AWS Policies
Suggested IAM Policies for AWS Users & Roles
InsightCloudSec offers several different AWS policies for the accounts that will be harvested. Policy usage varies depending on the type of AWS Cloud Setup being used (Single vs. Organization, Commercial vs. GovCloud) and the level of access you want to provide InsightCloudSec (Read Only vs. Power User). The policies provided here include the following:
AWS Commercial Standard Harvesting
- Standard (Read-Only) User -- Policies that enable the minimum access necessary to harvest information from your AWS accounts for use within InsightCloudSec
- AWS-Managed Supplemental Policy -- Policy that supplements the existing AWS ReadOnlyAccess policy with permissions necessary to enable full visibility into your environment for InsightCloudSec
- Power User -- Policies that enable unlimited access to the services that InsightCloudSec supports
AWS GovCloud Standard Harvesting
- GovCloud Standard (Read-Only) User -- Policies that are used to enable harvesting of AWS GovCloud accounts
- GovCloud Power User - Policies that enable expanded access to the GovCloud services that InsightCloudSec supports
Additional Standard Harvesting Policies
- STS Assume Role -- Policy used enable harvesting AWS accounts using the STS Assume Role authentication method; see AWS Cloud Setup (Single Cloud Account) for details
- Organization Master Account Role -- Policy used to harvest AWS organizational information; see AWS Cloud Setup (Organizations) for details
Using the Policies
Copy the policy (or all policy parts) of interest below, then return to one of the aforementioned cloud setup pages. The API calls that are supported with any of the policies can be found in the Supported API Calls section.
AWS Commercial Standard Harvesting
For AWS commercial (non-GovCloud) accounts, there are two options for standard (read-only) users:
- AWS-Managed Supplemental Policy: This option supplements AWS' managed read-only policy. This policy's benefit lies in AWS continually updating the policy for new services, making it easier for you to attach and maintain the policy.
- Customer-Managed Standard Read-Only User Policy: This option outlines the individual read only permissions, e.g.,
List,Describe,Get, etc., for each service InsightCloudSec supports, but this means the policy must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions are announced in our release notes and updated here.
AWS-Managed Supplemental Policy
As mentioned above, this policy supplements the existing AWS ReadOnlyAccess policy (screenshot of this policy within the AWS console follows) with permissions necessary to enable full visibility into your environment for InsightCloudSec. The supplemental policy can be obtained from our public S3 bucket. Note: InsightCloudSec highly recommends that you verify you have the latest supplemental read only policy after each release. If you have questions or concerns about implementing this policy or its scope, reach out to us via the Customer Support Portal.
AWS' ReadOnlyAccess Policy
Customer-Managed Standard (Read-Only) User Policy
The customer-managed policy consists of three parts (the permissions have exceeded AWS's limitation on policy size). These policies only contain read only-type permissions, e.g., List, Describe, Get, etc., and as such, will need to be updated any time InsightCloudSec supports a new AWS Service. There is no significance to how the policy permissions are separated except for ease of reading.
