Merge pull request #386 from VirtualMetric:DT-566-iam-roles-documentation

DT-566-Add IAM Permissions sections to 24 target and device docs

Author: KorayErkan

.github/workflows/pr.yml

@@ -29,15 +29,13 @@ jobs:
       - name: Build documentation
         run: npm run build
 
-      - name: Install Wrangler
-        run: npm install -g wrangler@4
-
       - name: Deploy Preview to Cloudflare Pages
         id: deploy
-        run: wrangler pages deploy build --project-name=virtualmetric-docs --branch=${{ github.head_ref }} --commit-dirty=true
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: pages deploy build --project-name=virtualmetric-docs --branch=${{ github.head_ref }} --commit-dirty=true
 
       - name: Remove old deployment comments
         uses: izhangzhihao/delete-comment@master
@@ -50,4 +48,4 @@ jobs:
         uses: thollander/actions-comment-pull-request@v2
         with:
           message: |
-            📄 **Docs Preview:** ${{ steps.deploy.outputs.deployment-url }}
+            📄 **Docs Preview:** ${{ steps.deploy.outputs.pages-deployment-alias-url }}

docs/configuration/devices/amazon-s3.mdx

@@ -95,6 +95,61 @@ Avoid hardcoding `access_key_id` and `secret_access_key` in plain text. Prefer I
 
 ## Details
 
+### IAM Permissions
+
+When using IAM role-based authentication, the following permissions are required:
+
+|IAM Action|Purpose|
+|---|---|
+|`s3:GetObject`|Download S3 objects for processing|
+|`s3:ListBucket`|Validate bucket access at startup (when bucket name is configured)|
+|`s3:ListAllMyBuckets`|Validate S3 access at startup (when bucket name is not configured)|
+|`sqs:ReceiveMessage`|Poll SQS queue for S3 event notifications|
+|`sqs:DeleteMessage`|Remove processed messages from the queue|
+|`sqs:GetQueueAttributes`|Validate SQS queue connectivity at startup|
+
+When using cross-account role assumption (`role_arn`), the calling identity also requires:
+
+|IAM Action|Purpose|
+|---|---|
+|`sts:AssumeRole`|Assume IAM role in the target account|
+
+**Minimum IAM Policy**:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "S3ReadObjects",
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
+    },
+    {
+      "Sid": "S3ValidateBucket",
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::BUCKET_NAME"
+    },
+    {
+      "Sid": "SQSConsumeMessages",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:ReceiveMessage",
+        "sqs:DeleteMessage",
+        "sqs:GetQueueAttributes"
+      ],
+      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME"
+    }
+  ]
+}
+```
+
+:::note Cross-Account Access
+When accessing S3 buckets in another AWS account, configure `role_arn` and optionally use temporary credentials. The assumed role must have the S3 and SQS permissions above. The target role's trust policy must allow assumption from the source account, with optional `ExternalId` condition for Security Lake scenarios.
+:::
+
 The Amazon S3 device operates as an event-driven pull-type data source that processes S3 objects based on SQS notifications. The device continuously polls an SQS queue for S3 event messages, downloads the referenced objects, and processes their contents through the telemetry pipeline.
 
 **Event Processing Flow**: The device receives S3 event notifications from SQS containing bucket name and object key information. For each ObjectCreated event (Put, Post, Copy, CompleteMultipartUpload), the device downloads the S3 object and processes it according to its file type. After successful processing, the SQS message is deleted to prevent reprocessing.

docs/configuration/devices/amazon-security-lake.mdx

@@ -100,6 +100,74 @@ AWS enforces strict SQS parameter limits. Values outside allowed ranges are auto
 
