Logging and Permissions

Details on Log Groups and Console + Agent Permissions

Platform Services

While many services are used (ECS Fargate, App Config, CloudWatch, CloudFormation, DynamoDB, SNS, SQS, IAM) to deliver the Antivirus for Amazon S3 solution, two will be called out here. CloudWatch and IAM are leveraged for logging and permissions respectively. These are the usual questions we get from customers:

How do I check the logs?
What are you doing behind the scenes (permissions wise)?

We wanted to make sure you had those bases covered with the information below.

CloudWatch Log Group Overview

Log groups for the Console

Console.AgentConfig

Logs of changes to agent configuration performed through the console.

2020-08-19T23:01:08.246-06:00 2020-08-20 05:01:08.2466|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'ap-northeast-1': {"region":"ap-northeast-1","vpcId":"vpc-6902080e","subnets":[{"subnetId":"subnet-1673ac3d","availabilityZone":"ap-northeast-1d","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-bd66b2f5","availabilityZone":"ap-northeast-1a","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.322-06:00 2020-08-20 05:01:08.3225|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'eu-west-3': {"region":"eu-west-3","vpcId":"vpc-e9677880","subnets":[{"subnetId":"subnet-232b114a","availabilityZone":"eu-west-3a","cidrBlock":"172.31.0.0/20"},{"subnetId":"subnet-266a0c6b","availabilityZone":"eu-west-3c","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.409-06:00 2020-08-20 05:01:08.4092|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-1': {"region":"us-west-1","vpcId":"vpc-1c55a17a","subnets":[{"subnetId":"subnet-b8c563de","availabilityZone":"us-west-1b","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-3c59aa66","availabilityZone":"us-west-1a","cidrBlock":"172.31.0.0/20"}]}
2020-08-19T23:01:08.490-06:00 2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2': 
{
    "region": "us-west-2",
    "vpcId": "vpc-2f007457",
    "subnets": [
        {
            "subnetId": "subnet-f6f91abc",
            "availabilityZone": "us-west-2a",
            "cidrBlock": "172.31.32.0/20"
        },
        {
            "subnetId": "subnet-f0408688",
            "availabilityZone": "us-west-2b",
            "cidrBlock": "172.31.16.0/20"
        }
    ]
}
2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2': {"region":"us-west-2","vpcId":"vpc-2f007457","subnets":[{"subnetId":"subnet-f6f91abc","availabilityZone":"us-west-2a","cidrBlock":"172.31.32.0/20"},{"subnetId":"subnet-f0408688","availabilityZone":"us-west-2b","cidrBlock":"172.31.16.0/20"}]}

Console.AuditLogging

Logs audit trail entries for security-relevant user actions in the Console.

2026-03-25 21:29:21.3817|INFO|AuditLogging|Event: UserSignIn
User: admin
Details: User 'admin' signed in with password

Console.Buckets

Logs of changes to bucket protection status and any errors that may occur while trying to turn on/off buckets.

2020-08-13T10:31:12.309-06:00 2020-08-13 16:31:12.3094|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files' 
2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T10:47:56.726-06:00 2020-08-13 16:47:56.7262|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:59:48.397-06:00 2020-08-13 16:59:48.3969|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T11:36:53.512-06:00 2020-08-13 17:36:53.5125|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket'
2020-08-13T11:36:56.921-06:00 2020-08-13 17:36:56.9212|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket-2'
2020-08-13T12:26:51.700-06:00 2020-08-13 18:26:51.7006|INFO|Buckets|Turned on protection for bucket 'css-webinar-existing-files'
2020-08-13T12:27:18.104-06:00 2020-08-13 18:27:18.1044|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-17T15:53:25.588-06:00 2020-08-17 21:53:25.5884|INFO|Buckets|Turned off protection for bucket '100kb-bucket'
2020-08-17T15:53:25.755-06:00 2020-08-17 21:53:25.7552|INFO|Buckets|Turned off protection for bucket 'demo-destination-bucket'

Console.BlobContainers

Logs Azure Blob Container discovery and management operations.

2026-04-13 19:21:42.5627|INFO|BlobContainers|Starting Blob Containers collection
2026-04-13 19:22:04.0511|INFO|BlobContainers|Finished Blob Containers collection. Total time (ms): 21488, Total containers collected: 8. Deleted: 0
2026-04-13 19:51:42.3017|INFO|BlobContainers|Starting Blob Containers collection
2026-04-13 19:52:02.6331|INFO|BlobContainers|Finished Blob Containers collection. Total time (ms): 20331, Total containers collected: 8. Deleted: 0

Console.EbsVolumes

Logs EBS volume scanning configuration and discovery.

2026-04-13 19:54:34.6136|INFO|EbsVolumes|Updated EBS volume details for account 
2026-04-13 19:54:35.1187|ERROR|EbsVolumes|System.Net.Http.HttpRequestException: No route to host (ec2.me-south-1.amazonaws.com:443)
 ---> System.Net.Sockets.SocketException (113): No route to host
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)

Console.EfsVolumes

Logs EFS volume scanning configuration and discovery.

2026-04-13 20:59:26.7799|INFO|EfsVolumes|Updated EFS volume details for account 
2026-04-13 21:01:05.8560|ERROR|EfsVolumes|Timed out while trying to describe EFS volumes in 'me-south-1'|System.TimeoutException: A task was canceled.
 ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)

Console.EcsConfig

Logs of actions taken to enable or disable Agents in a region. This includes creation of clusters, task definitions, services, sns topics, sqs queues, quarantine buckets, and autoscaling policies.

2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Setting Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Set Large Queue threshold to '1' in ap-northeast-1 
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Setting Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:58.631-06:00 2020-08-21 19:19:58.6311|INFO|EcsConfig|Setting Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:19:58.908-06:00 2020-08-21 19:19:58.9080|INFO|EcsConfig|Set Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:20:09.553-06:00 2020-08-21 19:20:09.5536|INFO|EcsConfig|Setting Min and Max agents to '0' and '1' respectively in us-east-1
2020-08-21T13:20:09.826-06:00 2020-08-21 19:20:09.8262|INFO|EcsConfig|Set Min and Max agents to '0' and '1' respectively in us-east-1

Console.Error

Logs of when activities and actions intitiated by the Console encounter an error.