Note: This means you'll need to create three separate policies: one for each part.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:ListAnalyzers",
"access-analyzer:ListFindings",
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:ListTagsForCertificate",
"airflow:GetEnvironment",
"airflow:ListEnvironments",
"apigateway:GET",
"apprunner:DescribeService",
"apprunner:ListServices",
"appsync:GetApiCache",
"appsync:ListDataSources",
"appsync:ListGraphqlApis",
"athena:GetWorkGroup",
"athena:ListQueryExecutions",
"athena:ListWorkGroups",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"backup:GetBackupVaultAccessPolicy",
"backup:ListBackupVaults",
"batch:DescribeComputeEnvironments",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudformation:ListStacks",
"cloudfront:GetDistribution",
"cloudfront:GetStreamingDistribution",
"cloudfront:ListDistributions",
"cloudfront:ListStreamingDistributions",
"cloudfront:ListTagsForResource",
"cloudhsm:DescribeClusters",
"cloudsearch:DescribeAvailabilityOptions",
"cloudsearch:DescribeDomains",
"cloudsearch:DescribeDomainEndpointOptions",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudsearch:ListDomainNames",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetInsightSelectors",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"codebuild:BatchGetProjects",
"codebuild:ListProjects",
"cognito-idp:DescribeUserPool",
"cognito-idp:ListUserPools",
"cognito-idp:ListIdentityProviders",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannelStatus",
"config:DescribeDeliveryChannels",
"datasync:DescribeTask",
"datasync:ListLocations",
"datasync:ListTasks",
"dax:DescribeClusters",
"directconnect:DescribeConnections",
"dms:DescribeReplicationInstances",
"ds:DescribeDirectories",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeTable",
"dynamodb:ListBackups",
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeFlowLogs",
"ec2:DescribeHosts",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeImportImageTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTrafficMirrorTargets",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcEndpointConnections",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetConsoleOutput",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetManagedPrefixListEntries",
"ec2:GetSerialConsoleAccessStatus",
"ec2:SearchTransitGatewayRoutes",
"ecr:DescribeImageReplicationStatus",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DescribePullThroughCacheRules",
"ecr:DescribeRegistry",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRegistryPolicy",
"ecr:GetRegistryScanningConfiguration",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource",
"ecr-public:DescribeImages",
"ecr-public:DescribeRepositories",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:DescribeNodeGroup",
"eks:ListClusters",
"eks:ListNodeGroups"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribePlatformVersion",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeSnapshots",
"elasticache:ListTagsForResource",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"elasticmapreduce:ListSecurityConfigurations",
"elastictranscoder:ListPipelines",
"es:DescribeElasticsearchDomains",
"es:DescribeReservedElasticsearchInstances",
"es:ListDomainNames",
"es:ListTags",
"events:DescribeEventBus",
"events:ListEventBuses",
"events:ListRules",
"events:ListTargetsByRule",
"firehose:DescribeDeliveryStream",
"firehose:ListDeliveryStreams",
"firehose:ListTagsForDeliveryStream",
"fsx:DescribeFileSystems",
"glacier:DescribeVault",
"glacier:GetVaultAccessPolicy",
"glacier:GetVaultLock",
"glacier:ListTagsForVault",
"glacier:ListVaults",
"glue:GetDatabases",
"glue:GetDataCatalogEncryptionSettings",
"glue:GetResourcePolicy",
"glue:GetSecurityConfigurations",
"glue:ListCrawlers",
"glue:ListRegistries",
"guardduty:GetDetector",
"guardduty:GetFindings",
"guardduty:GetMasterAccount",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"guardduty:ListMembers",
"iam:GenerateCredentialReport",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetServerCertificate",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListMFADevices",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListRoleTags",
"iam:ListSAMLProviders",
"iam:ListServerCertificates",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListUserTags",
"iam:SimulatePrincipalPolicy",
"inspector2:ListCoverage",
"inspector2:ListFindings",
"kafka:ListClusters",
"kafka:ListClustersV2",
"kendra:DescribeIndex",
"kendra:ListIndices",
"kinesis:DescribeStream",
