The following granular permissions cover the API calls that the plugin makes, broken down so that you can see exactly which actions are required. They accommodate every action that the CFT and the plugin backend code call, for both the Security VPC and the cross-account Application VPC.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"cloudwatch:PutMetricData",
"ec2:Describe*",
"cloudwatch:DeleteAlarms",
"autoscaling:DescribePolicies",
"ec2:DeleteVpcEndpoints",
"ec2:AttachInternetGateway",
"ec2:AcceptTransitGatewayVpcAttachment",
"autoscaling:ExecutePolicy",
"ec2:DeleteRouteTable",
"sts:GetSessionToken",
"cloudformation:DescribeStackEvents",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"cloudformation:UpdateStack",
"ec2:DeleteInternetGateway",
"iam:ListRolePolicies",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"iam:ListPolicies",
"ec2:DisassociateTransitGatewayRouteTable",
"iam:GetRole",
"iam:GetPolicy",
"ec2:CreateTags",
"elasticloadbalancing:CreateTargetGroup",
"ec2:RunInstances",
"ec2:DisassociateRouteTable",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:CreateTransitGatewayRoute",
"ec2:CreateTransitGatewayVpcAttachment",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:AddTags",
"cloudformation:DeleteStack",
"cloudwatch:DescribeAlarms",
"ec2:DeleteNatGateway",
"ram:AssociateResourceShare",
"autoscaling:DeleteAutoScalingGroup",
"ec2:CreateSubnet",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"iam:GetRolePolicy",
"ec2:ModifyVpcEndpoint",
"ec2:DisassociateAddress",
"autoscaling:DescribeAutoScalingInstances",
"ec2:ModifyVpcEndpointServicePermissions",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ec2:ModifySubnetAttribute",
"iam:PassRole",
"autoscaling:DescribeScalingActivities",
"sts:DecodeAuthorizationMessage",
"autoscaling:DescribeLoadBalancerTargetGroups",
"iam:ListAttachedGroupPolicies",
"ec2:DeleteLaunchTemplateVersions",
"sts:GetServiceBearerToken",
"iam:ListAccessKeys",
"ram:DisassociateResourceShare",
"ec2:ReleaseAddress",
"ec2:DeleteLaunchTemplate",
"elasticloadbalancing:CreateLoadBalancer",
"ec2:AcceptVpcEndpointConnections",
"iam:ListGroupPolicies",
"iam:ListRoles",
"elasticloadbalancing:DeleteTargetGroup",
"ram:AssociateResourceSharePermission",
"ec2:CreateLaunchTemplate",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteListener",
"ram:UpdateResourceShare",
"iam:GetPolicyVersion",
"ec2:DeleteSubnet",
"ec2:ModifyVpcEndpointServiceConfiguration",
"ec2:CreateTransitGatewayRouteTable",
"ec2:ModifyTransitGateway",
"cloudformation:DescribeStackResource",
"ec2:AssociateRouteTable",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DescribeLoadBalancers",
"logs:CreateLogStream",
"ec2:GetLaunchTemplateData",
"ec2:DeleteTransitGatewayVpcAttachment",
"autoscaling:DescribeAutoScalingGroups",
"iam:ListAttachedRolePolicies",
"logs:GetLogEvents",
"autoscaling:UpdateAutoScalingGroup",
"ec2:AssociateTransitGatewayRouteTable",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"autoscaling:SetDesiredCapacity",
"cloudformation:DescribeStackResources",
"ec2:CreateRouteTable",
"ec2:DetachInternetGateway",
"cloudformation:DescribeStacks",
"ec2:DeleteTransitGatewayRouteTable",
"sts:AssumeRole",
"ec2:DeleteTransitGatewayRoute",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"ec2:DeleteVpc",
"iam:GetGroupPolicy",
"ec2:AssociateAddress",
"autoscaling:CreateAutoScalingGroup",
"ram:AcceptResourceShareInvitation",
"ec2:DeleteTags",
"logs:DescribeLogStreams",
"ec2:DeleteVpcEndpointServiceConfigurations",
"autoscaling:DeletePolicy",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DescribeListeners",
"autoscaling:PutScalingPolicy",
"ec2:CreateSecurityGroup",
"iam:ListAttachedUserPolicies",
"ec2:ModifyVpcAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:GetTransitGatewayRouteTableAssociations",
"ram:DeleteResourceShare",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:ModifyTransitGatewayVpcAttachment",
"iam:GetInstanceProfile",
"ram:DisassociateResourceSharePermission",
"elasticloadbalancing:DescribeTags",
"ec2:DeleteRoute",
"iam:ListUserPolicies",
"logs:PutLogEvents",
"ec2:AllocateAddress",
"ec2:CreateLaunchTemplateVersion",
"cloudwatch:PutMetricAlarm",
"cloudformation:CreateStack",
"ec2:CreateVpcEndpoint",
"ec2:DeleteSecurityGroup",
"ec2:StartVpcEndpointServicePrivateDnsVerification",
"ec2:ModifyLaunchTemplate",
"iam:ListUsers",
"ram:CreateResourceShare"
],
"Resource": "*"
}
]
}
For Application Account—An AWS account other than the Security account that hosts either the TGW or the applications that need to be protected. Within this account you must create a RoleARN with the following permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:DisassociateTransitGatewayRouteTable",
"ec2:CreateTransitGatewayRoute",
"ec2:CreateTransitGatewayRouteTable",
"ec2:AssociateTransitGatewayRouteTable",
"ec2:DeleteTransitGatewayRouteTable",
"ec2:DeleteTransitGatewayRoute",
"ec2:GetTransitGatewayRouteTableAssociations"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:Get*",
"iam:List*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Dedicated CIDR block—A CIDR block reserved for the Security VPC. The plugin manages this CIDR block, using it to launch firewalls, load balancers, and other deployment resources for the Security VPC.
AWS transit gateway—Create a TGW and ensure that the selected AWS user has permission to configure the TGW resources.
The AWS account must have the following two IAM roles:
- AWSServiceRoleForElasticLoadBalancing
- AWSServiceRoleForAutoScaling
Panorama requirements:
- Panorama Plugin for AWS—Version 3.0.1 or later.
- VM-Series Plugin—Version 2.0.6 or later.
- PAN-OS—Version 10.0.5 or later.
- Create a valid license API key configured on Panorama for delicensing the firewalls.
- Create an IAM role on the plugin under . This configuration needs the Access Key and Secret Key associated with the user you created in your AWS account.
Configure IAM Roles for AWS Plugin in Panorama
With AWS plugin 3.0.1 or later, you can use IAM roles to let Panorama authenticate to AWS and retrieve metadata about the resources deployed in your AWS account. When Panorama is not deployed on AWS, you have two options: provide long-term IAM credentials for the AWS accounts, or set up an Assume Role on AWS that grants access to the defined AWS resources in the same AWS account or across accounts. An Assume Role is recommended as the more secure option, since it avoids storing long-term credentials on Panorama.
To validate the AWS user credentials created for the Security VPC, go to . Click Add and enter the following details under Security Account Detail.
- Enter a name for the IAM role and an optional description.
- Enter the AWS access key and secret key to validate permissions. Reenter the secret key to confirm it.
- Select an account type—Instance Profile or AWS Account
Credentials. If your Panorama is deployed on AWS, you
can choose to either attach an instance profile with the correct
permissions to your Panorama or add the credentials associated with the
IAM role on Panorama. If your Panorama isn’t deployed on AWS, you must
enter the credentials for the IAM role locally on Panorama.
Under Application Account Details, search for and select the RoleARNs needed to give the Security account valid permissions to access the resources in the Application VPC.
The validity status for monitoring and deployment is color-coded for easy identification.
- Valid (Green)—Indicates that the secret key and access key are valid, and that all RoleARNs entered for application account access have valid permissions to perform the necessary actions.
- Partially valid (Orange)—Indicates that the secret key and access key are valid but one or more RoleARNs entered for application account access don't have valid permissions to perform the necessary actions. Click the status hyperlink to open IAM and see which specific RoleARNs don't comply.
- Invalid (Red)—Indicates that the secret key and access key entered are either invalid or don't have permissions to perform the necessary actions.
- Commit Required (Gray)—Indicates that a commit is required for the role.
- Validating (Gray)—Indicates that the plugin is trying to connect to AWS to check the necessary requirements. If this status persists for more than a few seconds, verify that the connection to AWS is established.
Only IAM roles with green or orange status can be used for further deployment configuration.
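As an added example (not the plugin's own code), the permission check behind the Valid/Partially valid statuses above can be reproduced offline: the Application account RoleARN policy from this page is evaluated against the TGW and IAM actions the plugin calls, using IAM's case-insensitive wildcard matching and Deny-over-Allow precedence. The concrete action names under ec2:Describe*, iam:Get* and iam:List* are assumptions; the page shows only the wildcards.

```python
import fnmatch
import json

# Constructed copy of the Application account RoleARN policy shown on the page.
APP_ACCOUNT_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:Describe*", "ec2:DisassociateTransitGatewayRouteTable",
    "ec2:CreateTransitGatewayRoute", "ec2:CreateTransitGatewayRouteTable",
    "ec2:AssociateTransitGatewayRouteTable", "ec2:DeleteTransitGatewayRouteTable",
    "ec2:DeleteTransitGatewayRoute", "ec2:GetTransitGatewayRouteTableAssociations"]},
  {"Effect": "Allow", "Resource": "*", "Action": ["iam:Get*", "iam:List*"]}]}
""")

# Calls the plugin makes in the Application account (constructed from the page's
# list; the concrete Describe/Get/List names are assumptions, the page shows wildcards).
REQUIRED_ACTIONS = [
    "ec2:DescribeTransitGateways", "ec2:CreateTransitGatewayRouteTable",
    "ec2:AssociateTransitGatewayRouteTable", "ec2:CreateTransitGatewayRoute",
    "ec2:DeleteTransitGatewayRoute", "ec2:GetTransitGatewayRouteTableAssociations",
    "iam:GetRole", "iam:ListRolePolicies",
]

def _matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy, required):
    """Required actions the policy does not allow. An explicit Deny beats Allow and
    no matching statement is an implicit deny. Resource and Condition are not
    evaluated because the page's policies use Resource "*" and no conditions."""
    missing = []
    for action in required:
        decision = "deny"
        for stmt in policy["Statement"]:
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if any(_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    decision = "deny"
                    break
                decision = "allow"
        if decision != "allow":
            missing.append(action)
    return missing

def role_status(policy, required=REQUIRED_ACTIONS):
    # Same colour scale the plugin shows for a RoleARN once the keys themselves validated.
    return "Valid (Green)" if not missing_actions(policy, required) else "Partially valid (Orange)"
```

Running `role_status(APP_ACCOUNT_POLICY)` on the page's policy reports Valid (Green); removing any of the TGW actions from the Allow list turns it orange and `missing_actions` names the gap.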