Roles and Permissions

Below is a list of the roles Prisma Cloud DSPM uses to access your AWS environment and the permissions they have. Permissions are used to access different types of data, or perform actions such as creating/deleting virtual machines (VMs), exporting snapshots, etc.

IMPORTANT: If your AWS account has any firewall or network restrictions in place, it is imperative to grant access to the following:

Egress Traffic

To allow normal communication between the Scanner VMs, the Prisma Cloud DSPM components and the various CSP services, make sure the following traffic is permitted:

Ingress Traffic

Allow incoming traffic from the following Prisma Cloud DSPM IP addresses to the customer's cloud environment. This allows API communication between Prisma Cloud DSPM's SaaS environment and the customer's cloud environment:

Standard Deployment Required Permissions

DigSecurityReadOnlyRole

Used as read-only access to your environment, this role enables Prisma Cloud DSPM to:

This role is installed on every account monitored by Prisma Cloud DSPM, allowing us to detect and protect your assets. Prisma Cloud DSPM's own account assumes the DigSecurityReadOnlyRole role with a unique external ID as a best-practice security measure.

Permissions

Permission | Scope | Purpose
AmazonMemoryDBReadOnlyAccess | All resources | Read-only access to the client's MemoryDB resources
bedrock:GetGuardrail | The entire account | Content filtering risk assessment in AI deployments
bedrock:ListGuardrails | The entire account | Content filtering risk assessment in AI deployments
ReadOnlyAccess | All resources | Read-only access to the client's environment

DigSecurityScannerRole

This role is installed on all the scanned (monitored) accounts in your environment, as well as on the DigSecurityReadOnlyRole. It enables Prisma Cloud DSPM to detect and scan data for analysis and classification. This role can only be assumed by the DigSecurityOrchestratorRole.

All sensitive data that is detected, scanned and classified by Prisma Cloud DSPM’s resources never leaves the client's environment.

Permissions

Permission | Scope | Purpose
aoss:APIAccessAll | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to get data from OpenSearch Serverless
aoss:CreateAccessPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to create an access policy that allows only the Dig Scanner to access the scanned collection
aoss:CreateSecurityPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to create a security policy that allows the Orchestrator VPC endpoint to access the collection
aoss:DeleteAccessPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to delete access policies
aoss:DeleteSecurityPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to delete security policies
aoss:GetAccessPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to retrieve metadata about access policies
aoss:GetSecurityPolicy | OpenSearch Serverless in the account | Enables Prisma Cloud DSPM to retrieve metadata about security policies
bedrock:get | All resources | Describing models (and getting S3 bucket information)
bedrock:list | All resources | Listing Bedrock resources
dynamodb:BatchWriteItem | Only tables created by Prisma Cloud DSPM | Enables writing multiple items to a DynamoDB table in a single operation as part of the restoration process
dynamodb:CreateBackup | DynamoDB resources in the account | Enables creating backups of DynamoDB tables for restoring and classifying them later
dynamodb:CreateTable | DynamoDB resources in the account | Enables creating new DynamoDB tables as part of the restore process
dynamodb:DeleteBackup | DynamoDB resources in the account | Enables deleting DynamoDB table backups after they are created
dynamodb:DeleteItem | Only tables created by Prisma Cloud DSPM | Enables deleting a specific item from the created DynamoDB table
dynamodb:DeleteTable | Only tables created by Prisma Cloud DSPM | Enables deleting the created DynamoDB table
dynamodb:DeleteTableReplica | Only tables created by Prisma Cloud DSPM | Enables deleting a table replica of the created DynamoDB table
dynamodb:Describe* | DynamoDB resources in the account | Enables getting metadata about DynamoDB resources
dynamodb:GetItem | DynamoDB resources in the account | Enables retrieving a specific item from a DynamoDB table for on-demand classification
dynamodb:GetRecords | DynamoDB resources in the account | Enables getting data records from a DynamoDB stream for on-demand classification
dynamodb:PutItem | Only tables created by Prisma Cloud DSPM | Enables inserting a new item into the DynamoDB table created as part of the restoration process
dynamodb:RestoreTableFromAwsBackup | DynamoDB resources in the account | Enables restoring a DynamoDB table from an AWS Backup job
dynamodb:RestoreTableFromBackup | DynamoDB resources in the account | Enables restoring a DynamoDB table from a specific backup
dynamodb:Scan | DynamoDB resources in the account | Enables scanning DynamoDB tables to retrieve specific items as part of the on-demand classification process
dynamodb:StartAwsBackupJob | DynamoDB resources in the account | Enables initiating AWS Backup jobs for DynamoDB tables
dynamodb:TagResource | DynamoDB resources in the account | Enables adding tags to DynamoDB resources created by Prisma Cloud DSPM
dynamodb:UntagResource | Only tables created by Prisma Cloud DSPM | Enables removing tags from the created DynamoDB tables
dynamodb:UpdateContinuousBackups | DynamoDB resources in the account | Enables modifying backup settings created by Prisma Cloud DSPM
dynamodb:UpdateItem | Only tables created by Prisma Cloud DSPM | Enables modifying an existing item in the created DynamoDB table
ec2:CopySnapshot | Snapshots in the account | Enables copying snapshots to a snapshot that Prisma Cloud DSPM can share with the scanner account
ec2:CreateSnapshots | Snapshots in the account | Enables creating an EC2 instance from multiple snapshots simultaneously, so that Prisma Cloud DSPM can start scanning for databases
ec2:CreateTags | EC2 instances in the account | Enables creating a unique tag for resources in order to find them at a later stage
ec2:DeleteSnapshot | Only snapshots created by Prisma Cloud DSPM (based on tags) | Enables deleting existing stale snapshots
ec2:DescribeAvailabilityZones | Availability zones in the account | Enables getting information about the snapshot's availability zone and storing it within the same snapshot
ec2:DescribeImages | All publicly available AWS images | Enables getting information about the available images for EC2 instances
ec2:DescribeInstances | EC2 instances in the account | Enables getting information about EC2 instances
ec2:DescribeSnapshots | Snapshots in the account | Enables getting information about snapshots in the account
ec2:ModifySnapshotAttribute | Only snapshots created by Prisma Cloud DSPM (based on tags) | Enables sharing the created snapshots with the scanner account
events:PutEvents | All events | Supports DDR using EventBridge
iam:PassRole | DigSecurityScannerRole only | Enables creating export tasks for RDS snapshots
kms:CreateAlias | KMS keys in the account | Enables giving a unique alias name to keys in order to find them at a later stage
kms:CreateGrant | Only AWS services | The created EC2 instance sends a CreateGrant request to AWS KMS so that it can share the encrypted snapshot with the outpost account
kms:CreateKey | KMS keys in the account | Enables creating Dig's CMK to encrypt the snapshots and volume, thus ensuring that data is encrypted at every step
kms:Decrypt | No scope | Enables decrypting the encrypted snapshots. Prisma Cloud DSPM can decrypt only encrypted snapshots that it created itself
kms:DeleteAlias | KMS keys in the account | Enables deleting the alias name of the created keys
kms:DescribeKey | KMS keys in the account | Enables getting information about the KMS keys in the account
kms:DisableKeyRotation | Only KMS keys that Prisma Cloud DSPM created | A security measure to rotate the keys periodically
kms:EnableKeyRotation | Only KMS keys that Prisma Cloud DSPM created | A security measure to rotate the keys periodically
kms:Encrypt | Only KMS keys that Prisma Cloud DSPM created | Enables encrypting the snapshot copy to ensure data is encrypted at every step
kms:GenerateDataKey | KMS keys in the account | Enables encrypting the created snapshot / backup
kms:GenerateDataKeyWithoutPlaintext | Only KMS keys created by Prisma Cloud DSPM | Enables encrypting the created snapshot
kms:GenerateRandom | KMS keys in the account | Enables encrypting the created snapshot
kms:GetKeyRotationStatus | Only KMS keys that Prisma Cloud DSPM created | A security measure to rotate the keys periodically
kms:ListAliases | KMS keys in the account | Enables listing keys in the account in order to use Dig's KMS key
kms:ListGrants | Only AWS services | Enables listing the grants on a specific key so that the created EC2 instance can send a CreateGrant request to AWS KMS. This enables Prisma Cloud DSPM to share the encrypted snapshot with the scanner account
kms:ListKeys | KMS keys in the account | Enables searching for Prisma Cloud DSPM's key in the account
kms:ListResourceTags | KMS keys in the account | Enables getting the tags on the KMS keys, which enables Prisma Cloud DSPM to find its own keys
kms:ReEncryptTo | KMS keys in the account | Enables encrypting the copied snapshot with the created KMS key to ensure data is encrypted at every step
kms:TagResource | KMS keys in the account | Enables creating a unique tag for the created keys in order to find them at a later stage
kms:UntagResource | Only KMS keys that Prisma Cloud DSPM created | Enables deleting the tag from the created key
rds:AddTagsToResource | RDS resources in the account | Enables creating a unique tag for the created RDS resources in order to find them at a later stage
rds:CreateDBClusterSnapshot | RDS clusters in the account | Enables creating a snapshot of the RDS clusters that need to be scanned at a later stage
rds:CreateDBSnapshot | RDS instances in the account | Enables creating a snapshot of the RDS instances that need to be scanned at a later stage
rds:DeleteDBClusterSnapshot | Only RDS cluster snapshots created by Prisma Cloud DSPM (based on tags) | Enables deleting stale snapshots that were created
rds:DeleteDBSnapshot | Only RDS snapshots created by Prisma Cloud DSPM (based on tags) | Enables deleting stale snapshots that were created
rds:Describe* | RDS resources in the account | Describe permissions enable Prisma Cloud DSPM to get metadata on the RDS instances
rds:List* | RDS resources in the account | List permissions enable Prisma Cloud DSPM to understand which instances and snapshots exist in the account
rds:StartExportTask | RDS snapshots in the account | Enables exporting data from the snapshots to an S3 bucket
redshift-serverless:DeleteResourcePolicy | Redshift resources in the account | Enables removing policies created by Prisma Cloud DSPM
redshift-serverless:GetResourcePolicy | Redshift resources in the account | Enables retrieving the current resource policy
redshift-serverless:PutResourcePolicy | Redshift resources in the account | Enables creating and updating resource policies for Serverless sharing with the Orchestrator account
redshift:AuthorizeSnapshotAccess | Redshift resources in the account | Enables snapshot sharing with the Orchestrator account
redshift:CopyClusterSnapshot | Redshift resources in the account | Enables copying the snapshot of the Redshift clusters so that Dig can use it at a later stage
redshift:CreateClusterSnapshot | Redshift resources in the account | Enables creating a snapshot of the Redshift clusters that will be scanned at a later stage
redshift:CreateTags | Redshift resources in the account | Enables creating a unique tag for the created Redshift resources in order to find them at a later stage
redshift:DeleteClusterSnapshot | Only snapshots created by Prisma Cloud DSPM | Enables deleting stale snapshots that were created
redshift:Describe* | Redshift resources in the account | Enables querying Redshift resource metadata
redshift:EnableSnapshotCopy | Redshift resources in the account | Enables activating the snapshot copy feature for backups
redshift:List* | Redshift resources in the account | Enables listing Redshift resources
redshift:RevokeSnapshotAccess | Redshift resources in the account | Enables revoking access to shared Redshift snapshots after the scan is finished
route53:AssociateVPCWithHostedZone | OpenSearch resources | Enables connectivity to classify OpenSearch resources
route53:ChangeResourceRecordSets | OpenSearch resources | Enables connectivity to classify OpenSearch resources
route53:CreateHostedZone | OpenSearch resources | Enables connectivity to classify OpenSearch resources
route53:DeleteHostedZone | OpenSearch resources | Enables connectivity to classify OpenSearch resources
s3:CreateBucket | Only the bucket Prisma Cloud DSPM created for the export task | Enables creating an S3 bucket for the export task
s3:DeleteBucket | Only the bucket Prisma Cloud DSPM created for the export task | Enables deleting the S3 bucket used for the export task
s3:DeleteObject | Only the bucket Prisma Cloud DSPM created for the export task | Enables deleting stale objects that were created
s3:Get* | S3 buckets | Get permissions enable Prisma Cloud DSPM to read exported data from an S3 bucket
s3:List* | S3 buckets | List permissions enable Prisma Cloud DSPM to understand which S3 buckets exist in the account
s3:PutBucketNotification | Only the bucket Prisma Cloud DSPM created for the export task | Enables connecting the bucket to the created SNS topic
s3:PutBucketPolicy | Only the bucket Prisma Cloud DSPM created for the export task | Enables adding a policy to the created bucket
s3:PutBucketPublicAccessBlock | Only the bucket Prisma Cloud DSPM created for the export task | Since S3 buckets are public by default, this permission enables Dig to block public access to the created S3 bucket
s3:PutBucketTagging | Only the bucket Prisma Cloud DSPM created for the export task | Enables tagging the created bucket
s3:PutBucketVersioning | Only the bucket Prisma Cloud DSPM created for the export task | Enables versioning on the created bucket
s3:PutEncryptionConfiguration | Only the bucket Prisma Cloud DSPM created for the export task | Enables encrypting data in the bucket, which allows Dig to secure its data
s3:PutObject | Only the bucket Prisma Cloud DSPM created for the export task | Enables writing data to an object in Prisma Cloud DSPM's bucket to export data from the RDS instances
sts:DecodeAuthorizationMessage | Errors detected in the scanner role | Enables getting information about any API errors in AWS API calls
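
The read-only role section states that Prisma Cloud DSPM assumes the role with a unique external ID, and several rows of the scanner table scope destructive actions to resources Prisma Cloud DSPM created "based on tags". The following Python is an added example, not Prisma Cloud DSPM's own code, that checks both claims against role documents exported from your own account; the tag key Dig-Security, the function names and the embedded sample policies are constructed assumptions.

```python
"""Offline linter for the role documents described on this page.

Added example, not Prisma Cloud DSPM's own code. The tag key "Dig-Security"
and the two embedded sample policies are constructed assumptions; in practice
feed the functions the JSON returned by `aws iam get-role` (trust policy) and
`aws iam get-role-policy` / `aws iam get-policy-version` (permission policy).
"""
import fnmatch
import json

# Actions the scanner table scopes to resources Prisma Cloud DSPM created
# "based on tags". Granting them without a tag condition widens the blast
# radius to every snapshot or table in the account.
TAG_SCOPED_ACTIONS = {
    "ec2:DeleteSnapshot",
    "ec2:ModifySnapshotAttribute",
    "rds:DeleteDBClusterSnapshot",
    "rds:DeleteDBSnapshot",
    "redshift:DeleteClusterSnapshot",
    "dynamodb:DeleteTable",
}
TAG_KEY = "Dig-Security"  # assumed tag key; the page only says "based on tags"


def _as_list(value):
    """IAM accepts a bare string or a list in Action/Principal/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _condition_keys(statement):
    """Flatten {"StringEquals": {"sts:ExternalId": "..."}} into lower-case keys."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def _action_matches(pattern, action):
    """IAM action globbing is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def assume_role_without_external_id(trust_policy):
    """AWS principals allowed to assume the role with no sts:ExternalId condition.

    A trust statement without the external ID is open to confused-deputy use:
    any third party who can get the vendor to assume roles could target yours.
    """
    offenders = []
    for st in _allow_statements(trust_policy):
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "sts:externalid" not in _condition_keys(st):
            offenders.extend(aws_principals)
    return offenders


def tag_scoped_actions_missing_condition(permission_policy, tag_key=TAG_KEY):
    """Watched actions granted by a statement lacking the aws:ResourceTag condition.

    Wildcards such as "ec2:*" are expanded against the watch list, since they
    grant the listed action just as much as naming it explicitly would.
    """
    wanted = f"aws:resourcetag/{tag_key}".lower()
    missing = set()
    for st in _allow_statements(permission_policy):
        if wanted in _condition_keys(st):
            continue
        for pattern in _as_list(st.get("Action")):
            missing.update(a for a in TAG_SCOPED_ACTIONS if _action_matches(pattern, a))
    return sorted(missing)


# Constructed sample trust policy: the first statement carries an external ID,
# the second account does not and should be flagged.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"}
  ]
}""")

# Constructed sample permission policy: RDS/Redshift/DynamoDB deletes are
# tag-scoped as the table describes, but "ec2:*" is granted unconditionally.
SAMPLE_PERMISSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot",
                "redshift:DeleteClusterSnapshot", "dynamodb:DeleteTable"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Dig-Security": "true"}}},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print("AssumeRole without ExternalId:", assume_role_without_external_id(SAMPLE_TRUST_POLICY))
    print("Tag-scoped actions missing condition:",
          tag_scoped_actions_missing_condition(SAMPLE_PERMISSION_POLICY))
```

Run against the sample documents it reports the second trust principal and the two EC2 snapshot actions covered by the unconditional wildcard; an empty result for both functions means the role documents match the scope claims in the tables.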

DigSecurityOrchestratorRole

This role is installed on the side account(s) in your AWS environment. It is used to deploy Prisma Cloud DSPM's compute resources (e.g., EC2 instances for AWS) for scanning and analyzing the scanned accounts. This role is also used by Prisma Cloud DSPM's compute instances to assume the DigSecurityScannerRole.

Permissions

Permission | Scope | Purpose
aoss:DeleteVpcEndpoint | Orchestrator account | Used for scanning OpenSearch Serverless instances
ec2:AllocateAddress | Addresses in the account | Enables Dig to create an address for its EC2 instance
ec2:AssociateAddress | Addresses in the account | Enables associating the created addresses
ec2:AssociateRouteTable | Route tables in the account | Enables attaching the route table created for Prisma Cloud DSPM's EC2 instance
ec2:AttachInternetGateway | Internet gateways in the account | Enables attaching the Internet gateway created for Prisma Cloud DSPM's EC2 instance
ec2:AuthorizeSecurityGroupEgress | Security groups in the account | Enables attaching a security group to the EC2 instance
ec2:AuthorizeSecurityGroupIngress | Security groups in the account | Enables attaching a security group to the EC2 instance
ec2:CreateInternetGateway | Internet gateways in the account - only those with a "Dig-Security" tag | Enables creating an Internet gateway for Prisma Cloud DSPM's EC2 instance to communicate with the Internet
ec2:CreateNatGateway | NAT gateways in the account | Enables creating a NAT gateway for Prisma Cloud DSPM's EC2 instance to communicate with the Internet
ec2:CreateRoute | Routes in the account | Enables creating a route that directs traffic through the created Internet gateway
ec2:CreateRouteTable | Route tables in the account | Enables creating a route table with the relevant routes for Prisma Cloud DSPM's EC2 instance
ec2:CreateSecurityGroup | Security groups in the account | Enables creating a security group attached to the EC2 instance
ec2:CreateSubnet | Subnets in the account | Enables creating a subnet to be used by Prisma Cloud DSPM's EC2 instance
ec2:CreateTags | EC2 resources in the account | Enables creating tags on resources for identifying Prisma Cloud DSPM's resources in the account
ec2:CreateVpc | Only VPCs with a "Dig-Security" tag | Enables creating a VPC to be used by Prisma Cloud DSPM's EC2 instance
ec2:DeleteInternetGateway | Only Prisma Cloud DSPM's Internet gateway | Enables deleting stale Internet gateways created in the process
ec2:DeleteNatGateway | Only Prisma Cloud DSPM's NAT gateway | Enables deleting stale gateways created in the process
ec2:DeleteRoute | Only Prisma Cloud DSPM's route | Enables deleting the stale routes created in the process
ec2:DeleteRouteTable | Only Prisma Cloud DSPM's route table | Enables deleting the stale route tables created in the process
ec2:DeleteSecurityGroup | Only Prisma Cloud DSPM's security group | Enables deleting the stale security groups created in the process
ec2:DeleteSubnet | Only Prisma Cloud DSPM's subnet | Enables deleting the stale subnets created in the process
ec2:DeleteVpc | Only Prisma Cloud DSPM's VPC | Enables deleting the stale VPCs created in the process
ec2:DeleteVpcEndpoint | Resources tagged with "dig-security" | Used for scanning OpenSearch Serverless instances
ec2:DetachInternetGateway | Only Prisma Cloud DSPM's Internet gateway and VPC | Enables detaching the stale Internet gateways from VPCs created in the process
ec2:ModifySecurityGroupRules | Only security group resources created by Prisma Cloud DSPM | Enables attaching security rules to the created security group
ec2:RunInstances | Instances in the account | Enables creating EC2 instances
ec2:TerminateInstances | All EC2 resources created by Prisma Cloud DSPM (based on tags) | Enables deleting the stale EC2 instances created in the process
elasticfilesystem:ClientMount | All resources | Mounting an EFS file system read-only
iam:CreateServiceLinkedRole | All resources | Enables creating service-linked roles for AWS services, to access the Redshift Serverless namespace in Orchestrator accounts for the first time
iam:PassRole | DigSecurityOrchestratorRole only | Enables creating EC2 instances with the DigSecurityOrchestratorRole attached
kms:CreateGrant | Only Prisma Cloud DSPM's KMS keys and only for AWS services | A created EC2 instance sends a CreateGrant request to AWS KMS so that it can encrypt the volume created from the snapshot
kms:Decrypt | Only Prisma Cloud DSPM's KMS keys | Enables attaching the volumes to be scanned
kms:DisableKeyRotation | Only KMS keys that Prisma Cloud DSPM created | A security measure to rotate the keys periodically
kms:EnableKeyRotation | Only KMS keys that Prisma Cloud DSPM created | A security measure to rotate the keys periodically
kms:Encrypt | Only Prisma Cloud DSPM's KMS keys | Enables attaching the volumes to be scanned while ensuring they are encrypted
kms:GenerateDataKeyWithoutPlaintext | Only Prisma Cloud DSPM's KMS keys | AWS uses KMS to encrypt and decrypt encrypted volumes. KMS generates a new data key and encrypts it using the KMS key specified by Prisma Cloud DSPM, in case the volume is encrypted with another KMS key. The encrypted data key is sent to EBS to be stored with the volume metadata
kms:GetKeyRotationStatus | Only KMS keys that Prisma Cloud DSPM created | A security measure to rotate the keys periodically
kms:ReEncryptFrom | Only Prisma Cloud DSPM's KMS keys | Enables attaching the volumes to be scanned while ensuring they are encrypted
ReadOnlyAccess | All resources | Read-only access in the client's environment
redshift-data:BatchExecuteStatement | Only Prisma Cloud DSPM's resources (by tags) | Enables executing multiple SQL statements in Redshift concurrently for the scanning process
redshift-data:CancelStatement | Only Prisma Cloud DSPM's resources (by tags) | Enables canceling running SQL statements in the Redshift cluster created by Prisma Cloud DSPM
redshift-data:Describe* | All resources | Enables querying Redshift Data resource metadata
redshift-data:ExecuteStatement | Only Prisma Cloud DSPM's resources (by tags) | Enables executing SQL statements in Redshift for the scanning process
redshift-data:GetStatementResult | All resources | Enables retrieving the results of SQL commands executed by Prisma Cloud DSPM on the Redshift namespaces it created
redshift-data:List* | All resources | Enables listing Redshift Data resources
redshift-serverless:CreateNamespace | All resources | Enables creating Redshift Serverless namespaces from the shared snapshot
redshift-serverless:CreateWorkgroup | All resources | Enables creating Redshift Serverless workgroups
redshift-serverless:DeleteNamespace | Only Prisma Cloud DSPM's resources (by tags) | Enables deleting Redshift Serverless namespaces created by Prisma Cloud DSPM
redshift-serverless:DeleteWorkgroup | Only Prisma Cloud DSPM's resources (by tags) | Enables deleting Redshift Serverless workgroups created by Prisma Cloud DSPM
redshift-serverless:GetCredentials | Only Prisma Cloud DSPM's resources (by tags) | Enables retrieving Prisma Cloud DSPM's Redshift Serverless credentials for access management
redshift-serverless:GetNamespace | All resources | Enables retrieving Redshift Serverless namespace details
redshift-serverless:GetWorkgroup | All resources | Enables retrieving Redshift Serverless workgroup details
redshift-serverless:ListNamespaces | All resources | Enables listing all Redshift Serverless namespaces
redshift-serverless:RestoreFromSnapshot | All resources | Enables restoring a namespace from the shared snapshot
redshift-serverless:TagResource | All resources | Enables creating tags on resources for identifying Prisma Cloud DSPM's resources in the account
secretsmanager:CreateSecret | Only secrets tagged with Dig-Security:true | Enables Prisma Cloud DSPM to create a secret necessary for interacting with password-enabled services
secretsmanager:GetSecretValue | Only secrets tagged with Dig-Security:true | Enables Prisma Cloud DSPM to pull the secret required for scanning
secretsmanager:PutSecretValue | Only secrets tagged with Dig-Security:true | Enables Prisma Cloud DSPM to create the secret required for scanning
secretsmanager:TagResource | Only secrets tagged with Dig-Security:true | Allows Prisma Cloud DSPM to tag the secrets and enable right-sized permissions
sts:AssumeRole | DigSecurityScannerRole only | Enables assuming DigSecurityScannerRole to perform the scan logic in the monitored accounts
sts:DecodeAuthorizationMessage | Errors of Prisma Cloud DSPM's Orchestrator role that were detected | Enables getting information about any API errors in AWS API calls

Custom Network Resources Deployment Required Permissions

DigSecurityReadOnlyRole

Used as read-only access to your environment, this role enables Prisma Cloud DSPM to:

This role is installed on every account monitored by Prisma Cloud DSPM, allowing us to detect and protect your assets. Prisma Cloud DSPM's own account assumes the DigSecurityReadOnlyRole role with a unique external ID as a best-practice security measure.

Permissions

Permission | Scope | Purpose
AmazonMemoryDBReadOnlyAccess | All resources | Read-only access to the client's MemoryDB resources
bedrock:GetGuardrail | The entire account | Content filtering risk assessment in AI deployments
bedrock:ListGuardrails | The entire account | Content filtering risk assessment in AI deployments
ReadOnlyAccess | All resources | Read-only access to the client's environment

DigSecurityScannerRole

This role is installed on all the scanned (monitored) accounts in your environment, as well as on the DigSecurityReadOnlyRole. It enables Prisma Cloud DSPM to detect and scan data for analysis and classification. This role can only be assumed by the DigSecurityOrchestratorRole.

All sensitive data that is detected, scanned and classified by Prisma Cloud DSPM’s resources never leaves the client's environment.

Permissions

Permission
Scope
Purpose
aoss:APIAccessAll
OpenSearch Serverless in the account
Enables Prisma Cloud DSPM to get data from opensearch serverless
aoss:CreateAccessPolicy
OpenSearch Serverless in the account
Enables Prisma Cloud DSPM to create an access policy to allow only Dig Scanner to access the scanned collection
aoss:CreateSecurityPolicy
OpenSearch Serverless in the account
Enables Prisma Cloud DSPM to create a security policy to allow Orchestrator VPC endpoint to access the collection
aoss:DeleteAccessPolicy
OpenSearch Serverless in the account
Enables Prisma Cloud DSPM to delete access policies
aoss:DeleteSecurityPolicy
OpenSearch Serverless in the account
Enables Prisma Cloud DSPM to delete security policies
aoss:GetAccessPolicy
OpenSearch Serverless in the account
Enables Prisma Cloud DSPM to retrieve metadata regarding access policies
aoss:GetSecurityPolicy
OpenSearch Serverless in the account
Enables Prisma Cloud DSPM to retrieve metadata regarding security policies
bedrock:get
All resources
Describing models (and get S3 bucket information)
bedrock:list
All resources
Listing bedrock resources
dynamodb:BatchWriteItem
Only tables created by Prisma Cloud DSPM
Enables writing multiple items to a DynamoDB table in a single operation as part of the restoration process
dynamodb:CreateBackup
DynamoDB resources in the account
Enables creating backups for DynamoDB tables for restoring and classifying them later
dynamodb:CreateTable
DynamoDB resources in the account
Enables creating new DynamoDB tables as part of the restore process
dynamodb:DeleteBackup
DynamoDB resources in the account
Enables deleting DynamoDB table backups after they are created
dynamodb:DeleteItem
Only tables created by Prisma Cloud DSPM
Enables deleting a specific item from the created DynamoDB table
dynamodb:DeleteTable
Only tables created by Prisma Cloud DSPM
Enables deleting the created DynamoDB table
dynamodb:DeleteTableReplica
Only tables created by Prisma Cloud DSPM
Enables deleting a table replica in the created DynamoDB
dynamodb:Describe*
DynamoDB resources in the account
Enables getting metadata about DynamoDB resources
dynamodb:GetItem
DynamoDB resources in the account
Enables retrieving a specific item from a DynamoDB table for on-demand classification
dynamodb:GetRecords
DynamoDB resources in the account
Enables getting data records from a DynamoDB stream for on-demand classification
dynamodb:PutItem
Only tables created by Prisma Cloud DSPM
Enables inserting a new item into the DynamoDB table created as part of the restoration process
dynamodb:RestoreTableFromAwsBackup
DynamoDB resources in the account
Enables restoring a DynamoDB table from an AWS Backup job
dynamodb:RestoreTableFromBackup
DynamoDB resources in the account
Enables restoring a DynamoDB table from a specific backup
dynamodb:Scan
DynamoDB resources in the account
Enables scanning DynamoDB tables to retrieve specific items as part of the on-demand classification process
dynamodb:StartAwsBackupJob
DynamoDB resources in the account
Enables initiating AWS Backup jobs for DynamoDB tables
dynamodb:TagResource
DynamoDB resources in the account
Enables adding tags to DynamoDB resources created by Prisma Cloud DSPM
dynamodb:UntagResource
Only tables created by Prisma Cloud DSPM
Enables removing tags from the created DynamoDB tables
dynamodb:UpdateContinuousBackups
DynamoDB resources in the account
Enables modifying backup settings created by Prisma Cloud DSPM
dynamodb:UpdateItem
Only tables created by Prisma Cloud DSPM
Enables modifying an existing item in the created DynamoDB table
ec2:CopySnapshot
Snapshots in the account
Enables copying snapshots to a snapshot that Prisma Cloud DSPM can share with the scanner account
ec2:CreateSnapshots
Snapshots in the account
Enables creating an EC2 instance from multiple snapshots simultaneously, so that Prisma Cloud DSPM can start scanning for databases
ec2:CreateTags
EC2 instances in the account
Enables creating a unique tag for resources in order to find them at a later stage
ec2:DeleteSnapshot
Only snapshots created by Prisma Cloud DSPM (based on tags)
Enables deleting existing stale snapshots
ec2:DescribeAvailabilityZones
Availability zones in the account
Enables getting information about the snapshot’s availability zone and store it within the same snapshot
ec2:DescribeImages
All publicly available AWS images
Enables getting information about the available images for EC2 instances
ec2:DescribeInstances
EC2 instances in the account
Enables getting information about EC2 instances
ec2:DescribeSnapshots
Snapshots in the account
Enables getting information about snapshots in the account
ec2:ModifySnapshotAttribute
Only snapshots created by Prisma Cloud DSPM (based on tags)
Enables sharing the snapshots created in the scanner account
iam:PassRole
DigSecurityScannerRole role only
Enables creating export tasks for RDS snapshots
kms:CreateAlias
KMS keys in the account
Enables giving a unique alias name to keys in order to find them at a later stage
kms:CreateGrant
Only AWS services
The created EC2 instance sends a CreateGrant request to AWS KMS so that it can share the encrypted snapshot with the outpost account
kms:CreateKey
KMS keys in the account
Enables creating Dig’s CMK key to encrypt the snapshots and volume, thus ensuring that data is encrypted at every step
kms:Decrypt
No scope
Enables to decrypt the encrypted snapshots. Prisma Cloud DSPM can decrypt only encrypted snapshots that it created itself
kms:DeleteAlias
KMS keys in the account
Enables deleting the alias name for the created keys
kms:DescribeKey
KMS keys in the account
Enables getting information about the KMS keys in the account
kms:Encrypt
Only KMS keys for which Prisma Cloud DSPM created ListGrants
Enables to encrypt the snapshot copy to ensure data is encrypted at every step
kms:GenerateDataKey
KMS keys in the account
Enables encrypting the created snapshot / backup
kms:GenerateDataKeyWithoutPlaintext
Only KMS keys created by Prisma Cloud DSPM
Enables encrypting the created snapshot
kms:GenerateRandom
KMS keys in the account
Enables encrypting the created snapshot
kms:ListAliases
KMS keys in the account
Enables listing keys in the account in order to use Dig’s KMS key
kms:ListGrants
Only AWS services
Enables listing the grants on a specific key so that the created EC2 instance can send a CreateGrant request to AWS KMS. This enables Prisma Cloud DSPM to share the encrypted snapshot with the scanner account
kms:ListKeys
KMS keys in the account
Enables searching Prisma Cloud DSPM’s key in the account
kms:ListResourceTags
KMS keys in the account
Enables getting the tags on the KMS keys, which enables Prisma Cloud DSPM to find its own keys
kms:ReEncryptTo
KMS keys in the account
Enables encrypting the copied snapshot with the created KMS to ensure data is encrypted at every step
kms:TagResource
KMS keys in the account
Enables creating a unique tag for the created keys in order to find them at a later stage
kms:TagResource
Only KMS keys that Prisma Cloud DSPM created
Enables deleting the tag from the created key
rds:AddTagsToResource
RDS resources in the account
Enables creating a unique tag for the created RDS resourceCreateDBSnapshots in order to find them at a later stage
rds:CreateDBClusterSnapshot
RDS clusters in the account
Enables creating a snapshot for the RDS clusters that need to be scanned at a later stage
rds:CreateDBSnapshot
RDS instances in the account
Enables creating a snapshot for the RDS instances that need to be scanned at a later stage
rds:DeleteDBClusterSnapshot
Only RDS cluster snapshots created by Prisma Cloud DSPM(based on tags)
Enables deleting stale snapshots that were created
rds:DeleteDBSnapshot
Only RDS snapshots created by Prisma Cloud DSPM(based on tags)
Enables deleting stale snapshots that were created
rds:Describe*
RDS resources in the account
Describe permissions enable Prisma Cloud DSPM to get metadata information on the RDS instance
rds:List*
RDS resources in the account
List permissions enable Prisma Cloud DSPM to understand which instances and snapshots exist in the account
rds:StartExportTask
RDS snapshots in the account
Enables exporting data from the snapshots to an S3 bucket
redshift-serverless:DeleteResourcePolicy
Redshift resources in the account
Enables removing policies created by Prisma Cloud DSPM
redshift-serverless:GetResourcePolicy
Redshift resources in the account
Enables retrieving the current resource policy
redshift-serverless:PutResourcePolicy
Redshift resources in the account
Enables creating and updating resource policies for Serverless sharing with the Orchestrator account
redshift:AuthorizeSnapshotAccess
Redshift resources in the account
Enables snapshot sharing with the Orchestrator account
redshift:CopyClusterSnapshot
Redshift resources in the account
Enables copying the snapshot for the Redshift clusters so that Dig will be able to use them at a later stage
redshift:CreateClusterSnapshot
Redshift resources in the account
Enables creating a snapshot for the Redshift clusters that will be scanned at a later stage
redshift:CreateTags
Redshift resources in the account
Enables creating a unique tag for the created keys in order to find them at a later stage
redshift:DeleteClusterSnapshot
Only snapshots created by Prisma Cloud DSPM
Enables deleting stale snapshots that were created
redshift:Describe*
Redshift resources in the account
Enables querying Redshift resource metadata information
redshift:EnableSnapshotCopy
Redshift resources in the account
Enables activating snapshot copy feature for backups
redshift:List*
Redshift resources in the account
Enables listing Redshift resources
redshift:RevokeSnapshotAccess
Redshift resources in the account
Enables revoking access to shared Redshift snapshots after the scan is finished
s3:CreateBucket
Only the bucket Prisma Cloud DSPM created for the export task
Enables creating an S3 bucket for the export task
s3:DeleteBucket
Only the bucket Prisma Cloud DSPM created for the export task
Enables deleting an S3 bucket for the export task
s3:DeleteObject
Only the bucket Prisma Cloud DSPM created for the export task
Enables deleting stale objects that were created
s3:Get*
S3 buckets
Get permissions enable Prisma Cloud DSPM to read exported data over an S3 bucket
s3:List*
S3 buckets
List permissions enable Prisma Cloud DSPM to understand which S3 buckets exist in the account
s3:PutBucketNotification
Only the bucket Prisma Cloud DSPM created for the export task
Enables connecting the bucket to the created SNS
s3:PutBucketPolicy
Only the bucket Prisma Cloud DSPM created for the export task
Enables adding a policy to the created bucket
s3:PutBucketPublicAccessBlock
Only the bucket Prisma Cloud DSPM created for the export task
Since S3 buckets are public by default, this permission enables Dig to block public access to the created S3 bucket
s3:PutBucketTagging
Only the bucket Prisma Cloud DSPM created for the export task
Enables tagging the created bucket
s3:PutBucketVersioning
Only the bucket Prisma Cloud DSPM created for the export task
Enables versioning in the created bucket
s3:PutEncryptionConfiguration
Only the bucket Prisma Cloud DSPM created for the export task
Enables encrypting data in the bucket, which allows Dig to secure its data
s3:PutObject
Only the bucket Prisma Cloud DSPM created for the export task
Enables writing data to an object in Prisma Cloud DSPM’s bucket to export data from the RDS instances
sts:DecodeAuthorizationMessage
Errors detected in the scanner role
Enables getting information about any API errors in AWS API calls

DigSecurityOrchestratorRole

This role is installed on the side account(s) in your AWS environment. It is used to deploy Prisma Cloud DSPM's compute resources (e.g., EC2 instances for AWS) for scanning and analyzing the scanned accounts. This role is also used by Prisma Cloud DSPM's compute instances to assume the DigSecurityScannerRole.

Permissions

Permission
Scope
Purpose
ec2:AssociateAddress
Addresses in the account
Enables associating the created addresses
ec2:CreateTags
EC2 resources in the account
Enables creating tags on resources for identifying Prisma Cloud DSPM's resources in the account
ec2:RunInstances
Instances in the account
Enables creating EC2 instances
ec2:TerminateInstances
All EC2 resources created by Prisma Cloud DSPM (based on tags)
Enables deleting the stale EC2 instances created in the process
elasticfilesystem:ClientMount
All resources
Enables mounting an EFS file system as read-only
iam:CreateServiceLinkedRole
All resources
Enables creating service-linked roles for AWS services, to access Redshift Serverless namespace in Orchestrator accounts for the first time
iam:PassRole
DigSecurityOrchestratorRole role only
Enables creating EC2 instances with an attached DigSecurityOrchestratorRole
kms:CreateGrant
Only Prisma Cloud DSPM’s KMS keys and only for AWS Services
A created EC2 instance sends a CreateGrant request to AWS KMS so that it can encrypt the volume created from the snapshot
kms:Decrypt
Only Prisma Cloud DSPM’s KMS keys
Enables attaching the volumes to be scanned
kms:Encrypt
Only Prisma Cloud DSPM’s KMS keys
Enables attaching the volumes to be scanned to ensure they are encrypted
kms:GenerateDataKeyWithoutPlaintext
Only Prisma Cloud DSPM’s KMS keys
AWS uses KMS to encrypt and decrypt encrypted volumes. KMS generates a new data key and encrypts it with the KMS key specified by Prisma Cloud DSPM, in case the volume is encrypted with another KMS key. The encrypted data key is sent to EBS to be stored with the volume metadata
kms:ReEncryptFrom
Only Prisma Cloud DSPM’s KMS keys
Enables attaching the volumes to be scanned to ensure they are encrypted
ReadOnlyAccess
All resources
Read-only access in the client’s environment
redshift-data:BatchExecuteStatement
Only Prisma Cloud DSPM’s resources (by tags)
Enables executing multiple SQL statements in Redshift concurrently for the scanning process
redshift-data:CancelStatement
Only Prisma Cloud DSPM’s resources (by tags)
Enables canceling the run of SQL statements in the Redshift cluster created by Prisma Cloud DSPM
redshift-data:Describe*
All resources
Enables querying Redshift data resources metadata information
redshift-data:ExecuteStatement
Only Prisma Cloud DSPM’s resources (by tags)
Enables executing multiple SQL statements in Redshift concurrently for the scanning process
redshift-data:GetStatementResult
All resources
Enables retrieving the results of SQL commands executed by Prisma Cloud DSPM on the Redshift namespaces it created
redshift-data:List*
All resources
Enables listing Redshift data resources
redshift-serverless:CreateNamespace
All resources
Enables creating Redshift Serverless namespaces from the shared snapshot
redshift-serverless:CreateWorkgroup
All resources
Enables creating Redshift Serverless workgroups
redshift-serverless:DeleteNamespace
Only Prisma Cloud DSPM’s resources (by tags)
Enables deleting Redshift Serverless namespaces created by Prisma Cloud DSPM
redshift-serverless:DeleteWorkgroup
Only Prisma Cloud DSPM’s resources (by tags)
Enables deleting Redshift Serverless workgroups created by Prisma Cloud DSPM
redshift-serverless:GetCredentials
Only Prisma Cloud DSPM’s resources (by tags)
Enables retrieving Prisma Cloud DSPM’s Redshift Serverless credentials for access management
redshift-serverless:GetNamespace
All resources
Enables retrieving Redshift Serverless namespace details
redshift-serverless:GetWorkgroup
All resources
Enables retrieving Redshift Serverless workgroup details
redshift-serverless:ListNamespaces
All resources
Enables listing all Redshift Serverless namespaces
redshift-serverless:RestoreFromSnapshot
All resources
Enables restoring a namespace from the shared snapshot
redshift-serverless:TagResource
All resources
Enables creating tags on resources for identifying Prisma Cloud DSPM’s resources in the account
route53:AssociateVPCWithHostedZone
OpenSearch resources
Enables connectivity to classify OpenSearch resources
route53:ChangeResourceRecordSets
OpenSearch resources
Enables connectivity to classify OpenSearch resources
route53:CreateHostedZone
OpenSearch resources
Enables connectivity to classify OpenSearch resources
route53:DeleteHostedZone
OpenSearch resources
Enables connectivity to classify OpenSearch resources
secretsmanager:CreateSecret
Only secrets tagged with Dig-Security:true
Enables Prisma Cloud DSPM to create a secret necessary for interacting with password-enabled services
secretsmanager:GetSecretValue
Only secrets tagged with Dig-Security:true
Enables Prisma Cloud DSPM to pull the secret required for scanning
secretsmanager:PutSecretValue
Only secrets tagged with Dig-Security:true
Enables Prisma Cloud DSPM to create the secret required for scanning
secretsmanager:TagResource
Only secrets tagged with Dig-Security:true
Allows Prisma Cloud DSPM to tag the secrets and enable right-sized permissions
sts:AssumeRole
DigSecurityScannerRole only
Enables assuming DigSecurityScannerRole to perform the scan logic in the monitored accounts
sts:DecodeAuthorizationMessage
Errors detected in Prisma Cloud DSPM's Orchestrator role
Enables getting information about any API errors in AWS API calls
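Several rows above limit destructive or secret-reading actions to resources Prisma Cloud DSPM created "based on tags". The Python below is an added example written for this page (not Prisma Cloud DSPM's own tooling) that checks a candidate IAM policy document for Allow statements granting one of those actions without an aws:ResourceTag condition; the action list, the sample policy and the ExampleTag key are constructed assumptions.

```python
import fnmatch

# Actions the table above limits to resources Prisma Cloud DSPM created
# ("based on tags"); an Allow without an aws:ResourceTag condition is flagged.
TAG_SCOPED_ACTIONS = (
    "ec2:TerminateInstances",
    "rds:DeleteDBSnapshot",
    "rds:DeleteDBClusterSnapshot",
    "redshift:DeleteClusterSnapshot",
    "redshift-serverless:DeleteNamespace",
    "secretsmanager:GetSecretValue",
)

def _as_list(value):
    # IAM accepts a single string or a list in Statement/Action fields.
    return value if isinstance(value, list) else [value]

def _has_resource_tag_condition(statement):
    # Any String* operator keyed on aws:ResourceTag/<key> counts as scoping.
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.startswith("String"):
            if any(k.lower().startswith("aws:resourcetag/") for k in pairs):
                return True
    return False

def find_unscoped_actions(policy):
    """Return action patterns from Allow statements that cover a tag-scoped
    action but carry no aws:ResourceTag condition (sorted, de-duplicated)."""
    findings = set()
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow" or _has_resource_tag_condition(statement):
            continue
        for pattern in _as_list(statement.get("Action", [])):
            # IAM action patterns use '*' wildcards, e.g. "rds:Delete*".
            if any(fnmatch.fnmatchcase(a, pattern) for a in TAG_SCOPED_ACTIONS):
                findings.add(pattern)
    return sorted(findings)

# Constructed sample policy; "ExampleTag" is a placeholder tag key.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {   # Correctly scoped: may only terminate instances carrying the tag.
        "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/ExampleTag": "true"}},
    },
    {   # Over-broad: "rds:Delete*" could delete any RDS snapshot in the account.
        "Effect": "Allow", "Action": ["rds:Delete*", "rds:Describe*"], "Resource": "*",
    },
]}
```

Running `find_unscoped_actions(SAMPLE_POLICY)` returns `["rds:Delete*"]`, pointing at the statement whose scope is wider than the table above describes.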

Note: For additional details about the architecture of Prisma Cloud DSPM, please consult with your account team.