"kinesis:ListShards",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesisvideo:DescribeStream",
"kinesisvideo:ListStreams",
"kinesisvideo:ListTagsForStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeys",
"lambda:GetAccountSettings",
"lambda:GetFunction",
"lambda:GetFunctionUrlConfig",
"lambda:GetLayerVersionPolicy",
"lambda:GetPolicy",
"lambda:ListFunctions",
"lambda:ListLayers",
"lambda:ListTags",
"lightsail:GetContainerServices",
"lightsail:GetDisks",
"lightsail:GetInstances",
"lightsail:GetLoadBalancers",
"lightsail:GetRelationalDatabases",
"logs:DescribeDestinations",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"macie2:GetFindings",
"macie2:ListFindings",
"macie2:GetMacieSession",
"memorydb:DescribeClusters",
"memorydb:DescribeSubnetGroups",
"memorydb:ListTags",
"mq:DescribeBroker",
"mq:ListBrokers",
"organizations:DescribeOrganization",
"organizations:DescribePolicy",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:ListTargetsForPolicy",
"outposts:ListOutposts",
"pricing:GetProducts"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rbin:GetRule",
"rbin:ListRules",
"rds:DescribeDBClusterParameterGroups",
"rds:DescribeDBClusterParameters",
"rds:DescribeDbClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBProxies",
"rds:DescribeDbSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:DescribeEventSubscriptions",
"rds:DescribeOptionGroups",
"rds:DescribeReservedDBInstances",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusters",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeClusterSubnetGroups",
"redshift:DescribeLoggingStatus",
"redshift:DescribeTags",
"route53:GetDNSSEC",
"route53:GetHostedZone",
"route53:ListGeoLocations",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListHostedZonesByVpc",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"route53:ListTagsForResources",
"route53:ListVPCAssociationAuthorizations",
"route53domains:GetDomainDetail",
"route53domains:ListDomains",
"route53resolver:ListResolverQueryLogConfigs",
"route53resolver:ListResolverQueryLogConfigAssociations",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"sagemaker:DescribeNotebookInstance",
"sagemaker:ListNotebookInstances",
"sagemaker:ListTags",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"serverlessrepo:GetApplication",
"serverlessrepo:GetApplicationPolicy",
"serverlessrepo:ListApplications",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityMailFromDomainAttributes",
"ses:GetIdentityNotificationAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"shield:DescribeEmergencyContactSettings",
"shield:GetSubscriptionState",
"shield:ListAttacks",
"shield:ListProtections",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"ssm:DescribeDocument",
"ssm:DescribeDocumentPermission",
"ssm:DescribeInstanceInformation",
"ssm:DescribeParameters",
"ssm:GetDocument",
"ssm:GetServiceSetting",
"ssm:ListDocuments",
"ssm:ListDocumentVersions",
"states:DescribeStateMachine",
"states:ListStateMachines",
"storagegateway:DescribeGatewayInformation",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSMBFileShares",
"storagegateway:ListFileShares",
"storagegateway:ListGateways",
"sts:GetCallerIdentity",
"support:*",
"tag:GetResources",
"timestream:DescribeEndpoints",
"timestream:ListDatabases",
"timestream:ListTables",
"transfer:DescribeServer",
"transfer:DescribeUser",
"transfer:ListServers",
"transfer:ListUsers",
"transcribe:GetMedicalTranscriptionJob",
"transcribe:GetTranscriptionJob",
"transcribe:ListMedicalTranscriptionJobs",
"transcribe:ListTranscriptionJobs",
"waf-regional:GetRule",
"waf-regional:GetWebACL",
"waf-regional:ListResourcesForWebACL",
"waf-regional:ListRules",
"waf-regional:ListWebACLs",
"waf:GetChangeToken",
"waf:GetRule",
"waf:GetWebACL",
"waf:ListLoggingConfigurations",
"waf:ListRules",
"waf:ListWebACLs",
"wafv2:GetWebACL",
"wafv2:ListWebACLs",
"wafv2:ListLoggingConfigurations",
"wafv2:ListResourcesForWebACL",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspacesConnectionStatus"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
AWS Commercial Power User Policy
For AWS commercial (non-GovCloud) accounts, there is a single policy for power users that provides wildcard access to every service that InsightCloudSec supports. This policy must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions are announced in our release notes and updated here.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ICSPowerUserWildcardPermissions",
"Action": [
"access-analyzer:*",
"acm:*",
"airflow:*",
"apigateway:*",
"apprunner:*",
"appsync:*",
"athena:*",
"autoscaling:*",
"backup:*",
"batch:*",
"cloudformation:*",