2025-04-18 19:54:25.5953|ERROR|Buckets|Error trying to track newly discovered bucket 'blocked-bucket' in account '123456789/Primary'|Amazon.S3.AmazonS3Exception: User: arn:aws:sts::123456789:assumed-role/CloudStorageSecConsoleRole-abcdefg/3558581af7224d5289fbc82a18ec0444 is not authorized to perform: s3:GetBucketLocation on resource: "arn:aws:s3:::blocked-bucket" with an explicit deny in a resource-based policy

Console.FsxVolumes

Logs of when activities and actions intitiated by the Console encounter an error.

2025-04-18 19:54:25.5953|ERROR|Buckets|Error trying to track newly discovered bucket 'blocked-bucket' in account '123456789/Primary'|Amazon.S3.AmazonS3Exception: User: arn:aws:sts::123456789:assumed-role/CloudStorageSecConsoleRole-abcdefg/3558581af7224d5289fbc82a18ec0444 is not authorized to perform: s3:GetBucketLocation on resource: "arn:aws:s3:::blocked-bucket" with an explicit deny in a resource-based policy

Console.GcpBuckets

Logs GCP bucket disvovery and management operations.

2026-04-08 05:20:25.4175|INFO|GcpBuckets|Starting GcpBucketsDiscoveryService

Console.Metering

Logs of when metering is submitted, and any errors that may occur during metering.

2020-08-21T14:03:01.665-06:00 2020-08-21 20:03:01.6647|INFO|Metering|Metering submitted at 08/21/2020 20:03:01 for Dimension FreeTrial and Quantity 43
2020-08-21T15:03:00.950-06:00 2020-08-21 21:03:00.9503|INFO|Metering|Metering submitted at 08/21/2020 21:03:00 for Dimension FreeTrial and Quantity 43
2020-08-21T16:03:00.108-06:00 2020-08-21 22:03:00.1084|INFO|Metering|Metering submitted at 08/21/2020 22:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T17:03:00.290-06:00 2020-08-21 23:03:00.2903|INFO|Metering|Metering submitted at 08/21/2020 23:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T18:03:00.539-06:00 2020-08-22 00:03:00.5393|INFO|Metering|Metering submitted at 08/22/2020 00:03:00 for Dimension FreeTrial and Quantity 1
2020-08-21T19:03:00.782-06:00 2020-08-22 01:03:00.7815|INFO|Metering|Metering submitted at 08/22/2020 01:03:00 for Dimension GoFwdTier1 and Quantity 0

Console.Metrics

Logs of when cache for Console dashboard chart data is updated.

2020-08-21T13:19:01.171-06:00 2020-08-21 19:19:01.1714|INFO|Metrics|Getting chart values for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:08.774-06:00 2020-08-21 19:19:08.7737|INFO|Metrics|Updated cache for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:09.932-06:00 2020-08-21 19:19:09.9316|INFO|Metrics|Getting chart values for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.971-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Updated cache for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.972-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.566-06:00 2020-08-21 19:19:10.5661|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.678-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Updated cache for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.679-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.680-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:11.355-06:00 2020-08-21 19:19:11.3548|INFO|Metrics|Updated cache for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10

Console.Notifications

Logs notification configuration changes and dispatch events from the Console.

2025-09-19 00:58:09.9152|ERROR|Notifications|Error trying to get security hub findings: Amazon.SecurityHub.Model.InvalidInputException: InvalidInputException: Invalid NextToken: Input Query has changed

Console.RetroScan

Logs of when retro scanning starts and finishes per bucket as well as when queue entries are added.

2020-08-13T11:37:05.123-06:00 2020-08-13 17:37:05.1233|INFO|RetroScan|Starting to crawl bucket 'webinar-other-account-bucket-2' in region 'us-east-1' for account '7xxxxxxxxxx7'
2020-08-13T11:37:05.187-06:00 2020-08-13 17:37:05.1871|INFO|RetroScan|Fetching next set of objects from 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T11:37:05.247-06:00 2020-08-13 17:37:05.2463|INFO|RetroScan|Finished crawling bucket 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T12:26:59.689-06:00 2020-08-13 18:26:59.6883|INFO|RetroScan|Starting to crawl bucket 'css-webinar-existing-files' in region 'us-east-1' for account '7xxxxxxxxxx8'
2020-08-13T12:26:59.712-06:00 2020-08-13 18:26:59.7125|INFO|RetroScan|Fetching next set of objects from 'css-webinar-existing-files' in region 'us-east-1'
2020-08-13T12:26:59.774-06:00 2020-08-13 18:26:59.7742|INFO|RetroScan|Sending message to queue 'https://sqs.us-east-1.amazonaws.com/7xxxxxxxxxx8/CloudStorageSecRetroQueu

Console.ScheduledScans

Logs scheduled AV scan job configuration and trigger events.

2026-04-13 06:00:00.0011|INFO|ScheduledScans|Running schedule 'Daily Scan of Files' now.
2026-04-13 06:00:00.0011|INFO|ScheduledScans|Running scheduling 'Daily Scan of Files'
2026-04-13 06:00:00.0484|INFO|ScheduledScans|Refreshing resources on schedule 'Daily Scan of Files'

Console.ScheduledClassifications

Logs scheduled Classification scan job configuration and trigger events.

2026-04-11 23:59:59.9986|INFO|ScheduledClassifications|Running schedule '2dca14ac-b10e-44ef-b3b4-f8598ae8d354 - One time scan'
2026-04-12 00:02:06.9281|INFO|ScheduledClassifications|Run schedule '2dca14ac-b10e-44ef-b3b4-f8598ae8d354 - One time scan'
2026-04-12 00:02:08.1615|INFO|ScheduledClassifications|Saving modified schedule '2dca14ac-b10e-44ef-b3b4-f8598ae8d354 - One time scan'

Console.StorageAssessment

Logs storage assessment orchestration and result processing from the Console.

2026-03-11 19:18:18.2443|INFO|StorageAssessment|y6uajej - dontscanme-lfs-on-fargate-test-eu-1 has had inventory config deleted
2026-03-11 19:18:18.5769|INFO|StorageAssessment|y6uajej - dcapiscanningresults has had inventory config deleted
2026-03-11 19:18:19.0328|INFO|StorageAssessment|y6uajej - telavivlargefiles has had inventory config deleted
2026-03-11 19:18:19.4330|INFO|StorageAssessment|y6uajej - css-bucket-stockholm-01 has had inventory config deleted

Console.Subdomain

Logs of each time the console is assigned a new IP and when the subdomain is renamed.

