add FAM classification integration resources permissions and fix netw…

README.md

@@ -1154,6 +1154,7 @@ The permissions are separated to different policies. Use the relevant policies a
 2. In order to create network resources such as VPC, NAT Gateway, Internet Gateway etc., use the permissions specified here - [create network resources permissions](/permissions_samples/aws/CreateNetworkResourcesPermissions.txt).
 3. In order to onboard a MySQL RDS with CloudWatch configured, use the permissions specified here - [onboard MySQL RDS permissions](/permissions_samples/aws/OnboardMysqlRdsPermissions.txt).
 4. In order to onboard a MsSQL RDS with audit configured and with synthetic data, use the permissions specified here - [onboard MsSQL RDS with synthetic data permissions](/permissions_samples/aws/OnboardMssqlRdsWithDataPermissions.txt).
+5. In order to create FAM classification integration resources such as S3 bucket, SQS, IAM policy etc., use the permissions specified here - [create FAM classification integration resources permissions](/permissions_samples/aws/FAMClassificationIntegrationResourcesPermissions.txt).
 
 **NOTE:** When running the deployment with a custom 'deployment_name' variable, you should ensure that the corresponding condition in the AWS permissions of the user who runs the deployment reflects the new custom variable.</br></br>
 **NOTE:** The permissions specified in option 2 are irrelevant for customers who prefer to use their own network objects, such as VPC, NAT Gateway, Internet Gateway, etc.
@@ -1583,6 +1584,14 @@ Below is a list of possible issues and troubleshooting remediations.
    <td>Connect with SSH to the Sonar node EC2 and fix the aws cli profile misconfiguration. Run, for example, 'aws sts get-caller-identity' to test it.  
    </td>
   </tr>
+  <tr>
+   <td>CipherTrust connection timeout error
+   </td>
+   <td>Error: failed to set auth token Get "https://x.x.x.x/api/v1/system/services/status": dial tcp x.x.x.x:443: connect: operation timed out
+   </td>
+   <td>Check your network configuration. For the 'terraform destroy' command, you can set the enable_ciphertrust variable to false in order to skip the CipherTrust provider connection (in case the CipherTrust provider resources have not been created yet).
+   </td>
+  </tr>
  </table></details>
 <details>
  <summary>Azure issues</summary>

examples/aws/poc/dsf_deployment/README.md

@@ -23,6 +23,7 @@ The deployment is modular and allows users to deploy one or more of the followin
    - Agentless audit sources (RDS instances)
 6. CipherTrust Manager
 7. CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) Agents
+8. FAM classification integration resources (disabled by default)
 
 
 ### Deploying Specific Modules
@@ -87,6 +88,7 @@ Several variables in the `variables.tf` file are important for configuring the d
 - `enable_dam`: Enable DAM sub-product
 - `enable_dra`: Enable DRA sub-product
 - `enable_ciphertrust`: Enable CipherTrust sub-product
+- `create_fam_classification_integration_resources`: Create FAM classification integration resources (disabled by default)
 
 ### Server Count
 - `dra_analytics_count`: Number of DRA Analytics servers

permissions_samples/aws/CreateNetworkResourcesPermissions.txt

@@ -89,6 +89,21 @@
                 }
             }
         },
+        {
+            "Sid": "ec2CreateTagsForDefaultResources",
+            "Effect": "Allow",
+            "Action": "ec2:CreateTags",
+            "Resource": [
+                "arn:aws:ec2:*:*:security-group/*",
+                "arn:aws:ec2:*:*:network-acl/*",
+                "arn:aws:ec2:*:*:route-table/*"
+            ],
+            "Condition": {
+                "StringLike": {
+                    "aws:RequestTag/deployment_name": "imperva-dsf-*"
+                }
+            }
+        },
         {
             "Sid": "RunInstancePermissions",
             "Effect": "Allow",

permissions_samples/aws/FAMClassificationIntegrationResourcesPermissions.txt

@@ -0,0 +1,102 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "S3Permissions",
+      "Effect": "Allow",
+      "Action": [
+        "s3:DeleteBucket",
+        "s3:DeleteObject",
+        "s3:CreateBucket",
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:PutBucketTagging",
+        "s3:PutObjectTagging",
+        "s3:PutObjectVersionTagging",
+        "s3:DeleteAccessPoint",
+        "s3:DeleteObjectVersion",
+        "s3:CreateAccessPoint",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:PutAccountPublicAccessBlock",
+        "s3:PutEncryptionConfiguration",
+        "s3:PutBucketPolicy",
+        "s3:DeleteBucketPolicy",
+        "s3:PutBucketNotification"
+      ],
+      "Resource": [
+        "arn:aws:s3:::imperva-dsf-*",
+        "arn:aws:s3:::imperva-dsf-*/*"
+      ]
+    },
+    {
+        "Sid": "s3GeneralPermissions",
+        "Effect": "Allow",
+        "Action": [
+            "s3:ListBucket",
+            "s3:ListAllMyBuckets",
+            "s3:ListBucketVersions",
+            "s3:GetBucketPolicy",
+            "s3:GetBucketLocation",
+            "s3:GetBucketCORS",
+            "s3:GetBucketWebsite",
+            "s3:GetBucketVersioning",
+            "s3:GetAccelerateConfiguration",
+            "s3:GetBucketRequestPayment",
+            "s3:GetBucketLogging",
+            "s3:GetLifecycleConfiguration",
+            "s3:GetReplicationConfiguration",
+            "s3:GetEncryptionConfiguration",
+            "s3:GetBucketObjectLockConfiguration",
+            "s3:GetObject",
+            "s3:GetBucketAcl",
+            "s3:GetObjectAcl",
+            "s3:GetBucketLocation",
+            "s3:GetBucketTagging",
+            "s3:GetObjectTagging",
+            "s3:GetAccountPublicAccessBlock",
+            "s3:GetBucketPublicAccessBlock",
+            "s3:GetBucketNotification"
+        ],
+        "Resource": [
+            "arn:aws:s3:::imperva-dsf-*",
+            "arn:aws:s3:::imperva-dsf-*/*"
+        ]
+    },
+    {
+      "Sid": "SQSPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue",
+        "sqs:GetQueueAttributes",
+        "sqs:SetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:TagQueue",
+        "sqs:UntagQueue",
+        "sqs:ListQueueTags",
+        "sqs:AddPermission",
+        "sqs:RemovePermission"
+      ],
+      "Resource": [
+        "arn:aws:sqs:*:*:imperva-dsf-*"
+      ]
+    },
+    {
+      "Sid": "IAMPolicyPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreatePolicy",
+        "iam:DeletePolicy",
+        "iam:GetPolicy",
+        "iam:GetPolicyVersion",
+        "iam:ListPolicyVersions",
+        "iam:TagPolicy",
+        "iam:UntagPolicy",
+        "iam:ListPolicyTags"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/imperva-dsf-*"
+      ]
+    }
+  ]
+}