"cloudfront:*",
"cloudhsm:*",
"cloudsearch:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"cognito-idp:*",
"config:*",
"datasync:*",
"dax:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ec2:*",
"ecr:*",
"ecr-public:*",
"ecs:*",
"eks:*",
"elasticbeanstalk:*",
"elasticache:*",
"elasticfilesystem:*",
"elasticloadbalancing:*",
"elasticmapreduce:*",
"elastictranscoder:*",
"es:*",
"events:*",
"firehose:*",
"fsx:*",
"glacier:*",
"glue:*",
"guardduty:*",
"kafka:*",
"kendra:*",
"kinesis:*",
"kinesisvideo:*",
"kms:*",
"lambda:*",
"lightsail:*",
"logs:*",
"macie2:*",
"memorydb:*",
"mq:*",
"organizations:*",
"outposts:*",
"rbin:*",
"rds:*",
"redshift:*",
"route53:*",
"route53domains:*",
"route53resolver:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"serverlessrepo:*",
"ses:*",
"shield:*",
"sns:*",
"sqs:*",
"ssm:*",
"states:*",
"storagegateway:*",
"support:*",
"tag:*",
"timestream:*",
"transcribe:*",
"transfer:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"workspaces:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "ICSPowerUserIndividualPermissions",
"Action": [
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AddRoleToInstanceProfile",
"iam:AddUserToGroup",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateAccountAlias",
"iam:CreateGroup",
"iam:CreateInstanceProfile",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateServiceLinkedRole",
"iam:CreateServiceSpecificCredential",
"iam:CreateUser",
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteAccessKey",
"iam:DeleteAccountAlias",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteServerCertificate",
"iam:DeleteServiceLinkedRole",
"iam:DeleteServiceSpecificCredential",
"iam:DeleteSigningCertificate",
"iam:DeleteSSHPublicKey",
"iam:DeleteUser",
"iam:DeleteUserPermissionsBoundary",
"iam:DeleteUserPolicy",
"iam:DeleteVirtualMFADevice",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:EnableMFADevice",
"iam:GenerateCredentialReport",
"iam:GenerateOrganizationsAccessReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetContextKeysForCustomPolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetOrganizationsAccessReport",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetServerCertificate",
"iam:GetServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:GetServiceLinkedRoleDeletionStatus",
"iam:GetSSHPublicKey",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListInstanceProfileTags",
"iam:ListMFADevices",
"iam:ListMFADeviceTags",
"iam:ListOpenIDConnectProviders",
"iam:ListOpenIDConnectProviderTags",
"iam:ListPolicies",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListPolicyTags",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListRoleTags",
"iam:ListSAMLProviders",
"iam:ListSAMLProviderTags",
"iam:ListServerCertificates",
"iam:ListServerCertificateTags",
"iam:ListServiceSpecificCredentials",
"iam:ListSigningCertificates",
"iam:ListSSHPublicKeys",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListUserTags",
"iam:ListVirtualMFADevices",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:PutUserPermissionsBoundary",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveRoleFromInstanceProfile",
"iam:RemoveUserFromGroup",
"iam:ResetServiceSpecificCredential",
"iam:ResyncMFADevice",
"iam:SetDefaultPolicyVersion",
"iam:SetSecurityTokenServicePreferences",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:TagInstanceProfile",
"iam:TagMFADevice",
"iam:TagOpenIDConnectProvider",
"iam:TagPolicy",
"iam:TagRole",
"iam:TagSAMLProvider",
"iam:TagServerCertificate",
"iam:TagUser",
"iam:UntagInstanceProfile",
"iam:UntagMFADevice",
"iam:UntagOpenIDConnectProvider",
"iam:UntagPolicy",
"iam:UntagRole",
"iam:UntagSAMLProvider",
"iam:UntagServerCertificate",
"iam:UntagUser",
"iam:UpdateAccessKey",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateRole",
"iam:UpdateRoleDescription",
"iam:UpdateSAMLProvider",
"iam:UpdateServerCertificate",
"iam:UpdateServiceSpecificCredential",
"iam:UpdateSigningCertificate",
"iam:UpdateSSHPublicKey",
"iam:UpdateUser",
"iam:UploadServerCertificate",
"iam:UploadSigningCertificate",
"iam:UploadSSHPublicKey",
"inspector2:ListCoverage",
"inspector2:ListFindings",
"pricing:GetProducts",
"sts:GetCallerIdentity"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
AWS GovCloud Standard Harvesting
GovCloud Standard (Read-Only) User Policy
For AWS GovCloud accounts, there are two policies to support read-only users. Each policy must be manually updated with each new AWS GovCloud service that InsightCloudSec supports for the GovCloud Standard Read-Only policy.