2020-08-17T13:03:28.291-06:00 2020-08-17 19:03:28.2911|INFO|Subdomain|Updating IP address for console subdomain
2020-08-17T13:03:32.106-06:00 2020-08-17 19:03:32.1056|INFO|Subdomain|Updated IP address for console subdomain
2020-08-17T13:16:49.080-06:00 2020-08-17 19:16:49.0797|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:13.256-06:00 2020-08-17 19:26:13.2559|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:20.703-06:00 2020-08-17 19:26:20.7027|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:07.726-06:00 2020-08-17 19:28:07.7258|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:10.089-06:00 2020-08-17 19:28:10.0888|INFO|Subdomain|Setting console subdomain to 'preview'
2020-08-17T13:28:13.710-06:00 2020-08-17 19:28:13.7098|INFO|Subdomain|Set console subdomain to 'preview'

Console.System

Logs of general Console system information and errors and the return of the entitlement verification.

2020-08-21T13:25:58.374-06:00 2020-08-21 19:25:58.3713|INFO|System|Entitlement Verified.

Console.Updates

Logs of what updates are available and when an update is being performed.

2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecAgentService-pk913wa
2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|CloudStorageSecAgentService-pk913wa is version v3.01.003
2020-08-21T13:19:00.533-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecConsoleService-pk913wa
2020-08-21T13:19:00.585-06:00 2020-08-21 19:19:00.5847|INFO|Updates|CloudStorageSecConsoleService-pk913wa is version v3.02.005
2020-08-21T13:19:00.586-06:00 2020-08-21 19:19:00.5865|INFO|Updates|Looking for minor or patch update of CloudStorageSecAgentService-pk913wa greater than v3.01.003
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|Looking for minor or patch update of CloudStorageSecConsoleService-pk913wa greater than v3.02.005
2020-08-21T13:19:00.664-06:00 2020-08-21 19:19:00.6644|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.665-06:00 2020-08-21 19:19:00.6644|INFO|Updates|Looking for major update greater than v3.02.005
2020-08-21T13:19:00.685-06:00 2020-08-21 19:19:00.6853|INFO|Updates|No major update available

Console.Users

Logs of all user activity including user creates/deletes, password resets, role changes.

2020-06-17T12:44:19.526-06:00 2020-06-17 18:44:19.5262|INFO|Users|Password changed for user 'admin'.
2020-06-17T20:06:32.240-06:00 2020-06-18 02:06:32.2403|INFO|Users|User 'aaron' created.
2020-06-17T23:57:25.905-06:00 2020-06-18 05:57:25.9051|INFO|Users|User 'ed' created.
2020-06-17T23:58:41.204-06:00 2020-06-18 05:58:41.2038|INFO|Users|Password changed for user 'ed'.
2020-06-17T23:58:58.252-06:00 2020-06-18 05:58:58.2527|INFO|Users|Submitted forgot password request for ed
2020-06-18T00:00:17.405-06:00 2020-06-18 06:00:17.4055|INFO|Users|Password reset for user 'ed'.

Log groups for the Agent

Agent.ClassificationResults

Records the outcome of each individual data classification scan, split into four streams: matching, non-matching, error, and unclassifiable.

2026-01-31 01:09:22.3268|INFO|ClassifyDiscoveredFilesJob_2026-01-31T00:01:56.7619987Z|NonMatchingClassificationResults|
{
    "date": "2026-01-31",
    "guid": "c909804b-0348-46f2-b6be-8ad248c18d13",
    "dateTime": "2026-01-31T01:09:22.2996548Z",
    "scanningAgentId": null,
    "accountId": "",
    "region": "us-east-1",
    "container": "classification-scaling",
    "objectPath": "740_SourceCodeExample.docx",
    "processedSize": 5616,
    "innerFilePath": null,
    "textMatchingSet": [],
    "error": null,
    "resultType": "NonMatching",
    "isUnscannable": false,
    "resultKind": "NotApplicable",
    "result": 0,
    "accountIdResultType": "#0",
    "dateScanned": "2026-01-31T01:09:22.2996548Z",
    "message": [
        null
    ],
    "trueFileType": "Unknown",
    "isMatch": false,
    "isError": false
}

Agent.ClassificationStatistics

Logs aggregated per-bucket data classification object and byte counts, flushed on a configurable checkpoint interval.

2026-01-31 01:03:47.6242|INFO|ClassifyDiscoveredFilesJob_2026-01-31T00:01:56.7619987Z|ClassificationStatistics|
{
    "bucketName": "classification-scaling",
    "date": "2026-01-31T00:00:00Z",
    "accountId": "",
    "appId": "",
    "numObjectsClassified": 5545,
    "numObjectsClassifiedMatching": 2075,
    "numObjectsClassifiedNonMatching": 3470,
    "numObjectsClassifiedError": 0,
    "numFilesClassifiedMatching": 2765,
    "numFilesClassifiedNonMatching": 4848,
    "numFilesClassifiedError": 0,
    "numObjectsClassifiedUnclassifiable": 0,
    "totalBytesClassified": 2957222491
}

Agent.Jobs

Logs job lifecycle events: creation, config, progress, and completion across both AV and Classification jobs.

2026-04-13 21:14:55.1873|INFO|ScanQueueJob_2026-04-13T21:12:46.5062498Z|Jobs|Gathering Remote Store Agent Config

Agent.Notifications

Logs outbound notifications sent to SNS topics, webhooks, and SecurityHub.

2025-10-20 07:49:18.3383|ERROR||Notifications|Unable to refresh subscriptions cache. Amazon.SimpleNotificationService.Model.InternalErrorException: Request could not be completed

Agent.ScanConfig

Scan settings for the agent.

Settings include, but are not limited to:

Tags for the objects scanned
Actions taken on objects
Scan and skip lists
Bucket handling configuration
Classification Rules configuration for DLP

Note that the following snippet below has been shortened for brevity.

