
AUTOMATE+ Requirements - AWS Cross-Account Role & associated permissions

As part of the SaaS deployment, AUTOMATE+ streamlines the enablement and configuration of a number of native AWS services, detailed here:
https://www.well-architected.ai/kb/automate%2B-deployment-requirements-and-troubleshooting

In order to deploy, configure and integrate with the relevant AWS services, the SaaS service requires a cross-account role. That role in turn allows the platform to provide security visibility, co-ordinate 1-click remediation and/or self-healing, and integrate with the AWS Well-Architected Tool.

The cross-account role is initially created with additional temporary permissions, which are needed only while the CloudFormation stacks are deploying. Once deployment completes (in less than 30 minutes), the role is hardened to the least-privilege permission set listed under "Permissions - Post Deployment" below.

Should you have any additional questions relating to the role configuration, permissions or requirements, please contact 6pillars at support@6pillars.ai.

Details of the AWS cross-account role permissions can be found below. When assessing the role, review the action lists rather than the policy names: the policy named 6pillars-read-only-access also contains mutating actions (securityhub:UpdateStandardsControl and the wellarchitected Create/Update/Delete actions), so it is not strictly read-only.

⦿ Permissions - Post Deployment

●AUTOMATE+ (read-only)●

6pillars-read-only-access
"events:ListRules",
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"

6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"

6pillars-support-control-access
"support:DescribeSeverityLevels",

●AUTOMATE+ (with remediation functionality)●

6pillars-access
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRules",
"states:StartExecution"

6pillars-drs-control-access
"ec2:DescribeInstances",
"drs:DescribeSourceServers",
"drs:GetReplicationConfiguration",
"drs:DescribeJobs",
"drs:DescribeRecoverySnapshots",
"drs:StartRecovery"

6pillars-read-only-access
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"

6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"

6pillars-support-control-access
"support:DescribeSeverityLevels",

⦿ Temporary Permissions - During Deployment only (approx 15-30 mins)

●AUTOMATE+ (Read Only deployment)●

6pillars-deploy-access
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannels",
"config:GetResourceConfigHistory",
"config:ListDiscoveredResources",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:StartConfigurationRecorder",
"events:DeleteRule",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:PassRole",
"iam:PutRolePolicy",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:PutKeyPolicy",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:InvokeFunction",
"s3:CreateBucket",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"securityhub:BatchEnableStandards",
"securityhub:BatchUpdateFindings",
"securityhub:CreateActionTarget",
"securityhub:DeleteActionTarget",
"securityhub:DescribeActionTargets",
"securityhub:DescribeStandards",
"securityhub:EnableSecurityHub",
"sns:AddPermission",
"sns:ConfirmSubscription",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:List*",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sts:AssumeRole"

6pillars-read-only-access
"events:ListRules",
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"

6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"

6pillars-support-control-access
"support:DescribeSeverityLevels",

●AUTOMATE+ (with remediation functionality)●

6pillars-access
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRules",
"states:StartExecution"