 ## Details
 
+### IAM Permissions
+
+When using IAM credentials or role assumption, the following permissions are required:
+
+**SQS Permissions**:
+
+|IAM Action|Purpose|
+|---|---|
+|`sqs:ReceiveMessage`|Poll queue for S3 object notifications|
+|`sqs:DeleteMessage`|Remove processed messages from the queue|
+|`sqs:GetQueueAttributes`|Validate SQS connectivity at startup|
+
+**S3 Permissions**:
+
+|IAM Action|Purpose|
+|---|---|
+|`s3:GetObject`|Download Parquet files from the Security Lake bucket|
+|`s3:ListBucket`|Validate access to a specific bucket at startup|
+|`s3:ListAllMyBuckets`|Validate S3 access at startup (when no specific bucket is configured)|
+
+**STS Permissions (conditional)**:
+
+|IAM Action|Purpose|
+|---|---|
+|`sts:AssumeRole`|Assume a cross-account IAM role (when `role_arn` is configured)|
+
+**Minimum IAM Policy**:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "SQSAccess",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:ReceiveMessage",
+        "sqs:DeleteMessage",
+        "sqs:GetQueueAttributes"
+      ],
+      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME"
+    },
+    {
+      "Sid": "S3ReadAccess",
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::SECURITY_LAKE_BUCKET/*"
+    },
+    {
+      "Sid": "S3ValidateBucket",
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::SECURITY_LAKE_BUCKET"
+    },
+    {
+      "Sid": "S3ListBuckets",
+      "Effect": "Allow",
+      "Action": "s3:ListAllMyBuckets",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+:::note Cross-Account Role Assumption
+Security Lake typically requires cross-account access via `role_arn` with `external_id`. The calling identity needs `sts:AssumeRole` on the target role. The target role's trust policy must allow assumption from the source account with the configured `ExternalId` condition. The assumed role must have the S3 and SQS permissions above attached to it.
+:::
+
 The Amazon Security Lake device implements a pull-type consumer pattern that integrates with Amazon Security Lake's S3-backed architecture. Security Lake stores normalized security data in OCSF format as Parquet files, and publishes S3 ObjectCreated events to an SQS queue. The device polls this queue, downloads referenced Parquet files, and ingests OCSF events into DataStream.
 
 **OCSF Schema Validation**: When enabled, the device validates each Parquet record against OCSF schema requirements. Invalid records generate warnings but do not halt file processing. Disable validation for performance-critical scenarios or when processing pre-validated data.

docs/configuration/devices/azure-blob-storage.mdx

@@ -71,6 +71,23 @@ Avoid hardcoding `connection_string` and `client_secret` in plain text. Prefer r
 
 ## Details
 
+### IAM Permissions
+
+When using service principal authentication, the following Azure RBAC roles are required:
+
+|Azure Role|Scope|Purpose|
+|---|---|---|
+|`Storage Blob Data Reader`|Storage Account or Container|Read blobs and blob properties|
+|`Storage Queue Data Message Processor`|Storage Account or Queue|Dequeue and delete queue messages|
+
+:::note Connection String Authentication
+When using connection string authentication, Azure RBAC roles are not applicable. The shared key embedded in the connection string provides full storage account access.
+:::
+
+:::note Startup Validation
+The device validates connectivity at startup by reading blob service properties and queue metadata. The recommended roles above may not fully cover these validation calls. If startup validation fails, either use a custom role with the exact data actions or assign `Storage Queue Data Contributor` instead of `Storage Queue Data Message Processor` for broader queue access.
+:::
+
 The Azure Blob Storage device operates as a pull-type data source that periodically scans Azure storage containers for new files. The device supports multiple file formats and provides flexible authentication options for enterprise environments.
 
 **File Format Processing**: The device automatically detects and processes files based on the configured format. JSON files are parsed as individual objects, JSONL files process each line as a separate record, and Parquet files are read using columnar processing for efficient large-data handling.

docs/configuration/devices/event-hubs.mdx

@@ -118,6 +118,23 @@ To enhance performance and achieve better message handling, the following settin
 |`reuse`|N|`true`|Enable multi-worker mode|
 |`workers`|N|`4`|Number of worker processes when reuse enabled|
 
+## Details
+
+### IAM Permissions
+
+When using service principal authentication, the following Azure RBAC roles are required:
+
+|Azure Role|Scope|Purpose|
+|---|---|---|
+|`Azure Event Hubs Data Receiver`|Event Hubs Namespace or Event Hub|Consume events and read hub properties|
+|`Storage Blob Data Contributor`|Storage Account or Container|Read, write, and list checkpoint blobs|
+
+The checkpoint storage requires `Contributor` (not just `Reader`) because the device writes checkpoint state and manages ownership blobs for partition load balancing.
+
+:::note Connection String Authentication
+When using connection string authentication, Azure RBAC roles are not needed for Event Hubs access. The Shared Access Policy embedded in the connection string governs access (typically `Listen` claim for consumers). Checkpoint storage still requires either a connection string or RBAC role assignment.
+:::
+
 ## Key Features
 
 ### Multiple Workers

docs/configuration/devices/microsoft-sentinel.mdx

@@ -64,6 +64,22 @@ The following fields are used to define the device:
 |---|---|---|---|
 |`batch_size`|N|`1000`|Number of incidents to fetch per batch|
 
