Prisma AIRS
AWS Required Permissions
AWS Required Permissions
Review what AWS permissions are required when onboarding your account to Prisma
AIRS.
Prisma AIRS requires the permissions listed below so that the following functions
can be used in your onboarded cloud account. The Discovery set is always required;
each of the other sets is needed only when you select the corresponding option during
onboarding, and wildcard actions such as `ec2:Describe*` cover every API action that
matches the pattern:
- Discovery—this option is pre-selected and cannot be disabled. This allows Prisma AIRS to identify and monitor assets in your AWS environment.
- Fully orchestrated security VPC—provides the necessary permissions for Prisma AIRS to read and write in your security VPC account.
- Fully automated traffic redirection for application VPCs—provides the necessary permissions for Prisma AIRS to read and write in your application VPC account.
- IP-Tag Harvesting—grants the necessary permissions to collect IP-address-to-tag mappings, which are used to enforce tag-based security policy that adapts to IP address changes in your AWS environment.
Discovery
"elasticloadbalancing:Describe*", "elasticloadbalancing:Get*", "network-firewall:Get*", "network-firewall:Describe*", "network-firewall:List*", "ec2:Describe*", "ec2:List*", "ec2:Get*", "lambda:List*", "lambda:Get*", "eks:AccessKubernetesApi", "eks:DescribeCluster", "eks:ListClusters", "bedrock:ListCustomModels"
Security VPC Orchestration
"autoscaling-plans:CreateScalingPlan", "autoscaling-plans:DeleteScalingPlan", "autoscaling-plans:DescribeScalingPlans"
"servicequotas:GetServiceQuota"
"autoscaling:CreateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeletePolicy", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribePolicies", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeScheduledActions", "autoscaling:PutLifecycleHook", "autoscaling:PutScalingPolicy", "autoscaling:UpdateAutoScalingGroup"
"cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm"
"ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AssociateRouteTable", "ec2:AssociateTransitGatewayRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateInternetGateway", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:CreateNatGateway", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateTransitGateway", "ec2:CreateTransitGatewayRoute", "ec2:CreateTransitGatewayRouteTable", "ec2:CreateTransitGatewayVpcAttachment", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:CreateVpcEndpointServiceConfiguration", "ec2:DeleteInternetGateway", "ec2:DeleteLaunchTemplate", "ec2:DeleteNatGateway", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTransitGateway", "ec2:DeleteTransitGatewayRoute", "ec2:DeleteTransitGatewayRouteTable", "ec2:DeleteTransitGatewayVpcAttachment", "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeleteVpcEndpointServiceConfigurations", "ec2:DescribeAddresses", "ec2:DescribeAddressesAttribute", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServicePermissions", 
"ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", "ec2:DetachNetworkInterface", "ec2:DisableTransitGatewayRouteTablePropagation", "ec2:DisassociateAddress", "ec2:DisassociateRouteTable", "ec2:DisassociateTransitGatewayRouteTable", "ec2:EnableTransitGatewayRouteTablePropagation", "ec2:GetEbsDefaultKmsKeyId", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:ModifyInstanceAttribute", "ec2:ModifyLaunchTemplate", "ec2:ModifyVpcAttribute", "ec2:ModifyVpcEndpointServicePermissions", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupEgress", "ec2:RunInstances", "ec2:SearchTransitGatewayRoutes", "ec2:TerminateInstances"
"elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroupAttributes"
"events:DeleteRule", "events:DescribeRule", "events:ListTagsForResource", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:TagResource"
"iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:CreateRole", "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetInstanceProfile", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:TagRole"
"kms:DescribeKey", "kms:ListAliases"
"lambda:AddPermission", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionCodeSigningConfig", "lambda:GetPolicy", "lambda:ListVersionsByFunction", "lambda:RemovePermission", "lambda:TagResource"
"eks:AccessKubernetesApi", "eks:DescribeCluster", "eks:ListClusters"
Traffic Redirection
"ec2:AssociateRouteTable", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateTransitGatewayRoute", "ec2:CreateTransitGatewayRouteTable", "ec2:CreateTransitGatewayVpcAttachment", "ec2:CreateVpcEndpoint", "ec2:DeleteRoute", "ec2:DeleteSubnet", "ec2:DeleteTransitGatewayRouteTable", "ec2:DeleteTransitGatewayVpcAttachment", "ec2:DeleteVpcEndpoints", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:EnableTransitGatewayRouteTablePropagation", "ec2:ModifyTransitGatewayVpcAttachment", "ec2:ReplaceRoute", "ec2:ReplaceTransitGatewayRoute", "ram:AssociateResourceShare", "ram:CreateResourceShare", "ram:DeleteResourceShare", "ram:DisassociateResourceShare", "ram:GetResourceShareAssociations", "ram:GetResourceShares", "ram:ListResourceSharePermissions", "ram:TagResource"
"ec2:DescribeInternetGateways", "ec2:DescribeRouteTables", "ec2:DescribeSubnets", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:SearchTransitGatewayRoutes"