2024-07-23 18:07:31.9485|INFO|ScanConfig|
{
    "scanTaggingEnabled": true,
    "scanTagsExcluded": [],
    "classificationTaggingEnabled": true,
    "classificationTagsExcluded": [],
    "objectTagKeys": {
        "result": "scan-result",
        "dateScanned": "date-scanned",
        "virusName": "virus-name",
        "virusUploadedBy": "uploaded-by",
        "errorMessage": "message",
        "classificationResult": "classification-result",
        "dateClassified": "date-classified",
        "classificationMatches": "classification-matches",
        "classificationErrorMessage": "classification-message"
    },
    "quarantine": {
        "action": "Move",
        "moveBucketPrefix": "cloudstoragesecquarantine-aocxfe6"
    },
    "scanList": {},
    "skipList": {},
    "classifyList": {},
    "classifySkipList": {},
    "avEventProtectedBuckets": [
        "my-bucket"
    ],
    "classificationCustomRulesLastUpdated": "0001-01-01T00:00:00.0000000Z",
    "classificationRuleSets": {
        "canadian health service": [
            "PersonalhealthnumberBCCanada",
            "PersonalhealthnumberBCnearDOBCanada"
        ],
        "document classification": [
            "ConfidentialdocumentmarkersAustralia",
            "ConfidentialdocumentmarkersBelgium"
        ]
    },
    "dcEventBucketRuleSets": {},
    "dcScheduledBucketRuleSets": {},
    "efsClassificationRuleSets": {},
    "ebsClassificationRuleSets": {},
    "fsxClassificationRuleSets": {},
    "twoBucketConfig": {
        "regions": {},
        "buckets": {
            "my-bucket": {
                "destinationBucket": "destination-bucket"
            }
        }
    }
}

Agent.ScanResults

Scan results for clean, infected, error, or unscannable files.

Infected:

2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|{"guid":"e132dc70-4582-476a-bb52-c57425c9792e","dateScanned":"2020-08-24T21:15:32.7952943Z","bucketName":"demo-destination-bucket","key":"virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip","scanResult":"Infected","actionTaken":"Move","detectedVirus":"Win.Test.EICAR_HDB-1","virusUploadedBy":"AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer","errorMessage":"","fileExists":true,"movedTo":"cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}

2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|
{
    "guid": "e132dc70-4582-476a-bb52-c57425c9792e",
    "dateScanned": "2020-08-24T21:15:32.7952943Z",
    "bucketName": "demo-destination-bucket",
    "key": "virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip",
    "scanResult": "Infected",
    "actionTaken": "Move",
    "detectedVirus": "Win.Test.EICAR_HDB-1",
    "virusUploadedBy": "AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer",
    "errorMessage": "",
    "fileExists": true,
    "movedTo": "cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1",
    "region": "us-east-1",
    "accountId": "7xxxxxxxxxxx8"
}

Clean:

2020-08-24T15:15:33.243-06:00 2020-08-24 21:15:33.2432|INFO|CleanScanResults|{"guid":"5cab2514-5982-4323-bdbc-77540dca973d","dateScanned":"2020-08-24T21:15:33.186175Z","bucketName":"demo-destination-bucket","key":"1mb/xglRNavTNgA67qim_temp_1mb_file94857.txt","scanResult":"Clean","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}

2020-08-24T15:15:33.344-06:00 2020-08-24 21:15:33.3444|INFO|CleanScanResults|
{
    "guid": "b589b129-ac54-493c-886c-30016899f3b9",
    "dateScanned": "2020-08-24T21:15:33.2737108Z",
    "bucketName": "demo-destination-bucket",
    "key": "1mb/xRP72vFa1Ays2Qr9_temp_1mb_file94075.txt",
    "scanResult": "Clean",
    "actionTaken": "None",
    "detectedVirus": "",
    "virusUploadedBy": "",
    "errorMessage": "",
    "fileExists": true,
    "movedTo": "",
    "region": "us-east-1",
    "accountId": "7xxxxxxxxxxx8"
}

Error:

2020-08-24T15:15:00.132-06:00 2020-08-24 21:15:00.1314|INFO|ErrorScanResults|{"guid":"5806ced2-688a-45d0-a2cb-71717176e66e","dateScanned":"2020-08-24T21:14:59.6058615Z","bucketName":"webinar-other-account-bucket-2","key":"ConsoleCloudFormationTemplate.yaml","scanResult":"Error","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"Unable to access the remote account.","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx7"}

2020-08-24T15:15:00.206-06:00 2020-08-24 21:15:00.2055|INFO|ErrorScanResults|
{
    "guid": "c95dfbb1-2853-49e1-ace9-c2ae05bbf32a",
    "dateScanned": "2020-08-24T21:14:59.6058615Z",
    "bucketName": "webinar-other-account-bucket-2",
    "key": "ConsoleCloudFormationTemplate.yaml",
    "scanResult": "Error",
    "actionTaken": "None",
    "detectedVirus": "",
    "virusUploadedBy": "",
    "errorMessage": "Unable to access the remote account.",
    "fileExists": true,
    "movedTo": "",
    "region": "us-east-1",
    "accountId": "7xxxxxxxxxx7"
}

Agent.ScanStatistics

Every-hour statistics of an agents activity for each bucket being monitored. These include the number of files scanned, the number of clean/infected/error files, and the total bytes scanned.

2020-08-24T15:47:05.224-06:00 2020-08-24 21:47:05.2239|INFO|ScanStatistics|
{
    "bucketName": "preview-destination-bucket",
    "accountId": "7xxxxxxxxxx8",
    "numFilesScanned": 98,
    "numCleanFiles": 95,
    "numInfectedFiles": 3,
    "numErrors": 0,
    "totalBytesScanned": 9500560
}

Agent.StorageAssessment

Every-hour statistics of an agents activity for each bucket being monitored. These include the number of files scanned, the number of clean/infected/error files, and the total bytes scanned.

2020-08-24T15:47:05.224-06:00 2020-08-24 21:47:05.2239|INFO|ScanStatistics|
{
    "bucketName": "preview-destination-bucket",
    "accountId": "7xxxxxxxxxx8",
    "numFilesScanned": 98,
    "numCleanFiles": 95,
    "numInfectedFiles": 3,
    "numErrors": 0,
    "totalBytesScanned": 9500560
}

Agent.SystemEvents

Logs of general Agent system information and errors.

2020-08-24T15:24:35.368-06:00 2020-08-24 21:24:35.3568|INFO|SystemEvents|{"event":"Scanner Started","details":"Scanner is online and able to process files. ClamAV 0.102.3/25909/Mon Aug 24 13:26:24 2020","instanceId":"arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e","eventDate":"2020-08-24T21:24:35.2518636Z"}

2020-08-24T15:28:09.355-06:00 2020-08-24 21:28:09.3554|INFO|SystemEvents|
{
    "event": "Scanner Stopped",
    "details": "Scanner is going offline.",
    "instanceId": "arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e",
    "eventDate": "2020-08-24T21:28:09.3554279Z"
}

Log groups for ECS

As of version 6.06 we enable ECS logging by default. These logs will be shown in the following log groups.

