Required permissions for CWP role in the CWP account

ESET Cloud Workload Protection (CWP) uses different IAM roles depending on the deployment model: a single account, or an organization (one role in the management account and one role in each member account).

Single Account Service Role (single account deployment)

The CWP service role (CwppServiceRole) uses a customer managed policy (CwppServicePolicy) that grants only the permissions listed below, rather than a broad AWS managed policy, so that write and delete actions stay scoped to CWP-owned resources. In addition, the AWS managed policy arn:aws:iam::aws:policy/ReadOnlyAccess is attached to this role, enabling read-only access to all AWS resources; ESET Cloud Workload Protection features require this.

CwppServicePolicy permissions for the single account service role:

| Permission Category | Actions | Resources | Purpose |
| --- | --- | --- | --- |
| IAM Access | iam:SimulatePrincipalPolicy | * | CWP checks that the required actions are permitted before running the Live Installer on the client's VMs. |
| SSM Access | ssm:DescribeInstanceInformation, ssm:SendCommand, ssm:GetCommandInvocation | * | CWP checks whether Systems Manager (SSM) is enabled for the instance, runs commands on the client's VMs to install ESET Management Agent with the Live Installer, and retrieves the command execution status. |
| S3 Access | s3:ListAllMyBuckets, s3:ListBucket, s3:GetBucketLocation, s3:GetBucketVersioning, s3:GetBucketTagging, s3:GetObject, s3:GetObjectVersion | * | CWP lists and reads S3 buckets and objects (including AWS CloudTrail log files) to provide S3 storage protection. |
| S3 Access | s3:DeleteBucket, s3:DeleteObject, s3:DeleteObjectVersion, s3:ListBucketVersions | arn:aws:s3:::eset-cwpp-ct-${AWS::AccountId}-${StackUUID}, arn:aws:s3:::eset-cwpp-ct-${AWS::AccountId}-${StackUUID}/* (CWP CloudTrail S3 bucket) | CWP deletes the CWP CloudTrail S3 bucket and its content. |
| CloudTrail | cloudtrail:StartLogging, cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:DescribeTrails | arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/eset-cwpp-cloudtrail (CWP CloudTrail) | CWP starts, stops and deletes the CWP CloudTrail. |
| Organizations Access | organizations:DescribeAccount, organizations:DescribeOrganization | * | CWP retrieves the account details. |
| IAM Access | iam:DeleteRole, iam:DetachRolePolicy, iam:DeleteRolePolicy, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:UpdateAssumeRolePolicy | arn:aws:iam::${AWS::AccountId}:role/CwppServiceRole (CWP service role) | CWP revokes its own access to the customer account during the integration undeploy process. |

Management Account Service Role (organization deployment)

The CWP management service role (CwppManagementServiceRole) uses a customer managed policy (CwppManagementServicePolicy) that grants only the permissions listed below, rather than a broad AWS managed policy, so that write and delete actions stay scoped to CWP-owned resources. In addition, the AWS managed policy arn:aws:iam::aws:policy/ReadOnlyAccess is attached to this role, enabling read-only access to all AWS resources for CSPM features.

CwppManagementServicePolicy permissions for the management account service role:

| Permission Category | Actions | Resources | Purpose |
| --- | --- | --- | --- |
| IAM Access | iam:SimulatePrincipalPolicy | * | CWP checks that the required actions are permitted before running the Live Installer on the client's VMs. |
| SSM Access | ssm:DescribeInstanceInformation, ssm:SendCommand, ssm:GetCommandInvocation | * | CWP checks whether Systems Manager (SSM) is enabled for the instance, runs commands on the client's VMs to install ESET Management Agent with the Live Installer, and retrieves the command execution status. |
| S3 Access | s3:ListAllMyBuckets, s3:ListBucket, s3:GetBucketLocation, s3:GetBucketVersioning, s3:GetBucketTagging, s3:GetObject, s3:GetObjectVersion | * | CWP lists and reads S3 buckets and objects (including AWS CloudTrail log files) to provide S3 storage protection. |
| S3 Access | s3:DeleteBucket, s3:DeleteObject, s3:DeleteObjectVersion, s3:ListBucketVersions | arn:aws:s3:::eset-cwpp-ct-${AWS::AccountId}-${StackUUID}, arn:aws:s3:::eset-cwpp-ct-${AWS::AccountId}-${StackUUID}/* (CWP CloudTrail S3 bucket) | CWP deletes the CWP CloudTrail S3 bucket and its content. |
| CloudTrail | cloudtrail:StartLogging, cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:DescribeTrails | arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/eset-cwpp-cloudtrail (CWP CloudTrail) | CWP starts, stops and deletes the CWP CloudTrail. |
| Organizations Access | organizations:DescribeAccount, organizations:DescribeOrganization | * | CWP retrieves the account details. |
| IAM Access | iam:DeleteRole, iam:DetachRolePolicy, iam:DeleteRolePolicy, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:UpdateAssumeRolePolicy | arn:aws:iam::${AWS::AccountId}:role/CwppManagementServiceRole (CWP management service role) | CWP revokes its own access to the customer account during the integration undeploy process. |

Member Account Service Role (organization deployment)

The CWP member account service role (CwppServiceRole) uses a customer managed policy (CwppServicePolicy) that grants only the permissions listed below, rather than a broad AWS managed policy. The member account service role also has the AWS managed policy arn:aws:iam::aws:policy/ReadOnlyAccess attached, enabling read-only access to all AWS resources for CSPM features.

CwppServicePolicy permissions for the member account service role:

| Permission Category | Actions | Resources | Purpose |
| --- | --- | --- | --- |
| IAM Access | iam:SimulatePrincipalPolicy | * | CWP checks that the required actions are permitted before running the Live Installer on the client's VMs. |
| SSM Access | ssm:DescribeInstanceInformation, ssm:SendCommand, ssm:GetCommandInvocation | * | CWP checks whether Systems Manager (SSM) is enabled for the instance, runs commands on the client's VMs to install ESET Management Agent with the Live Installer, and retrieves the command execution status. |
| S3 Access | s3:ListAllMyBuckets, s3:ListBucket, s3:GetBucketLocation, s3:GetBucketVersioning, s3:GetBucketTagging, s3:GetObject, s3:GetObjectVersion | * | CWP lists and reads S3 buckets and objects (including AWS CloudTrail log files) to provide S3 storage protection. |
| IAM Access | iam:DeleteRole, iam:DetachRolePolicy, iam:DeleteRolePolicy, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:UpdateAssumeRolePolicy | arn:aws:iam::${AWS::AccountId}:role/CwppServiceRole (CWP service role) | CWP revokes its own access to the customer account during the integration undeploy process. |
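The following audit script is an added example, not ESET's code and not part of the CloudFormation stack this page describes. It encodes the three permission sets documented above (single account service role, management account service role, member account service role) as IAM policy statements and performs two checks a reviewer of these roles would want: it lists every non-read-only action granted on Resource "*", and it diffs a policy document exported from AWS against the documented set to catch drift between what the vendor documents and what is actually attached. The account ID, region and StackUUID are constructed placeholders; classifying an action as read-only by its name prefix (Describe, Get, List, Simulate) is a heuristic assumption of this script, not an AWS API. Run as written, it reports that ssm:SendCommand is the only mutating action any of the documented policies grants on "*", which is what allows CWP to run the Live Installer on any SSM-managed instance in the account.

```python
"""Audit the documented CWP role policies (added example; placeholder identifiers)."""
import json

ACCOUNT = "123456789012"   # constructed placeholder for ${AWS::AccountId}
REGION = "eu-west-1"       # constructed placeholder for ${AWS::Region}
STACK_UUID = "abcd1234"    # constructed placeholder for ${StackUUID}

CT_BUCKET = f"arn:aws:s3:::eset-cwpp-ct-{ACCOUNT}-{STACK_UUID}"
CT_TRAIL = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/eset-cwpp-cloudtrail"


def allow(sid, actions, resources):
    """Build one Allow statement in IAM policy-document form."""
    return {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": list(resources)}


# Statements the page documents for all three roles.
COMMON = [
    allow("InstallerPrecheck", ["iam:SimulatePrincipalPolicy"], ["*"]),
    allow("SsmInstall", ["ssm:DescribeInstanceInformation", "ssm:SendCommand",
                         "ssm:GetCommandInvocation"], ["*"]),
    allow("S3Read", ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation",
                     "s3:GetBucketVersioning", "s3:GetBucketTagging", "s3:GetObject",
                     "s3:GetObjectVersion"], ["*"]),
]

# Statements documented only for the roles that own a CWP CloudTrail
# (single account and management account), scoped to the CWP-owned bucket and trail.
CLOUDTRAIL_OWNER = [
    allow("S3Cleanup", ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion",
                        "s3:ListBucketVersions"], [CT_BUCKET, CT_BUCKET + "/*"]),
    allow("CloudTrail", ["cloudtrail:StartLogging", "cloudtrail:StopLogging",
                         "cloudtrail:DeleteTrail", "cloudtrail:DescribeTrails"], [CT_TRAIL]),
    allow("Organizations", ["organizations:DescribeAccount",
                            "organizations:DescribeOrganization"], ["*"]),
]


def undeploy(role_name):
    """Self-scoped statement used to revoke the role itself during undeploy."""
    return allow("Undeploy", ["iam:DeleteRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy",
                              "iam:ListAttachedRolePolicies", "iam:ListRolePolicies",
                              "iam:UpdateAssumeRolePolicy"],
                 [f"arn:aws:iam::{ACCOUNT}:role/{role_name}"])


DOCUMENTED = {
    "single-account CwppServicePolicy": COMMON + CLOUDTRAIL_OWNER + [undeploy("CwppServiceRole")],
    "CwppManagementServicePolicy": COMMON + CLOUDTRAIL_OWNER + [undeploy("CwppManagementServiceRole")],
    "member-account CwppServicePolicy": COMMON + [undeploy("CwppServiceRole")],
}

# Heuristic: actions whose verb starts with one of these are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Simulate")


def grants(statements):
    """Flatten Allow statements into a set of (action, resource) pairs."""
    pairs = set()
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        actions = [s["Action"]] if isinstance(s["Action"], str) else s["Action"]
        resources = [s["Resource"]] if isinstance(s["Resource"], str) else s["Resource"]
        pairs.update((a, r) for a in actions for r in resources)
    return pairs


def wildcard_mutations(statements):
    """Non-read-only actions allowed on Resource '*', sorted for stable output."""
    return sorted(a for a, r in grants(statements)
                  if r == "*" and not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES))


def drift(documented, actual_policy):
    """Compare an exported policy document (dict or JSON string with a
    'Statement' key) against the documented statements.
    Returns (extra grants not documented, documented grants missing)."""
    if isinstance(actual_policy, str):
        actual_policy = json.loads(actual_policy)
    actual = grants(actual_policy["Statement"])
    expected = grants(documented)
    return sorted(actual - expected), sorted(expected - actual)


if __name__ == "__main__":
    for name, statements in DOCUMENTED.items():
        print(f"{name}: mutating actions on '*' = {wildcard_mutations(statements)}")
    # Constructed drifted document: the documented single-account policy plus one undocumented grant.
    drifted = {"Version": "2012-10-17",
               "Statement": DOCUMENTED["single-account CwppServicePolicy"]
               + [allow("Extra", ["s3:PutObject"], ["*"])]}
    print(drift(DOCUMENTED["single-account CwppServicePolicy"], drifted))
```

To check a deployed policy, export it with `aws iam get-policy-version --policy-arn <arn> --version-id <id>` and pass `PolicyVersion.Document` from that output to drift(). The ARNs in a real export contain the concrete account ID, region and StackUUID, so set the placeholders at the top of the script to match before comparing, otherwise every scoped statement is reported as both extra and missing.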