The following are the recommended policies for the AWS Standard (Read-Only) User, Power User, and GovCloud users as well as the STS Assume Role (see AWS Cloud Setup (Single Cloud Account) for details) and Organization Master Account Role policies (see AWS Cloud Setup (Organizations) for details). Copy the policy (or all policy parts) of interest below, then return to one of the aforementioned cloud setup pages. The API calls that are supported with any of the policies can be found in the Supported API Calls section.
Standard (Read-Only)
For AWS commercial (non-GovCloud) accounts, there are two options for standard users:
- AWS-managed supplemental policy: This option supplements AWS' managed read-only policy. While this policy does not enumerate every permission, its benefit lies in AWS' continuously updating the policy for new services, making it easier for you to attach and maintain the policy.
- Customer-managed policy: This option enumerates every permission in the policy and must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions can be found in the product's release notes.
AWS-Managed Supplemental Policy
As mentioned above, the policy below supplements the existing AWS ReadOnlyAccess policy (screenshot of the policy within the AWS console follows).
AWS' ReadOnlyAccess Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AwsReadOnlyMissingPermissions",
"Action": [
"airflow:GetEnvironment",
"apprunner:DescribeService",
"apprunner:ListServices",
"memorydb:DescribeClusters",
"memorydb:DescribeSubnetGroups",
"memorydb:ListTags",
"pricing:GetProducts",
"support:*",
"timestream:DescribeEndpoints",
"timestream:ListDatabases",
"timestream:ListTables"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "AwsReadOnlyDenyPermissions",
"Action": [
"s3:GetObject*"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
Customer-Managed Policy
The customer-managed policy consists of three parts (the permissions have exceeded AWS's limitation on policy size). There is no significance to how the policy permissions are separated except for ease of reading.
Note: This means you'll need to create three separate policies: one for each part.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:ListAnalyzers",
"access-analyzer:ListFindings",
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:ListTagsForCertificate",
"airflow:GetEnvironment",
"airflow:ListEnvironments",
"apigateway:GET",
"apprunner:DescribeService",
"apprunner:ListServices",
"appsync:GetApiCache",
"appsync:ListGraphqlApis",
"athena:GetWorkGroup",
"athena:ListWorkGroups",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"backup:GetBackupVaultAccessPolicy",
"backup:ListBackupVaults",
"batch:DescribeComputeEnvironments",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudformation:ListStacks",
"cloudfront:GetDistribution",
"cloudfront:GetStreamingDistribution",
"cloudfront:ListDistributions",
"cloudfront:ListStreamingDistributions",
"cloudfront:ListTagsForResource",
"cloudsearch:DescribeAvailabilityOptions",
"cloudsearch:DescribeDomains",
"cloudsearch:DescribeDomainEndpointOptions",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudsearch:ListDomainNames",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"codebuild:BatchGetProjects",
"codebuild:ListProjects",
"cognito-idp:DescribeUserPool",
"cognito-idp:ListUserPools",
"cognito-idp:ListIdentityProviders",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannelStatus",
"config:DescribeDeliveryChannels",
"datasync:DescribeTask",
"datasync:ListTasks",
"dax:DescribeClusters",
"directconnect:DescribeConnections",
"dms:DescribeReplicationInstances",
"ds:DescribeDirectories",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeTable",
"dynamodb:ListBackups",
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeFlowLogs",
"ec2:DescribeHosts",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeImportImageTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTrafficMirrorTargets",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcEndpointConnections",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetConsoleOutput",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetManagedPrefixListEntries",
"ec2:GetSerialConsoleAccessStatus",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecr:ListTagsForResource",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:ListClusters"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribePlatformVersion",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeSnapshots",
"elasticache:ListTagsForResource",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"elasticmapreduce:ListSecurityConfigurations",
"elastictranscoder:ListPipelines",
"es:DescribeElasticsearchDomains",
"es:DescribeReservedElasticsearchInstances",
"es:ListDomainNames",
"es:ListTags",
"events:DescribeEventBus",
"events:ListEventBuses",
"events:ListRules",
"events:ListTargetsByRule",
"firehose:DescribeDeliveryStream",
"firehose:ListDeliveryStreams",
"firehose:ListTagsForDeliveryStream",
"fsx:DescribeFileSystems",
