InsightCloudSec Docs

InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

AWS Policies

Suggested IAM Policies for AWS Users & Roles

The following are the recommended policies for the AWS Standard (Read-Only) User, Power User, and GovCloud users, as well as for the STS Assume Role (see AWS Cloud Setup (Single Cloud Account) for details) and the Organization Master Account Role (see AWS Cloud Setup (Organizations) for details). Copy the policy (or all of its parts) of interest below, then return to the relevant cloud setup page. The API calls supported under each policy are listed in the Supported API Calls section.

Standard (Read-Only)

For AWS commercial (non-GovCloud) accounts, there are two options for standard users:

  • AWS-managed supplemental policy: This option supplements AWS' managed read-only policy. While this policy does not enumerate every permission, its benefit lies in AWS' continuously updating the policy for new services, making it easier for you to attach and maintain the policy.
  • Customer-managed policy: This option enumerates every permission in the policy and must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions can be found in the product's release notes.

AWS-Managed Supplemental Policy

As mentioned above, the policy below supplements the existing AWS ReadOnlyAccess policy (screenshot of the policy within the AWS console follows).

[Screenshot: AWS' ReadOnlyAccess Policy as shown in the AWS console]

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsReadOnlyMissingPermissions",
            "Action": [
                "airflow:GetEnvironment",
                "apprunner:DescribeService",
                "apprunner:ListServices",
                "memorydb:DescribeClusters",
                "memorydb:DescribeSubnetGroups",
                "memorydb:ListTags",
                "pricing:GetProducts",
                "support:*",
                "timestream:DescribeEndpoints",
                "timestream:ListDatabases",
                "timestream:ListTables"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AwsReadOnlyDenyPermissions",
            "Action": [
                "s3:GetObject*"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}

Customer-Managed Policy

The customer-managed policy consists of three parts because the full set of permissions exceeds AWS's size limit for a single policy. The split is only for ease of reading; there is no significance to which permissions fall in which part.

Note: This means you'll need to create three separate policies: one for each part.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:ListAnalyzers",
                "access-analyzer:ListFindings",
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:ListTagsForCertificate",
                "airflow:GetEnvironment",
                "airflow:ListEnvironments",
                "apigateway:GET",
                "apprunner:DescribeService",
                "apprunner:ListServices",
                "appsync:GetApiCache",
                "appsync:ListGraphqlApis",
                "athena:GetWorkGroup",
                "athena:ListWorkGroups",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "backup:GetBackupVaultAccessPolicy",
                "backup:ListBackupVaults",
                "batch:DescribeComputeEnvironments",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks",
                "cloudfront:GetDistribution",
                "cloudfront:GetStreamingDistribution",
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions",
                "cloudfront:ListTagsForResource",
                "cloudsearch:DescribeAvailabilityOptions",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeDomainEndpointOptions",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudsearch:ListDomainNames",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "codebuild:BatchGetProjects",
                "codebuild:ListProjects",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:ListUserPools",
                "cognito-idp:ListIdentityProviders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeDeliveryChannelStatus",
                "config:DescribeDeliveryChannels",
                "datasync:DescribeTask",
                "datasync:ListTasks",
                "dax:DescribeClusters",
                "directconnect:DescribeConnections",
                "dms:DescribeReplicationInstances",
                "ds:DescribeDirectories",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHosts",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:GetConsoleOutput",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetManagedPrefixListEntries",
                "ec2:GetSerialConsoleAccessStatus",
                "ecr:DescribeImages",
                "ecr:DescribeImageScanFindings",
                "ecr:DescribeRepositories",
                "ecr:GetLifecyclePolicy",
                "ecr:GetRepositoryPolicy",
                "ecr:ListTagsForResource",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeServices",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListServices",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribePlatformVersion",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:DescribeSnapshots",
                "elasticache:ListTagsForResource",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeTags",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "elasticmapreduce:ListSecurityConfigurations",
                "elastictranscoder:ListPipelines",
                "es:DescribeElasticsearchDomains",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "es:ListTags",
                "events:DescribeEventBus",
                "events:ListEventBuses",
                "events:ListRules",
                "events:ListTargetsByRule",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "firehose:ListTagsForDeliveryStream",
                "fsx:DescribeFileSystems",
                "glacier:DescribeVault",
                "glacier:GetVaultAccessPolicy",
                "glacier:GetVaultLock",
                "glacier:ListTagsForVault",
                "glacier:ListVaults",
                "glue:GetDataCatalogEncryptionSettings",
                "glue:GetResourcePolicy",
                "glue:GetSecurityConfigurations",
                "guardduty:GetDetector",
                "guardduty:GetFindings",
                "guardduty:GetMasterAccount",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListMembers",
                "iam:GenerateCredentialReport",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetLoginProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetSAMLProvider",
                "iam:GetServerCertificate",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles",
                "iam:ListMFADevices",
                "iam:ListOpenIDConnectProviders",
                "iam:ListPolicies",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:ListSAMLProviders",
                "iam:ListServerCertificates",
                "iam:ListSigningCertificates",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:ListUserTags",
                "iam:SimulatePrincipalPolicy",
                "kafka:ListClusters",
                "kendra:DescribeIndex",
                "kendra:ListIndices",
                "kinesis:DescribeStream",
                "kinesis:ListShards",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kinesisvideo:DescribeStream",
                "kinesisvideo:ListStreams",
                "kinesisvideo:ListTagsForStream",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "lambda:GetAccountSettings",
                "lambda:GetFunction",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "lambda:ListTags",
                "lightsail:GetContainerServices",
                "lightsail:GetDisks",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "lightsail:GetRelationalDatabases",
                "logs:DescribeDestinations",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "macie2:GetFindings",
                "macie2:ListFindings",
                "macie2:GetMacieSession",
                "memorydb:DescribeClusters",
                "memorydb:DescribeSubnetGroups",
                "memorydb:ListTags",
                "mq:DescribeBroker",
                "mq:ListBrokers",
                "organizations:DescribeOrganization",
                "organizations:DescribePolicy",
                "organizations:ListAccounts",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy",
                "outposts:ListOutposts",
                "pricing:GetProducts"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDbClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBProxies",
                "rds:DescribeDbSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeReservedDBInstances",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameterGroups",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeLoggingStatus",
                "redshift:DescribeTags",
                "route53:GetHostedZone",
                "route53:ListGeoLocations",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListHostedZonesByVpc",
                "route53:ListResourceRecordSets",
                "route53:ListTagsForResource",
                "route53:ListTagsForResources",
                "route53:ListVPCAssociationAuthorizations",
                "route53domains:GetDomainDetail",
                "route53domains:ListDomains",
                "route53resolver:ListResolverQueryLogConfigs",
                "route53resolver:ListResolverQueryLogConfigAssociations",
                "s3:GetAccessPointPolicy",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetReplicationConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:ListNotebookInstances",
                "sagemaker:ListTags",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:ListSecrets",
                "serverlessrepo:GetApplication",
                "serverlessrepo:GetApplicationPolicy",
                "serverlessrepo:ListApplications",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityMailFromDomainAttributes",
                "ses:GetIdentityNotificationAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "shield:DescribeEmergencyContactSettings",
                "shield:GetSubscriptionState",
                "shield:ListAttacks",
                "shield:ListProtections",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "ssm:DescribeDocumentPermission",
                "ssm:DescribeParameters",
                "ssm:GetDocument",
                "ssm:GetServiceSetting",
                "ssm:ListDocuments",
                "ssm:ListDocumentVersions",
                "storagegateway:DescribeNFSFileShares",
                "storagegateway:DescribeSMBFileShares",
                "storagegateway:ListFileShares",
                "sts:GetCallerIdentity",
                "support:*",
                "tag:GetResources",
                "timestream:DescribeEndpoints",
                "timestream:ListDatabases",
                "timestream:ListTables",
                "transfer:DescribeServer",
                "transfer:DescribeUser",
                "transfer:ListServers",
                "transfer:ListUsers",
                "waf-regional:GetRule",
                "waf-regional:GetWebACL",
                "waf-regional:ListResourcesForWebACL",
                "waf-regional:ListRules",
                "waf-regional:ListWebACLs",
                "waf:GetChangeToken",
                "waf:GetRule",
                "waf:GetWebACL",
                "waf:ListLoggingConfigurations",
                "waf:ListRules",
                "waf:ListWebACLs",
                "wafv2:GetWebACL",
                "wafv2:ListWebACLs",
                "wafv2:ListLoggingConfigurations",
                "wafv2:ListResourcesForWebACL",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
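Two checks a practitioner wants before attaching the policies above, as an added example (not InsightCloudSec's or AWS's own code): IAM's explicit-deny-over-allow evaluation, showing that the supplemental policy's Deny on s3:GetObject* wins over the s3:Get* Allow that AWS' ReadOnlyAccess grants, and the 6,144-character size quota for a managed policy (whitespace not counted) that forces the customer-managed policy into three parts. The ReadOnlyAccess excerpt is constructed for the example (the real managed policy is far larger) and the quota value is AWS's documented limit.

```python
"""IAM policy checks for this page (added example, not Rapid7 or AWS code).
evaluate() applies IAM decision logic; policy_size() and split_into_parts()
apply the 6,144-character managed-policy quota behind the three-part split."""
import fnmatch
import json
import re

# AWS IAM quota for one managed policy document, counted with whitespace removed.
MANAGED_POLICY_MAX_CHARS = 6144

# Verb prefixes that mark read-only API calls, compared case-insensitively so
# apigateway:GET counts as a read. Anything else is flagged.
READ_ONLY_PREFIXES = ("describe", "get", "list", "batchget", "generate", "simulate")


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action across policies.

    An explicit Deny beats any Allow; no match at all is an implicit deny.
    Resource and Condition are ignored because every statement on this page
    uses Resource "*" with no Condition, so only Action and Effect matter.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny ends evaluation
                decision = "Allow"
    return decision


def policy_size(policy):
    """Character count the way AWS applies the quota: all whitespace removed."""
    return len(re.sub(r"\s", "", json.dumps(policy)))


def non_read_only_actions(policy):
    """Allowed actions whose verb is not a read-only prefix (wildcards included)."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for act in _as_list(stmt["Action"]):
            verb = act.split(":", 1)[1] if ":" in act else act
            if not verb.lower().startswith(READ_ONLY_PREFIXES):
                flagged.append(act)
    return flagged


def single_allow(actions):
    """One Allow statement over Resource "*": the shape of every part on this page."""
    return {"Version": "2012-10-17",
            "Statement": [{"Action": list(actions), "Effect": "Allow", "Resource": "*"}]}


def split_into_parts(actions, max_chars=MANAGED_POLICY_MAX_CHARS):
    """Greedily pack actions into as few policy documents as fit under the quota."""
    parts, current = [], []
    for act in actions:
        if current and policy_size(single_allow(current + [act])) > max_chars:
            parts.append(single_allow(current))
            current = []
        current.append(act)
    if current:
        parts.append(single_allow(current))
    return parts


# Constructed excerpt standing in for AWS' ReadOnlyAccess managed policy; the
# real policy is far larger, these are a few of the wildcards it contains.
READONLY_ACCESS_EXCERPT = single_allow(
    ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:Get*", "s3:List*"])

# The AWS-managed supplemental policy from this page, as a Python dict.
SUPPLEMENTAL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AwsReadOnlyMissingPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["airflow:GetEnvironment", "apprunner:DescribeService",
                    "apprunner:ListServices", "memorydb:DescribeClusters",
                    "memorydb:DescribeSubnetGroups", "memorydb:ListTags",
                    "pricing:GetProducts", "support:*", "timestream:DescribeEndpoints",
                    "timestream:ListDatabases", "timestream:ListTables"]},
        {"Sid": "AwsReadOnlyDenyPermissions", "Effect": "Deny", "Resource": "*",
         "Action": ["s3:GetObject*"]},
    ],
}
```

With both documents attached, `evaluate([READONLY_ACCESS_EXCERPT, SUPPLEMENTAL], "s3:GetObject")` returns "Deny" while "s3:GetBucketPolicy" returns "Allow", and `non_read_only_actions(SUPPLEMENTAL)` flags only `support:*`. Pasting each of the three customer-managed parts above in as a dict and calling `policy_size()` on it confirms every part sits under the quota.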

Power User

For AWS commercial (non-GovCloud) accounts, there is a single policy for power users that enumerates every service and must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions can be found in the product's release notes.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:*",
                "acm:*",
                "airflow:*",
                "apigateway:*",
                "apprunner:*",
                "appsync:*",
                "athena:*",
                "autoscaling:*",
                "backup:*",
                "batch:*",
                "cloudformation:*",
                "cloudfront:*",
                "cloudsearch:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "cognito-idp:*",
                "config:*",
                "datasync:*",
                "dax:*",
                "directconnect:*",
                "dms:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecs:*",
                "eks:*",
                "elasticbeanstalk:*",
                "elasticache:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "elastictranscoder:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "glue:*",
                "guardduty:*",
                "iam:*",
                "kafka:*",
                "kendra:*",
                "kinesis:*",
                "kinesisvideo:*",
                "kms:*",
                "lambda:*",
                "lightsail:*",
                "logs:*",
                "macie2:*",
                "memorydb:*",
                "mq:*",
                "organizations:*",
                "outposts:*",
                "rds:*",
                "redshift:*",
                "route53:*",
                "route53domains:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "serverlessrepo:*",
                "ses:*",
                "shield:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "timestream:*",
                "transfer:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "pricing:GetProducts",
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

GovCloud User

For AWS GovCloud accounts, there are two policies, shown below in the order standard (read-only) and then power user. Both enumerate every permission and must be manually updated with each new AWS service that InsightCloudSec supports, but the Power User policy is less granular. New required permissions can be found in the product's release notes.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:List*",
                "acm:Describe*",
                "acm:List*",
                "apigateway:GET",
                "athena:Get*",
                "athena:List*",
                "autoscaling:Describe*",
                "batch:Describe*",
                "cloudformation:Describe*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudtrail:Describe*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "codebuild:BatchGet*",
                "codebuild:List*",
                "config:Describe*",
                "datasync:Describe*",
                "datasync:List*",
                "directconnect:Describe*",
                "dms:Describe*",
                "ds:Describe*",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "ec2:Describe*",
                "ec2:Get*",
                "ecr:Describe*",
                "ecr:Get*",
                "ecr:List*",
                "ecs:Describe*",
                "ecs:List*",
                "eks:Describe*",
                "eks:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticbeanstalk:Describe*",
                "elasticfilesystem:Describe*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "es:Describe*",
                "es:List*",
                "events:Describe*",
                "events:List*",
                "firehose:Describe*",
                "firehose:List*",
                "fsx:DescribeFileSystems",
                "glacier:Describe*",
                "glacier:Get*",
                "glacier:List*",
                "glue:Get*",
                "guardduty:Get*",
                "guardduty:List*",
                "iam:GenerateCredentialReport",
                "iam:Get*",
                "iam:List*",
                "iam:SimulatePrincipalPolicy",
                "kafka:List*",
                "kinesis:Describe*",
                "kinesis:List*",
                "kms:Get*",
                "kms:Describe*",
                "kms:List*",
                "lambda:Get*",
                "lambda:List*",
                "logs:Describe*",
                "memorydb:Describe*",
                "memorydb:List*",
                "organizations:Describe*",
                "organizations:List*",
                "outposts:List*",
                "rds:Describe*",
                "rds:List*",
                "redshift:Describe*",
                "redshift:Get*",
                "redshift:List*",
                "route53:Get*",
                "route53:List*",
                "route53resolver:List*",
                "s3:Describe*",
                "s3:Get*",
                "s3:List*",
                "sagemaker:Describe*",
                "sagemaker:List*",
                "secretsmanager:Describe*",
                "secretsmanager:Get*",
                "secretsmanager:List*",
                "serverlessrepo:Get*",
                "serverlessrepo:List*",
                "sns:Get*",
                "sns:List*",
                "sqs:Get*",
                "sqs:List*",
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "sts:GetCallerIdentity",
                "support:*",
                "tag:Get*",
                "transfer:DescribeServer",
                "transfer:DescribeUser",
                "transfer:ListServers",
                "transfer:ListUsers",
                "waf-regional:Get*",
                "waf-regional:List*",
                "workspaces:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:*",
                "acm:*",
                "apigateway:*",
                "athena:*",
                "autoscaling:*",
                "batch:*",
                "cloudformation:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "config:*",
                "datasync:*",
                "directconnect:*",
                "dms:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecs:*",
                "eks:*",
                "elasticache:*",
                "elasticbeanstalk:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "glue:*",
                "guardduty:*",
                "iam:*",
                "kafka:*",
                "kinesis:*",
                "kms:*",
                "lambda:*",
                "logs:*",
                "memorydb:*",
                "organizations:*",
                "outposts:*",
                "rds:*",
                "redshift:*",
                "route53:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "serverlessrepo:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "transfer:*",
                "waf-regional:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

STS Assume Role

The following policy is used to allow InsightCloudSec to securely assume a role within your AWS environment regardless of the selected authentication method. Review AWS Cloud Setup (Single Cloud Account) for more information on the available authentication methods.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Action": "sts:GetCallerIdentity",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Organization Master Account Role

The following policy is used to allow InsightCloudSec access to organizational information. Review AWS Cloud Setup (Organizations) for more information on integrating your AWS Organization(s) with InsightCloudSec.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "organizations:DescribeOrganization",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListPolicies",
                "organizations:ListRoots",
                "organizations:ListTagsForResource",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*"
        }
    ]
}
