Please note this article applies only to BYO AWS clouds, and not AWS from Telstra.
You need to follow the steps documented below if you're seeing a 'Missing extension permissions' error against your compliance feature on a BYO AWS account (a cloud you've purchased from a provider other than Telstra).
Pre-requisites
You need to have a Telstra Cloud Sight provider role deployed to your AWS account. You may have already deployed it by following the instructions to run the Cloud Sight CloudFormation template.
Giving Cloud Sight permission to enable compliance monitoring
1. Log into your AWS console and navigate to 'IAM'. You can type 'IAM' into the search bar to find this.
2. Within the IAM page, select 'Roles'
3. Click on the 'TelstraCloudSightComplianceMonitoringRole'
Note: If you can't find a role with the name 'TelstraCloudSightComplianceMonitoringRole', you could instead have a role called 'Dome9-ComplianceMonitoring' or 'Dome9ReadOnlyAccess'. Click on either of those.
4. In the 'Permissions' tab, check that the 'SecurityAudit' AWS managed policy is attached to the role. SecurityAudit is AWS's read-only auditing policy: it lets Cloud Sight read security configuration across services without granting any permission to change them.
If the 'SecurityAudit' managed policy hasn't been attached:
4.1. Click on the Attach policies button.
4.2. Enter 'SecurityAudit' in the search field and select the 'SecurityAudit' managed policy checkbox.
4.3. Click Attach policy. You'll return to the 'Permissions' tab, where the 'SecurityAudit' policy is now listed.
5. Expand 'Permissions Policies'. Under it you'll find 'TelstraCloudSightComplianceMonitoringPolicy'. Expand this as well.
Note: Your policy name may differ, depending on the role name. Please continue regardless of the name.
6. Click on the Edit Policy button and select the 'JSON' tab.
7. Replace the policy's JSON with the following. Every action in it is a read-only call (Get, List, Describe, Search or Filter), so this widens what Cloud Sight can inspect without giving it any ability to modify resources:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "apigateway:GET",
        "athena:GetQueryExecution",
        "athena:GetWorkGroup",
        "cognito-identity:DescribeIdentityPool",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeRiskConfiguration",
        "dynamodb:ListTagsOfResource",
        "ec2:SearchTransitGatewayRoutes",
        "elasticfilesystem:Describe*",
        "elasticache:ListTagsForResource",
        "es:ListTags",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "glue:GetConnections",
        "glue:GetSecurityConfigurations",
        "kafka:ListClusters",
        "kinesis:List*",
        "kinesis:Describe*",
        "kinesisvideo:Describe*",
        "kinesisvideo:List*",
        "logs:Get*",
        "logs:FilterLogEvents",
        "logs:ListLogDeliveries",
        "mq:DescribeBroker",
        "mq:ListBrokers",
        "network-firewall:DescribeFirewall",
        "network-firewall:DescribeLoggingConfiguration",
        "network-firewall:ListFirewalls",
        "personalize:DescribeDatasetGroup",
        "personalize:ListDatasetGroups",
        "s3:List*",
        "secretsmanager:DescribeSecret",
        "sns:ListSubscriptions",
        "sns:ListTagsForResource",
        "sns:GetPlatformApplicationAttributes",
        "sns:ListPlatformApplications",
        "states:DescribeStateMachine",
        "transcribe:Get*",
        "transcribe:List*",
        "translate:GetTerminology",
        "waf-regional:ListResourcesForWebACL",
        "wafv2:ListWebACLs",
        "wafv2:ListResourcesForWebACL"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
8. Click on the Review Policy button at the bottom of the screen.
9. On the 'Review policy' screen, click on Save changes.
Once you've completed these steps, return to your details page on Cloud Sight and hit the check status button. If the error continues to appear, please contact us.
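If you manage many BYO accounts, clicking through the console for each one does not scale, and it is easy to miss an action when comparing policy text by eye. The script below is an added example, not Telstra's or Cloud Sight's own tooling: it performs the same checks as steps 4 and 5 through the IAM API (is SecurityAudit attached, which of the required actions the inline policy is missing, and whether anything in the policy goes beyond read-only), and with --fix applies steps 4.1 to 4.3 and 7 to 9 the way the console would. The role and inline policy names default to the ones used in this article; pass others on the command line if yours differ (see the note under step 3). It assumes boto3 is installed and that the credentials in your environment can read, and for --fix write, IAM in the target account. The offline checks need no AWS access at all.

```python
"""Audit the Cloud Sight compliance role against the policy in this article.
Added example (not Telstra/Cloud Sight code). Assumes the role and inline policy
names used in the article; override them on the command line.
Usage: python check_cloudsight_role.py [ROLE_NAME] [INLINE_POLICY_NAME] [--fix]
"""
import json
import sys
from fnmatch import fnmatchcase

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

# The inline policy from step 7, action for action.
REQUIRED_ACTIONS = [
    "apigateway:GET", "athena:GetQueryExecution", "athena:GetWorkGroup",
    "cognito-identity:DescribeIdentityPool", "cognito-idp:DescribeUserPool",
    "cognito-idp:DescribeRiskConfiguration", "dynamodb:ListTagsOfResource",
    "ec2:SearchTransitGatewayRoutes", "elasticfilesystem:Describe*",
    "elasticache:ListTagsForResource", "es:ListTags", "eks:DescribeNodegroup",
    "eks:ListNodegroups", "glue:GetConnections", "glue:GetSecurityConfigurations",
    "kafka:ListClusters", "kinesis:List*", "kinesis:Describe*", "kinesisvideo:Describe*",
    "kinesisvideo:List*", "logs:Get*", "logs:FilterLogEvents", "logs:ListLogDeliveries",
    "mq:DescribeBroker", "mq:ListBrokers", "network-firewall:DescribeFirewall",
    "network-firewall:DescribeLoggingConfiguration", "network-firewall:ListFirewalls",
    "personalize:DescribeDatasetGroup", "personalize:ListDatasetGroups", "s3:List*",
    "secretsmanager:DescribeSecret", "sns:ListSubscriptions", "sns:ListTagsForResource",
    "sns:GetPlatformApplicationAttributes", "sns:ListPlatformApplications",
    "states:DescribeStateMachine", "transcribe:Get*", "transcribe:List*",
    "translate:GetTerminology", "waf-regional:ListResourcesForWebACL",
    "wafv2:ListWebACLs", "wafv2:ListResourcesForWebACL",
]
REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": REQUIRED_ACTIONS, "Resource": "*", "Effect": "Allow"}],
}
# Verbs an auditing role should be limited to; anything else gets flagged.
READ_ONLY_VERBS = ("get", "list", "describe", "search", "filter")


def _as_list(value):
    # IAM accepts a bare string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]


def granted_actions(policy_doc):
    """Actions the policy allows on every resource ("Resource": "*")."""
    granted = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        granted.extend(_as_list(stmt.get("Action", [])))
    return granted


def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Required actions the policy does not cover. IAM action names are
    case-insensitive and may contain '*' wildcards, which fnmatch handles."""
    granted = [g.lower() for g in granted_actions(policy_doc)]
    return [a for a in required if not any(fnmatchcase(a.lower(), g) for g in granted)]


def non_read_only_actions(policy_doc):
    """Granted actions whose verb is not a read verb (e.g. 's3:*' or 'iam:PassRole')."""
    flagged = []
    for action in granted_actions(policy_doc):
        verb = action.split(":", 1)[-1].lower()
        if not verb.startswith(READ_ONLY_VERBS):
            flagged.append(action)
    return flagged


def audit_role(iam, role_name, policy_name):
    """What steps 4 and 5 check in the console, read through the IAM API."""
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    inline_names = iam.list_role_policies(RoleName=role_name)["PolicyNames"]
    doc = {}
    if policy_name in inline_names:  # boto3 returns the document already decoded
        doc = iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)["PolicyDocument"]
    return {
        "security_audit_attached": any(p["PolicyArn"] == SECURITY_AUDIT_ARN for p in attached),
        "inline_policy_present": policy_name in inline_names,
        "missing_actions": missing_actions(doc),
        "non_read_only_actions": non_read_only_actions(doc),
    }


def apply_fix(iam, role_name, policy_name):
    """Steps 4.1-4.3 and 7-9 via the API: attach SecurityAudit, overwrite the inline policy."""
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SECURITY_AUDIT_ARN)  # no-op if attached
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(REQUIRED_POLICY))


if __name__ == "__main__":
    import boto3  # imported here so the offline checks above need no AWS SDK
    args = [a for a in sys.argv[1:] if a != "--fix"]
    role = args[0] if args else "TelstraCloudSightComplianceMonitoringRole"
    policy = args[1] if len(args) > 1 else "TelstraCloudSightComplianceMonitoringPolicy"
    iam_client = boto3.client("iam")
    if "--fix" in sys.argv:
        apply_fix(iam_client, role, policy)
    print(json.dumps(audit_role(iam_client, role, policy), indent=2))
```

Run it without --fix first and read the output: an empty missing_actions list with security_audit_attached true means the console steps are already done and the error has another cause; a non-empty non_read_only_actions list means someone has widened the role beyond auditing and is worth a look before you overwrite it. Only Allow statements with "Resource": "*" are counted, because Cloud Sight needs these actions across the whole account, not on a single resource.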