New required permissions are announced in our release notes and updated here.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:ListAnalyzers",
"access-analyzer:ListFindings",
"acm:DescribeCertificate",
"acm:ListCertificates",
"apigateway:GET",
"athena:GetWorkGroup",
"athena:ListQueryExecutions",
"athena:ListWorkGroups",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:DescribeWarmPool",
"backup:*",
"batch:DescribeComputeEnvironments",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudformation:ListStacks",
"cloudhsm:DescribeClusters",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetInsightSelectors",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"codebuild:BatchGetProjects",
"codebuild:ListProjects",
"cognito-idp:DescribeUserPool",
"cognito-idp:ListIdentityProviders",
"cognito-idp:ListUserPools",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeDeliveryChannels",
"config:DescribeDeliveryChannelStatus",
"datasync:DescribeTask",
"datasync:ListLocations",
"datasync:ListTasks",
"directconnect:DescribeConnections",
"dms:DescribeReplicationInstances",
"ds:DescribeDirectories",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeTable",
"dynamodb:ListBackups",
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeFlowLogs",
"ec2:DescribeHosts",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTrafficMirrorTargets",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGateways",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeVolumes",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcEndpointConnections",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetConsoleOutput",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetManagedPrefixListEntries",
"ec2:GetSerialConsoleAccessStatus",
"ec2:SearchTransitGatewayRoutes",
"ecr:DescribeImageReplicationStatus",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DescribePullThroughCacheRules",
"ecr:DescribeRegistry",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRegistryPolicy",
"ecr:GetRegistryScanningConfiguration",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListNodegroups",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeSnapshots",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribePlatformVersion",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"elasticmapreduce:ListSecurityConfigurations",
"es:DescribeElasticsearchDomains",
"es:DescribeReservedElasticsearchInstances",
"es:ListDomainNames",
"events:DescribeEventBus",
"events:ListEventBuses",
"events:ListRules",
"events:ListTargetsByRule",
"firehose:DescribeDeliveryStream",
"firehose:ListDeliveryStreams",
"firehose:ListTagsForDeliveryStream",
"fsx:DescribeFileSystems",
"glacier:DescribeVault",
"glacier:GetVaultAccessPolicy",
"glacier:GetVaultLock",
"glacier:ListTagsForVault",
"glacier:ListVaults",
"glue:GetDatabases",
"glue:GetDataCatalogEncryptionSettings",
"glue:GetResourcePolicy",
"glue:GetSecurityConfigurations",
"glue:ListCrawlers",
"glue:ListRegistries",
"guardduty:GetDetector",
"guardduty:GetFindings",
"guardduty:GetMasterAccount",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"guardduty:ListMembers"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:GenerateCredentialReport",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetServerCertificate",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListMFADevices",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:ListSAMLProviders",
"iam:ListServerCertificates",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers",
"iam:SimulatePrincipalPolicy",
"kafka:ListClusters",
"kafka:ListClustersV2",
"kendra:DescribeIndex",
"kendra:ListIndices",
"kinesis:DescribeStream",
"kinesis:ListShards",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeys",
"lambda:GetAccountSettings",
"lambda:GetFunction",
"lambda:GetLayerVersionPolicy",
"lambda:GetPolicy",
"lambda:ListFunctions",
"lambda:ListLayers",
"lambda:ListTags",
"logs:DescribeDestinations",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"memorydb:DescribeClusters",
"memorydb:DescribeSubnetGroups",
"memorydb:ListTags",
"mq:DescribeBroker",
