
Requirements

AWS Regions Supported For Installation

Dash ComplyOps is installed into a client’s AWS environment by deploying a CloudFormation template. This template provisions the Dash application within your AWS environment.

Currently, Dash ComplyOps can be installed in the following AWS regions:

us-east-1
us-east-2
us-west-1
us-west-2
ap-northeast-1
ap-northeast-2
ap-southeast-1
ap-southeast-2
eu-central-1
eu-west-1
eu-west-2

Please Note: AWS GovCloud and AWS China Regions are currently not supported for Dash ComplyOps installation.

Dash Monitoring Supported Regions

Once installed, Dash automatically monitors your AWS cloud environment across all regions within your AWS account (regardless of which region it is installed into).

Please Note: AWS GovCloud and AWS China Regions are currently not supported for monitoring by the Dash ComplyOps application.

AWS User Requirements

Dash ComplyOps can be installed by a user with basic AWS skills and familiarity with CloudFormation…

In order to install Dash ComplyOps, an AWS user with appropriate permissions must install the Dash CloudFormation template. This should typically be an AWS Administrator or privileged user with the following AWS capabilities:

  1. A current AWS User and login for the “Master” AWS Account

  2. Access to the desired region to install the CF template.

  3. IAM user permissions to install CloudFormation templates and perform the following AWS functions:

    1. Create EC2 instances

    2. Create/Edit S3 buckets

    3. Create EFS resources

    4. Create IAM roles (roles shown in this section)

Users with the correct permissions to install Dash can read the documentation for Installing Dash.

IAM Permissions Required For Installation

AWS Monitoring Permissions

The following permissions are used to scan and monitor your AWS account for security issues. These permissions are also used with any AWS accounts connected to the Dash application:


"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess",
"arn:aws:iam::aws:policy/SecurityAudit",
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess",
"arn:aws:iam::aws:policy/IAMReadOnlyAccess"

Installed IAM Role and Permissions

The Dash ComplyOps CloudFormation template provisions resources including an IAM role. This IAM role grants Dash permissions to read AWS configuration information within your environment.

Permissions are granted to enable Dash ComplyOps to perform the following actions:

  • Automatic backups (of Dash data to an S3 bucket)

  • Connecting/viewing findings from AWS Config

  • Optional Auto-remediations

The following IAM role permissions are created when installing Dash via CloudFormation template:

{
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket",
    "s3:DeleteObject",
    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:GetObject",
    "s3:GetBucketPolicy"
  ],
  "Resource": "arn:aws:s3:::*"
},
{
  "Effect": "Allow",
  "Action": [
    "rds:ModifyDBInstance",
    "rds:describeDBInstances"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "cloudformation:ListStackResources"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "s3:PutBucketLogging",
    "s3:GetBucketLogging",
    "s3:PutBucketAcl",
    "s3:GetBucketAcl"
  ],
  "Resource": "arn:aws:s3:::*"
},
{
  "Effect": "Allow",
  "Action": [
    "ec2:RevokeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:Describe*",
    "ec2:CreateSnapshot",
    "ec2:CreateTags",
    "ec2:DeleteSnapshot",
    "ec2:CreateFlowLogs",
    "ec2:DeleteFlowLogs"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "iam:UpdateAccountPasswordPolicy",
    "iam:GenerateCredentialReport",
    "iam:GenerateServiceLastAccessedDetails",
    "iam:Get*",
    "iam:List*",
    "iam:SimulateCustomPolicy",
    "iam:SimulatePrincipalPolicy"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "organizations:Describe*",
    "organizations:List*"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "cloudwatch:PutMetricData"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "events:PutEvents",
    "events:listRules"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "config:describeDeliveryChannels",
    "config:describeConfigRules",
    "config:putDeliveryChannel",
    "config:DeleteEvaluationResults",
    "config:StartConfigRulesEvaluation",
    "config:PutConfigRule",
    "config:DeleteConfigRule"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "sns:ListSubscriptionsByTopic",
    "sns:listTopics",
    "sns:createTopic",
    "sns:subscribe",
    "sns:unsubscribe",
    "sns:confirmSubscription"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:CreateLogGroup",
    "logs:CreateLogStream"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeLaunchConfigurations"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "glacier:listVaults"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "cloudtrail:DescribeTrails"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "elasticloadbalancing:DescribeLoadBalancers",
    "kms:ListKeys",
    "dynamodb:ListTables"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "kms:ListKeys",
    "dynamodb:ListTables"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "dynamodb:ListTables"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "sts:AssumeRole"
  ],
  "Resource": "*"
}
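A pre-installation review of the role listed above, as an added example (not Dash's own code): it flags actions that are not read-only and are granted on an unscoped resource, and actions granted in more than one statement. The read-only verb list and the function names are assumptions of this example; the statements are excerpted from the listing on this page.

```python
import re
from collections import Counter

# Verb prefixes treated as read-only here (a review heuristic, not an AWS classification).
READ_ONLY = re.compile(r"^(describe|list|get|simulate|generate)")

# Statements excerpted from the role listing on this page.
STATEMENTS = [
    {"Effect": "Allow", "Action": ["rds:ModifyDBInstance", "rds:describeDBInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:PutBucketAcl", "s3:GetBucketAcl"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["elasticloadbalancing:DescribeLoadBalancers", "kms:ListKeys",
                                   "dynamodb:ListTables"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:ListKeys", "dynamodb:ListTables"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:ListTables"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"},
]

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def is_unscoped(resource):
    """True for "*" or an ARN whose resource field is only a wildcard."""
    return resource.split(":", 5)[-1] == "*"

def review(statements):
    """Return (non-read-only actions on unscoped resources, actions granted more than once)."""
    seen = Counter()
    flagged = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = any(is_unscoped(r) for r in as_list(stmt["Resource"]))
        for action in as_list(stmt["Action"]):
            key = action.lower()  # IAM action names are case-insensitive
            seen[key] += 1
            verb = key.split(":", 1)[1]
            if unscoped and not READ_ONLY.match(verb):
                flagged.add(key)
    duplicates = sorted(a for a, n in seen.items() if n > 1)
    return sorted(flagged), duplicates

if __name__ == "__main__":
    flagged, duplicates = review(STATEMENTS)
    print("Not read-only, on unscoped resources:", flagged)
    print("Granted in more than one statement:", duplicates)
```

Flagged actions are candidates for tighter `Resource` scoping or condition keys before the template is deployed; duplicates are harmless but make the policy harder to audit.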

 

 

 
