./HAVOC IAM Roles

When creating a new ./HAVOC deployment, a series of IAM roles, and permissions are created in your AWS account. Below is a list of the IAM roles that are created.

The Terraform configuration file that is used to create the roles is available here: https://github.com/havocsh/havoc/blob/main/havoc_deploy/aws/terraform/iam.tf

The template files that are used to define the policies are available here: https://github.com/havocsh/havoc/tree/main/havoc_deploy/aws/terraform/templates

Lambda Roles

Lambda Role for HAVOC Lambda Functions

Name: ${var.deployment_name}-lambda-role
Description: Role for HAVOC Lambda functions.
Assume Role Policy: Allows AWS Lambda service to assume this role.

Attached Policies

Name: ${var.deployment_name}-lambda-policy
Description: Policy for ./HAVOC Lambda functions
Policy: Defined by the lambda_policy.template template file

Lambda Role for Workspace Access GET Lambda Functions

Name: ${var.deployment_name}-workspace-access-get-lambda-role
Description: Role for ./HAVOC workspace access GET Lambda functions.
Assume Role Policy: Allows AWS Lambda service to assume this role.

Attached Policies

Name: ${var.deployment_name}-workspace-access-get-lambda-policy
Description: Policy for ./HAVOC workspace access GET Lambda functions.
Policy: Defined by the workspace_access_get_lambda_policy.template template file.

Lambda Role for Workspace Access PUT Lambda Functions

Name: ${var.deployment_name}-workspace-access-put-lambda-role
Description: Role for ./HAVOC workspace access PUT Lambda functions.
Assume Role Policy: Allows AWS Lambda service to assume this role.

Attached Policies

Name: ${var.deployment_name}-workspace-access-put-lambda-policy
Description: Policy for ./HAVOC workspace access PUT Lambda functions.
Policy: Defined by workspace_access_put_lambda_policy.template template file.

ECS Roles

ECS Task Role

Name: ${var.deployment_name}-task-role
Description: Role for ./HAVOC ECS tasks.
Assume Role Policy: Allows AWS ECS service to assume this role.

Attached Policies

Name: ${var.deployment_name}-ecs-task-policy
Description: Policy for ./HAVOC ECS tasks.
Policy: Defined by the ecs_task_policy.template template file.

ECS Task Execution Role

Name: ${var.deployment_name}-execution-role
Description: Role for ./HAVOC ECS task execution.
Assume Role Policy: Allows AWS ECS service to assume this role.

Attached Policies

Name: AmazonECSTaskExecutionRolePolicy (AWS-managed policy)

ECS Playbook Operator Role

Name: ${var.deployment_name}-playbook-operator-role
Description: Role for ./HAVOC ECS playbook operator.
Assume Role Policy: Allows AWS ECS service to assume this role.

Attached Policies

Name: ${var.deployment_name}-ecs-playbook-operator-policy
Description: Policy for ./HAVOC ECS playbook operator.
Policy: Defined by the ecs_playbook_operator_policy.template template file.

ECS Playbook Operator Execution Role

Name: ${var.deployment_name}-playbook-operator-execution-role
Description: Role for ./HAVOC ECS playbook operator execution.
Assume Role Policy: Allows AWS ECS service to assume this role.

Attached Policies

Name: AmazonECSTaskExecutionRolePolicy (AWS-managed policy)

Trigger Executor Role

Name: ${var.deployment_name}-trigger-executor-role
Description: Role for ./HAVOC trigger_executor Lambda function.
Assume Role Policy: Allows AWS EventBridge service to assume this role.

Attached Policies

Name: ${var.deployment_name}-trigger-executor-policy
Description: Policy for ./HAVOC trigger_executor Lambda function.
Policy: Defined by the trigger_executor_policy.template template file.

API Gateway Role

Name: ${var.deployment_name}-api-gateway-role
Description: Role for ./HAVOC REST API gateway.
Assume Role Policy: Allows AWS API Gateway service to assume this role.

Attached Policies

Name: ${var.deployment_name}-api-gateway-policy
Description: Policy for ./HAVOC REST API gateway.
Policy: Defined by the api_gateway_policy.template template file.

These IAM roles are used to grant necessary permissions and access for different components of the ./HAVOC application within the AWS environment.