"glacier:DescribeVault",
"glacier:GetVaultAccessPolicy",
"glacier:GetVaultLock",
"glacier:ListTagsForVault",
"glacier:ListVaults",
"glue:GetDataCatalogEncryptionSettings",
"glue:GetResourcePolicy",
"glue:GetSecurityConfigurations",
"guardduty:GetDetector",
"guardduty:GetFindings",
"guardduty:GetMasterAccount",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"guardduty:ListMembers",
"iam:GenerateCredentialReport",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetServerCertificate",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListMFADevices",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListRoleTags",
"iam:ListSAMLProviders",
"iam:ListServerCertificates",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListUserTags",
"iam:SimulatePrincipalPolicy",
"kafka:ListClusters",
"kendra:DescribeIndex",
"kendra:ListIndices",
"kinesis:DescribeStream",
"kinesis:ListShards",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesisvideo:DescribeStream",
"kinesisvideo:ListStreams",
"kinesisvideo:ListTagsForStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeys",
"lambda:GetAccountSettings",
"lambda:GetFunction",
"lambda:GetPolicy",
"lambda:ListFunctions",
"lambda:ListTags",
"lightsail:GetContainerServices",
"lightsail:GetDisks",
"lightsail:GetInstances",
"lightsail:GetLoadBalancers",
"lightsail:GetRelationalDatabases",
"logs:DescribeDestinations",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"macie2:GetFindings",
"macie2:ListFindings",
"macie2:GetMacieSession",
"memorydb:DescribeClusters",
"memorydb:DescribeSubnetGroups",
"memorydb:ListTags",
"mq:DescribeBroker",
"mq:ListBrokers",
"organizations:DescribeOrganization",
"organizations:DescribePolicy",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:ListTargetsForPolicy",
"outposts:ListOutposts",
"pricing:GetProducts"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:DescribeDBClusterParameterGroups",
"rds:DescribeDBClusterParameters",
"rds:DescribeDbClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBProxies",
"rds:DescribeDbSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:DescribeEventSubscriptions",
"rds:DescribeOptionGroups",
"rds:DescribeReservedDBInstances",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusters",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeClusterSubnetGroups",
"redshift:DescribeLoggingStatus",
"redshift:DescribeTags",
"route53:GetHostedZone",
"route53:ListGeoLocations",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListHostedZonesByVpc",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"route53:ListTagsForResources",
"route53:ListVPCAssociationAuthorizations",
"route53domains:GetDomainDetail",
"route53domains:ListDomains",
"route53resolver:ListResolverQueryLogConfigs",
"route53resolver:ListResolverQueryLogConfigAssociations",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"sagemaker:DescribeNotebookInstance",
"sagemaker:ListNotebookInstances",
"sagemaker:ListTags",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"serverlessrepo:GetApplication",
"serverlessrepo:GetApplicationPolicy",
"serverlessrepo:ListApplications",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityMailFromDomainAttributes",
"ses:GetIdentityNotificationAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"shield:DescribeEmergencyContactSettings",
"shield:GetSubscriptionState",
"shield:ListAttacks",
"shield:ListProtections",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"ssm:DescribeDocumentPermission",
"ssm:DescribeParameters",
"ssm:GetDocument",
"ssm:GetServiceSetting",
"ssm:ListDocuments",
"ssm:ListDocumentVersions",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSMBFileShares",
"storagegateway:ListFileShares",
"sts:GetCallerIdentity",
"support:*",
"tag:GetResources",
"timestream:DescribeEndpoints",
"timestream:ListDatabases",
"timestream:ListTables",
"transfer:DescribeServer",
"transfer:DescribeUser",
"transfer:ListServers",
"transfer:ListUsers",
"waf-regional:GetRule",
"waf-regional:GetWebACL",
"waf-regional:ListResourcesForWebACL",
"waf-regional:ListRules",
"waf-regional:ListWebACLs",
"waf:GetChangeToken",
"waf:GetRule",
"waf:GetWebACL",
"waf:ListLoggingConfigurations",
"waf:ListRules",
"waf:ListWebACLs",
"wafv2:GetWebACL",
"wafv2:ListWebACLs",
"wafv2:ListLoggingConfigurations",
"wafv2:ListResourcesForWebACL",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspacesConnectionStatus"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Power User
For AWS commercial (non-GovCloud) accounts, there is a single policy for power users that enumerates every service and must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions can be found in the product's release notes.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:*",
"acm:*",
"airflow:*",
"apigateway:*",
"apprunner:*",
"appsync:*",
"athena:*",
"autoscaling:*",
"backup:*",
"batch:*",
"cloudformation:*",
"cloudfront:*",
"cloudsearch:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"cognito-idp:*",
"config:*",
"datasync:*",
