This article provides specific information on how we set up compliance reporting on your cloud.
Learn more about compliance reporting
Compliance reporting is a partnership between Telstra and Checkpoint CloudGuard Dome9. To expose information on your compliance posture via Cloud Sight, we've provided CloudGuard Dome9 with 'Read' access to your cloud. The permissions provided to CloudGuard Dome9 depend on the type of cloud:
- For Azure subscriptions this is generic 'Reader' access.
- For AWS we'll create a new IAM role and deploy it to your cloud. There are 3 policies applied to this IAM role. Two of these are 'AWS managed policies':
  - SecurityAudit
  - AmazonInspectorReadOnlyAccess
The third policy is a 'Customer managed policy' we've created. See the code snippet below for the specific permissions applied.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Dome9ReadOnly",
      "Action": [
        "cloudtrail:LookupEvents",
        "cognito-identity:DescribeIdentityPool",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeRiskConfiguration",
        "dynamodb:DescribeTable",
        "dynamodb:ListTagsOfResource",
        "ec2:SearchTransitGatewayRoutes",
        "elasticfilesystem:Describe*",
        "elasticache:ListTagsForResource",
        "es:ListTags",
        "firehose:Describe*",
        "firehose:List*",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:List*",
        "kinesis:Describe*",
        "kinesisvideo:Describe*",
        "kinesisvideo:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:FilterLogEvents",
        "lambda:List*",
        "s3:List*",
        "glue:GetSecurityConfigurations",
        "secretsmanager:DescribeSecret",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "waf-regional:ListResourcesForWebACL",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
See the CloudGuard Dome9 article on AWS policies and permissions for more information on this policy.
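Before deploying a third party's customer managed policy to your account it is worth confirming that it really is read-only. The Python script below is an added example, not Telstra's or CloudGuard Dome9's code: it embeds the action list from the policy above and flags any allowed action whose verb is not a read-only prefix, any `service:*` or `*` wildcard, and any `NotAction` grant. The set of verb prefixes treated as read-only is an assumption of the example.

```python
import re

# Actions from the Dome9ReadOnly customer managed policy shown in this
# article, copied here so the check runs offline without AWS access.
PAGE_ACTIONS = [
    "cloudtrail:LookupEvents", "cognito-identity:DescribeIdentityPool",
    "cognito-idp:DescribeUserPool", "cognito-idp:DescribeRiskConfiguration",
    "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource",
    "ec2:SearchTransitGatewayRoutes", "elasticfilesystem:Describe*",
    "elasticache:ListTagsForResource", "es:ListTags", "firehose:Describe*",
    "firehose:List*", "guardduty:Get*", "guardduty:List*", "kinesis:List*",
    "kinesis:Describe*", "kinesisvideo:Describe*", "kinesisvideo:List*",
    "logs:Describe*", "logs:Get*", "logs:FilterLogEvents", "lambda:List*",
    "s3:List*", "glue:GetSecurityConfigurations", "secretsmanager:DescribeSecret",
    "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic",
    "sns:ListTagsForResource", "waf-regional:ListResourcesForWebACL",
    "eks:ListNodegroups", "eks:DescribeNodegroup",
]
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Dome9ReadOnly", "Action": PAGE_ACTIONS, "Effect": "Allow", "Resource": "*"}]}

# Assumed verb prefixes that only read state; any other verb is treated as mutating.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Lookup", "Search", "Filter")
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z]+\*?)$")  # service:Verb or service:Verb*

def check_read_only(policy: dict) -> list[str]:
    """Return findings for anything in an Allow statement that is not read-only."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append("NotAction grant in statement")  # allows everything not listed
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]  # IAM accepts a single string or a list
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard grant {action!r}")
                continue
            m = ACTION_RE.match(action)
            if not m:
                findings.append(f"unparseable action {action!r}")
            elif not m.group(2).startswith(READ_ONLY_VERBS):
                findings.append(f"mutating verb in {action!r}")
    return findings

if __name__ == "__main__":
    print(check_read_only(PAGE_POLICY) or "policy is read-only")
```

Run the same check against the policy document you actually download from the CloudGuard Dome9 article, not only the copy in this page, since the third party may revise it over time.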