AWS Permissions

AWS Onboarding Version 83

High-Level Overview

This CloudFormation template provisions a set of IAM roles and managed policies that allow DSPM to securely scan AWS accounts, deploy supporting services, and perform vulnerability/data scans.

At a high level, the template does the following:

  • Creates cross-account access roles so that DSPM can assume permissions in the target account.
  • Grants SecurityAudit baseline permissions plus additional read/list access across AWS services (e.g., S3, DynamoDB, RDS, Redshift, Bedrock, Secrets Manager).
  • Defines specialized policies for:
    • Cloud scanning (inventory, cost, exposure checks)
    • Data scanning (reading S3/RDS/DynamoDB/Redshift data, tagging and restoring snapshots)
    • Snapshot management (taking and deleting snapshots for datastore scans)
    • Vulnerability scanning (creating volumes, attaching/detaching storage, scanning ECR images)
    • SaaS incremental scans (using SQS + Lambda)
    • EKS deployment (creating/maintaining EKS clusters and nodes)
    • VPC creation (building isolated VPC environments for scanning)
    • EC2 deployment and operations (launching, tagging, terminating scanning instances)
  • Scopes write/modify permissions using tags and resource ARNs so that mutating actions apply only to DSPM-created resources. The read and list grants are broader (SecurityAudit plus the service-specific reads listed below, including Secrets Manager reads), so the breakdown below separates "Read-only" from "Elevated (scoped)" for each policy.

DSPM has designed its cloud integration with a strict separation of duties between the DSPM platform account and the scanner components deployed inside your environment.

  • DSPM Platform / Account (NormalyzeRole):
    • Limited to inventorying resources (read-only metadata such as what buckets, databases, and instances exist).
    • Can deploy scanner infrastructure into your environment (for example, creating roles, queues, and Lambdas that are required for scanning).
    • Cannot access or read your business data directly. Its permissions stop at discovery and deployment.
  • Scanner in Your Environment (DataScanRole, VulScanRole, etc.):
    • Runs entirely inside your account / VPC under roles that you own.
    • These roles have the narrowly scoped permissions required to read your data sources (e.g., S3 objects, database contents) and to perform scans.
    • The scanner reads your data for classification, risk, or vulnerability analysis — but DSPM’s own SaaS account never has this access.

In short: DSPM can only see “what exists,” while your in-account scanners are the only components that can actually “look inside.” This ensures that sensitive data never leaves your control except through the scanner that you authorize.

Deep Dive: Permissions Breakdown

1. Normalyze Role and Policy

  • Trusts: normalyze-access role in the DSPM account, a deployer user, Lambda, and CloudFormation.
  • Grants: SecurityAudit managed policy + additional custom policies.
  • Purpose: Acts as the main cross-account role DSPM assumes to perform scans.

NormalyzeRole

  • Inherits AWS SecurityAudit managed policy → Read-only access across many AWS services for security posture evaluation (IAM, S3, EC2, RDS, etc.).
  • Additional permissions, gained via attached custom policies:
    • NormalyzeCloudScanPolicy
    • NormalyzeDataScanDeployPolicy
    • NormalyzeSnapshotManagementPolicy
    • NormalyzeRDSScanPolicy
    • NormalyzeSaasIncrementalScanDeployPolicy
    • NormalyzeCreateVPCPolicy
    • NormalyzeEC2DeployPolicy

2. Cloud Scan Policy

  • Read-only discovery across services:
    • API Gateway integrations (apigateway:GET)
    • CloudWatch metrics (cloudwatch:GetMetricStatistics)
    • MemoryDB, KeySpaces, SSO Identity Store, DLM, Bedrock models
    • Cost Explorer APIs (ce:GetCostAndUsage, ce:ListTagsForResource)
  • Purpose: Collect inventory, configuration, exposure, and cost metadata.

NormalyzeCloudScanPolicy

Read-only:

  • apigateway:GET — Read API Gateway integrations (internet exposure discovery). Impact: visibility only, no changes.
  • cloudwatch:GetMetricStatistics — Read CW metrics (e.g., S3/data metrics). Impact: metrics insights only.
  • memorydb:DescribeSubnetGroups — Inventory subnet groups. Impact: visibility only.
  • cassandra:Select — Read Keyspaces data. Impact: data read path. This is the one action in this policy that reads data content rather than metadata, and it is attached to NormalyzeRole rather than to an in-account scanner role, so it is an exception to the discovery-only description in the overview; confirm it is required before deploying.
  • sso:ListInstances, identitystore:ListUsers — Read SSO instances/users. Impact: identity inventory only.
  • dlm:GetLifecyclePolicies, dlm:GetLifecyclePolicy — Read DLM policies. Impact: policy visibility.
  • Bedrock (list/get):
    bedrock:GetCustomModel, bedrock:ListCustomModels, bedrock:ListDataSources, bedrock:GetDataSource, bedrock:ListKnowledgeBases, bedrock:GetKnowledgeBase, bedrock:ListAgents, bedrock:GetAgent, bedrock:GetFoundationModel, bedrock:ListFoundationModels, bedrock:GetModelInvocationLoggingConfiguration, bedrock:GetProvisionedModelThroughput, bedrock:ListProvisionedModelThroughputs, bedrock:GetModelCustomizationJob, bedrock:ListModelCustomizationJobs, bedrock:ListTagsForResource, bedrock:GetFoundationModelAvailability. Impact: Bedrock resource inventory.
  • Cost Explorer (read plus tag status):
    ce:GetCostAndUsage, ce:ListCostAllocationTagBackfillHistory, ce:ListCostAllocationTags, ce:ListTagsForResource, ce:GetTags are reads. ce:UpdateCostAllocationTagsStatus is not: it activates or deactivates cost allocation tag keys in billing, so it is a write action listed under Read-only. Impact: cost visibility, plus one billing-configuration change that affects no workloads or data (non-destructive, but not read-only).
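The Read-only versus Elevated (scoped) split used throughout this breakdown is a review worth repeating mechanically against the actual template before deploying. The Python below is an added example, not code from this page or from the DSPM template: it classifies each Allow action as a metadata read, a data read or a mutation, and flags any data-read or mutating action whose statement carries neither a specific resource ARN nor a Condition block. The sample policy it runs over is constructed to mirror the statement types described on this page (including ce:UpdateCostAllocationTagsStatus sitting in a Resource:* statement) and is not the template's real policy text; the verb lists are a reviewer heuristic, not an AWS-provided classification.

```python
"""Review helper (illustration only): classify each Allow action in an IAM
policy document and flag data-read or mutating actions whose statement has
neither a specific resource ARN nor a Condition."""
import fnmatch

# Reviewer heuristic, not an AWS-provided classification. Compared in lower
# case so apigateway:GET and rds-db:connect are treated like Get*/Connect*.
READ_ONLY_VERBS = ("get", "list", "describe", "batchget", "select",
                   "query", "scan", "filter", "connect")

# Reads that return customer data or credentials rather than metadata.
DATA_READ_PATTERNS = (
    "s3:GetObject*", "dynamodb:Get*", "dynamodb:BatchGet*", "dynamodb:Query",
    "dynamodb:Scan", "cassandra:Select", "secretsmanager:GetSecretValue",
    "redshift:GetClusterCredentials*", "rds-db:connect", "kms:Decrypt",
    "logs:GetLogEvents", "logs:FilterLogEvents",
)


def classify(action):
    """Return 'data-read', 'metadata-read' or 'mutate' for one IAM action."""
    if any(fnmatch.fnmatchcase(action, p) for p in DATA_READ_PATTERNS):
        return "data-read"
    verb = action.split(":", 1)[-1].lower()
    if any(verb.startswith(v) for v in READ_ONLY_VERBS):
        return "metadata-read"
    return "mutate"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_scoped(statement):
    """Scoped means a resource ARN other than bare '*', or any Condition
    block (for example aws:ResourceTag gating)."""
    resources = _as_list(statement.get("Resource"))
    arn_scoped = bool(resources) and "*" not in resources
    return arn_scoped or bool(statement.get("Condition"))


def review(policy):
    """Return (Sid, action, category) for every Allow action that reads data
    or mutates while its statement is unscoped. Metadata reads on Resource:*
    are accepted, as the breakdown on this page accepts them."""
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or is_scoped(st):
            continue
        for action in _as_list(st.get("Action")):
            category = classify(action)
            if category != "metadata-read":
                findings.append((st.get("Sid", "<no Sid>"), action, category))
    return findings


# Constructed sample modelled on the statement types this page describes;
# it is not the template's real policy text.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudScanReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["apigateway:GET", "cloudwatch:GetMetricStatistics",
                    "cassandra:Select", "ce:GetCostAndUsage",
                    "ce:UpdateCostAllocationTagsStatus"]},
        {"Sid": "RdsScanTagGated", "Effect": "Allow", "Resource": "*",
         "Action": ["rds:DeleteDBInstance", "rds:ModifyDBInstance"],
         "Condition": {"StringLike": {"aws:ResourceTag/Name": "Normalyze*"}}},
        {"Sid": "ScannerLogs", "Effect": "Allow",
         "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/normalyze-*",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Sid": "SecretsRead", "Effect": "Allow", "Resource": "*",
         "Action": "secretsmanager:GetSecretValue"},
    ],
}

if __name__ == "__main__":
    for sid, action, category in review(SAMPLE_POLICY):
        print(f"{sid}: {action} is {category} but has no ARN or Condition scope")
```

On the constructed sample the helper reports cassandra:Select and ce:UpdateCostAllocationTagsStatus from the "read-only" statement and the account-wide secretsmanager:GetSecretValue; the tag-gated RDS statement and the ARN-scoped log statement produce no finding. To apply it to a real onboarding stack, load the policy documents from the CloudFormation template (or fetch them with aws iam get-policy-version after deployment) and pass each one to review().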

3. Data Scan Role & Policy

  • Grants Lambda functions permission to:
    • Read and list S3 objects (including versions, ACLs, tags).
    • Write/read CloudWatch Logs.
    • Read/filter logs across log groups.
    • Add tags and restore RDS instances/clusters from snapshots (with KMS decryption).
    • Create/modify RDS option and parameter groups.
    • Create/delete ENIs for VPC-deployed scanners.
    • Read DynamoDB, RDS, Keyspaces, Redshift.
    • Put results into dedicated S3 buckets and read SNS attributes.
  • Purpose: Enable deep data content scanning of datastores.

NormalyzeDataScanPolicy

Read-only:

  • S3 (read/list): s3:GetObject*, s3:ListBucket*, s3:GetBucketVersioning. Impact: object inspection.
  • Logs (read): logs:FilterLogEvents, logs:GetLogEvents. Impact: read DB/service logs.
  • EC2/RDS network/describe: ec2:DescribeVpcs, ec2:DescribeSecurityGroups, rds:DescribeDBClusterSnapshots. Impact: environment inventory.
  • DynamoDB (read): dynamodb:Get*, dynamodb:BatchGet*, dynamodb:Query, dynamodb:Scan, dynamodb:Describe*, dynamodb:List*. Impact: table scan/query.
  • RDS (read/connection): rds:Describe*, rds-db:connect. Impact: metadata reads, plus permission to generate an IAM authentication token for a named database user. What that user can do once connected (reads only versus schema changes) is governed by grants inside the database, not by this IAM policy.
  • Keyspaces/Redshift (read): cassandra:Select, redshift:Describe*. Impact: data/metadata reads.
  • Redshift creds (temporary-credential flow): redshift:GetClusterCredentials, redshift:GetClusterCredentialsWithIAM, redshift:CreateClusterUser, redshift:JoinGroup. Impact: obtain temporary database credentials. CreateClusterUser and JoinGroup are the IAM actions Redshift evaluates when GetClusterCredentials is called with AutoCreate or DbGroups, so the role can create a database user and add it to groups; no cluster configuration changes.
  • SNS (read): sns:GetSubscriptionAttributes. Impact: read subscription metadata.

Elevated (scoped):

  • Logs (write/manage own groups): logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents. Impact: write scanner logs (to DSPM-scoped groups).
  • Tagging: rds:AddTagsToResource with strict tag condition. Impact: apply DSPM tags only.
  • Restore DB (incl. decrypt): rds:RestoreDBInstanceFromDBSnapshot, rds:RestoreDBClusterFromSnapshot, kms:Decrypt (KMS keys in account). Impact: create temporary copies for scanning.
  • Limited restore/create (tag-gated): rds:CreateDBInstance + restores with Name tag. Impact: controlled creation for scans.
  • RDS option/parameter groups (limited create/modify, tag-gated): rds:CreateOptionGroup, rds:ModifyOptionGroup, rds:CreateDBParameterGroup, rds:ModifyDBParameterGroup. Impact: configure ephemeral scan infra.
  • KMS use for restore: kms:DescribeKey, kms:CreateGrant. Impact: enable snapshot decryption for restores.
  • ENI & tagging (scoped): ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:CreateTags. Impact: VPC-mode scanner networking.
  • Activity analyzer S3 (scoped bucket): s3:PutObject*, s3:GetObject*, s3:ListBucket*, upload-related list/abort. Impact: write/read only to the DSPM activity bucket.

4. Data Scan Deploy Policy

  • Allows deployment/maintenance of DSPM Lambda functions:
    • iam:PassRole for scanner/remediator roles.
    • Manage CloudFormation stacks created by DSPM.
    • Delete DSPM IAM roles/policies when cleaning up.
    • Deploy/update/invoke scanner Lambdas.
    • Manage ECR images for scanner functions.
    • Create/delete DSPM S3 buckets.
    • Manage log groups and limited KMS keys.
  • Purpose: Automated deployment and lifecycle management of DSPM scanners.

NormalyzeDataScanDeployPolicy

Elevated (scoped):

  • iam:PassRole to Lambda (datascan & remediation roles). Impact: attach execution roles only to Lambda service.
  • CloudFormation (stack control): cloudformation:DeleteStack, DescribeStacks, DescribeStackEvents (only the onboarding stack). Impact: manage the DSPM onboarding stack.
  • IAM cleanup (scoped to DSPM assets): iam:DeleteRole, DeletePolicy, DeleteRolePolicy, DeletePolicyVersion, DetachRolePolicy. Impact: uninstall/cleanup only DSPM roles/policies.
  • Lambda lifecycle (DSPM functions only):
    lambda:AddPermission, CreateFunction, DeleteFunction, GetFunction, InvokeFunction, UpdateFunction*, TagResource, Get/Put/Delete/UpdateFunctionEventInvokeConfig. Impact: create/update/invoke only DSPM-prefixed functions.
  • ECR (specific repos): ecr:BatchGetImage, BatchDeleteImage, GetDownloadUrlForLayer, TagResource. Impact: pull/maintain scanner images (DSPM ECR repos).
  • ECR registry (account-level): ecr:GetAuthorizationToken, ecr:DescribeRegistry. Impact: temporary registry auth / view.
  • ECR service-linked role: iam:CreateServiceLinkedRole (replication role). Impact: allow ECR replication role creation.
  • S3 (DSPM buckets only): s3:CreateBucket, DeleteBucket, PutBucketAcl, PutBucketPublicAccessBlock, PutBucketPolicy, ListBucket, GetObject, DeleteObject, PutObject, DeleteBucketPolicy (for normalyze-storage-*, nz-activity-analyzer*). Impact: create/manage DSPM deployment buckets.
  • Logs (DSPM groups only): logs:CreateLogGroup, DeleteLogGroup, PutRetentionPolicy. Impact: manage retention & lifecycle of scanner log groups.
  • KMS (DSPM-tagged keys): kms:DescribeKey, kms:CreateGrant on key/* with Name tag. Impact: permit decrypt grants for scanner flows.

5. Snapshot Management Policy

  • Permissions for taking, tagging, and deleting datastore snapshots:
    • RDS, EC2 (EBS), ElastiCache, Redshift.
    • Restores snapshots only if tagged for DSPM.
  • Purpose: Allows snapshot-based scans while preventing arbitrary snapshot tampering.

NormalyzeSnapshotManagementPolicy

Read-only (inventory for snapshot ops):

  • rds:Describe*, ec2:Describe*, elasticache:Describe*. Impact: find resources/snapshots.

Elevated (scoped):

  • Redshift restore & mgmt:
    redshift:RestoreFromClusterSnapshot, CreateClusterSubnetGroup, DeleteClusterSubnetGroup, CreateTags (DSPM subnet groups), ModifyCluster, DeleteCluster (tag-gated), CreateTags (on DSPM-named clusters). Impact: create/modify/delete DSPM-managed restored clusters only.
  • RDS/EC2/ElastiCache snapshots:
    rds:CreateDBSnapshot, ec2:CreateSnapshots, ec2:CreateSnapshot, elasticache:CreateServerlessCacheSnapshot. Impact: create point-in-time copies.
  • Tag snapshots (DSPM-created): rds:AddTagsToResource, ec2:CreateTags, elasticache:AddTagsToResource on snapshot:Normalyze-*. Impact: governance/traceability tags.
  • Delete DSPM snapshots: rds:DeleteDBSnapshot, elasticache:DeleteSnapshot, ec2:DeleteSnapshot (only DSPM snapshots). Impact: cleanup.

6. RDS Scan Policy

  • Allows delete/modify RDS resources only if tagged with DSPM identifiers.
  • Purpose: Restricts destructive RDS actions to resources created for scanning.

NormalyzeRDSScanPolicy

Elevated (strictly tag-scoped):

  • rds:DeleteDBInstance, DeleteDBSnapshot, ModifyDBInstance, DeleteDBCluster, DeleteDBClusterSnapshot, ModifyDBCluster, DeleteOptionGroup, DeleteDBParameterGroup, only on resources with the Normalyze Name tag. Impact: tear-down/modify only DSPM-created/-tagged RDS assets; prevents collateral changes. Note that a tag gate is only as strong as the controls on who can apply the gating tag, which is why the tag condition on rds:AddTagsToResource (section 3) matters.
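Tag-gated statements like these hold only if the same principal cannot apply the gating tag to arbitrary existing resources. The Python below is an added example, not code from this page or from the DSPM template: a minimal evaluator for StringEquals/StringLike conditions on aws:ResourceTag and aws:RequestTag, run against constructed statements (a delete statement gated on the Name tag, a loose tagging grant conditioned only on the request tag, and a hardened variant that also restricts tagging to resource ARNs following DSPM's own naming). The ARNs, tag values, the normalyze-* name prefix and the assumption that a missing context key makes a plain String condition false are illustrative; check the template's actual AddTagsToResource conditions rather than assuming either variant.

```python
"""Minimal evaluator for tag-gated IAM Allow statements (illustration only).

Models just enough of IAM to show two things: a resource without the gating
tag gets an implicit deny, and a tagging grant conditioned only on
aws:RequestTag lets a principal pull any existing resource into the gate."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _context(resource_tags, request_tags):
    """Build the request context keys IAM would expose for the tags."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    return ctx


def _condition_holds(condition, ctx):
    """All operator/key pairs must hold. Assumption (matches IAM for plain
    String* operators without ...IfExists): a key absent from the context
    makes the condition false."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            patterns = _as_list(expected)
            if operator == "StringEquals" and actual not in patterns:
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, p) for p in patterns):
                return False
    return True


def allowed(policy, action, resource_arn, resource_tags=None, request_tags=None):
    """True if any Allow statement matches action, resource ARN and condition.
    Deny statements are not modelled; the constructed policies have none."""
    ctx = _context(resource_tags or {}, request_tags or {})
    for st in _as_list(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False


def can_tag_into_scope(policy, resource_arn, resource_tags,
                       gate_tag=("Name", "Normalyze-scan")):
    """Escalation check: tag an out-of-scope resource with the gating tag,
    then see whether the tag-gated delete becomes allowed."""
    key, value = gate_tag
    if not allowed(policy, "rds:AddTagsToResource", resource_arn,
                   resource_tags, {key: value}):
        return False
    return allowed(policy, "rds:DeleteDBInstance", resource_arn,
                   {**resource_tags, key: value})


# Constructed statements modelled on this page's descriptions, not the
# template's actual text.
GATE = {"Sid": "RdsDeleteTagGated", "Effect": "Allow", "Resource": "*",
        "Action": ["rds:DeleteDBInstance", "rds:ModifyDBInstance"],
        "Condition": {"StringLike": {"aws:ResourceTag/Name": "Normalyze*"}}}

# Loose: only the tag being applied is checked, so any existing RDS
# resource can be tagged into scope and then deleted.
LOOSE_TAGGING = {"Sid": "TagAnyResource", "Effect": "Allow", "Resource": "*",
                 "Action": "rds:AddTagsToResource",
                 "Condition": {"StringLike": {"aws:RequestTag/Name": "Normalyze*"}}}

# Hardened: tagging is also limited to ARNs following DSPM's own naming
# (hypothetical normalyze-* prefix), so foreign databases stay out of scope.
STRICT_TAGGING = dict(LOOSE_TAGGING, Sid="TagDspmNamedOnly",
                      Resource="arn:aws:rds:*:*:db:normalyze-*")

LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [GATE, LOOSE_TAGGING]}
STRICT_POLICY = {"Version": "2012-10-17", "Statement": [GATE, STRICT_TAGGING]}

# Constructed ARNs and tags for the walk-through.
PROD_DB = "arn:aws:rds:us-east-1:123456789012:db:prod-orders"
SCAN_DB = "arn:aws:rds:us-east-1:123456789012:db:normalyze-scan-7f3a"

if __name__ == "__main__":
    print("delete prod DB without gate tag:",
          allowed(LOOSE_POLICY, "rds:DeleteDBInstance", PROD_DB, {"Name": "prod-orders"}))
    for name, pol in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(f"{name} tagging: prod DB can be tagged into scope and deleted:",
              can_tag_into_scope(pol, PROD_DB, {"Name": "prod-orders"}))
```

With the loose tagging grant the production database is deletable in two calls even though it never carried a Normalyze tag; with the ARN-restricted grant the tagging step is denied and the gate holds. For a live check of the real template, the same question can be put to IAM with aws iam simulate-principal-policy, supplying aws:ResourceTag/Name and aws:RequestTag/Name as context entries.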

7. Secrets Manager Policy

  • Grants read (secretsmanager:GetSecretValue) on all Secrets Manager secrets in the account; no resource ARN or tag condition narrows it.
  • Used by data scanners, SaaS EKS pods, and vulnerability scanners.
  • Purpose: Credential access for datastore connections.

NormalyzeSecretMgrFullAccessPolicy

Read-only:

  • secretsmanager:GetSecretValue — read secret values for datastore connections and exposure/usage checks. Impact: access to the plaintext of every secret in the account; no secret mutation. Despite the policy name, GetSecretValue is the only action listed. Because this is a data-content grant with no resource scoping, confirm it is attached only to the in-account scanner roles named above and, where practical, restrict Resource to the secrets the scanners actually use.

8. SaaS Incremental Scan Policies

  • Create and manage SQS queues and Lambda event source mappings.
  • Allow queue access (send, receive, purge) but only on tagged DSPM queues.
  • Purpose: Enable incremental SaaS datastore scans.

NormalyzeSaasIncrementalScanDeployPolicy

Read-only / list:

  • sqs:ListQueues (tag-filtered) — Needed to resolve queue URLs from names. Impact: discovery only.

Elevated (scoped to DSPM queues/functions):

  • Create/manage queues: sqs:CreateQueue, sqs:GetQueueAttributes, sqs:SetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueueTags, sqs:TagQueue, sqs:DeleteQueue on nz-saas-incr-scan-*-duoec48r5f1kxb2y867k(.fifo); tag-scoped. Impact: lifecycle of only DSPM SaaS incremental queues.
  • Queue access: sqs:SendMessage, sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:DeleteMessage, sqs:ReceiveMessage, sqs:ChangeMessageVisibility, sqs:PurgeQueue on those same queues; tag-scoped. Impact: produce/consume scan tasks.
  • Lambda event source mappings: lambda:CreateEventSourceMapping, lambda:DeleteEventSourceMapping, lambda:GetEventSourceMapping, lambda:ListEventSourceMappings, lambda:UpdateEventSourceMapping (scoped via the lambda:FunctionArn condition key to saas_crawler_lambda_duoec48r5f1kxb2y867k). Impact: wire SQS queues to the crawler Lambda only.

NormalyzeSaasCrawlerLambdaQueueAccessPolicy

Lets crawler Lambda consume SaaS queues.

Elevated (scoped to DSPM queues):

  • sqs:ReceiveMessage, sqs:DeleteMessage, sqs:ChangeMessageVisibility, sqs:PurgeQueue on nz-saas-incr-scan-*-duoec48r5f1kxb2y867k(.fifo); tag-scoped. Impact: lets the crawler Lambda drain and manage only DSPM-created incremental queues.

9. Vulnerability Scan Role & Policy

  • Attached to EC2 instances used for vulnerability scanning.
  • Grants:
    • Create/attach/delete EBS volumes (only tagged volumes).
    • Pull images from ECR (for container scanning).
    • Use KMS keys to decrypt/re-encrypt storage.
    • Modify/restore RDS clusters with DSPM tags.
    • Connect to RDS databases.
  • Purpose: Enables workload and image vulnerability scanning.

NormalyzeVulnerabilityScanPolicy

Read-only:

  • ec2:DescribeVolumes — check volume status. Describe* actions do not support resource-level permissions, so Resource must be *. Impact: inventory/status only.

Elevated (scoped):

  • Create volumes: ec2:CreateVolume on the new volume resource; tag-gated. Impact: build analysis copies.
  • Use snapshots: ec2:CreateVolume on arn:aws:ec2:*::snapshot/*. Impact: restore volumes from snapshots. CreateVolume from a snapshot is authorized against both the volume and the source snapshot ARN, which is why the action appears in two statements.
  • Attach/Detach/Delete volumes (DSPM-tagged instances/volumes): ec2:AttachVolume, DetachVolume, DeleteVolume. Impact: mount analysis volumes to scanner instance.

10. EKS Deployment & Node Roles

  • Deployment Role: Create/manage EKS clusters, networking, and IAM role passing.
  • Cluster Role: Standard AmazonEKS* policies for cluster lifecycle.
  • Node Role: Minimal worker node and ECR image pull permissions.
  • Pod Role: Provides pod-level IAM access with AmazonEKSClusterPolicy.
  • Purpose: Supports DSPM SaaS mode EKS clusters for running scans.

NormalyzeSaaSEKSDeploymentPolicy

Elevated (scoped to cluster/normalyze-*):

  • EKS cluster lifecycle: eks:CreateCluster, DeleteCluster, DescribeCluster, ListClusters, TagResource, UpdateClusterVersion, UpdateClusterConfig, CreateAccessEntry, CreatePodIdentityAssociation, DeletePodIdentityAssociation. Impact: create/configure DSPM EKS clusters.
  • Pass roles to EKS/services: iam:PassRole to eks.amazonaws.com, ec2.amazonaws.com, pods.eks.amazonaws.com (DSPM roles). Impact: bind right IAM roles to cluster services/pods.
  • EKS access entries (scoped): eks:* on access-entry/normalyze-*. Impact: manage EKS access entries for the cluster.

Read-only (supporting describes):

  • iam:GetRole, ec2:DescribeSubnets, DescribeVpcs, DescribeSecurityGroups, DescribeNetworkInterfaces. Impact: prerequisite discovery.

NormalyzeSaaSEKSClusterPolicy

Elevated (service-linked role):

  • iam:CreateServiceLinkedRole (EKS). Impact: enable EKS SLRs.

Read-only:

  • ec2:DescribeAccountAttributes. Impact: capacity/limits checks.

11. VPC Creation Policy

  • Grants ability to create and manage DSPM-specific VPCs:
    • VPCs, subnets, gateways, NACLs, route tables, security groups, RDS subnet groups.
    • Modify/delete only if tagged with DSPM identifiers.
  • Purpose: Create isolated scanning environments.

NormalyzeCreateVPCPolicy

Elevated (scoped):

  • Create core networking: ec2:CreateVpc, CreateSubnet, CreateSecurityGroup, CreateRouteTable, CreateInternetGateway, CreateNetworkAcl, AllocateAddress, rds:CreateDBSubnetGroup. Impact: stand up an isolated VPC for scanners (DSPM-tagged).
  • Create NAT: ec2:CreateNatGateway (and associated resources). Impact: egress for scanner workloads.
  • Modify/Delete VPC & deps (tag-gated to DSPM VPC): route tables, IGWs, SGs, subnets, NACLs, NAT GW, EIPs, etc. (AssociateRouteTable, Attach/Detach/Delete*, Modify*, Revoke*, ReplaceNetworkAclAssociation, ReleaseAddress). Impact: maintain/tear-down only DSPM VPC.
  • Tagging controls (create-time and update): ec2:CreateTags, rds:AddTagsToResource with strict Name/version conditions; includes tagging the VPC's default NACL so that the tag-gated actions above can replace its subnet associations. Impact: enforce governance of only DSPM resources.

12. EC2 Deployment Policy

  • Allows:
    • Launching EC2 instances (Ubuntu AMIs, tagged VPC subnets/SGs).
    • Tagging instances with scan type (vuln-scan, rds-scan).
    • Attaching/removing volumes.
    • Sending SSM commands to scanning EC2 instances.
    • Cleanup (delete IAM instance profiles).
  • Purpose: Controlled EC2 deployment and management for vulnerability/data scans.

NormalyzeEC2DeployPolicy

Elevated (scoped):

  • iam:PassRole to EC2 (scanner role nz-vulscan-*). Impact: attach instance profile for scanner EC2.
  • ec2:RunInstances on AMI/snapshot/ENI resources + on DSPM-tagged SGs/subnets (Name tag). Impact: start scanner hosts only in DSPM network.

Summary

This CloudFormation template sets up a least-privilege but extensive IAM environment for DSPM. It balances broad read-only discovery (for scanning and inventory) with tightly scoped write/modify permissions (only on DSPM-created, tagged, or scanning resources).

This ensures that DSPM can perform its data security posture management functions—cloud scan, data scan, vulnerability scan, and SaaS scan—without introducing excessive permissions outside its controlled scope.