For each of these log groups you will see your seven character application ID in the title of each log group as noted below by the AppID between the ECS and type of ECS service the log is for.

ECS.AppID.API

Log groups related to the ECS API Agent Service

ECS.AppID.Console

Log groups related to the ECS Console Service

ECS.AppID.AVEvent

Log groups related to the ECS AV Event Agent Service

ECS.AppID.DCEvent

Log groups related to the ECS DC Event Agent Service

ECS.AppID.LargeFile

Log groups related to the Large File scan jobs

IAM Permissions Review

We have been able to simplify the management and delivery of the solution such that there are very few tasks the administrator is required to perform inside the AWS Console. As a result, the Console and EventAgent have a number of permissions assigned to them within their respective roles to allow them to perform the actions needed on your behalf. In all cases, we went with a least privilege model wherever possible. There are a few instances where we have assigned * when it is required. Below you will find a review of the two IAM Roles we create and assign to the Console and scanning Agents.

Please review and Contact Us if you have any questions we can clear up for you.

The permission descriptions below follow the format:

- system-name
    - permission 1
        - reason it is needed
    - ...
        - reason it is needed
    - permission n
        - reason it is needed

Console Roles (All Resources)

* application-autoscaling
    * PutScalingPolicy
        * For attaching auto scaling policies to the Agent services
    * RegisterScalableTarget
        * For allowing Agent services to be scalable
* aws-marketplace
    * MeterUsage
        * For submitting application data usage
* cloudwatch
    * GetMetricStatistics
        * For getting bucket size information
* ec2
    * CreateSecurityGroup
        * For creating a security group for the Agent services
    * DescribeNetworkInterfaces
        * For getting the IP of the new Console after an update has been applied
    * DescribeSubnets
        * For getting the list of subnets for Agent service configuration
    * DescribeVpcs
        * For getting the list of VPCs for Agent service configuration
* ecs
    * CreateCluster
        * For creating clusters in regions other than the region the console is in, for Agent services in those regions
    * DescribeTaskDefinition
        * For checking the current version of the Console and Agents
    * DescribeTasks
        * For getting the details of a new console task while applying updates
    * ListTasks
        * For getting the list of running console tasks while applying updates
    * RegisterTaskDefinition
        * For creating new Agent services and applying updates to the Console and Agents
* logs (all of the below are needed for creating and monitoring cloudwatch logs)
    * CreateLogStream
    * DescribeLogGroups
    * DescribeLogStreams
    * GetLogEvents
    * GetLogRecord
    * GetQueryResults
    * PutLogEvents
    * StartQuery
    * StopQuery
* s3
    * CreateBucket
        * For creating a quarantine bucket in each region that has protected buckets
    * GetBucketAcl
        * For checking if a bucket is public
    * GetBucketLocation
        * For finding the region of the bucket
    * GetBucketNotification
        * For detecting events attached to the bucket
    * GetBucketPolicy
        * For checking if a bucket is public
    * GetBucketPolicyStatus
        * For checking if a bucket is public
    * GetObjectAcl
        * For checking if objects are public
    * ListAllMyBuckets
        * For listing buckets in the Console
    * ListBucket
        * For identifying files to scan
    * PutBucketAcl
        * For making buckets non-public
    * PutBucketNotification
        * For setting events on buckets to enable protection
    * PutBucketPolicy
        * For making buckets non-public
    * PutBucketPublicAccessBlock
        * For making buckets non-public
    * PutObjectAcl
        * For making objects non-public
* sns
    * ListSubscriptions
        * For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
    * ListSubscriptionsByTopic
        * For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
    * ListTopics
        * For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
    * Subscribe
        * For subscribing the CloudStorageSec SQS Queue to a SNS Topic
    * Unsubscribe
        * For unsubscribing the CloudStorageSec SQS Queue from a SNS Topic
* ssm
    * CreateDocument
        * For creating the initial AppConfig document for CloudStorageSec Agents
    * ListDocuments
        * For creating the initial AppConfig document for CloudStorageSec Agents

Console Permissions (Targeted Resources)

* appconfig
    * CreateConfigurationProfile
        * For one-time creation of Configuration Profile for CloudStorageSec Agents
    * ListConfigurationProfiles
        * For retreiving the Configuration Profile ID upon Console startup
    * StartDeployment
        * For deploying new version of Agent configuration
* cloudwatch
    * PutMetricAlarm
        * For creating Agent autoscaling alarm based on SQS queue size
* dynamodb (all of the below are needed for various dynamodb operations on CloudStorageSec tables)
    * DeleteItem
    * DescribeTable
    * GetItem
    * PutItem
    * Query
    * Scan
    * UpdateItem
* ecr
    * ListImages
        * For checking if there are new versions of the Console or Agent available
* ecs
    * CreateService
        * For creating the Agent service in a region that did not previously have any protected buckets
    * DescribeClusters
        * For checking if a cluster for Agents already exists in a given region
    * DescribeServices
        * For checking if the Agent service already exists in a given cluster
    * UpdateService
        * For updating the Console or Agent service(s) to point at a new application version
* iam
    * PassRole
        * For assigning the appropriate role to the created AppConfig Document
* sns
    * AddPermission
        * For allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
    * CreateTopic
        * For creating the CloudStorageSec SNS Topic
    * SetTopicAttributes
        * For attaching the policy allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
* sqs
    * CreateQueue
        * For creating the CloudStorageSec SQS Queue
    * GetQueueAttributes
        * For getting the ARN and current Policy of the CloudStorageSec SQS Queue
    * SendMessage
        * For adding messages to the CloudStorageSec SQS Queue
    * SendMessageBatch
        * For batch adding messages to the CloudStorageSec SQS Queue 
    * SetQueueAttributes
        * For setting the Policy
* ssm (all of the below are for updating the Agent config document)
    * DescribeDocument
    * GetDocument
    * UpdateDocument

Agent Permissions (All Resources)