"dax:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticbeanstalk:*",
"elasticache:*",
"elasticfilesystem:*",
"elasticloadbalancing:*",
"elasticmapreduce:*",
"elastictranscoder:*",
"es:*",
"events:*",
"firehose:*",
"fsx:*",
"glacier:*",
"glue:*",
"guardduty:*",
"iam:*",
"kafka:*",
"kendra:*",
"kinesis:*",
"kinesisvideo:*",
"kms:*",
"lambda:*",
"lightsail:*",
"logs:*",
"macie2:*",
"memorydb:*",
"mq:*",
"organizations:*",
"outposts:*",
"rds:*",
"redshift:*",
"route53:*",
"route53domains:*",
"route53resolver:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"serverlessrepo:*",
"ses:*",
"shield:*",
"sns:*",
"sqs:*",
"ssm:*",
"storagegateway:*",
"support:*",
"tag:*",
"timestream:*",
"transfer:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"workspaces:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"pricing:GetProducts",
"sts:GetCallerIdentity"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
GovCloud User
For AWS GovCloud accounts, there are two policies. Both policies enumerate every permission and must be manually updated with each new AWS service that InsightCloudSec supports, but the Power User Policy is less granular. New required permissions can be found in the product's release notes.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:List*",
"acm:Describe*",
"acm:List*",
"apigateway:GET",
"athena:Get*",
"athena:List*",
"autoscaling:Describe*",
"batch:Describe*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudtrail:Describe*",
"cloudtrail:Get*",
"cloudtrail:List*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codebuild:BatchGet*",
"codebuild:List*",
"config:Describe*",
"datasync:Describe*",
"datasync:List*",
"directconnect:Describe*",
"dms:Describe*",
"ds:Describe*",
"dynamodb:Describe*",
"dynamodb:List*",
"ec2:Describe*",
"ec2:Get*",
"ecr:Describe*",
"ecr:Get*",
"ecr:List*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Describe*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"es:Describe*",
"es:List*",
"events:Describe*",
"events:List*",
"firehose:Describe*",
"firehose:List*",
"fsx:DescribeFileSystems",
"glacier:Describe*",
"glacier:Get*",
"glacier:List*",
"glue:Get*",
"guardduty:Get*",
"guardduty:List*",
"iam:GenerateCredentialReport",
"iam:Get*",
"iam:List*",
"iam:SimulatePrincipalPolicy",
"kafka:List*",
"kinesis:Describe*",
"kinesis:List*",
"kms:Get*",
"kms:Describe*",
"kms:List*",
"lambda:Get*",
"lambda:List*",
"logs:Describe*",
"memorydb:Describe*",
"memorydb:List*",
"organizations:Describe*",
"organizations:List*",
"outposts:List*",
"rds:Describe*",
"rds:List*",
"redshift:Describe*",
"redshift:Get*",
"redshift:List*",
"route53:Get*",
"route53:List*",
"route53resolver:List*",
"s3:Describe*",
"s3:Get*",
"s3:List*",
"sagemaker:Describe*",
"sagemaker:List*",
"secretsmanager:Describe*",
"secretsmanager:Get*",
"secretsmanager:List*",
"serverlessrepo:Get*",
"serverlessrepo:List*",
"sns:Get*",
"sns:List*",
"sqs:Get*",
"sqs:List*",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"storagegateway:Describe*",
"storagegateway:List*",
"sts:GetCallerIdentity",
"support:*",
"tag:Get*",
"transfer:DescribeServer",
"transfer:DescribeUser",
"transfer:ListServers",
"transfer:ListUsers",
"waf-regional:Get*",
"waf-regional:List*",
"workspaces:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:*",
"acm:*",
"apigateway:*",
"athena:*",
"autoscaling:*",
"batch:*",
"cloudformation:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"config:*",
"datasync:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticache:*",
"elasticbeanstalk:*",
"elasticfilesystem:*",
"elasticloadbalancing:*",
"elasticmapreduce:*",
"es:*",
"events:*",
"firehose:*",
"fsx:*",
"glacier:*",
"glue:*",
"guardduty:*",
"iam:*",
"kafka:*",
"kinesis:*",
"kms:*",
"lambda:*",
"logs:*",
"memorydb:*",
"organizations:*",
"outposts:*",
"rds:*",
"redshift:*",
"route53:*",
"route53resolver:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"serverlessrepo:*",
"sns:*",
"sqs:*",
"ssm:*",
"storagegateway:*",
"support:*",
"tag:*",
"transfer:*",
"waf-regional:*",
"workspaces:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sts:GetCallerIdentity"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
STS Assume Role
The following policy is used to allow InsightCloudSec to securely assume a role within your AWS environment regardless of the selected authentication method. Review AWS Cloud Setup (Single Cloud Account) for more information on the available authentication methods.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/*"
},
{
"Action": "sts:GetCallerIdentity",
"Effect": "Allow",
"Resource": "*"
}
]
}
Organization Master Account Role
The following policy is used to allow InsightCloudSec access to organizational information. Review AWS Cloud Setup (Organizations) for more information on integrating your AWS Organization(s) with InsightCloudSec.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListPolicies",
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:ListTargetsForPolicy"
],
"Resource": "*"
}
]
}
Updated 4 days ago