Security
When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model
AWS Identity and Access Management (IAM) roles
Permissions required by the Prerequisite stack
The appropriate IAM permissions are required to fulfill the prerequisites. These permissions include enabling trusted access for AWS services with AWS Organizations, creating and deleting stack set instances to configure AWS Config in member accounts, designating the Firewall Manager administrator account, and recording Lambda events in CloudWatch Logs.
Permissions required by the Primary stack
The following IAM permissions are required for the solution to automatically maintain Firewall Manager security policies:
- Creating and deleting Firewall Manager policies for AWS WAF, Shield, VPC Security Groups, and DNS Firewall
- Reading and writing DynamoDB tables with policy metadata
- Reading Systems Manager parameter information
- Recording Lambda events in CloudWatch Logs
- Publishing to the solution’s Amazon SNS topic
- Reading and writing to X-Ray
Additionally, the ComplianceGenerator Lambda function needs permission to describe all Firewall Manager policies, generate compliance reports, and upload them to an S3 bucket.
Permissions required by the Automations for Shield Advanced Prerequisite stack
The appropriate IAM permissions are required to enable Shield Advanced health-based detection. These permissions are deployed to member accounts in your AWS Organization and include:
- Creating and deleting Route 53 health checks
- Creating and deleting CloudWatch metric alarms
- Modifying Shield Advanced protections
- Reading and writing evaluations in AWS Config
Permissions required by the Automations for Shield Advanced stacks
The appropriate IAM permissions are required for the solution to enable Shield Advanced health-based detection across an AWS Organization. These permissions include:
- Assuming the cross-account IAM role created by the aws-fms-shield-automations-prereqstack in your AWS Organization’s member accounts
- Reading and writing to the solution’s Amazon SQS queue
- Publishing to the solution’s Amazon SNS topic
- Retrieving the state of your account’s Shield Advanced subscription
- Reading and writing to X-Ray
Additionally, the aws-fms-proactive-event-response stack deploys an IAM role with service-managed permissions if you choose to grant the AWS Shield Response Team (SRT) access to accounts in your AWS Organization. These permissions are required to enable SRT support. For more information, see the AWSShieldDRTAccessPolicy managed policy.
AWS Systems Manager Parameter Store
This solution uses Parameter Store to initiate create, read, update, and delete (CRUD) operations on the Firewall Manager policies. The Systems Manager parameters created by this solution must therefore be secured, with access granted only to the specific principals that need it. Any principal that can write these parameters can trigger undesirable Firewall Manager policy operations, such as deleting policies, and because Firewall Manager applies policies organization-wide, those operations can take effect across many member accounts in AWS Organizations.
By default, an IAM user or role must be explicitly authorized to perform an action on the Systems Manager parameters created by the solution, so unless a principal receives an explicit Allow for these parameters, it cannot change the Firewall Manager security policies through them. Additionally, because an explicit Deny always overrides any Allow in IAM, you can attach an explicit deny to prevent access to these resources even for principals that hold broad permissions, as shown in the following example policy. This example policy can be assigned to users to prevent access to the solution’s DynamoDB table and Systems Manager parameter resources.
{ "Version": "2012-10-17", "Statement": [{ "Action": [ "dynamodb:*" ], "Resource": "arn:aws:dynamodb:
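As an added example (not code from the solution or from this guide), the following Python script builds a complete explicit-deny policy of the kind described above and runs it through a minimal model of IAM's evaluation logic, in which any matching Deny overrides every Allow. It also shows the kind of pre-attach sanity check a practitioner would want, since a Deny scoped to `Resource: "*"` would block the listed actions account-wide rather than only on the solution's resources. The account ID `111122223333`, Region `us-east-1`, table name `FMSTable` and parameter path `/FMS/` are constructed placeholders; substitute the ARNs from your deployed stack.

```python
"""Added example, not part of the Automations for AWS Firewall Manager
solution: a complete explicit-deny policy for the solution's DynamoDB table
and Parameter Store parameters, plus a minimal model of IAM policy
evaluation that shows the deny overriding a broad allow.

Assumptions (constructed placeholders, not values from the solution):
account 111122223333, Region us-east-1, table FMSTable, parameter path /FMS/.
"""
import fnmatch
import json

ACCOUNT = "111122223333"
REGION = "us-east-1"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/FMSTable"
PARAM_ARN_PATTERN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/FMS/*"

# A deliberately broad identity policy, standing in for an operator who has
# wide permissions but must not touch the solution's control plane.
BROAD_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The explicit deny: Deny always wins over Allow in IAM, so attaching this to
# a principal blocks every DynamoDB action on the table and every SSM action
# on parameters under the solution's path, whatever else the principal holds.
EXPLICIT_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["dynamodb:*"], "Resource": TABLE_ARN},
        {"Effect": "Deny", "Action": ["ssm:*"], "Resource": PARAM_ARN_PATTERN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # IAM action names are case-insensitive; "*" and "?" wildcards apply to
    # both actions and resource ARNs, which fnmatch handles the same way.
    actions = [p.lower() for p in _as_list(stmt.get("Action", []))]
    action_hit = any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
    resources = _as_list(stmt.get("Resource", []))
    resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in resources)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request.

    Mirrors the core IAM rule: a matching Deny statement in any policy ends
    evaluation as Deny; otherwise a matching Allow grants; otherwise the
    request is implicitly denied. (Conditions, NotAction/NotResource and
    resource-based policies are out of scope for this model.)
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def lint_deny_policy(policy):
    """Pre-attach sanity checks: every statement must be a Deny, and none may
    use Resource "*", which would deny the listed actions account-wide."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            findings.append(f"statement {i}: Effect {stmt.get('Effect')!r} is not Deny")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' is broader than the solution's resources")
    return findings


def demo():
    """Decisions for a few requests with and without the explicit deny."""
    param = PARAM_ARN_PATTERN[:-1] + "Policy1"          # one parameter under /FMS/
    other_table = TABLE_ARN.rsplit("/", 1)[0] + "/Unrelated"
    return {
        "delete_param_without_deny": evaluate([BROAD_ALLOW], "ssm:DeleteParameter", param),
        "delete_param_with_deny": evaluate([BROAD_ALLOW, EXPLICIT_DENY], "ssm:DeleteParameter", param),
        "delete_item_with_deny": evaluate([BROAD_ALLOW, EXPLICIT_DENY], "dynamodb:DeleteItem", TABLE_ARN),
        "other_table_with_deny": evaluate([BROAD_ALLOW, EXPLICIT_DENY], "dynamodb:GetItem", other_table),
        "deny_only_no_allow": evaluate([EXPLICIT_DENY], "s3:GetObject", "arn:aws:s3:::bucket/key"),
    }


if __name__ == "__main__":
    print(json.dumps(EXPLICIT_DENY, indent=2))   # paste-ready policy document
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

Running the script prints the policy document ready to attach as an inline or customer-managed policy, followed by the decisions: the broad allow alone permits `ssm:DeleteParameter` on a solution parameter, adding the explicit deny turns that and `dynamodb:DeleteItem` on the table into Deny, while an unrelated table stays allowed. The evaluator deliberately omits `Condition`, `NotAction` and resource-based policies; for the real account, confirm the result with the IAM policy simulator rather than this model.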