* appconfig (all of the below are for requesting an Agent config deployment)
    * ListApplications
    * ListDeploymentStrategies
* s3
    * DeleteObject
        * For deleting infected objects
    * GetObject
        * For getting objects to scan
    * GetObjectTagging
        * For getting current tags of an object (needed when moving objects to quarantine)
    * ListBucket
        * For listing objects in a bucket
    * PutObject
        * For copying object to quarantine
    * PutObjectAcl
        * For copying object ACLs to quarantine
    * PutObjectTagging
        * For tagging objects with scan results (and when moving an object to quarantine)
* ssm
    * ListDocuments
        * For requesting an Agent config deployment

Agent Permissions (Targeted Resources)

* appconfig (the below are for receiving Agent configuration)
    * GetApplication
    * GetConfiguration
    * GetConfigurationProfile
    * GetDeploymentStrategy
    * GetEnvironment
    * ListConfigurationProfiles
    * ListDeployments
    * ListEnvironments
* dynamodb (the below are for submitting agent scan data into the Agent tables for the console)
    * DescribeTable
    * PutItem
    * UpdateItem
* logs (the below are needed for creating cloudwatch logs)
    * CreateLogStream
    * DescribeLogGroups
    * PutLogEvents
* sqs (the below are for processing the CloudStorageSec SQS queue)
    * DeleteMessage
    * GetQueueAttributes
    * ReceiveMessage
* ssm
    * GetDocument
        * For accessing the app config document for Agent configuration

Permissions Policies

Console Role

Trust Relationships

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "ecs-tasks.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Console Role Customer Inline Policies

PoliciesCreation

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:TagPolicy",
                "iam:UntagPolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:ListPolicyVersions",
                "iam:CreatePolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-EC2-Management-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Infrastructure-Management-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Logging-And-Monitoring-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Application-Resources-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Security-And-Access-Policy"
            ],
            "Effect": "Allow",
            "Sid": "IAMCSSPoliciesAction"
        }
    ]
}

ApiLb

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAccountAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllResources"
        },
        {
            "Action": [
                "elasticloadbalancing:Create*",
                "elasticloadbalancing:Delete*",
                "elasticloadbalancing:Modify*",
                "elasticloadbalancing:*Tags",
                "elasticloadbalancing:SetSubnets",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:listener/*/*{console-appid}/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/*/*{console-appid}/*",
                "arn:aws:elasticloadbalancing:*:*:targetgroup/*i{console-appid}/*",
                "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
            ],
            "Effect": "Allow",
            "Sid": "RestrictedResources"
        }
    ]
}

AwsLicensing

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "license-manager:CheckoutLicense",
                "license-manager:ListReceivedLicenses"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllResources"
        }
    ]
}

CloudTrailLake

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudtrail:*DataStore*",
                "cloudtrail:*Quer*",
                "cloudtrail:*Channel*",
                "cloudtrail-data:*Audit*",
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:GetUser"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudTrail"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "cloudtrail.amazonaws.com"
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PassRole"
        }
    ]
}

Console Role Customer Managed Policies

Application-Resources-Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:DeleteBucket",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging"
            ],
            "Resource": [
                "arn:aws:s3:::{applicaction-Bucket}",
                "arn:aws:s3:::{applicaction-Bucket}/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudStorageSecS3Bucket"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:ListBucket",
                "s3:PutLifecycleConfiguration",
                "s3:PutEncryptionConfiguration",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectAttributes",
                "s3:PutObjectTagging",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersion",
                "s3:DeleteObjectVersionTagging",
                "s3:DeleteBucketPolicy",
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::{quarantine-Bucket}-*"
            ],
            "Effect": "Allow",
            "Sid": "CloudStorageSecS3QuarantineBucket"
        },
        {
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:CreateTable",
                "dynamodb:DeleteItem",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTagsOfResource",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "dynamodb:UpdateContinuousBackups",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:{Aws-Region}:{AwsAccount}:table/{appId}.*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDb"
        },
        {
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteQueue",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "sqs:SetQueueAttributes",
                "sqs:SendMessage",
                "sqs:TagQueue",
                "sqs:ReceiveMessage",
                "sqs:UntagQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-DC-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-EFS-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-FSx-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-ScannedItems-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecRetroQueue-{appId}*"
            ],
            "Effect": "Allow",
            "Sid": "SQS"
        },
        {
            "Action": [
                "elasticfilesystem:CreateTags",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:CreateAccessPoint",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:TagResource",
                "elasticfilesystem:UntagResource",
                "elasticfilesystem:ListTagsForResource",
                "elasticfilesystem:ModifyMountTargetSecurityGroups"
            ],
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:file-system/*"
            ],
            "Effect": "Allow",
            "Sid": "EFSActions"
        },
        {
            "Action": [
                "elasticfilesystem:DeleteAccessPoint",
                "elasticfilesystem:DescribeAccessPoints"
            ],
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:file-system/*",
                "arn:aws:elasticfilesystem:*:*:access-point/*"
            ],
            "Effect": "Allow",
            "Sid": "EFSAccessPointsActions"
        },
        {
            "Action": [
                "ecr:ListImages"
            ],
            "Resource": [
                "arn:aws:ecr:{Aws-region}:564477214187:repository/cloudstoragesecurity/*"
            ],
            "Effect": "Allow",
            "Sid": "ECR"
        },
        {
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:GetFoundationModel",
                "bedrock:ListFoundationModels"
            ],
            "Resource": "arn:aws:bedrock:*::foundation-model/*",
            "Effect": "Allow",
            "Sid": "Bedrock"
        }
    ]
}

EC2-Management-Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CloudStorageSecExtraLargeFileScanning": "ExtraLargeFileScanning"
                }
            },
            "Action": [
                "ec2:DeleteVolume",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:*",
            "Effect": "Allow",
            "Sid": "DeleteLargeFileScanningVolumes"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-i401ajc": "Snapshot"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSnapshot"
            ],
            "Resource": [
                "arn:aws:ec2:*::snapshot/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSnapshot"
        },
        {
            "Action": [
                "ec2:CreateSnapshot"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSnapshotForAnyVolume"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CloudStorageSec-{appId}": "Snapshot"
                }
            },
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": [
                "arn:aws:ec2:*::snapshot/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2DeleteSnapshot"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "Volume"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2VolumeCreate"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CloudStorageSec-{appId}": "Volume"
                }
            },
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2VolumeDelete"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "SecurityGroupRule"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:{awsAccount}:security-group-rule/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroupRule"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:security-group/*",
                "arn:aws:ec2:*:*:{awsAccount}:network-interface/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroupRuleIngress"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "SecurityGroup"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:security-group/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroup"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:vpc/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroupVPC"
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:security-group/*",
                "arn:aws:ec2:*:*:{awsAccount}:subnet/*",
                "arn:aws:ec2:*::image/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstanceInfrastructure"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "EC2Instance"
                }
            },
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateTags",
                "iam:PassRole",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:instance/*",
                "arn:aws:ec2:*:*:{awsAccount}:network-interface/*",
                "arn:aws:ec2:*:*:{awsAccount}:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstance"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CloudStorageSec-{appId}": "EC2Instance"
                }
            },
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2TerminateInstance"
        }
    ]
}