6pillars-deploy-access
"securityhub:CreateActionTarget",
"securityhub:DeleteActionTarget",
"securityhub:DescribeActionTargets",
"securityhub:BatchUpdateFindings",
"securityhub:EnableSecurityHub",
"securityhub:DescribeStandards",
"securityhub:BatchEnableStandards",
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutMetricFilter",
"logs:PutRetentionPolicy",
"logs:GetLogEvents",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"states:StartExecution",
"states:CreateStateMachine",
"states:DescribeStateMachine",
"states:TagResource",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeDocument",
"ssm:StartAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationStepExecutions",
"ssm:DeleteParameter",
"ssm:CreateActivation",
"ssm:CreateAssociation",
"ssm:CreateDocument",
"ssm:DeleteActivation",
"ssm:DeleteAssociation",
"ssm:DeleteDocument",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"cloudwatch:PutMetricData",
"cloudwatch:PutMetricAlarm",
"iam:GetPolicy",
"iam:ListEntitiesForPolicy",
"iam:DetachUserPolicy",
"iam:DetachGroupPolicy",
"iam:AttachGroupPolicy",
"iam:GetGroup",
"iam:CreateGroup",
"iam:AddUserToGroup",
"iam:GetRole",
"iam:PassRole",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:TagRole",
"iam:UpdateAccessKey",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetUser",
"iam:GetLoginProfile",
"iam:DeleteLoginProfile",
"iam:UpdateAccountPasswordPolicy",
"iam:GetAccountPasswordPolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRole",
"iam:CreateServiceLinkedRole",
"iam:CreatePolicy",
"cloudtrail:CreateTrail",
"cloudtrail:UpdateTrail",
"cloudtrail:GetTrail",
"cloudtrail:StartLogging",
"s3:GetBucketPolicy",
"s3:CreateBucket",
"s3:PutEncryptionConfiguration",
"s3:PutBucketLogging",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:DeleteBucketPolicy",
"sns:CreateTopic",
"sns:SetTopicAttributes",
"sns:GetTopicAttributes",
"sns:AddPermission",
"sns:DeleteTopic",
"sns:ConfirmSubscription",
"sns:GetSubscriptionAttributes",
"sns:List*",
"sns:SetSubscriptionAttributes",
"sns:Subscribe",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:StartConfigurationRecorder",
"config:ListDiscoveredResources",
"config:GetResourceConfigHistory",
"config:DeleteDeliveryChannel",
"config:DeleteConfigurationRecorder",
"config:DescribeDeliveryChannels",
"ec2:CreateFlowLogs",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroups",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:EnableEBSEncryptionByDefault",
"ec2:GetEbsEncryptionByDefault",
"rds:ModifyDBSnapshotAttribute",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:DescribeDBClusters",
"rds:ModifyDBCluster",
"rds:ModifyDBInstance",
"rds:DescribeDBInstances",
"rds:CopyDBSnapshot",
"rds:CopyDBClusterSnapshot",
"rds:DescribeDBSnapshots",
"rds:DescribeDBClusterSnapshots",
"rds:DeleteDBSnapshot",
"rds:DeleteDBClusterSnapshots",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:PublishLayerVersion",
"lambda:DeleteLayerVersion",
"lambda:GetLayerVersion",
"kms:EnableKeyRotation",
"kms:GetKeyRotationStatus",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:CreateKey",
"kms:PutKeyPolicy",
"kms:DescribeKey",
"kms:CreateAlias",
"kms:DeleteAlias",
"kms:ListKeys",
"kms:ListAliases",
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"events:PutRule",
"events:RemoveTargets",
"events:DescribeRule",
"events:PutTargets",
"events:DeleteRule",
"servicecatalog:SearchProducts",
"servicecatalog:ListLaunchPaths",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:ProvisionProduct",
"servicecatalog:DescribeProvisionedProduct",
"sqs:GetQueueAttributes",
"sqs:List*",
"codeBuild:BatchGetProjects",
"codeBuild:UpdateProject",
"redshift:ModifyCluster",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"redshift:EnableLogging",
"lambda:PutFunctionConcurrency"

6pillars-drs-control-access
"ec2:DescribeInstances",
"drs:DescribeSourceServers",
"drs:GetReplicationConfiguration",
"drs:DescribeJobs",
"drs:DescribeRecoverySnapshots",
"drs:StartRecovery"

6pillars-playbook-access-cross-account
"arn:aws:s3:::5pillars-uat-playbooks-reference/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-southeast-2/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-southeast-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-south-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-ap-northeast-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-east-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-east-2/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-west-1/*",
"arn:aws:s3:::5pillars-uat-playbooks-us-west-2/*"

6pillars-read-only-access
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*"

6pillars-security-hub-integration-access
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"

6pillars-support-control-access
"support:DescribeSeverityLevels",

-Based on the latest version of AUTOMATE+-
