Create Custom Policy

You need additional permissions to evaluate controls related to the following resources:

- Elastic File System (EFS)

- Step Functions

- Amazon Quantum Ledger Database (QLDB)

- Managed Streaming for Apache Kafka (MSK)

- API Gateway

- AWS Backup

- WAF

- CodeBuild

- Lambda

- Elastic Block Storage (EBS)

- Elastic MapReduce (EMR)

- Glue

- GuardDuty

- Directory Service

You need to assign additional permissions to the IAM role associated with the AWS connector to evaluate the above-mentioned resources in your cloud environment.

Note: These additional permissions are not required for Cloud Inventory users.

You can create a new policy with the required permissions and attach the policy to the IAM role associated with the AWS connector.

Create the Custom Policy

1 - Log in to your Amazon Web Services (AWS) IAM console at https://console.aws.amazon.com/iam/ with a user that has administrator permissions.
2 - In the navigation pane, choose Policies.
3 - In the content pane, choose Create policy.
4 - Choose the JSON tab. Paste the following text into the JSON text box.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"QualysCustomPolicyPermissions",
         "Effect":"Allow",
         "Action":[
            "states:DescribeStateMachine",
            "elasticfilesystem:DescribeFileSystemPolicy",
            "qldb:ListLedgers",
            "qldb:DescribeLedger",
            "kafka:ListClusters",
            "codebuild:BatchGetProjects",
            "wafv2:GetWebACLForResource",
            "backup:ListBackupVaults",
            "backup:DescribeBackupVault",
            "ec2:GetEbsEncryptionByDefault",
            "ec2:GetEbsDefaultKmsKeyId",
            "guardduty:ListDetectors",
            "guardduty:GetDetector",
            "glue:GetDataCatalogEncryptionSettings",
            "elasticmapreduce:GetBlockPublicAccessConfiguration",
            "lambda:GetFunctionConcurrency",
            "ds:ListLogSubscriptions"
         ],
         "Resource":"*"
      },
      {
         "Sid":"QualysAPIGatewayGetPermissions",
         "Effect":"Allow",
         "Action":"apigateway:GET",
         "Resource":"arn:aws:apigateway:*::/restapis/*"
      }
   ]
}

5 - Click Next: Tags.

6 - Provide a name and description for the policy and then click Create policy. For example, let us create Sample_Custom_Policy.

The policy is created with the required permissions. The next step is to attach the policy to the IAM role associated with the connector.

Attach Policy To The IAM Role

Once you create the policy, attach it to the role associated with the connector.

1 - Log in to your Amazon Web Services (AWS) IAM console at https://console.aws.amazon.com/iam/ with a user that has administrator permissions.
2 - In the navigation pane, choose Roles.
3 - Select the IAM Role being used by the connector.
4 - Choose the Permissions tab and click Attach Policies.
5 - Find the policy you created (example: Sample_Custom_Policy) and click Attach Policy.
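Before pasting a policy into the JSON editor and attaching it to a connector role, it is worth confirming that the document grants only the read-only access the connector needs: every action should be a Get/List/Describe/BatchGet call, with no wildcard actions and no NotAction/NotResource clauses that silently widen the grant. The following audit script is an added example and is not part of the Qualys documentation or product; it embeds the policy document shown above verbatim and checks it against that read-only rule. The helper names (audit_policy, services_covered, load_page_policy) and the READ_ONLY_VERBS list are this example's own assumptions, not anything from the page.

```python
"""Least-privilege audit of an IAM policy document before it is attached to a role.

Added example: not Qualys code. It embeds the custom policy from the page and
checks that it only grants read-only (Get/List/Describe/BatchGet) actions.
"""
import json

# The policy document from the page, embedded verbatim so the audit runs offline.
POLICY_JSON = r'''{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"QualysCustomPolicyPermissions",
         "Effect":"Allow",
         "Action":[
            "states:DescribeStateMachine",
            "elasticfilesystem:DescribeFileSystemPolicy",
            "qldb:ListLedgers",
            "qldb:DescribeLedger",
            "kafka:ListClusters",
            "codebuild:BatchGetProjects",
            "wafv2:GetWebACLForResource",
            "backup:ListBackupVaults",
            "backup:DescribeBackupVault",
            "ec2:GetEbsEncryptionByDefault",
            "ec2:GetEbsDefaultKmsKeyId",
            "guardduty:ListDetectors",
            "guardduty:GetDetector",
            "glue:GetDataCatalogEncryptionSettings",
            "elasticmapreduce:GetBlockPublicAccessConfiguration",
            "lambda:GetFunctionConcurrency",
            "ds:ListLogSubscriptions"
         ],
         "Resource":"*"
      },
      {
         "Sid":"QualysAPIGatewayGetPermissions",
         "Effect":"Allow",
         "Action":"apigateway:GET",
         "Resource":"arn:aws:apigateway:*::/restapis/*"
      }
   ]
}'''

# Assumption of this example: action verbs that only read configuration.
# The connector evaluates controls, so it should never need anything else.
READ_ONLY_VERBS = ("get", "list", "describe", "batchget")


def load_page_policy():
    """Parse the embedded policy document into a dict."""
    return json.loads(POLICY_JSON)


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(doc):
    """Return a list of human-readable findings; an empty list means the policy passed."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 (older default ignores policy variables)")
    for stmt in _as_list(doc.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        # NotAction / NotResource grant everything except the listed items: too broad here.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: uses {key}, which grants by exclusion")
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if not verb or "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif not verb.lower().startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: non-read-only action {action!r}")
    return findings


def services_covered(doc):
    """Sorted list of service prefixes the policy touches, for comparison with the resource list."""
    services = set()
    for stmt in _as_list(doc.get("Statement")):
        for action in _as_list(stmt.get("Action")):
            services.add(action.split(":", 1)[0])
    return sorted(services)


if __name__ == "__main__":
    policy = load_page_policy()
    problems = audit_policy(policy)
    print("services:", ", ".join(services_covered(policy)))
    print("findings:", problems or "none (read-only policy)")
```

Run the script against any policy JSON you are about to attach; a non-empty findings list means the document grants more than the read-only access the connector role should have. The service list it prints should line up with the resource list at the top of this page (API Gateway appears as the apigateway prefix, EMR as elasticmapreduce, Directory Service as ds).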