Requirements
AWS Regions Supported For Installation
Dash ComplyOps is installed into a client’s AWS environment by deploying a CloudFormation template. This template provisions the Dash application within your AWS environment.
Currently, Dash ComplyOps can be installed in the following AWS regions:
us-east-1
us-east-2
us-west-1
us-west-2
ap-northeast-1
ap-northeast-2
ap-southeast-1
ap-southeast-2
eu-central-1
eu-west-1
eu-west-2
Please Note: AWS GovCloud and AWS China Regions are currently not supported for Dash ComplyOps installation.
Dash Monitoring Supported Regions
Once installed, Dash automatically monitors your AWS cloud environment across all regions within your AWS account (regardless of which region it is installed into).
Please Note: AWS GovCloud and AWS China Regions are currently not supported for monitoring by the Dash ComplyOps application.
AWS User Requirements
Dash ComplyOps can be installed by a user with basic AWS skills and familiarity with CloudFormation…
In order to install Dash ComplyOps, an AWS user with appropriate permissions must deploy the Dash CloudFormation template. This should typically be an AWS administrator or other privileged user with the following:
A current AWS user login for the “Master” AWS account
Access to the region in which the CloudFormation template will be deployed
IAM permissions to deploy CloudFormation templates and to perform the following AWS functions:
Create EC2 instances
Create/edit S3 buckets
Create EFS resources
Create IAM roles (the roles shown in the IAM Permissions section below)
Users with these permissions can proceed to the Installing Dash documentation.
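Before deploying the template it is worth confirming that the installing principal actually holds the permissions listed above, rather than discovering a missing one halfway through a stack creation. The script below is an added example, not part of the Dash documentation: it asks the IAM policy simulator (iam:SimulatePrincipalPolicy) whether the principal is allowed a representative action for each capability on this page. The mapping from the page's capabilities to concrete IAM actions (including iam:PassRole, which an EC2 instance profile typically needs) is this example's own assumption; adjust it to the resources in your copy of the template. SAMPLE_RESULTS is a constructed simulator response so the helpers can be exercised offline.

```python
"""Pre-install permission check for a Dash ComplyOps installer (added example)."""
from typing import Dict, List

# Capability named on the Requirements page -> representative IAM actions.
# This mapping is an assumption of the example, not a list published by Dash.
REQUIRED_ACTIONS: Dict[str, List[str]] = {
    "CloudFormation templates": ["cloudformation:CreateStack", "cloudformation:DescribeStacks"],
    "EC2 instances": ["ec2:RunInstances", "ec2:DescribeInstances"],
    "S3 buckets (create/edit)": ["s3:CreateBucket", "s3:PutBucketPolicy"],
    "EFS resources": ["elasticfilesystem:CreateFileSystem"],
    "IAM roles": ["iam:CreateRole", "iam:PutRolePolicy", "iam:PassRole"],
}

# Constructed simulator output (shape of SimulatePrincipalPolicy.EvaluationResults).
SAMPLE_RESULTS: List[dict] = [
    {"EvalActionName": "cloudformation:CreateStack", "EvalDecision": "allowed"},
    {"EvalActionName": "cloudformation:DescribeStacks", "EvalDecision": "allowed"},
    {"EvalActionName": "ec2:RunInstances", "EvalDecision": "allowed"},
    {"EvalActionName": "ec2:DescribeInstances", "EvalDecision": "allowed"},
    {"EvalActionName": "s3:CreateBucket", "EvalDecision": "allowed"},
    {"EvalActionName": "s3:PutBucketPolicy", "EvalDecision": "allowed"},
    {"EvalActionName": "elasticfilesystem:CreateFileSystem", "EvalDecision": "explicitDeny"},
    {"EvalActionName": "iam:CreateRole", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:PutRolePolicy", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:PassRole", "EvalDecision": "implicitDeny"},
]


def all_required_actions() -> List[str]:
    """Flat, de-duplicated list of every action the check will simulate."""
    return sorted({a for acts in REQUIRED_ACTIONS.values() for a in acts})


def denied_actions(evaluation_results: List[dict]) -> Dict[str, str]:
    """Map each action the simulator did not allow to its decision.

    'implicitDeny' usually means the permission is simply missing;
    'explicitDeny' means a Deny statement (policy, permissions boundary
    or SCP) blocks it and granting the action alone will not help.
    """
    return {
        r["EvalActionName"]: r["EvalDecision"]
        for r in evaluation_results
        if r["EvalDecision"] != "allowed"
    }


def missing_capabilities(evaluation_results: List[dict]) -> Dict[str, List[str]]:
    """Capabilities from the Requirements page that have at least one denied action."""
    denied = denied_actions(evaluation_results)
    return {
        capability: [a for a in actions if a in denied]
        for capability, actions in REQUIRED_ACTIONS.items()
        if any(a in denied for a in actions)
    }


def check_installer_permissions(principal_arn: str) -> Dict[str, List[str]]:
    """Run the simulation for a real IAM user or role ARN (needs boto3 and credentials).

    Resources default to "*", so this checks the actions, not resource-level
    conditions on the specific buckets or roles the template will create.
    """
    import boto3  # imported lazily so the pure helpers above run without boto3

    iam = boto3.client("iam")
    results: List[dict] = []
    paginator = iam.get_paginator("simulate_principal_policy")
    for page in paginator.paginate(
        PolicySourceArn=principal_arn, ActionNames=all_required_actions()
    ):
        results.extend(page["EvaluationResults"])
    return missing_capabilities(results)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; swap in
    # check_installer_permissions("arn:aws:iam::123456789012:user/installer")
    # to test a real principal.
    for capability, actions in missing_capabilities(SAMPLE_RESULTS).items():
        print(f"missing: {capability}: {', '.join(actions)}")
```

The simulation evaluates policy rather than creating anything, so it is safe to run against a production account; an explicit deny should be traced back to the boundary or SCP that produced it before retrying with more permissions.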
IAM Permissions Required For Installation
AWS Monitoring Permissions
The following AWS managed policies are used to scan and monitor your AWS account for security issues. The same policies are used for any additional AWS accounts connected to the Dash application:
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess",
"arn:aws:iam::aws:policy/SecurityAudit",
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess",
"arn:aws:iam::aws:policy/IAMReadOnlyAccess"
Installed IAM Role and Permissions
The Dash ComplyOps CloudFormation template provisions resources including an IAM role. This role grants Dash permission to read AWS configuration information within your environment, together with the write actions listed below (for example s3:CreateBucket, config:PutConfigRule, ec2:AuthorizeSecurityGroupIngress and iam:UpdateAccountPasswordPolicy) that support backups, AWS Config integration and the optional auto-remediations.
Permissions are granted to enable Dash ComplyOps to perform the following actions:
Automatic backups (of Dash data to an S3 bucket)
Connecting/viewing findings from AWS Config
Optional Auto-remediations
The following IAM policy statements are attached to the role created when installing Dash via the CloudFormation template:
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"rds:ModifyDBInstance",
"rds:DescribeDBInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:ListStackResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutBucketLogging",
"s3:GetBucketLogging",
"s3:PutBucketAcl",
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:Describe*",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:DeleteSnapshot",
"ec2:CreateFlowLogs",
"ec2:DeleteFlowLogs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:UpdateAccountPasswordPolicy",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutEvents",
"events:ListRules"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"config:DescribeDeliveryChannels",
"config:DescribeConfigRules",
"config:PutDeliveryChannel",
"config:DeleteEvaluationResults",
"config:StartConfigRulesEvaluation",
"config:PutConfigRule",
"config:DeleteConfigRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:CreateTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:ConfirmSubscription"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"glacier:ListVaults"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"kms:ListKeys",
"dynamodb:ListTables"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "*"
}
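Because the policy above mixes read-only actions with mutating ones granted on Resource "*" (security-group ingress changes, RDS instance modification, the account password policy, AWS Config rules and sts:AssumeRole among them), it is worth reviewing exactly what the role can change before the stack is created. The script below is an added example and not part of the Dash documentation or template: it splits every action in an IAM policy document into read-only and mutating using a verb-prefix heuristic of its own, and lists the mutating actions that are granted on a wildcard resource. POLICY_EXCERPT is a constructed excerpt of the statements above, not the full policy; point classify() at the full document exported from your stack to review the real role.

```python
"""Read/mutate review of an IAM role policy (added example)."""
import json
from typing import Dict, List, Set, Tuple

# Verb prefixes treated as read-only. This is the example's own heuristic,
# not an AWS-published list; Simulate* and Generate* create nothing durable.
READ_VERBS = ("describe", "get", "list", "simulate", "generate")

# Constructed excerpt of the statements documented above (not the full policy).
POLICY_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:DeleteObject", "s3:ListBucket", "s3:GetObject"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow",
     "Action": ["rds:ModifyDBInstance", "rds:describeDBInstances"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
                "ec2:Describe*", "ec2:CreateFlowLogs"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:UpdateAccountPasswordPolicy", "iam:Get*", "iam:List*",
                "iam:SimulatePrincipalPolicy"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}
  ]
}
""")


def _as_list(value) -> List[str]:
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action: str) -> bool:
    """IAM action names are case-insensitive, so 'rds:describeDBInstances' is
    matched case-folded; 'ec2:Describe*' counts as read-only because every
    expansion of the wildcard starts with Describe."""
    verb = action.split(":", 1)[1].lower()
    return verb.startswith(READ_VERBS)


def classify(policy: dict) -> Dict[str, Set[str]]:
    """Split all Allow'd actions into read-only and mutating sets."""
    out: Dict[str, Set[str]] = {"read": set(), "mutate": set()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            out["read" if is_read_only(action) else "mutate"].add(action)
    return out


def mutating_on_wildcard(policy: dict) -> List[Tuple[str, str]]:
    """Mutating actions whose Resource is '*' or ends in a wildcard, sorted by action."""
    found: List[Tuple[str, str]] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard_resources = [r for r in _as_list(stmt["Resource"]) if r.endswith("*")]
        for resource in wildcard_resources:
            for action in _as_list(stmt["Action"]):
                if not is_read_only(action):
                    found.append((action, resource))
    return sorted(found)


if __name__ == "__main__":
    groups = classify(POLICY_EXCERPT)
    print(f"{len(groups['read'])} read-only actions, {len(groups['mutate'])} mutating actions")
    for action, resource in mutating_on_wildcard(POLICY_EXCERPT):
        print(f"mutating on wildcard resource: {action} -> {resource}")
```

The flagged list is the part to take to a change review: each entry is something the Dash instance could do to any resource in the account, so it should correspond to one of the three functions the page names (backups, AWS Config, auto-remediation). A wildcard heuristic like this is deliberately coarse; an action it classes as read-only can still be sensitive (iam:GenerateCredentialReport, for instance, exposes credential metadata), so treat the output as a starting point rather than a verdict.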