Commit d55b27a

Merge pull request #2561 from EyalGur74/docs-editor/containers-permissions-1772093965
Update containers-permissions.md
2 parents 7451ef3 + 9cfbf73 commit d55b27a

1 file changed

Lines changed: 27 additions & 34 deletions

articles/defender-for-cloud/containers-permissions.md
Original file line number | Diff line number | Diff line change
@@ -44,45 +44,38 @@ The Azure Arc built-in role **Defender Kubernetes Agent Operator** to provision
4444

4545
## AWS Agentless threat protection permissions
4646

47-
- AzureDefenderKubernetesRole:
48-
- sts:AssumeRole
49-
- sts:AssumeRoleWithWebIdentity
50-
- logs:PutSubscriptionFilter
51-
- logs:DescribeSubscriptionFilters
52-
- logs:DescribeLogGroups
53-
- logs:PutRetentionPolicy
54-
- firehose:*
55-
- iam:PassRole
56-
- eks:UpdateClusterConfig
57-
- eks:DescribeCluster
58-
- eks:CreateAccessEntry
59-
- eks:ListAccessEntries
60-
- eks:AssociateAccessPolicy
61-
- eks:ListAssociatedAccessPolicies
62-
- sqs:*
63-
- s3:*
47+
- AzureDefenderKubernetesRole (default role name: **MDCContainersK8sRole**):
6448

65-
- AzureDefenderKubernetesScubaReaderRole (default role name: **MDCContainersK8sDataCollectionRole**):
6649
- sts:AssumeRole
6750
- sts:AssumeRoleWithWebIdentity
68-
- sqs:ReceiveMessage
69-
- sqs:DeleteMessage
70-
- s3:GetObject
71-
- s3:GetBucketLocation
72-
73-
- AzureDefenderCloudWatchToKinesisRole (default role name: **MDCContainersK8sCloudWatchToKinesisRole**):
74-
- sts:AssumeRole
51+
- logs:PutSubscriptionFilter
52+
- logs:DescribeSubscriptionFilters
53+
- logs:DescribeLogGroups
54+
- logs:PutRetentionPolicy
7555
- firehose:*
56+
- iam:PassRole
57+
- eks:UpdateClusterConfig
58+
- eks:DescribeCluster
59+
- eks:CreateAccessEntry
60+
- eks:ListAccessEntries
61+
- eks:AssociateAccessPolicy
62+
- eks:ListAssociatedAccessPolicies
63+
- sqs:*
64+
- s3:*
7665

77-
- AzureDefenderKinesisToS3Role (default role name: **MDCContainersK8sKinesisToS3Role**):
78-
- sts:AssumeRole
79-
- s3:AbortMultipartUpload
80-
- s3:GetBucketLocation
81-
- s3:GetObject
82-
- s3:ListBucket
83-
- s3:ListBucketMultipartUploads
84-
- s3:PutObject
66+
- AzureDefenderKubernetesScubaReaderRole (default role name: **MDCContainersK8sDataCollectionRole**):
67+
- sts:AssumeRole
68+
- sts:AssumeRoleWithWebIdentity
69+
- sqs:ReceiveMessage
70+
- sqs:DeleteMessage
71+
- s3:GetObject
72+
- s3:GetBucketLocation
8573

74+
- AzureDefenderCloudWatchToKinesisRole (default role name: **MDCContainersK8sCloudWatchToKinesisRole**):
75+
- sts:AssumeRole
76+
- firehose:*
77+
78+
- AzureDefenderKinesisToS3Role (default role name: **MDCContainersK8sKinesisToS3Role**):
8679
- MDCContainersAgentlessDiscoveryK8sRole
8780
- sts:AssumeRoleWithWebIdentity
8881
- eks:UpdateClusterConfig
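Review bot: the new `AzureDefenderKinesisToS3Role (default role name: **MDCContainersK8sKinesisToS3Role**):` entry at new line 78 ends with a colon but has no permission list beneath it; the seven permissions deleted with the old block at old lines 77-84 (sts:AssumeRole, s3:AbortMultipartUpload, s3:GetBucketLocation, s3:GetObject, s3:ListBucket, s3:ListBucketMultipartUploads, s3:PutObject) are not re-added anywhere in this hunk, which is also what the 27 additions against 34 deletions count reflects. Re-add those items under the new heading, followed by a blank line before `- MDCContainersAgentlessDiscoveryK8sRole` so the two role entries do not run together. Separately, new line 48 leaves a blank line between `- AzureDefenderKubernetesRole (default role name: **MDCContainersK8sRole**):` and its first permission `- sts:AssumeRole`, which none of the other three role entries have; if the permissions are nested list items, Markdown may render them as a separate list, so drop that blank line for consistency.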
@@ -179,4 +172,4 @@ The following tables show the permissions granted to certain Defender for Contai
179172

180173
## Next steps
181174

182-
- [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md)
175+
- [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md)
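Review bot: the removed line (old line 182) and the added line (new line 175) of the Next steps link are character-for-character identical in the rendered diff, so this hunk is most likely a trailing-whitespace or line-ending change; confirm it is intentional (for example adding a missing final newline) rather than editor noise, since whitespace-only hunks clutter blame history.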