"mq:ListBrokers",
"organizations:DescribeOrganization",
"organizations:DescribePolicy",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:ListTargetsForPolicy",
"outposts:ListOutposts",
"rbin:GetRule",
"rbin:ListRules",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshots",
"rds:DescribeDbProxies",
"rds:DescribeEventSubscriptions",
"rds:DescribeOptionGroups",
"rds:DescribePendingMaintenanceActions",
"rds:DescribeReservedDBInstances",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeClusterSubnetGroups",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:GetHostedZone",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListHostedZonesByVpc",
"route53:ListResourceRecordSets",
"route53:ListVPCAssociationAuthorizations",
"route53resolver:ListResolverQueryLogConfigAssociations",
"route53resolver:ListResolverQueryLogConfigs",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"sagemaker:DescribeNotebookInstance",
"sagemaker:ListNotebookInstances",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"serverlessrepo:GetApplication",
"serverlessrepo:GetApplicationPolicy",
"serverlessrepo:ListApplications",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityMailFromDomainAttributes",
"ses:GetIdentityNotificationAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"ssm:DescribeDocument",
"ssm:DescribeDocumentPermission",
"ssm:DescribeInstanceInformation",
"ssm:DescribeParameters",
"ssm:GetDocument",
"ssm:GetServiceSetting",
"ssm:ListDocumentVersions",
"ssm:ListDocuments",
"states:DescribeStateMachine",
"states:ListStateMachines",
"storagegateway:DescribeGatewayInformation",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSMBFileShares",
"storagegateway:ListFileShares",
"storagegateway:ListGateways",
"sts:GetCallerIdentity",
"support:*",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"support:RefreshTrustedAdvisorCheck",
"tag:GetResources",
"transcribe:GetMedicalTranscriptionJob",
"transcribe:GetTranscriptionJob",
"transcribe:ListMedicalTranscriptionJobs",
"transcribe:ListTranscriptionJobs",
"transfer:DescribeServer",
"transfer:DescribeUser",
"transfer:ListServers",
"transfer:ListUsers",
"wafv2:GetWebACL",
"wafv2:ListLoggingConfigurations",
"wafv2:ListResourcesForWebACL",
"wafv2:ListWebACLs",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspacesConnectionStatus"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
GovCloud Power User Policy
AWS GovCloud Power User Policy is provided below. This policy must be manually updated with each new AWS GovCloud service that InsightCloudSec supports. New required permissions are announced in our release notes and updated here.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:*",
"acm:*",
"apigateway:*",
"athena:*",
"autoscaling:*",
"batch:*",
"cloudformation:*",
"cloudhsm:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"config:*",
"datasync:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticache:*",
"elasticbeanstalk:*",
"elasticfilesystem:*",
"elasticloadbalancing:*",
"elasticmapreduce:*",
"es:*",
"events:*",
"firehose:*",
"fsx:*",
"glacier:*",
"glue:*",
"guardduty:*",
"iam:*",
"kafka:*",
"kendra:*",
"kinesis:*",
"kms:*",
"lambda:*",
"logs:*",
"memorydb:*",
"organizations:*",
"outposts:*",
"rbin:*",
"rds:*",
"redshift:*",
"route53:*",
"route53resolver:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"serverlessrepo:*",
"sns:*",
"sqs:*",
"ssm:*",
"states:*",
"storagegateway:*",
"support:*",
"tag:*",
"transfer:*",
"transcribe:*",
"waf-regional:*",
"workspaces:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sts:GetCallerIdentity"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Organization Master Account Role
The following policy is used to allow InsightCloudSec access to organizational information. Review AWS Cloud Setup (Organizations) for more information on integrating your AWS Organization(s) with InsightCloudSec.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListPolicies",
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:ListTargetsForPolicy"
],
"Resource": "*"
}
]
}
Updated 11 days ago
Did this page help you?