Infrastructure-Management-Policy

/{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:{Aws-Region}:*:stack/{CloudFormationStack-name}/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "ecs:TagResource",
                "ecs:ListTagsForResource",
                "ecs:UntagResource",
                "ecs:CreateCluster",
                "ecs:DeleteCluster",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:CreateService",
                "ecs:DeleteService",
                "ecs:DescribeServices",
                "ecs:UpdateService",
                "ecs:ListTasks",
                "ecs:DescribeTasks"
            ],
            "Resource": [
                "arn:aws:ecs:*:{AwsAccount}:cluster/CloudStorageSecCluster-{appId}",
                "arn:aws:ecs:*:{AwsAccount}:service/CloudStorageSecCluster-{appId}/*",
                "arn:aws:ecs:*:{AwsAccount}:container-instance/CloudStorageSecCluster-{appId}/*",
                "arn:aws:ecs:*:{AwsAccount}:task/CloudStorageSecCluster-{appId}/*"
            ],
            "Effect": "Allow",
            "Sid": "ECSCluster"
        },
        {
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": [
                        "TaskDefinition",
                        "ConsoleTaskDefinition"
                    ]
                }
            },
            "Action": [
                "ecs:TagResource",
                "ecs:RegisterTaskDefinition"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECSRegisterTask"
        },
        {
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:ResourceTag/CloudStorageSec-{appId}": [
                        "TaskDefinition",
                        "ConsoleTaskDefinition"
                    ]
                }
            },
            "Action": [
                "ecs:TagResource",
                "ecs:ListTagsForResource",
                "ecs:UntagResource",
                "ecs:RunTask",
                "ecs:DeleteTaskDefinitions"
            ],
            "Resource": "arn:aws:ecs:*:{Aws-Account}:task-definition/CloudStorageSec*-{appId}:*",
            "Effect": "Allow",
            "Sid": "ECSRunDeleteTask"
        },
        {
            "Condition": {
                "StringEquals": {
                    "application-autoscaling:scalable-dimension": "ecs:service:DesiredCount"
                }
            },
            "Action": [
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget"
            ],
            "Resource": [
                "arn:aws:application-autoscaling:*:{Aws-Account}:scalable-target/*"
            ],
            "Effect": "Allow",
            "Sid": "ApplicationAutoscaling"
        },
        {
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudStorageSec-{appId}"
                }
            },
            "Action": [
                "application-autoscaling:TagResource",
                "application-autoscaling:UntagResource"
            ],
            "Resource": [
                "arn:aws:application-autoscaling:*:{Aws-Account}:scalable-target/*"
            ],
            "Effect": "Allow",
            "Sid": "ApplicationAutoscalingTagging"
        },
        {
            "Action": [
                "appconfig:DeleteConfigurationProfile",
                "appconfig:GetLatestConfiguration",
                "appconfig:ListConfigurationProfiles",
                "appconfig:StartDeployment",
                "appconfig:StartConfigurationSession",
                "appconfig:TagResource",
                "appconfig:UpdateApplication",
                "appconfig:UpdateConfigurationProfile",
                "appconfig:UpdateDeploymentStrategy",
                "appconfig:UpdateEnvironment",
                "appconfig:UntagResource"
            ],
            "Resource": [
                "arn:aws:appconfig:*:{Aws-Account}:application/{appId}/*",
                "arn:aws:appconfig:*:{Aws-Account}:application/{appId}",
                "arn:aws:appconfig:*:{Aws-Account}:deploymentstrategy/ob3q2x1"
            ],
            "Effect": "Allow",
            "Sid": "AppConfig"
        },
        {
            "Action": [
                "ssm:AddTagsToResource",
                "ssm:ListTagsForResource",
                "ssm:RemoveTagsFromResource",
                "ssm:CreateDocument",
                "ssm:DeleteDocument",
                "ssm:DescribeDocument",
                "ssm:DescribeDocumentParameters",
                "ssm:DescribeDocumentPermission",
                "ssm:ModifyDocumentPermission",
                "ssm:GetDocument",
                "ssm:ListDocuments",
                "ssm:UpdateDocument",
                "ssm:UpdateDocumentDefaultVersion",
                "ssm:UpdateDocumentMetadata",
                "ssm:DeleteParameter",
                "ssm:DeleteParameters",
                "ssm:DescribeParameters",
                "ssm:GetParameter",
                "ssm:GetParameterHistory",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
                "ssm:LabelParameterVersion",
                "ssm:PutParameter",
                "ssm:UnlabelParameterVersion",
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:RestoreSecret",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "arn:aws:ssm:*:{AwsAccount}:parameter/aws/service/ecs/optimized-ami/amazon-linux*/recommended/image_id",
                "arn:aws:ssm:*:{AwsAccount}:document/*{appId}",
                "arn:aws:ssm:*:{AwsAccount}:parameter/*{appId}/*",
                "arn:aws:ssm:*:{AwsAccount}:parameter/*{appId}",
                "arn:aws:ssm:*::parameter/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id",
                "arn:aws:secretsmanager:{Aws-Region}:*:secret:cloudstoragesec/*"
            ],
            "Effect": "Allow",
            "Sid": "SSMActions"
        },
        {
            "Action": [
                "events:CreateEventBus",
                "events:DeleteEventBus",
                "events:DeleteRule",
                "events:DescribeEventBus",
                "events:DescribeRule",
                "events:DisableRule",
                "events:EnableRule",
                "events:ListRuleNamesByTarget",
                "events:ListRules",
                "events:ListTagsForResource",
                "events:PutPermission",
                "events:PutRule",
                "events:PutTargets",
                "events:RemovePermission",
                "events:RemoveTargets",
                "events:TagResource",
                "events:UntagResource",
                "events:UpdateEventBus"
            ],
            "Resource": [
                "arn:aws:events:*:*:*/*{appId}*",
                "arn:aws:events:*:*:*/default",
                "arn:aws:events:*:*:rule/*"
            ],
            "Effect": "Allow",
            "Sid": "EventBridgeActions"
        }
    ]
}

