From 5abf7a26f0aee91214e9307a22fbb10f124ca523 Mon Sep 17 00:00:00 2001
From: "sivan.hajbi"
Date: Tue, 19 Aug 2025 14:50:40 +0300
Subject: [PATCH 1/4] add FAM classification integration resources permissions and fix network create tags permissions
---
 .../aws/CreateNetworkResourcesPermissions.txt | 15 +++
 ...icationIntegrationResouecesPermissions.txt | 102 ++++++++++++++++++
 2 files changed, 117 insertions(+)
 create mode 100644 permissions_samples/aws/FAMClassificationIntegrationResouecesPermissions.txt
diff --git a/permissions_samples/aws/CreateNetworkResourcesPermissions.txt b/permissions_samples/aws/CreateNetworkResourcesPermissions.txt
index 966fdf2ae..b37cee5c1 100644
--- a/permissions_samples/aws/CreateNetworkResourcesPermissions.txt
+++ b/permissions_samples/aws/CreateNetworkResourcesPermissions.txt
@@ -89,6 +89,21 @@
 }
 }
 },
+ {
+ "Sid": "ec2CreateTagsForDefaultResources",
+ "Effect": "Allow",
+ "Action": "ec2:CreateTags",
+ "Resource": [
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*:*:network-acl/*",
+ "arn:aws:ec2:*:*:route-table/*"
+ ],
+ "Condition": {
+ "StringLike": {
+ "aws:RequestTag/deployment_name": "imperva-dsf-*"
+ }
+ }
+ },
 {
 "Sid": "RunInstancePermissions",
 "Effect": "Allow",
diff --git a/permissions_samples/aws/FAMClassificationIntegrationResouecesPermissions.txt b/permissions_samples/aws/FAMClassificationIntegrationResouecesPermissions.txt
new file mode 100644
index 000000000..0222293ac
--- /dev/null
+++ b/permissions_samples/aws/FAMClassificationIntegrationResouecesPermissions.txt
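Review bot: The new `ec2CreateTagsForDefaultResources` statement in the CreateNetworkResourcesPermissions.txt hunk allows `ec2:CreateTags` on every security group, network ACL and route table in the account in any region (`arn:aws:ec2:*:*:security-group/*` and the two siblings), so the `aws:RequestTag/deployment_name` condition is the only thing stopping the deployer from re-tagging unrelated pre-existing resources: any CreateTags request that carries a `deployment_name` tag matching `imperva-dsf-*` passes on all of them. If these are the VPC's implicitly created default resources an `ec2:CreateAction` condition cannot be used, but the statement could still be narrowed, for example by replacing the account wildcard with the deploying account id, `"arn:aws:ec2:*:<ACCOUNT_ID>:security-group/*"` (placeholder), and the Sid's "DefaultResources" intent deserves a comment-style note next to the existing `deployment_name` NOTE in the README so operators know the tag condition is the sole guard. Note also that a `StringLike` on a request-tag key evaluates false when the tag is absent, so CreateTags calls on these resources that do not include a `deployment_name` tag are not covered by this statement; presumably intended, but worth confirming against the Terraform resources that do the tagging.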
@@ -0,0 +1,102 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "S3Permissions",
+ "Effect": "Allow",
+ "Action": [
+ "s3:DeleteBucket",
+ "s3:DeleteObject",
+ "s3:CreateBucket",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:PutBucketTagging",
+ "s3:PutObjectTagging",
+ "s3:PutObjectVersionTagging",
+ "s3:DeleteAccessPoint",
+ "s3:DeleteObjectVersion",
+ "s3:CreateAccessPoint",
+ "s3:PutBucketPublicAccessBlock",
+ "s3:PutAccountPublicAccessBlock",
+ "s3:PutEncryptionConfiguration",
+ "s3:PutBucketPolicy",
+ "s3:DeleteBucketPolicy",
+ "s3:PutBucketNotification"
+ ],
+ "Resource": [
+ "arn:aws:s3:::imperva-dsf-*",
+ "arn:aws:s3:::imperva-dsf-*/*"
+ ]
+ },
+ {
+ "Sid": "s3GeneralPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:ListAllMyBuckets",
+ "s3:ListBucketVersions",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketLocation",
+ "s3:GetBucketCORS",
+ "s3:GetBucketWebsite",
+ "s3:GetBucketVersioning",
+ "s3:GetAccelerateConfiguration",
+ "s3:GetBucketRequestPayment",
+ "s3:GetBucketLogging",
+ "s3:GetLifecycleConfiguration",
+ "s3:GetReplicationConfiguration",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetBucketObjectLockConfiguration",
+ "s3:GetObject",
+ "s3:GetBucketAcl",
+ "s3:GetObjectAcl",
+ "s3:GetBucketLocation",
+ "s3:GetBucketTagging",
+ "s3:GetObjectTagging",
+ "s3:GetAccountPublicAccessBlock",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:GetBucketNotification"
+ ],
+ "Resource": [
+ "arn:aws:s3:::imperva-dsf-*",
+ "arn:aws:s3:::imperva-dsf-*/*"
+ ]
+ },
+ {
+ "Sid": "SQSPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "sqs:CreateQueue",
+ "sqs:DeleteQueue",
+ "sqs:GetQueueAttributes",
+ "sqs:SetQueueAttributes",
+ "sqs:GetQueueUrl",
+ "sqs:TagQueue",
+ "sqs:UntagQueue",
+ "sqs:ListQueueTags",
+ "sqs:AddPermission",
+ "sqs:RemovePermission"
+ ],
+ "Resource": [
+ "arn:aws:sqs:*:*:imperva-dsf-*"
+ ]
+ },
+ {
+ "Sid": "IAMPolicyPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreatePolicy",
+ "iam:DeletePolicy",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:ListPolicyVersions",
+ "iam:TagPolicy",
+ "iam:UntagPolicy",
+ "iam:ListPolicyTags"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:policy/imperva-dsf-*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From dbf6e63bfdad9b610b3f90a0a060e41f944c1207 Mon Sep 17 00:00:00 2001
From: "sivan.hajbi"
Date: Wed, 20 Aug 2025 22:35:57 +0300
Subject: [PATCH 2/4] add documentation fot FAM classication integration resources
---
 README.md | 1 +
 examples/aws/poc/dsf_deployment/README.md | 2 ++
 ...txt => FAMClassificationIntegrationResourcesPermissions.txt} | 0
 3 files changed, 3 insertions(+)
 rename permissions_samples/aws/{FAMClassificationIntegrationResouecesPermissions.txt => FAMClassificationIntegrationResourcesPermissions.txt} (100%)
diff --git a/README.md b/README.md
index a2b1e302c..3f8b64989 100644
--- a/README.md
+++ b/README.md
@@ -1154,6 +1154,7 @@ The permissions are separated to different policies. Use the relevant policies a
 2. In order to create network resources such as VPC, NAT Gateway, Internet Gateway etc., use the permissions specified here - [create network resources permissions](/permissions_samples/aws/CreateNetworkResourcesPermissions.txt).
 3. In order to onboard a MySQL RDS with CloudWatch configured, use the permissions specified here - [onboard MySQL RDS permissions](/permissions_samples/aws/OnboardMysqlRdsPermissions.txt).
 4. In order to onboard a MsSQL RDS with audit configured and with synthetic data, use the permissions specified here - [onboard MsSQL RDS with synthetic data permissions](/permissions_samples/aws/OnboardMssqlRdsWithDataPermissions.txt).
+5. In order to create FAM classification integration resources such as S3 bucket, SQS, IAM policy etc., use the permissions specified here - [create FAM classification integration resources permissions](/permissions_samples/aws/FAMClassificationIntegrationResourcesPermissions.txt).
 **NOTE:** When running the deployment with a custom 'deployment_name' variable, you should ensure that the corresponding condition in the AWS permissions of the user who runs the deployment reflects the new custom variable.

**NOTE:** The permissions specified in option 2 are irrelevant for customers who prefer to use their own network objects, such as VPC, NAT Gateway, Internet Gateway, etc.
diff --git a/examples/aws/poc/dsf_deployment/README.md b/examples/aws/poc/dsf_deployment/README.md
index c103ba9ba..4061e1837 100644
--- a/examples/aws/poc/dsf_deployment/README.md
+++ b/examples/aws/poc/dsf_deployment/README.md
@@ -23,6 +23,7 @@ The deployment is modular and allows users to deploy one or more of the followin
 - Agentless audit sources (RDS instances)
 6. CipherTrust Manager
 7. CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) Agents
+8. FAM classification integration resources (disabled by default)
 ### Deploying Specific Modules
@@ -87,6 +88,7 @@ Several variables in the `variables.tf` file are important for configuring the d
 - `enable_dam`: Enable DAM sub-product
 - `enable_dra`: Enable DRA sub-product
 - `enable_ciphertrust`: Enable CipherTrust sub-product
+- `create_fam_classification_integration_resources`: Enable FAM classification integration resources (disabled by default)
 ### Server Count
 - `dra_analytics_count`: Number of DRA Analytics servers
diff --git a/permissions_samples/aws/FAMClassificationIntegrationResouecesPermissions.txt b/permissions_samples/aws/FAMClassificationIntegrationResourcesPermissions.txt
similarity index 100%
rename from permissions_samples/aws/FAMClassificationIntegrationResouecesPermissions.txt
rename to permissions_samples/aws/FAMClassificationIntegrationResourcesPermissions.txt
From cd2bd5af03ea88ab2411a32ed60e6dd2d39ec25c Mon Sep 17 00:00:00 2001
From: "sivan.hajbi"
Date: Thu, 21 Aug 2025 12:19:42 +0300
Subject: [PATCH 3/4] add ciphertrust timeout error to readme Troubleshooting section
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 3f8b64989..9cef6e559 100644
--- a/README.md
+++ b/README.md
@@ -1584,6 +1584,14 @@ Below is a list of possible issues and troubleshooting remediations. Connect with SSH to the Sonar node EC2 and fix the aws cli profile misconfiguration. Run, for example, 'aws sts get-caller-identity' to test it. + + CipherTrust connection timeout error + + Error: failed to set auth token Get "https://x.x.x.x/api/v1/system/services/status": dial tcp x.x.x.x:443: connect: operation timed out + + Check your network configuration. For the 'terraform destroy' command, you can set the enable_ciphertrust variable to false in order to skip the CipherTrust provider connection (in case the CipherTrust provider resources have not been created yet). + +
 Azure issues
From 83b2a6e5185dc9fffeb08dce3d6ed72952655602 Mon Sep 17 00:00:00 2001
From: "sivan.hajbi"
Date: Thu, 21 Aug 2025 12:31:12 +0300
Subject: [PATCH 4/4] doc
---
 examples/aws/poc/dsf_deployment/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/aws/poc/dsf_deployment/README.md b/examples/aws/poc/dsf_deployment/README.md
index 4061e1837..17cf71f1e 100644
--- a/examples/aws/poc/dsf_deployment/README.md
+++ b/examples/aws/poc/dsf_deployment/README.md
@@ -88,7 +88,7 @@ Several variables in the `variables.tf` file are important for configuring the d
 - `enable_dam`: Enable DAM sub-product
 - `enable_dra`: Enable DRA sub-product
 - `enable_ciphertrust`: Enable CipherTrust sub-product
-- `create_fam_classification_integration_resources`: Enable FAM classification integration resources (disabled by default)
+- `create_fam_classification_integration_resources`: Create FAM classification integration resources (disabled by default)
 ### Server Count
 - `dra_analytics_count`: Number of DRA Analytics servers