
Amazon Web Services

Amazon Web Services (AWS) is one of the world’s leading public cloud providers and offers a wide variety of cloud services. You can add an AWS account to DivvyCloud in the following ways:

Additionally, we recently introduced Event Driven Harvesting, a new approach to data collection.

Prerequisite - IAM Policy

All of the approaches mentioned above rely on adding an Identity and Access Management (IAM) policy to your AWS accounts in order to grant DivvyCloud user-defined access to those accounts.

DivvyCloud supports a large number of AWS services and adds support for new ones regularly. To access these services, we recommend using either a read-only policy (standard managed policy) or a power-user policy.

If you want DivvyCloud to operate in a read-only fashion, which prevents it from taking actions against your AWS resources, use the DivvyCloud Standard Managed Policies. (There are two policies because the permissions exceed AWS's limit on policy size; the split between them is only for ease of reading.)

If you would like to use DivvyCloud to manage your AWS resources directly or through the use of Bots, then use the DivvyCloud Power User Policy.

If you are using AWS GovCloud, then check out this section.

Finally, if you would like to use Instance Assume Role or Security Token Service (STS) Assume Role, both of which rely on STS, you will need an additional policy alongside your read-only or power-user policy. This applies to both AWS and AWS GovCloud.

Instance Assume Role or STS

An additional policy, alongside your read-only or power-user policy, is required for either of these approaches; see the STS Policy section below. This applies to both AWS and AWS GovCloud.

Amazon Web Services

DivvyCloud Standard User Policies

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:ListTagsForCertificate",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks",
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions",
                "cloudfront:ListTagsForResource",
                "cloudsearch:DescribeAvailabilityOptions",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudsearch:ListDomainNames",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeDeliveryChannels",
                "config:DescribeDeliveryChannelStatus",
                "dax:DescribeClusters",
                "dax:ListTags",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHosts",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:GetConsoleOutput",
                "ec2:GetPasswordData",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:ListTagsForResource",
                "ecr:GetRepositoryPolicy",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeSnapshots",
                "elasticache:ListTagsForResource",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeTags",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "es:DescribeElasticsearchDomains",
                "es:ListDomainNames",
                "es:ListTags",
                "events:DescribeEventBus",
                "events:ListRules",
                "events:ListTargetsByRule",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "firehose:ListTagsForDeliveryStream",
                "guardduty:GetDetector",
                "guardduty:GetMasterAccount",
                "guardduty:ListDetectors",
                "guardduty:ListMembers",
                "kinesis:DescribeStream",
                "kinesis:ListShards",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "lambda:GetAccountSettings",
                "lambda:ListFunctions",
                "lambda:ListTags",
                "logs:DescribeLogGroups",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "rds:DescribeDBClusters",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSnapshots",
                "rds:DescribeReservedDBInstances",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameterGroups",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeTags",
                "route53:GetHostedZone",
                "route53:ListGeoLocations",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53:ListTagsForResource",
                "route53:ListTagsForResources",
                "route53:ListVPCAssociationAuthorizations",
                "s3:GetBucketACL",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3control:GetAccountPublicAccessBlock",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:ListNotebookInstances",
                "sagemaker:ListTags",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityMailFromDomainAttributes",
                "ses:GetIdentityNotificationAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "sqs:ListQueueTags",
                "sts:GetCallerIdentity",
                "support:*",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetLoginProfile",
                "iam:GetRole",
                "iam:GetSAMLProvider",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles",
                "iam:ListMFADevices",
                "iam:ListPolicies",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListSAMLProviders",
                "iam:ListServerCertificates",
                "iam:ListUserPolicies",
                "iam:ListUsers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

DivvyCloud Power User Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:*",
                "cloudfront:*",
                "cloudsearch:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "config:*",
                "dax:*",
                "dynamodb:*",
                "ec2:*",
                "eks:*",
                "ecr:*",
                "ecs:*",
                "elasticache:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "es:*",
                "events:*",
                "firehose:*",
                "guardduty:*",
                "iam:*",
                "kinesis:*",
                "kms:*",
                "lambda:*",
                "organizations:*",
                "rds:*",
                "redshift:*",
                "route53:*",
                "sagemaker:*",
                "s3:*",
                "s3control:*",
                "ses:*",
                "sns:*",
                "sqs:*",
                "support:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:ListTagsForCertificate"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:DeleteStack",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Amazon Web Services - Gov Cloud

DivvyCloud supports GovCloud as well. As many GovCloud users know, GovCloud offers a different set of services than commercial AWS. Use the following policies when running DivvyCloud against GovCloud accounts.

DivvyCloud Standard User Policy - Gov Cloud

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudtrail:Describe*",
                "cloudtrail:List*",
                "cloudtrail:Get*",
                "cloudwatch:Describe*",
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "config:Describe*",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:Describe*",
                "ec2:List*",
                "ec2:Get*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticache:Get*",
                "elasticloadbalancing:Describe*",
                "elasticloadbalancing:List*",
                "elasticloadbalancing:Get*",
                "es:Describe*",
                "es:List*",
                "iam:Describe*",
                "iam:List*",
                "iam:Get*",
                "kms:List*",
                "kms:Get*",
                "kms:Describe*",
                "lambda:Get*",
                "lambda:List*",
                "rds:Describe*",
                "rds:List*",
                "rds:Get*",
                "redshift:Describe*",
                "redshift:List*",
                "redshift:Get*",
                "s3:Describe*",
                "s3:List*",
                "s3:Get*",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
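The read-only policies above (both the commercial pair and the GovCloud one) are long enough that it is easy to miss an entry that is not actually read-only. The following is an added example, not DivvyCloud's code, that lints a policy document before it is attached: it classifies every allowed action as read, read-wildcard (a `Describe*`/`List*`/`Get*` pattern, which is read-only but broad; `s3:Get*` also matches `s3:GetObject`), wildcard (`support:*`), sensitive-read (reads such as `ec2:GetPasswordData` that return secret material) or mutating, and it measures the document the way AWS measures customer managed policies (characters excluding whitespace, limit 6,144), which is the limit that forces the standard policy to be split. The verb-prefix rule is a heuristic approximating AWS's access-level classification, and the sample policy embedded in the block is constructed for the demonstration.

```python
"""Lint an IAM policy document before attaching it to the DivvyCloud principal.

Added example, not DivvyCloud's code. Two checks:
  1. every allowed Action is classified as read / read-wildcard / sensitive-read /
     wildcard / mutating, so a policy meant to be read-only is verified, not trusted;
  2. the non-whitespace character count is compared with the 6,144-character limit
     AWS enforces on customer managed policies (whitespace is not counted).
"""
import json
import re
from collections import defaultdict

MANAGED_POLICY_CHAR_LIMIT = 6144  # AWS limit for customer managed policies, whitespace excluded

READ_VERBS = ("Describe", "List", "Get")
# Actions that do not start with a read verb but only read (AWS access level "Read").
READ_EXCEPTIONS = {"iam:GenerateCredentialReport"}
# Read actions that return sensitive material; not mutating, but worth a second look.
SENSITIVE_READS = {"ec2:GetPasswordData", "ec2:GetConsoleOutput"}


def classify_action(action: str) -> str:
    """Return one of: wildcard, read-wildcard, sensitive-read, read, mutating."""
    service, _, name = action.partition(":")
    if "*" in action:
        # "ec2:Describe*" is read-only but broad; "support:*" or "*" is a full wildcard.
        if name != "*" and name.startswith(READ_VERBS) and name.endswith("*"):
            return "read-wildcard"
        return "wildcard"
    if action in SENSITIVE_READS:
        return "sensitive-read"
    if action in READ_EXCEPTIONS:
        return "read"
    if service and name.startswith(READ_VERBS):
        return "read"
    return "mutating"


def policy_actions(policy: dict):
    """Yield every action string from every Allow statement (Action may be str or list)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        yield from actions


def lint_policy(policy: dict) -> dict:
    """Group the policy's allowed actions by classification."""
    report = defaultdict(list)
    for action in policy_actions(policy):
        report[classify_action(action)].append(action)
    return dict(report)


def is_read_only(policy: dict) -> bool:
    """True only if no full-wildcard or mutating action is allowed."""
    report = lint_policy(policy)
    return not report.get("wildcard") and not report.get("mutating")


def policy_size(policy: dict) -> int:
    """Character count the way AWS measures managed policies: whitespace excluded."""
    return len(re.sub(r"\s", "", json.dumps(policy)))


def fits_managed_policy_limit(policy: dict) -> bool:
    return policy_size(policy) <= MANAGED_POLICY_CHAR_LIMIT


# Constructed sample: a few read-only style entries plus ones that are not.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances",
                "iam:GenerateCredentialReport",
                "ec2:GetPasswordData",
                "s3:Get*",
                "support:*",
                "cloudformation:DeleteStack",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    for kind, actions in sorted(lint_policy(SAMPLE_POLICY).items()):
        print(f"{kind:15} {', '.join(actions)}")
    print("read-only:", is_read_only(SAMPLE_POLICY))
    print("size:", policy_size(SAMPLE_POLICY), "of", MANAGED_POLICY_CHAR_LIMIT)
```

Run it against the real policy by loading the JSON with `json.load` and passing the result to `lint_policy`; anything reported under `wildcard` or `mutating` in a policy you intend to be read-only is the entry to question before attaching it.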

DivvyCloud Power User Policy - Gov Cloud

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "config:*",
                "dynamodb:*",
                "ec2:*",
                "elasticache:*",
                "elasticloadbalancing:*",
                "es:*",
                "iam:*",
                "kms:*",
                "lambda:*",
                "rds:*",
                "redshift:*",
                "s3:*",
                "sqs:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:DeleteStack"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AWS and AWS Gov Cloud - STS Policy

If you would like to use Instance Assume Role or Security Token Service (STS) Assume Role, both of which rely on STS, you will need an additional policy alongside your read-only or power-user policy. This applies to both AWS and AWS GovCloud. Give it a name like DivvyCloud-STS-Policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Action": "sts:GetCallerIdentity",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
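The STS policy above grants `sts:AssumeRole` on `arn:aws:iam::*:role/*`, that is, any role in any account whose trust policy admits the DivvyCloud principal. The following added example, not DivvyCloud's code, builds the same policy scoped to the specific roles DivvyCloud should assume, validates each role ARN, and uses the right partition: `aws` for commercial AWS and `aws-us-gov` for GovCloud, where a role ARN never begins with `arn:aws:` and so would not match the policy as written. The role names and account IDs in the block are constructed placeholders.

```python
"""Scope the DivvyCloud STS policy to named roles.

Added example, not DivvyCloud's code. Builds the AssumeRole + GetCallerIdentity
policy with Resource limited to specific role ARNs, checks each ARN against the
expected partition ("aws" or "aws-us-gov"), and reports whether a given policy
still allows AssumeRole on a wildcard account or role name.
"""
import re

PARTITIONS = {"aws", "aws-us-gov"}
ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-us-gov):iam::(?P<account>\d{12}):role/(?P<name>[\w+=,.@/-]+)$"
)


def validate_role_arn(arn: str, partition: str) -> bool:
    """True if arn is a well-formed IAM role ARN in the given partition."""
    m = ROLE_ARN_RE.match(arn)
    return bool(m) and m.group("partition") == partition


def sts_policy(role_arns, partition="aws") -> dict:
    """Build the STS policy with AssumeRole limited to the given roles."""
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")
    bad = [a for a in role_arns if not validate_role_arn(a, partition)]
    if bad:
        raise ValueError(f"not valid {partition} role ARNs: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": sorted(set(role_arns))},
            {"Action": "sts:GetCallerIdentity", "Effect": "Allow", "Resource": "*"},
        ],
    }


def assume_role_targets(policy: dict) -> list:
    """Return the Resource entries of every Allow statement that grants sts:AssumeRole."""
    targets = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            res = stmt.get("Resource", [])
            targets.extend([res] if isinstance(res, str) else res)
    return targets


def assume_role_is_unscoped(policy: dict) -> bool:
    """True if AssumeRole is allowed on a wildcard account or wildcard role name."""
    return any("*" in t for t in assume_role_targets(policy))


# The STS policy as given on the page, for comparison.
PAGE_STS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/*"},
        {"Action": "sts:GetCallerIdentity", "Effect": "Allow", "Resource": "*"},
    ],
}

# Constructed role ARNs with placeholder account IDs.
COMMERCIAL_ROLES = [
    "arn:aws:iam::111111111111:role/DivvyCloud-Harvest",
    "arn:aws:iam::222222222222:role/DivvyCloud-Harvest",
]
GOVCLOUD_ROLES = ["arn:aws-us-gov:iam::333333333333:role/DivvyCloud-Harvest"]

if __name__ == "__main__":
    print("page policy unscoped:", assume_role_is_unscoped(PAGE_STS_POLICY))
    print("scoped targets:", assume_role_targets(sts_policy(COMMERCIAL_ROLES)))
    print("govcloud targets:", assume_role_targets(sts_policy(GOVCLOUD_ROLES, "aws-us-gov")))
```

The scoped policy is a drop-in replacement for the one above; the trust policy on each target role still decides whether the assumption is permitted, so listing roles here narrows what the DivvyCloud principal can request, not what the target accounts allow.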

Setup - IAM Policy

  1. AWS Console - Log in to the AWS console and open the Identity & Access Management service. You can find it by clicking Services at the top left of the console and then clicking the Identity & Access Management link under Security, Identity & Compliance.
  2. Create Policy - Select Create policy.
  3. Create Policy JSON - Select JSON.
  4. Add Policy (Part 1 of 3)

a. Policy Document. Copy and paste your preferred policy into the Policy Document window.

b. Review Policy. Click Review Policy.

  5. Review Policy (Part 2 of 3)

a. Policy Name. Name your policy something meaningful to you, e.g., DivvyCloud-PowerUser-Policy. (Note that the Policy Name cannot contain spaces.)

b. Description. Add a policy description that makes it clear whether the policy is Read-only or Power User.

  6. Create Policy (Part 3 of 3)

Click Create Policy.

  7. Policy is in Place

You now have the correct policy in place to use when adding an AWS account via API Keys, Instance Assume Role, or Security Token Service (STS).
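The same steps can be done programmatically. The following added example, not DivvyCloud's code, performs the checks the console steps imply before calling IAM CreatePolicy: no spaces in the name, the IAM policy-name character set and 128-character limit, and a document that is valid with Version 2012-10-17 and complete statements. The IAM client is injected so the function runs offline against the small fake client in the block and in production against `boto3.client("iam")`, whose `create_policy` takes the same `PolicyName`, `Description` and `PolicyDocument` arguments. The policy name, description and the sample document are constructed.

```python
"""Create the DivvyCloud IAM policy through the API instead of the console.

Added example, not DivvyCloud's code. Validates the policy name and document, then
calls CreatePolicy on an injected IAM client (boto3.client("iam") in production,
FakeIamClient here so the block runs offline).
"""
import json
import re

# IAM policy names: [\w+=,.@-], 1..128 characters (spaces are therefore rejected).
POLICY_NAME_RE = re.compile(r"^[\w+=,.@-]{1,128}$")


def validate_policy_name(name: str) -> None:
    if " " in name:
        raise ValueError("policy name must not contain spaces")
    if not POLICY_NAME_RE.match(name):
        raise ValueError(f"policy name {name!r} is not a valid IAM policy name")


def validate_policy_document(document: dict) -> None:
    """Check the structure the policies on this page share before sending it to IAM."""
    if document.get("Version") != "2012-10-17":
        raise ValueError("policy Version must be 2012-10-17")
    statements = document.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("policy must contain a non-empty Statement list")
    for stmt in statements:
        for key in ("Action", "Effect", "Resource"):
            if key not in stmt:
                raise ValueError(f"statement is missing {key!r}")
        if stmt["Effect"] not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect {stmt['Effect']!r}")


def create_divvycloud_policy(iam, name: str, description: str, document: dict) -> str:
    """Validate, then call CreatePolicy; returns the new policy's ARN."""
    validate_policy_name(name)
    validate_policy_document(document)
    resp = iam.create_policy(
        PolicyName=name,
        Description=description,
        PolicyDocument=json.dumps(document),
    )
    return resp["Policy"]["Arn"]


class FakeIamClient:
    """Offline stand-in for boto3.client("iam") that records each CreatePolicy request."""

    def __init__(self, account_id="123456789012"):  # constructed placeholder account
        self.account_id = account_id
        self.requests = []

    def create_policy(self, **kwargs):
        self.requests.append(kwargs)
        return {"Policy": {"Arn": f"arn:aws:iam::{self.account_id}:policy/{kwargs['PolicyName']}"}}


# Constructed minimal document; substitute the full policy JSON from this page.
SAMPLE_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["ec2:DescribeInstances"], "Effect": "Allow", "Resource": "*"}],
}

if __name__ == "__main__":
    client = FakeIamClient()  # replace with boto3.client("iam") for a real account
    arn = create_divvycloud_policy(
        client, "DivvyCloud-PowerUser-Policy", "DivvyCloud Power User (read/write) access", SAMPLE_DOCUMENT
    )
    print(arn)
```

The returned ARN is what you attach to the DivvyCloud user or role in the next step; keeping the description explicit about Read-only versus Power User, as step 5b asks, is what lets a later reviewer tell the two policies apart in the console listing.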


What's Next

Once you have added your policies, navigate to the section that matches how you want to add an AWS cloud account to DivvyCloud.

API Access Keys (AWS)
Instance Assume Role (AWS)
Secure Token Service Assume Role (AWS)
Event Driven Harvesting (AWS)
Supported Calls (AWS)