data, or logs from specified buckets. It is essential for the operation of the outpost and the retrieval of scan results. |
s3:GetObjectAttributes | Users can read the metadata (attributes) of files from any S3 bucket they own whose name begins with the prefix ${bucket_name}-. This permission applies to files located anywhere within that bucket, but the specific paths are detailed as the general bucket contents and files within the output/, input/, and output/logs/ folders | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Get object attributes. This allows Cortex to retrieve system metadata and attributes for S3 objects, such as size or modification time, without downloading the entire file. This is useful for checking file status before processing. |
s3:ListBucket | Users can list the contents of the specific ${cf_template_bucket} bucket and of any S3 bucket they own whose name starts with the prefix ${bucket_name}- | gcp_saas_role, dspm_scanner, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | List bucket contents. This permission allows Cortex to view the objects within specific S3 buckets. It is necessary to identify available input files, logs, or templates that need to be processed. |
s3:PutObject | Communication buckets, artifact bucket, cf-template bucket, owned by the current AWS account | dspm_scanner, gcp_saas_role, proxy_vm, ads_scanner, registry_scanner, scanner_of_serverless | Upload scan results / artifacts / logs / CF template to S3 |
The following IAM policies are required for the ADS module.
The following AWS permissions are granted by the saas-role-policy-ec2 policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
ec2:AttachVolume | Volumes in the specified AWS account with the tag managed_by: paloaltonetworks | gcp_saas_role | Attach a volume to a scanner VM. This allows the scanner to access the disk data that needs to be analyzed. It is a critical step in the scanning workflow where the scanner inspects the volume's contents for security risks without modifying the original data. |
ec2:CreateVolume | Volumes with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Create an EBS volume. This permission is used to create a temporary volume from a snapshot for analysis. It enables the scanner to inspect data in an isolated environment without impacting the performance or integrity of the live production workload. |
ec2:DeleteVolume | Volumes in the specified account with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Delete an EBS volume. This permission is used to remove the temporary volumes created for analysis after the scan is finished. It ensures that no data artifacts remain in the environment, maintaining security and reducing storage costs. |
ec2:DescribeVolumeAttribute | Volumes in the specified account with the request tag: managed_by: paloaltonetworks | gcp_saas_role | View volume attributes. This allows Cortex to check specific properties of EBS volumes, such as encryption status or IOPS, to ensure compatibility and correct configuration before attaching them to a scanner. |
ec2:DescribeVolumes | * | gcp_saas_role | List EBS volumes. This permission provides an inventory of volumes in the account, which is necessary to identify the volumes that need to be scanned or to verify the status of temporary volumes created during the process. |
ec2:DescribeVolumesModifications | * | gcp_saas_role | View volume modification status. This allows Cortex to track the progress of volume operations, ensuring that volumes are in a stable state before they are attached to scanners or deleted. |
ec2:DescribeVolumeStatus | * | gcp_saas_role | View volume status. This permission is used to verify the health and availability of EBS volumes, ensuring that data can be reliably accessed during the scanning process. |
ec2:DetachVolume | Volumes in the specified account with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Detach a volume from an instance. This permission is used to disconnect the temporary analysis volume from the scanner VM once the scan is complete, enabling the subsequent deletion of the volume. |
ec2:ImportVolume | Volumes in the specified account with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Import a volume. This permission enables the creation of a volume from an external source or file, supporting specific migration or recovery scanning workflows where data needs to be brought into the environment for analysis. |
ec2:ModifyVolume* | Volumes in the specified account with the request tag: managed_by: paloaltonetworks | gcp_saas_role | Modify volume attributes. This permission allows Cortex to adjust volume settings if necessary, such as performance parameters, to optimize the scanning process. |
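The saas-role-policy-ec2 and ADS tables above describe one consistent pattern: create-type EC2 actions are scoped by the `managed_by: paloaltonetworks` tag on the request, actions on existing resources by the tag already on the resource, and only `Describe*`/`Get*` reads are granted on `*`. The checker below, an added example that is not Palo Alto Networks code and not the onboarding template, lints a deployed policy document against that pattern so you can confirm the generated policy still matches the documented scope after a template update; the action classification and `SAMPLE_POLICY` are constructed here, and a row whose wording is ambiguous is treated as resource-tag scoped when it acts on an existing resource.

```python
"""Lint an IAM policy document against the tag scoping described in the tables.

Added example for reviewing a deployed policy; not code from Palo Alto Networks
or the Cortex onboarding template. SAMPLE_POLICY is constructed for illustration.
"""
import fnmatch
import json

TAG_KEY = "managed_by"
TAG_VALUE = "paloaltonetworks"

# Create-type actions: the tables scope these by the tag supplied in the request.
REQUEST_TAG_ACTIONS = {
    "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:CreateFleet",
    "ec2:CreateLaunchTemplate", "ec2:CreateNetworkInterface", "ec2:CreateTags",
    "ec2:CreateVpcEndpoint", "ec2:RunInstances", "ec2:CreateVolume",
}
# Actions on existing resources: scoped by the tag already present on the resource.
RESOURCE_TAG_ACTIONS = {
    "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:DeleteVpcEndpoints",
    "ec2:DisassociateAddress", "ec2:ReleaseAddress", "ec2:TerminateInstances",
    "ec2:ModifyInstanceAttribute", "ec2:AttachVolume", "ec2:DeleteVolume",
    "ec2:DetachVolume", "ec2:ImportVolume", "ec2:ModifyVolume",
}
# Read-only actions the tables grant on Resource "*" without a tag condition.
READ_PREFIXES = ("ec2:describe", "ec2:get")


def _tag_pinned(condition, context_key):
    """True if the condition pins <context_key>/managed_by to exactly TAG_VALUE.

    IAM condition keys are case-insensitive. ...IfExists and ForAllValues
    operators also pass when the tag is absent, so they are not accepted."""
    wanted = f"{context_key}/{TAG_KEY}".lower()
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "ForAnyValue:StringEquals"):
            continue
        for key, value in pairs.items():
            values = value if isinstance(value, list) else [value]
            if key.lower() == wanted and values == [TAG_VALUE]:
                return True
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings; empty means every Allow statement matches the tables."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        condition = statement.get("Condition", {})
        by_request = _tag_pinned(condition, "aws:RequestTag")
        by_resource = _tag_pinned(condition, "aws:ResourceTag")
        for pattern in _as_list(statement.get("Action", [])):
            lowered = pattern.lower()
            if lowered.startswith(READ_PREFIXES):
                continue  # Describe*/Get* on "*" is what the tables grant
            if "*" in lowered and not (by_request or by_resource):
                findings.append(f"Statement {index}: wildcard '{pattern}' has no {TAG_KEY} condition")
                continue
            for action in REQUEST_TAG_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), lowered) and not by_request:
                    findings.append(f"Statement {index}: {action} lacks aws:RequestTag/{TAG_KEY} condition")
            for action in RESOURCE_TAG_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), lowered) and not by_resource:
                    findings.append(f"Statement {index}: {action} lacks aws:ResourceTag/{TAG_KEY} condition")
    return findings


def lint_policy_json(text):
    """Lint a policy document given as a JSON string (e.g. from get-role-policy output)."""
    return lint_policy(json.loads(text))


SAMPLE_POLICY = {  # constructed sample, not the onboarding template
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:CreateTags"],
         "Condition": {"StringEquals": {"aws:RequestTag/managed_by": "paloaltonetworks"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:TerminateInstances", "ec2:ReleaseAddress"],
         "Condition": {"StringEquals": {"aws:ResourceTag/managed_by": "paloaltonetworks"}}},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Drift: cleanup permission without the resource-tag scope the tables describe.
        {"Effect": "Allow", "Action": "ec2:DeleteNetworkInterface", "Resource": "*"},
        # Weak operator: StringEqualsIfExists passes when the request carries no tag.
        {"Effect": "Allow", "Action": "ec2:CreateVolume", "Resource": "*",
         "Condition": {"StringEqualsIfExists": {"aws:RequestTag/managed_by": "paloaltonetworks"}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

Run against the real policy with the JSON returned by `aws iam get-role-policy` (the `PolicyDocument` member), and treat any finding as a prompt to compare the deployed statement with the row in the table above.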
The following IAM policies are required for the DSPM module.
The following AWS permissions are granted by the allow_outbound_federation_policy policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
sts:GetWebIdentityToken | Resources belonging to the Web Outbound Identity enabled in the outpost for DBaaS DSPM | dspm_scanner | Retrieve a web outbound identity token. The token is exchanged for credentials in DBaaS platforms such as Databricks and MongoDB Atlas. |
The following AWS permissions are granted by the redshit-operations policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
ec2:DescribeAccountAttributes | * | gcp_saas_role | Describe account attributes. This provides Cortex with essential context about the AWS account environment, such as supported platforms and quotas, to ensure that resources are provisioned correctly and within limits. |
iam:CreateServiceLinkedRole | The role being created must be exclusively for the Amazon Redshift service | gcp_saas_role | Create a service-linked role. This permission is specifically needed to create the necessary roles for Amazon Redshift if they do not already exist, enabling the Redshift service to access other AWS resources on your behalf. |
redshift-data:DescribeStatement | * | gcp_saas_role | Describe SQL execution status. This provides detailed information about the state of a running or completed query, allowing Cortex to track progress and troubleshoot data retrieval. |
redshift-data:DescribeTable | Redshift Serverless workgroups tagged with managed_by: paloaltonetworks | gcp_saas_role | Describe a table. This permission allows Cortex to retrieve the schema/metadata of a Redshift table to drive data classification and discovery. |
redshift-data:ExecuteStatement | * | gcp_saas_role | Execute a SQL statement. This permission allows Cortex to run individual queries against a Redshift database to extract schema information or sample data for classification purposes. |
redshift-data:GetStatementResult | * | gcp_saas_role | Get SQL statement results. This allows Cortex to retrieve the actual data returned by a query, which is necessary for analyzing the content of the database for sensitive information. |
redshift-data:ListDatabases | Redshift Serverless workgroups tagged with managed_by: paloaltonetworks | gcp_saas_role | List databases. This permission allows Cortex to enumerate the databases within a Redshift Serverless workgroup so it can target them for data classification scans. |
redshift-serverless:CreateNamespace | Creation request includes tag: managed_by: paloaltonetworks | gcp_saas_role | Create a Redshift Serverless namespace. This permission is used to provision a logical container for database objects during the scanning of serverless Redshift environments. |
redshift-serverless:CreateWorkgroup | Creation request includes tag: managed_by: paloaltonetworks | gcp_saas_role | Create a Redshift Serverless workgroup. This provisions the compute resources required to process data within a namespace, enabling Cortex to run queries against serverless Redshift data. |
redshift-serverless:DeleteNamespace | Namespaces tagged with: managed_by: paloaltonetworks | gcp_saas_role | Delete a Redshift Serverless namespace. This permission is critical for cleanup. It allows Cortex to remove the logical container created for scanning, ensuring no empty or unused namespaces are left behind. |
redshift-serverless:DeleteWorkgroup | Workgroup tagged with: managed_by: paloaltonetworks | gcp_saas_role | Delete a Redshift Serverless workgroup. This permission allows Cortex to de-provision the compute resources used for scanning, ensuring that the customer is not charged for unused serverless capacity. |
redshift-serverless:GetCredentials | * | gcp_saas_role | Get database credentials. This allows Cortex to request temporary, secure credentials to connect to the Redshift Serverless database, enabling direct access for executing classification queries. Note that the scope is the whole account: it is not limited to workgroups tagged managed_by: paloaltonetworks. |
redshift-serverless:GetNamespace | * | gcp_saas_role | Get namespace details. This provides configuration information about a specific namespace, allowing Cortex to verify its settings and status before or after operations. |
redshift-serverless:GetWorkgroup | * | gcp_saas_role | Get workgroup details. This retrieves configuration and status details for a workgroup, ensuring that the compute resources are available and correctly configured for scanning. |
redshift-serverless:ListNamespaces | * | gcp_saas_role | List namespaces. This provides visibility into the existing Redshift Serverless namespaces, enabling Cortex to identify resources that need to be scanned or managed. |
redshift-serverless:ListTagsForResource | * | gcp_saas_role | List tags for a resource. This allows Cortex to view the tags associated with Redshift resources, which is essential for identifying assets managed by Palo Alto Networks and enforcing scope boundaries. |
redshift-serverless:ListWorkgroups | * | gcp_saas_role | List workgroups. This allows Cortex to discover existing Redshift Serverless workgroups in the account to assess what compute resources are available or active. |
redshift-serverless:RestoreFromSnapshot | * | gcp_saas_role | Restore from snapshot. This permission allows Cortex to create a new namespace by restoring data from a backup snapshot. This enables analysis of historical data or safe testing without impacting the live database. |
redshift-serverless:TagResource | * | gcp_saas_role | Tag a resource. This permission is used to apply tags to Redshift Serverless resources. Tagging is crucial for cost allocation, governance, and identifying resources that are safe to delete after scanning. |
The following AWS permissions are granted by the redshit-operations (CloudFormation only) policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
redshift-data:BatchExecuteStatement | * | gcp_saas_role (via CloudFormation template only) | Execute a batch of SQL statements. This allows Cortex to submit multiple queries in one request, run as a single transaction, improving the efficiency of data classification and discovery tasks. |
redshift-data:CancelStatement | * | gcp_saas_role (via CloudFormation template only) | Cancel a SQL statement. This permission enables Cortex to stop a long-running or erroneous query, preventing unnecessary resource consumption on the Redshift cluster. |
redshift-data:Describe* | * | gcp_saas_role (via CloudFormation template only) | Describe SQL execution status and table metadata. The wildcard covers DescribeStatement and DescribeTable. This provides detailed information about the state of a running or completed query, allowing Cortex to track progress and troubleshoot any issues with data retrieval. |
redshift-data:List* | * | gcp_saas_role (via CloudFormation template only) | List databases, schemas, tables and SQL statements. The wildcard covers ListDatabases, ListSchemas, ListTables and ListStatements. The statement history helps Cortex verify that its operations were submitted and processed correctly. |
The following AWS permissions are granted by the saas-role-policy-ec2 policy.
Permission | Scope | Used by IAM Roles | Description |
|---|---|---|---|
ec2:AttachVolume | Volumes in the specified account tagged managed_by: paloaltonetworks | gcp_saas_role | Attach a volume to a scanner VM. This allows the scanner to access the disk data that needs to be analyzed. It is a critical step in the scanning workflow where the scanner inspects the volume's contents for security risks without modifying the original data. |
ec2:CreateVolume | Creation request includes tag: managed_by: paloaltonetworks | gcp_saas_role | Create an EBS volume. This permission is used to create a temporary volume from a snapshot for analysis. It enables the scanner to inspect data in an isolated environment without impacting the performance or integrity of the live production workload. |
ec2:DeleteVolume | Volumes in the specified account tagged managed_by: paloaltonetworks | gcp_saas_role | Delete an EBS volume. This permission is used to remove the temporary volumes created for analysis after the scan is finished. It ensures that no data artifacts remain in the environment, maintaining security and reducing storage costs. |
ec2:DescribeVolumeAttribute | Volumes in the specified account tagged managed_by: paloaltonetworks | gcp_saas_role | View volume attributes. This allows Cortex to check specific properties of EBS volumes, such as encryption status or IOPS, to ensure compatibility and correct configuration before attaching them to a scanner. |
ec2:DescribeVolumes | * | gcp_saas_role | List EBS volumes. This permission provides an inventory of volumes in the account, which is necessary to identify the volumes that need to be scanned or to verify the status of temporary volumes created during the process. |
ec2:DescribeVolumesModifications | * | gcp_saas_role | View volume modification status. This allows Cortex to track the progress of volume operations, ensuring that volumes are in a stable state before they are attached to scanners or deleted. |
ec2:DescribeVolumeStatus | * | gcp_saas_role | View volume status. This permission is used to verify the health and availability of EBS volumes, ensuring that data can be reliably accessed during the scanning process. |
ec2:DetachVolume | Volumes in the specified account tagged managed_by: paloaltonetworks | gcp_saas_role | Detach a volume from an instance. This permission is used to disconnect the temporary analysis volume from the scanner VM once the scan is complete, enabling the subsequent deletion of the volume. |
ec2:ImportVolume | Creation request includes tag: managed_by: paloaltonetworks | gcp_saas_role | Import a volume. This permission enables the creation of a volume from an external source or file, supporting specific migration or recovery scanning workflows where data needs to be brought into the environment for analysis. |
ec2:ModifyVolume* | Volumes in the specified account tagged managed_by: paloaltonetworks | gcp_saas_role | Modify volume attributes. The wildcard covers ec2:ModifyVolume and ec2:ModifyVolumeAttribute. This permission allows Cortex to adjust volume settings if necessary, such as performance parameters, to optimize the scanning process. |
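The tag scoping in the Scope column is what keeps the volume and Redshift Serverless write permissions from applying to every resource in the account, so it is worth confirming that the policy actually attached to the role still carries it after deployment. The following Python script is an added example, not part of this page or of the Cortex XSIAM template: it audits an IAM policy document against the tag-scoped rows of the EC2 volume tables (saas-role-policy-ec2 and the volume rows at the start of this section) and the redshift-serverless create/delete rows of redshit-operations. It assumes the template expresses the scope with the standard AWS global condition keys aws:ResourceTag/managed_by (existing resources) and aws:RequestTag/managed_by (creation calls); the sample policy at the bottom is constructed for illustration, with one deliberately drifted statement.

```python
"""Audit an IAM policy document for the managed_by tag scoping described in the tables above.

Added example, not Cortex XSIAM code. Assumes the scope is implemented with the
aws:ResourceTag/managed_by and aws:RequestTag/managed_by condition keys.
"""
import fnmatch
import json
import sys

TAG_VALUE = "paloaltonetworks"

# Permissions the tables above describe as tag-scoped, mapped to the condition key that
# implements that scope: existing resources are matched by their tags (aws:ResourceTag),
# creation calls by the tags carried in the request (aws:RequestTag).
EXPECTED_CONDITION_KEY = {
    "ec2:AttachVolume": "aws:ResourceTag/managed_by",
    "ec2:DetachVolume": "aws:ResourceTag/managed_by",
    "ec2:DeleteVolume": "aws:ResourceTag/managed_by",
    "ec2:DescribeVolumeAttribute": "aws:ResourceTag/managed_by",
    "ec2:ModifyVolume*": "aws:ResourceTag/managed_by",
    "ec2:CreateVolume": "aws:RequestTag/managed_by",
    "redshift-serverless:CreateNamespace": "aws:RequestTag/managed_by",
    "redshift-serverless:CreateWorkgroup": "aws:RequestTag/managed_by",
    "redshift-serverless:DeleteNamespace": "aws:ResourceTag/managed_by",
    "redshift-serverless:DeleteWorkgroup": "aws:ResourceTag/managed_by",
}

# Condition operators that can pin a tag key to one value (with or without a ForAnyValue:/ForAllValues: prefix).
STRING_OPERATORS = {"StringEquals", "StringEqualsIgnoreCase", "StringLike"}


def _as_list(value):
    """IAM allows a string or a list in Action, Statement and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_tag_condition(statement, condition_key):
    """True if the statement's Condition pins condition_key to the managed_by tag value."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.split(":")[-1] not in STRING_OPERATORS:
            continue
        for key, values in keys.items():
            # IAM condition keys are case-insensitive; values compared case-insensitively too.
            if key.lower() == condition_key.lower() and TAG_VALUE in [
                str(v).lower() for v in _as_list(values)
            ]:
                return True
    return False


def audit_policy(policy):
    """Return findings as (Sid, granted action pattern, expected action, missing condition key).

    Every Allow statement whose Action covers a tag-scoped permission (directly or via a
    wildcard such as ec2:* or *) must carry the matching managed_by condition. Deny and
    NotAction statements are not evaluated.
    """
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow" or "Action" not in statement:
            continue
        sid = statement.get("Sid", "<no Sid>")
        for granted in _as_list(statement["Action"]):
            for expected_action, condition_key in EXPECTED_CONDITION_KEY.items():
                # IAM action names match case-insensitively and support * wildcards.
                if not fnmatch.fnmatchcase(expected_action.lower(), granted.lower()):
                    continue
                if not has_tag_condition(statement, condition_key):
                    findings.append((sid, granted, expected_action, condition_key))
    return findings


# Constructed sample policy (not the real template). The "Drifted" statement lost its condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScopedVolumeOps", "Effect": "Allow",
         "Action": ["ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:ModifyVolume*"],
         "Resource": "arn:aws:ec2:*:111122223333:volume/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/managed_by": "paloaltonetworks"}}},
        {"Sid": "TaggedCreate", "Effect": "Allow", "Action": "ec2:CreateVolume",
         "Resource": "arn:aws:ec2:*:111122223333:volume/*",
         "Condition": {"StringEquals": {"aws:RequestTag/managed_by": "paloaltonetworks"}}},
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["ec2:DescribeVolumes", "ec2:DescribeVolumeStatus"], "Resource": "*"},
        {"Sid": "Drifted", "Effect": "Allow",
         "Action": ["redshift-serverless:DeleteNamespace", "redshift-serverless:DeleteWorkgroup"],
         "Resource": "*"},
    ],
}


if __name__ == "__main__":
    # Read a policy document from stdin, otherwise audit the constructed sample.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for sid, granted, expected, key in audit_policy(policy):
        print(f"{sid}: '{granted}' grants {expected} without a {key} = {TAG_VALUE} condition")
```

To run it against a deployed role, pipe the inline policy in, for example `aws iam get-role-policy --role-name <role-name> --policy-name saas-role-policy-ec2 --query PolicyDocument | python3 audit_scope.py`. A finding means a write permission the tables describe as tag-scoped now applies to any volume, namespace or workgroup in the account; statements that grant `ec2:*` or `*` are reported once per scoped permission they cover.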