AWS Policies

Suggested IAM Policies for AWS Users & Roles

InsightCloudSec offers several different AWS-compatible policies for the accounts that will be harvested. Policy usage will vary depending on the type of AWS Cloud Setup being used (Single vs. Organization, Commercial vs. GovCloud) and the level of access you want to provide InsightCloudSec (Read Only vs. Power User). The policies available include the following:

  • Standard (Read-Only) User (Commercial) -- Policies that enable the minimum access necessary to harvest information from your AWS accounts for use within InsightCloudSec
  • Power User (Commercial) -- Policies that enable unlimited access to the services that InsightCloudSec supports
  • GovCloud User -- Policies that are used to enable harvesting of AWS GovCloud accounts; both read only and power user policies are available
  • STS Assume Role -- Policy used to enable harvesting of AWS accounts using the STS Assume Role authentication method; see AWS Cloud Setup (Single Cloud Account) for details
  • Organization Master Account Role -- Policy used to harvest AWS organizational information; see AWS Cloud Setup (Organizations) for details

Copy the policy (or all policy parts) of interest below, then return to one of the aforementioned cloud setup pages. The API calls that are supported with any of the policies can be found in the Supported API Calls section.

Standard (Read-Only) User

For AWS commercial (non-GovCloud) accounts, there are two options for standard (read-only) users:

  • AWS-managed supplemental policy: This option supplements AWS' managed ReadOnlyAccess policy. Its benefit is that AWS continuously updates the managed policy for new services, which makes it easier for you to attach and maintain.
  • Customer-managed policy: This option lists the individual read-only permissions, e.g., List, Describe, Get, etc., for each service InsightCloudSec supports, which means the policy must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions are announced in our release notes and updated here.

AWS-Managed Supplemental Policy

As mentioned above, this policy supplements the existing AWS ReadOnlyAccess policy (a screenshot of that policy within the AWS console follows). The supplemental policy can be obtained from our public S3 bucket. Note: InsightCloudSec highly recommends that you verify you have the latest supplemental read-only policy after each release. If you have questions or concerns about implementing this policy or about its scope, reach out to us via the Customer Support Portal.

[Screenshot: AWS' ReadOnlyAccess Policy as shown in the AWS console]

Customer-Managed Policy

The customer-managed policy consists of three parts because the full set of permissions exceeds AWS's limit on policy size. These policies contain only read-only permissions, e.g., List, Describe, Get, etc., and as such will need to be updated any time InsightCloudSec supports a new AWS service. There is no significance to how the permissions are divided between the parts other than ease of reading.

Note: This means you'll need to create three separate policies: one for each part.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:ListAnalyzers",
                "access-analyzer:ListFindings",
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:ListTagsForCertificate",
                "airflow:GetEnvironment",
                "airflow:ListEnvironments",
                "apigateway:GET",
                "apprunner:DescribeService",
                "apprunner:ListServices",
                "appsync:GetApiCache",
                "appsync:ListGraphqlApis",
                "athena:GetWorkGroup",
                "athena:ListQueryExecutions",
                "athena:ListWorkGroups",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "backup:GetBackupVaultAccessPolicy",
                "backup:ListBackupVaults",
                "batch:DescribeComputeEnvironments",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks",
                "cloudfront:GetDistribution",
                "cloudfront:GetStreamingDistribution",
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions",
                "cloudfront:ListTagsForResource",
                "cloudsearch:DescribeAvailabilityOptions",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeDomainEndpointOptions",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudsearch:ListDomainNames",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "codebuild:BatchGetProjects",
                "codebuild:ListProjects",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:ListUserPools",
                "cognito-idp:ListIdentityProviders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeDeliveryChannelStatus",
                "config:DescribeDeliveryChannels",
                "datasync:DescribeTask",
                "datasync:ListTasks",
                "dax:DescribeClusters",
                "directconnect:DescribeConnections",
                "dms:DescribeReplicationInstances",
                "ds:DescribeDirectories",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHosts",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:GetConsoleOutput",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetManagedPrefixListEntries",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2:SearchTransitGatewayRoutes",
                "ecr:DescribeImages",
                "ecr:DescribeImageScanFindings",
                "ecr:DescribeRepositories",
                "ecr:GetLifecyclePolicy",
                "ecr:GetRegistryScanningConfiguration",
                "ecr:GetRepositoryPolicy",
                "ecr:ListTagsForResource",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeServices",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListServices",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribePlatformVersion",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:DescribeSnapshots",
                "elasticache:ListTagsForResource",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeTags",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "elasticmapreduce:ListBootstrapActions",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "elasticmapreduce:ListSecurityConfigurations",
                "elastictranscoder:ListPipelines",
                "es:DescribeElasticsearchDomains",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "es:ListTags",
                "events:DescribeEventBus",
                "events:ListEventBuses",
                "events:ListRules",
                "events:ListTargetsByRule",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "firehose:ListTagsForDeliveryStream",
                "fsx:DescribeFileSystems",
                "glacier:DescribeVault",
                "glacier:GetVaultAccessPolicy",
                "glacier:GetVaultLock",
                "glacier:ListTagsForVault",
                "glacier:ListVaults",
                "glue:GetDatabases",
                "glue:GetDataCatalogEncryptionSettings",
                "glue:GetResourcePolicy",
                "glue:GetSecurityConfigurations",
                "glue:ListCrawlers",
                "glue:ListRegistries",
                "guardduty:GetDetector",
                "guardduty:GetFindings",
                "guardduty:GetMasterAccount",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListMembers",
                "iam:GenerateCredentialReport",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetLoginProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetSAMLProvider",
                "iam:GetServerCertificate",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles",
                "iam:ListMFADevices",
                "iam:ListOpenIDConnectProviders",
                "iam:ListPolicies",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:ListSAMLProviders",
                "iam:ListServerCertificates",
                "iam:ListSigningCertificates",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:ListUserTags",
                "iam:SimulatePrincipalPolicy",
                "inspector2:ListCoverage",
                "inspector2:ListFindings",
                "kafka:ListClusters",
                "kafka:ListClustersV2",
                "kendra:DescribeIndex",
                "kendra:ListIndices",
                "kinesis:DescribeStream",
                "kinesis:ListShards",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kinesisvideo:DescribeStream",
                "kinesisvideo:ListStreams",
                "kinesisvideo:ListTagsForStream",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "lambda:GetAccountSettings",
                "lambda:GetFunction",
                "lambda:GetLayerVersionPolicy",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "lambda:ListLayers",
                "lambda:ListTags",
                "lightsail:GetContainerServices",
                "lightsail:GetDisks",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "lightsail:GetRelationalDatabases",
                "logs:DescribeDestinations",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "macie2:GetFindings",
                "macie2:ListFindings",
                "macie2:GetMacieSession",
                "memorydb:DescribeClusters",
                "memorydb:DescribeSubnetGroups",
                "memorydb:ListTags",
                "mq:DescribeBroker",
                "mq:ListBrokers",
                "organizations:DescribeOrganization",
                "organizations:DescribePolicy",
                "organizations:ListAccounts",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy",
                "outposts:ListOutposts",
                "pricing:GetProducts"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rbin:GetRule",
                "rbin:ListRules",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDbClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBProxies",
                "rds:DescribeDbSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeReservedDBInstances",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameterGroups",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeLoggingStatus",
                "redshift:DescribeTags",
                "route53:GetDNSSEC",
                "route53:GetHostedZone",
                "route53:ListGeoLocations",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListHostedZonesByVpc",
                "route53:ListResourceRecordSets",
                "route53:ListTagsForResource",
                "route53:ListTagsForResources",
                "route53:ListVPCAssociationAuthorizations",
                "route53domains:GetDomainDetail",
                "route53domains:ListDomains",
                "route53resolver:ListResolverQueryLogConfigs",
                "route53resolver:ListResolverQueryLogConfigAssociations",
                "s3:GetAccessPointPolicy",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetReplicationConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:ListNotebookInstances",
                "sagemaker:ListTags",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:ListSecrets",
                "serverlessrepo:GetApplication",
                "serverlessrepo:GetApplicationPolicy",
                "serverlessrepo:ListApplications",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityMailFromDomainAttributes",
                "ses:GetIdentityNotificationAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "shield:DescribeEmergencyContactSettings",
                "shield:GetSubscriptionState",
                "shield:ListAttacks",
                "shield:ListProtections",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "ssm:DescribeDocument",
                "ssm:DescribeDocumentPermission",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeParameters",
                "ssm:GetDocument",
                "ssm:GetParameter",
                "ssm:GetServiceSetting",
                "ssm:ListDocuments",
                "ssm:ListDocumentVersions",
                "states:DescribeStateMachine",
                "states:ListStateMachines",
                "storagegateway:DescribeNFSFileShares",
                "storagegateway:DescribeSMBFileShares",
                "storagegateway:ListFileShares",
                "sts:GetCallerIdentity",
                "support:*",
                "tag:GetResources",
                "timestream:DescribeEndpoints",
                "timestream:ListDatabases",
                "timestream:ListTables",
                "transfer:DescribeServer",
                "transfer:DescribeUser",
                "transfer:ListServers",
                "transfer:ListUsers",
                "transcribe:GetMedicalTranscriptionJob",
                "transcribe:GetTranscriptionJob",
                "transcribe:ListMedicalTranscriptionJobs",
                "transcribe:ListTranscriptionJobs",
                "waf-regional:GetRule",
                "waf-regional:GetWebACL",
                "waf-regional:ListResourcesForWebACL",
                "waf-regional:ListRules",
                "waf-regional:ListWebACLs",
                "waf:GetChangeToken",
                "waf:GetRule",
                "waf:GetWebACL",
                "waf:ListLoggingConfigurations",
                "waf:ListRules",
                "waf:ListWebACLs",
                "wafv2:GetWebACL",
                "wafv2:ListWebACLs",
                "wafv2:ListLoggingConfigurations",
                "wafv2:ListResourcesForWebACL",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Power User

For AWS commercial (non-GovCloud) accounts, there is a single policy for power users that provides wildcard access to every service that InsightCloudSec supports. This policy must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions are announced in our release notes and updated here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:*",
                "acm:*",
                "airflow:*",
                "apigateway:*",
                "apprunner:*",
                "appsync:*",
                "athena:*",
                "autoscaling:*",
                "backup:*",
                "batch:*",
                "cloudformation:*",
                "cloudfront:*",
                "cloudsearch:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "cognito-idp:*",
                "config:*",
                "datasync:*",
                "dax:*",
                "directconnect:*",
                "dms:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecs:*",
                "eks:*",
                "elasticbeanstalk:*",
                "elasticache:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "elastictranscoder:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "glue:*",
                "guardduty:*",
                "iam:*",
                "inspector2:*",
                "kafka:*",
                "kendra:*",
                "kinesis:*",
                "kinesisvideo:*",
                "kms:*",
                "lambda:*",
                "lightsail:*",
                "logs:*",
                "macie2:*",
                "memorydb:*",
                "mq:*",
                "organizations:*",
                "outposts:*",
                "rbin:*",
                "rds:*",
                "redshift:*",
                "route53:*",
                "route53domains:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "serverlessrepo:*",
                "ses:*",
                "shield:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "states:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "timestream:*",
                "transcribe:*",
                "transfer:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "pricing:GetProducts",
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
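As an added example (not InsightCloudSec's or AWS's own code), a small Python linter for pasted policy documents such as the three-part read-only policy and the power-user policy above. It checks what the text promises: that a read-only part grants only read-only verbs, that each part stays under the managed-policy size limit that forced the three-way split, and which services a power-user policy wildcards. The sample policies embedded in it are constructed slices, not the full documents from this page.

```python
"""Lint IAM policy documents such as the read-only and power-user policies above.

Checks, from a least-privilege reviewer's standpoint:
  * every Action in a policy meant to be read-only uses a read-only verb
    (List/Describe/Get/BatchGet/Search/Generate/Simulate); the page's two
    non-verb entries, apigateway:GET and support:*, are allowed by name;
  * which services a policy grants "service:*" to, and whether the policy is
    admin-equivalent (iam:* or * on Resource "*", which can mint new policies);
  * whether a part exceeds the managed-policy size limit of 6,144 characters,
    which AWS measures with whitespace excluded.
"""
import json
import re

MANAGED_POLICY_CHAR_LIMIT = 6144  # AWS limit per managed policy document, whitespace excluded
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(List|Describe|Get|BatchGet|Search|Generate|Simulate)")
READ_ONLY_EXCEPTIONS = {"apigateway:GET", "support:*"}  # present in the page's read-only policy


def split_policy_parts(text: str) -> list[dict]:
    """Parse back-to-back JSON documents, the way the three read-only parts are pasted above."""
    decoder = json.JSONDecoder()
    parts, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return parts
        obj, pos = decoder.raw_decode(text, pos)  # returns (object, index just past it)
        parts.append(obj)


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource/Statement; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def allow_statements(policy: dict) -> list[dict]:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def actions_of(policy: dict) -> list[str]:
    """Every Action granted by an Allow statement, flattened."""
    return [a for s in allow_statements(policy) for a in _as_list(s.get("Action"))]


def non_read_only_actions(policy: dict) -> list[str]:
    """Actions that can change state: anything not matching a read-only verb or exception."""
    return [a for a in actions_of(policy)
            if a not in READ_ONLY_EXCEPTIONS and not READ_ONLY_VERB.match(a)]


def wildcard_services(policy: dict) -> list[str]:
    """Services granted full access via 'service:*'."""
    return sorted({a.split(":")[0] for a in actions_of(policy) if a.endswith(":*")})


def admin_equivalent(policy: dict) -> bool:
    """True if iam:* or * is allowed on Resource '*': such a principal can grant itself anything."""
    for s in allow_statements(policy):
        if "*" in _as_list(s.get("Resource")) and {"iam:*", "*"} & set(_as_list(s.get("Action"))):
            return True
    return False


def policy_size(policy: dict) -> int:
    """Character count the way AWS measures it: serialized JSON with whitespace removed."""
    return len(re.sub(r"\s", "", json.dumps(policy, separators=(",", ":"))))


def lint(policy: dict, power_user: bool = False) -> dict:
    """Summarize a policy; 'problems' is empty when it passes for its intended role."""
    problems = []
    size = policy_size(policy)
    if size > MANAGED_POLICY_CHAR_LIMIT:
        problems.append(f"{size} chars exceeds the {MANAGED_POLICY_CHAR_LIMIT} limit; split into parts")
    if not power_user:  # service-wide wildcards like ec2:* are caught here too, as non-read-only
        problems += [f"non-read-only action: {a}" for a in non_read_only_actions(policy)]
    return {"size": size, "wildcard_services": wildcard_services(policy),
            "admin_equivalent": admin_equivalent(policy), "problems": problems}


# Constructed sample inputs (not the page's full documents): two read-only parts pasted
# back to back, the first with one deliberately wrong entry, and a power-user slice.
SAMPLE_READ_ONLY_TEXT = """
{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:DescribeInstances",
 "s3:GetBucketPolicy", "apigateway:GET", "support:*", "ec2:TerminateInstances"],
 "Effect": "Allow", "Resource": "*"}]}
{"Version": "2012-10-17", "Statement": [{"Action": ["iam:ListUsers",
 "iam:GenerateCredentialReport"], "Effect": "Allow", "Resource": "*"}]}
"""
SAMPLE_POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Action": ["ec2:*", "iam:*", "s3:*"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["sts:GetCallerIdentity"], "Effect": "Allow", "Resource": "*"}]}

if __name__ == "__main__":
    for i, part in enumerate(split_policy_parts(SAMPLE_READ_ONLY_TEXT), 1):
        print(f"read-only part {i}:", lint(part))
    print("power user:", lint(SAMPLE_POWER_USER, power_user=True))
```

Paste the three read-only parts from this page into a file and feed its contents to split_policy_parts to lint the real documents; a power-user policy is expected to report admin_equivalent because it grants iam:* on every resource.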

GovCloud User

For AWS GovCloud accounts, there are two policies. Both policies must be manually updated with each new AWS service that InsightCloudSec supports, but the Power User Policy is less granular. New required permissions are announced in our release notes and updated here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:List*",
                "acm:Describe*",
                "acm:List*",
                "apigateway:GET",
                "athena:Get*",
                "athena:List*",
                "autoscaling:Describe*",
                "batch:Describe*",
                "cloudformation:Describe*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudtrail:Describe*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "codebuild:BatchGet*",
                "codebuild:List*",
                "config:Describe*",
                "datasync:Describe*",
                "datasync:List*",
                "directconnect:Describe*",
                "dms:Describe*",
                "ds:Describe*",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Search*",
                "ecr:Describe*",
                "ecr:Get*",
                "ecr:List*",
                "ecs:Describe*",
                "ecs:List*",
                "eks:Describe*",
                "eks:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticbeanstalk:Describe*",
                "elasticfilesystem:Describe*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "es:Describe*",
                "es:List*",
                "events:Describe*",
                "events:List*",
                "firehose:Describe*",
                "firehose:List*",
                "fsx:DescribeFileSystems",
                "glacier:Describe*",
                "glacier:Get*",
                "glacier:List*",
                "glue:Get*",
                "glue:List*",
                "guardduty:Get*",
                "guardduty:List*",
                "iam:GenerateCredentialReport",
                "iam:Get*",
                "iam:List*",
                "iam:SimulatePrincipalPolicy",
                "kafka:List*",
                "kendra:DescribeIndex",
                "kendra:ListIndices",
                "kinesis:Describe*",
                "kinesis:List*",
                "kms:Get*",
                "kms:Describe*",
                "kms:List*",
                "lambda:Get*",
                "lambda:List*",
                "logs:Describe*",
                "memorydb:Describe*",
                "memorydb:List*",
                "organizations:Describe*",
                "organizations:List*",
                "outposts:List*",
                "rbin:Get*",
                "rbin:List*",
                "rds:Describe*",
                "rds:List*",
                "redshift:Describe*",
                "redshift:Get*",
                "redshift:List*",
                "route53:Get*",
                "route53:List*",
                "route53resolver:List*",
                "s3:Describe*",
                "s3:Get*",
                "s3:List*",
                "sagemaker:Describe*",
                "sagemaker:List*",
                "secretsmanager:Describe*",
                "secretsmanager:Get*",
                "secretsmanager:List*",
                "serverlessrepo:Get*",
                "serverlessrepo:List*",
                "sns:Get*",
                "sns:List*",
                "sqs:Get*",
                "sqs:List*",
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*",
                "states:Describe*",
                "states:List*",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "sts:GetCallerIdentity",
                "support:*",
                "tag:Get*",
                "transcribe:Get*",
                "transcribe:List*",
                "transfer:DescribeServer",
                "transfer:DescribeUser",
                "transfer:ListServers",
                "transfer:ListUsers",
                "waf-regional:Get*",
                "waf-regional:List*",
                "workspaces:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:*",
                "acm:*",
                "apigateway:*",
                "athena:*",
                "autoscaling:*",
                "batch:*",
                "cloudformation:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "config:*",
                "datasync:*",
                "directconnect:*",
                "dms:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecs:*",
                "eks:*",
                "elasticache:*",
                "elasticbeanstalk:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "glue:*",
                "guardduty:*",
                "iam:*",
                "kafka:*",
                "kendra:*",
                "kinesis:*",
                "kms:*",
                "lambda:*",
                "logs:*",
                "memorydb:*",
                "organizations:*",
                "outposts:*",
                "rbin:*",
                "rds:*",
                "redshift:*",
                "route53:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "serverlessrepo:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "states:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "transfer:*",
                "transcribe:*",
                "waf-regional:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

STS Assume Role

The following policy is used to allow InsightCloudSec to securely assume a role within your AWS environment regardless of the selected authentication method. Review AWS Cloud Setup (Single Cloud Account) for more information on the available authentication methods.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Action": "sts:GetCallerIdentity",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Organization Master Account Role

The following policy is used to allow InsightCloudSec access to organizational information. Review AWS Cloud Setup (Organizations) for more information on integrating your AWS Organization(s) with InsightCloudSec.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "organizations:DescribeOrganization",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListPolicies",
                "organizations:ListRoots",
                "organizations:ListTagsForResource",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*"
        }
    ]
}