+## Details
+
+### IAM Permissions
+
+The service principal requires the following Azure RBAC role:
+
+|Azure Role|Scope|Purpose|
+|---|---|---|
+|`Microsoft Sentinel Reader`|Log Analytics Workspace|Read incidents from Microsoft Sentinel|
+
+The device is strictly read-only — it only lists incidents using `Microsoft.SecurityInsights/incidents/read`. No create, update, or delete operations are performed.
+
+:::note Scope
+Assign the role at the Log Analytics Workspace level rather than the subscription or resource group level for least-privilege access.
+:::
+
 ## Key Features
 
 ### Incidents

docs/configuration/targets/_managed-identity.mdx

@@ -17,7 +17,7 @@ Azure targets support **Managed Identity** authentication for credential-free ac
 - Azure Kubernetes Service (AKS)
 - Azure Functions
 
-**Required permissions**: The Managed Identity must be granted appropriate roles on the target Azure resource (e.g., `Storage Blob Data Contributor` for Blob Storage, `Azure Event Hubs Data Sender` for Event Hubs).
+**Required permissions**: The Managed Identity must be granted the appropriate Azure RBAC roles documented in each target's **IAM Permissions** section.
 
 :::note
 Managed Identity eliminates credential management overhead and is the recommended authentication method for Azure-hosted Director deployments.

docs/configuration/targets/_s3-multipart-iam-note.mdx

@@ -0,0 +1,3 @@
+:::note
+Per the AWS Service Authorization Reference, `s3:PutObject` covers `CreateMultipartUpload`, `UploadPart`, and `CompleteMultipartUpload`. Only `s3:AbortMultipartUpload` requires its own IAM action.
+:::

docs/configuration/targets/aws/amazon-cloudwatch.mdx

@@ -90,6 +90,48 @@ Amazon CloudWatch Logs supports a maximum of 10,000 log events per PutLogEvents
 
 Supports static credentials (access key and secret key) with optional session tokens for temporary credentials. When deployed on AWS infrastructure, can leverage IAM role-based authentication without explicit credentials.
 
+All authentication methods call `sts:GetCallerIdentity` during initialization to validate credentials before proceeding.
+
+### IAM Permissions
+
+When using IAM role-based authentication, the following permissions are required:
+
+|IAM Action|Purpose|
+|---|---|
+|`sts:GetCallerIdentity`|Validate credentials at initialization|
+|`logs:CreateLogGroup`|Create log group if it does not exist|
+|`logs:CreateLogStream`|Create log stream if it does not exist|
+|`logs:PutLogEvents`|Send log events to the stream|
+
+Minimum IAM policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "STSIdentity",
+      "Effect": "Allow",
+      "Action": "sts:GetCallerIdentity",
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudWatchLogsWrite",
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": [
+        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME",
+        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:log-stream:*"
+      ]
+    }
+  ]
+}
+```
+
 ### Log Groups and Streams
 
 CloudWatch Logs organizes log data into log groups and log streams:

docs/configuration/targets/aws/amazon-kinesis.mdx

@@ -92,6 +92,39 @@ Amazon Kinesis Data Streams is a fully managed streaming data service that captu
 
 Supports static credentials (access key and secret key) with optional session tokens for temporary credentials. When deployed on AWS infrastructure, can leverage IAM role-based authentication without explicit credentials.
 
+All authentication methods call `sts:GetCallerIdentity` during initialization to validate credentials before proceeding.
+
+### IAM Permissions
+
+When using IAM role-based authentication, the following permissions are required:
+
+|IAM Action|Purpose|
+|---|---|
+|`sts:GetCallerIdentity`|Validate credentials at initialization|
+|`kinesis:PutRecords`|Send batch of records to stream|
+
+Minimum IAM policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "STSIdentity",
+      "Effect": "Allow",
+      "Action": "sts:GetCallerIdentity",
+      "Resource": "*"
+    },
+    {
+      "Sid": "KinesisWrite",
+      "Effect": "Allow",
+      "Action": "kinesis:PutRecords",
+      "Resource": "arn:aws:kinesis:REGION:ACCOUNT_ID:stream/STREAM_NAME"
+    }
+  ]
+}
+```
+
 ### Stream and Shard Architecture
 
 Kinesis Data Streams uses shards as the base throughput unit. Each shard provides: