Overview of AWS SecurityAudit Role
This article documents the AWS SecurityAudit role. More information is available from AWS's documentation site: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor
SecurityAudit is an AWS-created, AWS-managed policy (managed policy name: SecurityAudit) whose sole purpose is monitoring compliance with security requirements. A role carrying this policy cannot read any data, cannot make any changes, and cannot perform any action that is not logged to CloudTrail. It can only access logs and events in order to investigate potential security breaches or potential malicious activity. Data Theorem only requires read-only access through this role.
For details on the access-level privileges of the SecurityAudit policy (as of policy version 26), please use the following link from AWS:
For your convenience, this information is also outlined in the following pages. The services highlighted in yellow are the ones we currently use:
Service | Access level | Resource | Request condition |
--- | --- | --- | --- |
API Gateway | Full: Read | Multiple | None |
App Mesh | Full: List, Read | All resources | None |
Application Auto Scaling | Full: Read | All resources | None |
AppSync | Full: List | All resources | None |
Athena | Full: List; Limited: Read | All resources | None |
Batch | Limited: Read | All resources | None |
Certificate Manager | Full: List; Limited: Read | All resources | None |
Chime | Limited: List, Read | All resources | None |
Cloud Directory | Limited: List | All resources | None |
Cloud9 | Limited: Read | All resources | None |
CloudFormation | Limited: List, Read | All resources | None |
CloudFront | Full: List, Read | All resources | None |
CloudHSM | Limited: List | All resources | None |
CloudSearch | Limited: List, Read | All resources | None |
CloudTrail | Full: List; Limited: Read | All resources | None |
CloudWatch | Limited: Read | All resources | None |
CloudWatch Events | Full: List; Limited: Read | All resources | None |
CloudWatch Logs | Limited: List | All resources | None |
CodeBuild | Limited: List | All resources | None |
CodeCommit | Full: List; Limited: Read | All resources | None |
CodeDeploy | Full: List, Read | All resources | None |
CodePipeline | Limited: List | All resources | None |
CodeStar | Limited: List, Read | All resources | None |
Cognito Identity | Limited: List | All resources | None |
Cognito Sync | Full: List; Limited: Read | All resources | None |
Cognito User Pools | Limited: List | All resources | None |
Comprehend | Full: List; Limited: Read | All resources | None |
Config | Limited: List, Read | All resources | None |
Data Pipeline | Full: Read; Limited: List | All resources | None |
DataSync | Full: List, Read | All resources | None |
Direct Connect | Limited: Read | All resources | None |
Directory Service | Limited: List | All resources | None |
DMS | Full: List; Limited: Read | All resources | None |
DynamoDB | Full: List; Limited: Read | All resources | None |
DynamoDB Accelerator | Full: List; Limited: Read | All resources | None |
EC2 | Limited: List, Read | All resources | None |
EC2 Auto Scaling | Full: List, Read | All resources | None |
EFS | Full: List | All resources | None |
EKS | Limited: List, Read | All resources | None |
Elastic Beanstalk | Limited: List, Read | All resources | None |
Elastic Container Registry | Limited: List, Read | All resources | None |
Elastic Container Service | Full: List, Read | All resources | None |
ElastiCache | Limited: List | All resources | None |
Elasticsearch Service | Limited: List, Read | All resources | None |
ELB | Full: List, Read | All resources | None |
ELB v2 | Full: Read | All resources | None |
EMR | Limited: List, Read | All resources | None |
Firehose | Full: List | All resources | None |
FSx | Full: Read | All resources | None |
GameLift | Limited: List | All resources | None |
Glacier | Limited: List, Read | All resources | None |
Global Accelerator | Full: List, Read | All resources | None |
Greengrass | Full: List | All resources | None |
GuardDuty | Full: List, Read | All resources | None |
IAM | Full: List, Read | All resources | None |
Inspector | Full: List, Read | All resources | None |
IoT | Full: List; Limited: Read | All resources | None |
Kinesis | Limited: List, Read | All resources | None |
Kinesis Analytics | Full: List | All resources | None |
KMS | Full: List, Read | All resources | None |
Lambda | Full: List; Limited: Read | All resources | None |
License Manager | Limited: List | All resources | None |
Machine Learning | Limited: List | All resources | None |
MediaConnect | Full: List, Read | All resources | None |
MediaStore | Limited: List, Read | All resources | None |
OpsWorks CM | Limited: List | All resources | None |
Organizations | Full: List, Read | All resources | None |
QuickSight | Full: List; Limited: Read | All resources | None |
RDS | Full: List; Limited: Read | All resources | None |
Redshift | Limited: List, Read, Write | All resources | None |
Rekognition | Full: List; Limited: Read | All resources | None |
Resource Access Manager | Full: List | All resources | None |
Resource Group Tagging | Limited: Read | All resources | None |
RoboMaker | Full: List; Limited: Read | All resources | None |
Route 53 | Full: List; Limited: Read | All resources | None |
Route 53 Resolver | Full: List; Limited: Read | All resources | None |
Route 53 Domains | Full: List; Limited: Read | All resources | None |
S3 | Limited: List, Read | All resources | None |
SageMaker | Full: List; Limited: Read | All resources | None |
Secrets Manager | Full: List; Limited: Read | All resources | None |
Security Hub | Full: List, Read | All resources | None |
Serverless Application Repository | Full: List; Limited: Read | All resources | None |
SES | Limited: List, Read | All resources | None |
Shield | Full: List; Limited: Read | All resources | None |
SimpleDB | Full: List; Limited: Read | All resources | None |
Snowball | Limited: List | All resources | None |
SNS | Limited: List, Read | All resources | None |
SQS | Full: List; Limited: Read | All resources | None |
Step Functions | Limited: List | All resources | None |
Storage Gateway | Full: List; Limited: Read | All resources | None |
Systems Manager | Limited: List, Read | All resources | None |
Transfer | Full: List; Limited: Read | All resources | None |
Translate | Limited: Read | All resources | None |
Trusted Advisor | Full: List | All resources | None |
WAF | Limited: List | All resources | None |
WAF Regional | Limited: List | All resources | None |
WorkSpaces | Full: Read; Limited: List | All resources | None |
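The table above is a snapshot of one policy version, and AWS revises managed policies over time. A practical check is to pull the current policy document (`aws iam get-policy --policy-arn arn:aws:iam::aws:policy/SecurityAudit` gives the default version id, and `aws iam get-policy-version` returns the JSON) and summarize what it grants per service, flagging any action whose verb is not an obvious read or list verb for manual review against the table. The script below is an added example, not Data Theorem's or AWS's code: it takes a policy document in that JSON layout, and `SAMPLE_POLICY` is a constructed excerpt, not the real SecurityAudit text. The verb-prefix list is a heuristic; AWS's authoritative access levels come from the Service Authorization Reference, so a flagged action means "look it up", not "this is write access".

```python
"""Summarize the services and action verbs an IAM policy document grants.

Added example, not Data Theorem's or AWS's code. It works on any policy
document in the JSON layout returned by `aws iam get-policy-version`;
SAMPLE_POLICY below is a constructed excerpt for illustration, not the
real SecurityAudit policy text.
"""
import fnmatch
import json
from collections import defaultdict

# Verb prefixes that AWS normally classifies as List or Read access.
# Assumption/heuristic: AWS's authoritative access levels come from the
# Service Authorization Reference, so treat a miss here as "check manually",
# not as proof of write access.
READ_LIKE_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "View")

# Constructed sample policy document (same shape as a real managed policy).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:LookupEvents",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:List*",
        "s3:GetBucketPolicy",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
""")


def allowed_actions(policy):
    """Collect every action pattern granted by the policy's Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be un-listed
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        acts = stmt["Action"]
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def actions_by_service(policy):
    """Group allowed action patterns by service prefix, e.g. {'iam': ['Get*', 'List*']}."""
    grouped = defaultdict(set)
    for action in allowed_actions(policy):
        service, _, verb = action.partition(":")
        grouped[service.lower()].add(verb)
    return {svc: sorted(verbs) for svc, verbs in sorted(grouped.items())}


def non_read_actions(policy):
    """Return allowed actions whose verb is not a read/list prefix, for manual review."""
    flagged = []
    for action in sorted(allowed_actions(policy)):
        _, _, verb = action.partition(":")
        if verb == "*" or not verb.startswith(READ_LIKE_PREFIXES):
            flagged.append(action)
    return flagged


def is_action_allowed(policy, action):
    """Check whether a concrete action such as 's3:GetObject' matches any granted pattern.
    IAM matches action names case-insensitively and treats '*' as a wildcard, as fnmatch does."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in allowed_actions(policy))


if __name__ == "__main__":
    print(json.dumps(actions_by_service(SAMPLE_POLICY), indent=2))
    print("review:", non_read_actions(SAMPLE_POLICY))
    print("s3:GetObject allowed?", is_action_allowed(SAMPLE_POLICY, "s3:GetObject"))
```

`is_action_allowed` is the quick way to confirm a specific concern such as "can this role read object contents?" against the live document: it answers `False` for `s3:GetObject` on the sample because only bucket-level list and policy reads are granted. Deny statements are deliberately ignored here; for a managed policy that only contains Allow statements that is fine, but add Deny handling before reusing this on customer-authored policies.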
The SecurityAudit role does not have any access enabled for the following services:
Service | Access level |
--- | --- |
Account | None |
Alexa for Business | None |
Amplify | None |
Application Discovery | None |
AppStream 2.0 | None |
Artifact | None |
Auto Scaling | None |
Backup | None |
Billing | None |
Budget | None |
Certificate Manager Private Certificate Authority | None |
Cloud Map | None |
ComprehendMedical | None |
Connect | None |
Cost and Usage Report | None |
Cost Explorer Service | None |
Data Lifecycle Manager | None |
DeepLens | None |
Device Farm | None |
EC2 Messages | None |
EI | None |
Elastic Transcoder | None |
ExecuteAPI | None |
Firewall Manager | None |
FreeRTOS | None |
Glue | None |
GroundTruth Labeling | None |
Health | None |
Import/Export | None |
IoT 1-Click | None |
IoT Analytics | None |
IoT Events | None |
IoT SiteWise | None |
Kinesis Video Streams | None |
Lex | None |
Lightsail | None |
Macie | None |
Marketplace | None |
Marketplace Metering | None |
Marketplace Portal | None |
MechanicalTurk | None |
MediaConvert | None |
MediaLive | None |
MediaPackage | None |
MediaTailor | None |
Migration Hub | None |
Mobile Analytics | None |
Mobile Hub | None |
MQ | None |
MSK | None |
Neptune | None |
OpsWorks | None |
Performance Insights | None |
Pinpoint | None |
Pinpoint SMS Voice | None |
Polly | None |
Price List | None |
Private Marketplace | None |
Resource Groups | None |
ServerMigrationService | None |
Service Catalog | None |
Signer | None |
SSM Messages | None |
SSO | None |
SSO Directory | None |
STS | None |
Sumerian | None |
Support | None |
SWF | None |
Textract | None |
Transcribe | None |
WAM | None |
Well-Architected Tool | None |
WorkDocs | None |
WorkLink | None |
WorkMail | None |
X-Ray | None |
In closing, here are some important points to consider:
The SecurityAudit role was created by Amazon for third-party read-only access for security monitoring.
Data Theorem cannot see any data within the cloud.
Data Theorem cannot make any changes with this role.
Data Theorem activities within AWS are logged via CloudTrail for tracking and auditing purposes.
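Because every call made under the role is recorded in CloudTrail, the account owner can verify the read-only claim independently rather than take it on trust. The script below is an added example, not Data Theorem's or AWS's code: it selects the records produced by sessions of one audit role (by the `sessionIssuer` ARN, which is how CloudTrail attributes an assumed-role session back to its role) and separates out anything CloudTrail did not mark `readOnly`. The records are constructed samples in CloudTrail's JSON layout, and the account id and role name are placeholders to replace with your own audit role's ARN.

```python
"""Pick out one audit role's activity from CloudTrail records and flag non-read calls.

Added example, not Data Theorem's or AWS's code. The records below are
constructed samples in CloudTrail's JSON layout; the account id and role
name are placeholders you would replace with your own audit role's ARN.
"""
import json
from collections import Counter

AUDIT_ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleSecurityAuditRole"  # placeholder

# Constructed sample log file (CloudTrail delivers files as {"Records": [...]}).
# Record 3 shows what a call outside the policy looks like: IAM denied it, and
# the denial is still logged, which is exactly what makes it worth alerting on.
SAMPLE_LOG = json.loads("""
{
  "Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetAccountSummary", "readOnly": true, "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole",
       "arn": "arn:aws:sts::111122223333:assumed-role/ExampleSecurityAuditRole/scanner",
       "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ExampleSecurityAuditRole"}}}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": true, "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole",
       "arn": "arn:aws:sts::111122223333:assumed-role/ExampleSecurityAuditRole/scanner",
       "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ExampleSecurityAuditRole"}}}},
    {"eventTime": "2024-01-01T10:00:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": false, "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole",
       "arn": "arn:aws:sts::111122223333:assumed-role/ExampleSecurityAuditRole/scanner",
       "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ExampleSecurityAuditRole"}}}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": false, "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
       "arn": "arn:aws:iam::111122223333:user/alice"}}
  ]
}
""")


def issuer_arn(record):
    """Return the IAM role that issued an AssumedRole session, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def events_for_role(records, role_arn=AUDIT_ROLE_ARN):
    """All records produced by sessions of the given role."""
    return [r for r in records if issuer_arn(r) == role_arn]


def non_read_only_events(records, role_arn=AUDIT_ROLE_ARN):
    """Role activity that CloudTrail did not mark readOnly. Under a read-only
    audit policy this should be empty; denied attempts appear with an errorCode."""
    return [r for r in events_for_role(records, role_arn) if not r.get("readOnly", False)]


def activity_summary(records, role_arn=AUDIT_ROLE_ARN):
    """Count of (eventSource, eventName) pairs for the role, useful as a baseline."""
    return Counter((r["eventSource"], r["eventName"]) for r in events_for_role(records, role_arn))


def describe(record):
    """One-line rendering of a record for an alert or report."""
    outcome = record.get("errorCode", "ok")
    return (f"{record['eventTime']} {record['eventSource']} {record['eventName']} "
            f"[{outcome}] from {record.get('sourceIPAddress')}")


if __name__ == "__main__":
    recs = SAMPLE_LOG["Records"]
    for (source, name), n in sorted(activity_summary(recs).items()):
        print(f"{n:3d}  {source} {name}")
    for r in non_read_only_events(recs):
        print("REVIEW:", describe(r))
```

Running this over a real delivery (each gzipped file in the trail's S3 prefix is one `{"Records": [...]}` document) gives a per-service baseline of what the role actually calls, which can be compared against the access-level table above, and a short list of anything non-read to review. Routing the `non_read_only_events` output to a CloudWatch metric filter or an EventBridge rule turns the same check into an alert.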