Transilience Role Details on Security Audit (Read), Logs (Read), SSM (Write)

Created by Venkat Pothamsetty, Modified on Wed, 11 Mar at 6:55 PM by Venkat Pothamsetty


9 policies attached  ·  1 write policy  ·  8 read-only policies


Role purpose: Collecting compliance evidence from AWS accounts and monitoring — this role is assumed by the Transilience platform to assess security posture, gather audit artifacts, and run configuration checks across your AWS environment.



Each attached policy is listed below with its access level, purpose, read permissions, write permissions and scope.

Policy: SecurityAudit (AWS Managed)
Access: READ
Purpose: Collect compliance evidence across AWS services for monitoring and audit
Read permissions:
  • IAM, EC2, RDS, Lambda, Config
  • S3, CloudFormation, CloudWatch
  • Broad read across most AWS services
Write permissions: none
Scope: Resource: *

Policy: Transilience-ECR-S3-Read (Customer Managed)
Access: READ
Purpose: Vulnerability scanning of container images and reading S3 bucket configurations
Read permissions:
  • ECR: auth token, images, repos, scan findings, lifecycle & repo policies
  • S3: bucket location, policy, ACL, versioning, tagging, logging, encryption, CORS, replication, object lock
  • S3: ListBucket, ListAllMyBuckets
Write permissions: none
Scope: Resource: *

Policy: Transilience-Logs-VPC-Read (Customer Managed)
Access: READ
Purpose: Reading logs for compliance monitoring and network configuration evidence
Read permissions:
  • CloudWatch Logs: log groups, streams, events, metric filters, subscriptions
  • EC2/VPC: flow logs, VPCs, subnets, security groups, NACLs, route tables
  • EC2/VPC: NAT/internet gateways, transit gateways, instances, tags
Write permissions: none
Scope: Resource: *

Policy: Transilience-Security-Services-Read (Customer Managed)
Access: READ
Purpose: Collecting compliance evidence from AWS security services
Read permissions:
  • Inspector v2: findings, coverage, members, config
  • Security Hub: findings, insights, standards, controls
  • GuardDuty: findings, detectors, members
  • Macie: findings, bucket stats, session
  • Access Analyzer & Detective: list/get all
  • Account: alternate contacts
Write permissions: none
Scope: Resource: *

Policy: Transilience-CloudTrail-Read (Customer Managed)
Access: READ
Purpose: Security — auditing API activity and account-level events
Read permissions:
  • CloudTrail: describe/get/list trails
  • Event selectors, insight selectors
  • Event data stores, queries
Write permissions: none
Scope: Resource: *

Policy: Transilience-SSM-Read (Customer Managed)
Access: READ
Purpose: Reading instance configuration and patch state as compliance evidence
Read permissions:
  • Instances: describe info, properties, connection status
  • Inventory: get inventory, schema, entries
  • Patches: instance patches, patch states, baselines, patch groups
  • Commands: list commands & invocations, get invocation
  • Sessions: describe sessions
  • Documents: list, describe, get documents
  • Parameters: get/describe parameters & history
  • Associations: list, describe, execution details
  • Automation: describe/get executions & steps
  • Maintenance Windows: describe/get windows, targets, tasks, executions
  • Compliance: resource summaries, items, compliance summaries
Write permissions: none
Scope: Resource: *

Policy: Transilience-SSM-Write (Customer Managed)
Access: WRITE
Purpose: Running configuration scripts to collect configurations on instances, such as SSH, FIM
Read permissions: none
Write permissions:
  • Run Command: SendCommand, CancelCommand
  • Sessions: StartSession, TerminateSession, ResumeSession
  • Patches: create/update/delete patch baselines & groups
  • Maintenance Windows: create/update/delete windows, targets, tasks
  • Inventory: PutInventory, DeleteInventory
  • Associations: create/update/delete associations
  • Documents: create/update/delete documents
  • Parameters: PutParameter, DeleteParameter, tag resources
  • IAM PassRole: ssm.amazonaws.com only
Scope: Resource: * (PassRole: TransilienceComplianceRole)

Policy: Transilience-Cost-Explorer (Customer Managed)
Access: READ
Purpose: Cost analysis of compliance runs and service usage
Read permissions:
  • Cost Explorer: cost/usage, forecasts, reservations, savings plans, anomalies, tags
  • Cost & Usage Reports: describe report definitions
  • Budgets: view budgets, describe actions & history
  • Billing: data, details, preferences, credits, IAM access
Write permissions: none
Scope: Resource: *

Policy: TransilienceCloudTrailS3Access (Inline · Dynamic)
Access: READ
Purpose: Security — reading CloudTrail log files from S3 for audit evidence
Read permissions:
  • S3: GetBucketLocation, GetBucketAcl, ListBucket, GetBucketPolicy, GetBucketTagging (CloudTrail buckets only)
  • S3: GetObject, GetObjectVersion, GetObjectTagging (CloudTrail objects only)
Write permissions: none
Scope: CloudTrail buckets (Dynamic — resolved at deploy time)
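The one write policy above grants iam:PassRole, limited to the ssm.amazonaws.com service and a single target role. As an added example (not Transilience's own policy or code), the following Python check verifies that a deployed policy document actually enforces those two limits: every Allow statement granting iam:PassRole must name specific role ARNs, not a wildcard, and must pin the standard `iam:PassedToService` condition key to ssm.amazonaws.com. The sample policy, the account id and the role ARN are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample policy (placeholder account id), shaped like an SSM write
# policy whose PassRole statement is scoped the way the table describes.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ssm:SendCommand", "ssm:CancelCommand", "ssm:StartSession",
                "ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/TransilienceComplianceRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}}
  ]
}
""")


def _as_list(value):
    # IAM allows a string or a list in Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def passrole_findings(policy, allowed_service="ssm.amazonaws.com"):
    """Return problems found in every Allow statement that grants iam:PassRole.

    A statement passes only if its Resource names specific role ARNs (no '*')
    and its StringEquals condition pins iam:PassedToService to allowed_service.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # "iam:*" and "*" also grant PassRole, so match as IAM wildcards.
        if not any(fnmatch.fnmatch("iam:passrole", a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any("*" in r for r in resources):
            findings.append(f"statement {i}: PassRole resource is wildcarded: {resources}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = _as_list(cond.get("iam:PassedToService", []))
        if services != [allowed_service]:
            findings.append(f"statement {i}: PassRole not pinned to {allowed_service}: {services}")
    return findings


def policy_is_scoped(policy):
    """True when no PassRole statement is wildcarded or unpinned."""
    return passrole_findings(policy) == []
```

Run it against the policy JSON retrieved from IAM (for example via `aws iam get-policy-version`) before trusting the role in an account.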