Logging-And-Monitoring-Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.*:log-stream:*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogStream"
        },
        {
            "Action": [
                "logs:ListTagsForResource",
                "logs:TagResource",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:TagLogGroup",
                "logs:UntagLogGroup",
                "logs:UntagResource"
            ],
            "Resource": [
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatchLog"
        },
        {
            "Action": [
                "logs:StartQuery",
                "logs:GetQueryResults"
            ],
            "Resource": [
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.Jobs:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ScanStatistics:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ClassificationStatistics:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.SystemEvents:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ScanResults:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ClassificationResults:*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatchLogQuery"
        },
        {
            "Action": [
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecLargeQueue-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecSmallQueue-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecLargeQueue-DC-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecSmallQueue-DC-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecConsole-HealthCheck-Alarm-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:TargetTracking-service/CloudStorageSecCluster-{appId}/CloudStorageSecApiAgentService-{appId}*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatchAlarm"
        },
        {
            "Action": [
                "securityhub:GetFindings",
                "securityhub:DisableImportFindingsForProduct",
                "securityhub:BatchImportFindings",
                "securityhub:EnableImportFindingsForProduct"
            ],
            "Resource": [
                "arn:aws:securityhub:{AwsRegion}:{AwsAccount}:product/cloud-storage-security/antivirus-for-amazon-s3",
                "arn:aws:securityhub:{AwsRegion}:{AwsAccount}:product-subscription/cloud-storage-security/antivirus-for-amazon-s3",
                "arn:aws:securityhub:{AwsRegion}:{AwsAccount}:hub/default"
            ],
            "Effect": "Allow",
            "Sid": "SecurityHubActions"
        },
        {
            "Condition": {
                "StringEquals": {
                    "cloudwatch:Namespace": "AWS/ECS"
                }
            },
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PutECSMetricData"
        },
        {
            "Action": [
                "sns:Subscribe",
                "sns:AddPermission",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:SetTopicAttributes",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:SetSubscriptionAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:Publish",
                "sns:TagResource",
                "sns:UnTagResource"
            ],
            "Resource": [
                "arn:aws:sns:*:{AwsAccount}:CloudStorageSecNotificationsTopic-{appId}",
                "arn:aws:sns:*:{AwsAccount}:CloudStorageSecTopic-{appId}"
            ],
            "Effect": "Allow",
            "Sid": "SNS"
        },
        {
            "Action": [
                "servicequotas:GetServiceQuota"
            ],
            "Resource": [
                "arn:aws:servicequotas:*:{AwsAccount}:ebs/L-D18FCD1D",
                "arn:aws:servicequotas:*:{AwsAccount}:ebs/L-7A658B76"
            ],
            "Effect": "Allow",
            "Sid": "ServiceQuotas"
        },
        {
            "Action": [
                "budgets:ViewBudget",
                "budgets:ModifyBudget"
            ],
            "Resource": [
                "arn:aws:budgets::{AwsAccount}:budget/Cloud Storage Security Application Cost Budget - Application {appId}"
            ],
            "Effect": "Allow",
            "Sid": "Budgets"
        }
    ]
}

Security-And-Access-Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cognito-idp:AdminGetUser",
                "cognito-idp:AdminCreateUser",
                "cognito-idp:AdminAddUserToGroup",
                "cognito-idp:AdminDeleteUser",
                "cognito-idp:AdminDeleteUserAttributes",
                "cognito-idp:AdminDisableUser",
                "cognito-idp:AdminEnableUser",
                "cognito-idp:AdminRemoveUserFromGroup",
                "cognito-idp:AdminListGroupsForUser",
                "cognito-idp:AdminUpdateUserAttributes",
                "cognito-idp:ListTagsForResource",
                "cognito-idp:ListUsers",
                "cognito-idp:ListUsersInGroup",
                "cognito-idp:CreateGroup",
                "cognito-idp:DeleteGroup",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:UpdateUserPool",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:SetUserPoolMfaConfig"
            ],
            "Resource": [
                "arn:aws:cognito-idp:{AwsRegion}:{AwsAccount}:userpool/{UserPool-Id}"
            ],
            "Effect": "Allow",
            "Sid": "Cognito"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagInstanceProfile",
                "iam:UntagInstanceProfile",
                "iam:UpdateAssumeRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:PassRole",
                "iam:TagRole",
                "iam:UntagRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/CloudStorageSecUserPoolRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/AppConfigAgentConfigurationDocumentRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/CloudStorageSecExecutionRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/CloudStorageSecConsoleRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/CloudStorageSecAgentRole-{appId}",
                "arn:aws:iam::*:role/CloudStorageSecEc2ContainerRole-{appId}",
                "arn:aws:iam::*:instance-profile/CloudStorageSecEc2ContainerRole-{appId}",
                "arn:aws:iam::*:role/CloudStorageSecEventBridgeRole-{appId}"
            ],
            "Effect": "Allow",
            "Sid": "IAMAction"
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/*{appId}",
            "Effect": "Allow",
            "Sid": "CrossAccountAssumeRole"
        },
        {
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com"
                }
            },
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:*:{AwsAccount}:key/*",
            "Effect": "Allow",
            "Sid": "KmsConsole"
        },
        {
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "aws-marketplace:MeterUsage",
                "acm:DescribeCertificate",
                "acm:RequestCertificate",
                "cloudformation:GetTemplateSummary",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeTags",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ecs:DescribeTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "ecs:ListTaskDefinitions",
                "fsx:DescribeFileSystems",
                "fsx:DescribeVolumes",
                "fsx:DescribeStorageVirtualMachines",
                "logs:DescribeLogGroups",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Unsubscribe",
                "sqs:ListQueues"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ReadOnlyGlobal"
        },
        {
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetInventoryConfiguration",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow",
            "Sid": "S3ReadOnly"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutInventoryConfiguration"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow",
            "Sid": "S3Write"
        }
    ]
}

PreviousArchitecture Overview NextDeployment Details

Last updated 23 days ago