AWS Policies

Suggested IAM Policies for AWS Users & Roles

InsightCloudSec offers several different AWS policies for the accounts that will be harvested. Policy usage varies depending on the type of AWS Cloud Setup being used (Single vs. Organization, Commercial vs. GovCloud) and the level of access you want to provide InsightCloudSec (Read Only vs. Power User). The policies provided here include the following:

AWS Commercial Standard Harvesting

  • Standard (Read-Only) User -- Policies that enable the minimum access necessary to harvest information from your AWS accounts for use within InsightCloudSec
  • AWS-Managed Supplemental Policy -- Policy that supplements the existing AWS ReadOnlyAccess policy with permissions necessary to enable full visibility into your environment for InsightCloudSec
  • Power User -- Policies that enable unlimited access to the services that InsightCloudSec supports

AWS GovCloud Standard Harvesting

  • GovCloud Standard (Read-Only) User -- Policies that are used to enable harvesting of AWS GovCloud accounts
  • GovCloud Power User -- Policies that enable expanded access to the GovCloud services that InsightCloudSec supports

Additional Standard Harvesting Policies


Using the Policies

Copy the policy (or all policy parts) of interest below, then return to one of the aforementioned cloud setup pages. The API calls that are supported with any of the policies can be found in the Supported API Calls section.

AWS Commercial Standard Harvesting

For AWS commercial (non-GovCloud) accounts, there are two options for standard (read-only) users:

  • AWS-Managed Supplemental Policy: This option supplements AWS' managed read-only policy. This policy's benefit lies in AWS continually updating the policy for new services, making it easier for you to attach and maintain the policy.
  • Customer-Managed Standard Read-Only User Policy: This option outlines the individual read-only permissions, e.g., List, Describe, Get, etc., for each service InsightCloudSec supports, but this means the policy must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions are announced in our release notes and updated here.

AWS-Managed Supplemental Policy

As mentioned above, this policy supplements the existing AWS ReadOnlyAccess policy (a screenshot of this policy within the AWS console follows) with the permissions necessary to enable full visibility into your environment for InsightCloudSec. The supplemental policy can be obtained from our public S3 bucket. Note: InsightCloudSec highly recommends that you verify that you have the latest supplemental read-only policy after each release. If you have questions or concerns about implementing this policy or its scope, reach out to us via the Customer Support Portal.


AWS' ReadOnlyAccess Policy

Customer-Managed Standard (Read-Only) User Policy

The customer-managed policy consists of three parts (the full set of permissions exceeds AWS's limit on policy size). These policies contain only read-only permissions, e.g., List, Describe, Get, etc., and as such will need to be updated any time InsightCloudSec supports a new AWS service. There is no significance to how the permissions are divided between the parts other than ease of reading.

Note: This means you'll need to create three separate policies: one for each part.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:ListAnalyzers",
                "access-analyzer:ListFindings",
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:ListTagsForCertificate",
                "airflow:GetEnvironment",
                "airflow:ListEnvironments",
                "apigateway:GET",
                "apprunner:DescribeService",
                "apprunner:ListServices",
                "appstream:DescribeFleets",
                "appsync:GetApiCache",
                "appsync:ListDataSources",
                "appsync:ListGraphqlApis",
                "athena:GetWorkGroup",
                "athena:ListQueryExecutions",
                "athena:ListWorkGroups",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "backup:GetBackupVaultAccessPolicy",
                "backup:ListBackupVaults",
                "batch:DescribeComputeEnvironments",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks",
                "cloudfront:GetDistribution",
                "cloudfront:GetStreamingDistribution",
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions",
                "cloudfront:ListTagsForResource",
                "cloudhsm:DescribeClusters",
                "cloudsearch:DescribeAvailabilityOptions",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeDomainEndpointOptions",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudsearch:ListDomainNames",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "codebuild:BatchGetProjects",
                "codebuild:ListProjects",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:ListUserPools",
                "cognito-idp:ListIdentityProviders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeDeliveryChannelStatus",
                "config:DescribeDeliveryChannels",
                "datasync:DescribeTask",
                "datasync:ListLocations",
                "datasync:ListTasks",
                "dax:DescribeClusters",
                "directconnect:DescribeConnections",
                "dms:DescribeReplicationInstances",
                "ds:DescribeDirectories",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHosts",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:GetConsoleOutput",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetManagedPrefixListEntries",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2:SearchTransitGatewayRoutes",
                "ecr:DescribeImageReplicationStatus",
                "ecr:DescribeImages",
                "ecr:DescribeImageScanFindings",
                "ecr:DescribePullThroughCacheRules",
                "ecr:DescribeRegistry",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetRegistryPolicy",
                "ecr:GetRegistryScanningConfiguration",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:ListTagsForResource",
                "ecr-public:DescribeImages",
                "ecr-public:DescribeRepositories",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeServices",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListServices",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "eks:DescribeCluster",
                "eks:DescribeNodeGroup",
                "eks:ListClusters",
                "eks:ListNodeGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribePlatformVersion",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:DescribeSnapshots",
                "elasticache:ListTagsForResource",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeTags",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "elasticmapreduce:ListBootstrapActions",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "elasticmapreduce:ListSecurityConfigurations",
                "elastictranscoder:ListPipelines",
                "es:DescribeElasticsearchDomains",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "es:ListTags",
                "events:DescribeEventBus",
                "events:ListEventBuses",
                "events:ListRules",
                "events:ListTargetsByRule",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "firehose:ListTagsForDeliveryStream",
                "fsx:DescribeFileSystems",
                "glacier:DescribeVault",
                "glacier:GetVaultAccessPolicy",
                "glacier:GetVaultLock",
                "glacier:ListTagsForVault",
                "glacier:ListVaults",
                "glue:GetDatabases",
                "glue:GetDataCatalogEncryptionSettings",
                "glue:GetResourcePolicy",
                "glue:GetSecurityConfigurations",
                "glue:ListCrawlers",
                "glue:ListRegistries",
                "guardduty:GetDetector",
                "guardduty:GetFindings",
                "guardduty:GetMasterAccount",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListMembers",
                "iam:GenerateCredentialReport",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetLoginProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetSAMLProvider",
                "iam:GetServerCertificate",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles",
                "iam:ListMFADevices",
                "iam:ListOpenIDConnectProviders",
                "iam:ListPolicies",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:ListSAMLProviders",
                "iam:ListServerCertificates",
                "iam:ListSigningCertificates",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:ListUserTags",
                "iam:SimulatePrincipalPolicy",
                "inspector2:ListCoverage",
                "inspector2:ListFindings",
                "kafka:ListClusters",
                "kafka:ListClustersV2",
                "kendra:DescribeIndex",
                "kendra:ListIndices",
                "kinesis:DescribeStream",
                "kinesis:ListShards",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kinesisvideo:DescribeStream",
                "kinesisvideo:ListStreams",
                "kinesisvideo:ListTagsForStream",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "lambda:GetAccountSettings",
                "lambda:GetFunction",
                "lambda:GetFunctionUrlConfig",
                "lambda:GetLayerVersionPolicy",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "lambda:ListLayers",
                "lambda:ListTags",
                "lightsail:GetContainerServices",
                "lightsail:GetDisks",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "lightsail:GetRelationalDatabases",
                "logs:DescribeDestinations",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "lookoutequipment:DescribeDataset",
                "lookoutequipment:ListDatasets",
                "macie2:GetFindings",
                "macie2:ListFindings",
                "macie2:GetMacieSession",
                "memorydb:DescribeClusters",
                "memorydb:DescribeSubnetGroups",
                "memorydb:ListTags",
                "mq:DescribeBroker",
                "mq:ListBrokers",
                "organizations:DescribeOrganization",
                "organizations:DescribePolicy",
                "organizations:ListAccounts",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy",
                "outposts:ListOutposts",
                "pricing:GetProducts"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:DescribeAccountSettings",
                "quicksight:DescribeAccountSubscription",
                "quicksight:DescribeIpRestriction",
                "quicksight:ListUsers",
                "rbin:GetRule",
                "rbin:ListRules",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDbClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBProxies",
                "rds:DescribeDbSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeReservedDBInstances",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameterGroups",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeLoggingStatus",
                "redshift:DescribeTags",
                "redshift-serverless:ListNamespaces",
                "redshift-serverless:ListWorkgroups",
                "route53:GetDNSSEC",
                "route53:GetHostedZone",
                "route53:ListGeoLocations",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListHostedZonesByVpc",
                "route53:ListResourceRecordSets",
                "route53:ListTagsForResource",
                "route53:ListTagsForResources",
                "route53:ListVPCAssociationAuthorizations",
                "route53domains:GetDomainDetail",
                "route53domains:ListDomains",
                "route53resolver:ListResolverQueryLogConfigs",
                "route53resolver:ListResolverQueryLogConfigAssociations",
                "s3:GetAccessPointPolicy",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetReplicationConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:ListNotebookInstances",
                "sagemaker:ListTags",
                "savingsplans:DescribeSavingsPlans",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:ListSecrets",
                "serverlessrepo:GetApplication",
                "serverlessrepo:GetApplicationPolicy",
                "serverlessrepo:ListApplications",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityMailFromDomainAttributes",
                "ses:GetIdentityNotificationAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "shield:DescribeEmergencyContactSettings",
                "shield:GetSubscriptionState",
                "shield:ListAttacks",
                "shield:ListProtections",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "ssm:DescribeDocument",
                "ssm:DescribeDocumentPermission",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeParameters",
                "ssm:GetDocument",
                "ssm:GetServiceSetting",
                "ssm:ListDocuments",
                "ssm:ListDocumentVersions",
                "states:DescribeStateMachine",
                "states:ListStateMachines",
                "storagegateway:DescribeGatewayInformation",
                "storagegateway:DescribeNFSFileShares",
                "storagegateway:DescribeSMBFileShares",
                "storagegateway:DescribeSMBSettings",
                "storagegateway:ListFileShares",
                "storagegateway:ListGateways",
                "sts:GetCallerIdentity",
                "support:*",
                "tag:GetResources",
                "timestream:DescribeEndpoints",
                "timestream:ListDatabases",
                "timestream:ListTables",
                "transfer:DescribeServer",
                "transfer:DescribeUser",
                "transfer:ListServers",
                "transfer:ListUsers",
                "transcribe:GetMedicalTranscriptionJob",
                "transcribe:GetTranscriptionJob",
                "transcribe:ListMedicalTranscriptionJobs",
                "transcribe:ListTranscriptionJobs",
                "waf-regional:GetRule",
                "waf-regional:GetWebACL",
                "waf-regional:ListResourcesForWebACL",
                "waf-regional:ListRules",
                "waf-regional:ListWebACLs",
                "waf:GetChangeToken",
                "waf:GetRule",
                "waf:GetWebACL",
                "waf:ListLoggingConfigurations",
                "waf:ListRules",
                "waf:ListWebACLs",
                "wafv2:GetWebACL",
                "wafv2:ListWebACLs",
                "wafv2:ListLoggingConfigurations",
                "wafv2:ListResourcesForWebACL",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
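
Before attaching the three parts, it is worth checking that they still match what the text above promises. The script below is an added example, not InsightCloudSec's or AWS's own tooling: it measures each part against the 6,144-character customer-managed-policy limit that forced the split (AWS does not count whitespace), confirms every statement is a plain Allow on Resource "*", classifies each action as read-only (List/Describe/Get), wildcard, or needing review, and reports any action repeated across parts. The policy parts embedded in it are constructed for the demonstration, and the action names in the oversized part are placeholders rather than real IAM actions.

```python
"""Sanity-check split IAM policy parts before attaching them (added example)."""
import json

# AWS limit for a customer managed policy document: 6,144 characters,
# not counting whitespace. This limit is why the read-only policy on this
# page is split into three parts.
MANAGED_POLICY_CHAR_LIMIT = 6144

# Verb prefixes the page describes as read-only ("List, Describe, Get, etc.").
# Compared case-insensitively, because IAM action names are case-insensitive
# (so "apigateway:GET" counts as a Get).
READ_ONLY_VERBS = ("list", "describe", "get")


def policy_size(policy):
    """Character count of the policy with whitespace removed, as AWS counts it."""
    return len(json.dumps(policy, separators=(",", ":")))


def statement_actions(statement):
    """Return the statement's Action element as a list (it may be a bare string)."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def classify_action(action):
    """Return 'wildcard', 'read-only' or 'review' for one IAM action string."""
    if "*" in action:
        return "wildcard"
    service, _, verb = action.partition(":")
    if not service or not verb:
        return "review"
    return "read-only" if verb.lower().startswith(READ_ONLY_VERBS) else "review"


def check_policy_parts(parts):
    """Check a list of policy documents that are meant to be attached together.

    Returns a dict of findings keyed by check name; empty lists mean clean.
    Part numbers are 1-based to match "part one / two / three" in the text.
    """
    findings = {"oversized": [], "not_plain_allow": [], "wildcard": [],
                "review": [], "duplicate": []}
    seen = {}  # lower-cased action -> part number where it first appeared
    for idx, policy in enumerate(parts, start=1):
        if policy_size(policy) > MANAGED_POLICY_CHAR_LIMIT:
            findings["oversized"].append(idx)
        for stmt in policy.get("Statement", []):
            # Every part on this page is a single Allow on Resource "*";
            # anything else means the document was edited or mis-pasted.
            if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
                findings["not_plain_allow"].append(idx)
            for action in statement_actions(stmt):
                kind = classify_action(action)
                if kind != "read-only":
                    findings[kind].append(action)
                key = action.lower()
                if key in seen:
                    findings["duplicate"].append(action)
                else:
                    seen[key] = idx
    return findings


# Constructed sample parts (not the page's policy). Part 1 is clean; part 2
# contains a wildcard, an action whose verb is not List/Describe/Get, and a
# repeat of an action already granted in part 1.
SAMPLE_PARTS = [
    {"Version": "2012-10-17", "Statement": [{"Action": [
        "s3:GetBucketAcl", "s3:ListAllMyBuckets", "ec2:DescribeInstances",
        "apigateway:GET"], "Effect": "Allow", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [{"Action": [
        "support:*", "iam:SimulatePrincipalPolicy", "s3:GetBucketAcl",
        "kms:ListKeys"], "Effect": "Allow", "Resource": "*"}]},
]

# A synthetic third part with far too many actions, to exercise the size
# check; the action names are placeholders, not real IAM actions.
OVERSIZED_PART = {"Version": "2012-10-17", "Statement": [{
    "Action": [f"example:DescribePlaceholder{i}" for i in range(300)],
    "Effect": "Allow", "Resource": "*"}]}


if __name__ == "__main__":
    report = check_policy_parts(SAMPLE_PARTS + [OVERSIZED_PART])
    print(json.dumps(report, indent=2))
```

To run it against the real parts, replace the constructed lists with `json.load()` of the three saved policy files; "review" findings are actions to look at, not necessarily errors.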

AWS Commercial Power User Policy

For AWS commercial (non-GovCloud) accounts, there is a single policy for power users that provides wildcard access to every service that InsightCloudSec supports. This policy must be manually updated with each new AWS service that InsightCloudSec supports. New required permissions are announced in our release notes and updated here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ICSPowerUserWildcardPermissions",
            "Action": [
                "access-analyzer:*",
                "acm:*",
                "airflow:*",
                "apigateway:*",
                "apprunner:*",
                "appstream:*",
                "appsync:*",
                "athena:*",
                "autoscaling:*",
                "backup:*",
                "batch:*",
                "cloudformation:*",
                "cloudfront:*",
                "cloudhsm:*",
                "cloudsearch:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "cognito-idp:*",
                "config:*",
                "datasync:*",
                "dax:*",
                "directconnect:*",
                "dms:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecr-public:*",
                "ecs:*",
                "eks:*",
                "elasticache:*",
                "elasticbeanstalk:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "elastictranscoder:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "glue:*",
                "guardduty:*",
                "kafka:*",
                "kendra:*",
                "kinesis:*",
                "kinesisvideo:*",
                "kms:*",
                "lambda:*",
                "lightsail:*",
                "logs:*",
                "lookoutequipment:*",
                "macie2:*",
                "memorydb:*",
                "mq:*",
                "organizations:*",
                "outposts:*",
                "quicksight:*",
                "rbin:*",
                "rds:*",
                "redshift:*",
                "redshift-serverless:*",
                "route53:*",
                "route53domains:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "serverlessrepo:*",
                "ses:*",
                "shield:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "states:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "timestream:*",
                "transcribe:*",
                "transfer:*",
                "waf:*",
                "waf-regional:*",
                "wafv2:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "ICSPowerUserIndividualPermissions",
            "Action": [
                "iam:AddClientIDToOpenIDConnectProvider",
                "iam:AddRoleToInstanceProfile",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateAccountAlias",
                "iam:CreateGroup",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateSAMLProvider",
                "iam:CreateServiceLinkedRole",
                "iam:CreateServiceSpecificCredential",
                "iam:CreateUser",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteAccessKey",
                "iam:DeleteAccountAlias",
                "iam:DeleteAccountPasswordPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteInstanceProfile",
                "iam:DeleteLoginProfile",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DeleteSAMLProvider",
                "iam:DeleteServerCertificate",
                "iam:DeleteServiceLinkedRole",
                "iam:DeleteServiceSpecificCredential",
                "iam:DeleteSigningCertificate",
                "iam:DeleteSSHPublicKey",
                "iam:DeleteUser",
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteUserPolicy",
                "iam:DeleteVirtualMFADevice",
                "iam:DetachGroupPolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:EnableMFADevice",
                "iam:GenerateCredentialReport",
                "iam:GenerateOrganizationsAccessReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetContextKeysForCustomPolicy",
                "iam:GetContextKeysForPrincipalPolicy",
                "iam:GetCredentialReport",
                "iam:GetGroup",
                "iam:GetGroupPolicy",
                "iam:GetInstanceProfile",
                "iam:GetLoginProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetOrganizationsAccessReport",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetSAMLProvider",
                "iam:GetServerCertificate",
                "iam:GetServiceLastAccessedDetails",
                "iam:GetServiceLastAccessedDetailsWithEntities",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:GetSSHPublicKey",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListInstanceProfileTags",
                "iam:ListMFADevices",
                "iam:ListMFADeviceTags",
                "iam:ListOpenIDConnectProviders",
                "iam:ListOpenIDConnectProviderTags",
                "iam:ListPolicies",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:ListSAMLProviders",
                "iam:ListSAMLProviderTags",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListServiceSpecificCredentials",
                "iam:ListSigningCertificates",
                "iam:ListSSHPublicKeys",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:ListUserTags",
                "iam:ListVirtualMFADevices",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:RemoveClientIDFromOpenIDConnectProvider",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:RemoveUserFromGroup",
                "iam:ResetServiceSpecificCredential",
                "iam:ResyncMFADevice",
                "iam:SetDefaultPolicyVersion",
                "iam:SetSecurityTokenServicePreferences",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:TagInstanceProfile",
                "iam:TagMFADevice",
                "iam:TagOpenIDConnectProvider",
                "iam:TagPolicy",
                "iam:TagRole",
                "iam:TagSAMLProvider",
                "iam:TagServerCertificate",
                "iam:TagUser",
                "iam:UntagInstanceProfile",
                "iam:UntagMFADevice",
                "iam:UntagOpenIDConnectProvider",
                "iam:UntagPolicy",
                "iam:UntagRole",
                "iam:UntagSAMLProvider",
                "iam:UntagServerCertificate",
                "iam:UntagUser",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateGroup",
                "iam:UpdateLoginProfile",
                "iam:UpdateOpenIDConnectProviderThumbprint",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription",
                "iam:UpdateSAMLProvider",
                "iam:UpdateServerCertificate",
                "iam:UpdateServiceSpecificCredential",
                "iam:UpdateSigningCertificate",
                "iam:UpdateSSHPublicKey",
                "iam:UpdateUser",
                "iam:UploadServerCertificate",
                "iam:UploadSigningCertificate",
                "iam:UploadSSHPublicKey",
                "inspector2:ListCoverage",
                "inspector2:ListFindings",
                "pricing:GetProducts",
                "savingsplans:DescribeSavingsPlans",
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AWS GovCloud Standard Harvesting

GovCloud Standard (Read-Only) User Policy

For AWS GovCloud accounts, the standard (read-only) permission set is split across the two policy documents below. Attach both to the harvesting user or role; together they make up the GovCloud Standard Read-Only policy. Like the commercial Customer-Managed policy, these documents must be manually updated with each new AWS GovCloud service that InsightCloudSec supports.

New required permissions are announced in our release notes and updated here.

A few entries are broader than the "read-only" label suggests. backup:* and support:* are service-wide wildcards that include write actions, and actions such as ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer, ec2:GetConsoleOutput and lambda:GetFunction return data (a registry login token, image layers, instance console output, a download URL for function code) rather than configuration alone. If that is more than your GovCloud environment allows, narrow the wildcards to the specific actions listed in the Supported API Calls section and scope the role's trust policy so that only InsightCloudSec can assume it.

GovCloud Standard Read-Only Policy (Part 1 of 2)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "access-analyzer:ListAnalyzers",
                "access-analyzer:ListFindings",
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "apigateway:GET",
                "appstream:DescribeFleets",
                "athena:GetWorkGroup",
                "athena:ListQueryExecutions",
                "athena:ListWorkGroups",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "autoscaling:DescribeWarmPool",
                "backup:*",
                "batch:DescribeComputeEnvironments",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudformation:ListStacks",
                "cloudhsm:DescribeClusters",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "codebuild:BatchGetProjects",
                "codebuild:ListProjects",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:ListUserPools",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeDeliveryChannels",
                "config:DescribeDeliveryChannelStatus",
                "datasync:DescribeTask",
                "datasync:ListLocations",
                "datasync:ListTasks",
                "directconnect:DescribeConnections",
                "dms:DescribeReplicationInstances",
                "ds:DescribeDirectories",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHosts",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:GetConsoleOutput",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetManagedPrefixListEntries",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2:SearchTransitGatewayRoutes",
                "ecr:DescribeImageReplicationStatus",
                "ecr:DescribeImages",
                "ecr:DescribeImageScanFindings",
                "ecr:DescribePullThroughCacheRules",
                "ecr:DescribeRegistry",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetRegistryPolicy",
                "ecr:GetRegistryScanningConfiguration",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:ListTagsForResource",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeServices",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListServices",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "eks:DescribeCluster",
                "eks:DescribeNodegroup",
                "eks:ListClusters",
                "eks:ListNodegroups",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:DescribeSnapshots",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribePlatformVersion",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "elasticmapreduce:ListBootstrapActions",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "elasticmapreduce:ListSecurityConfigurations",
                "es:DescribeElasticsearchDomains",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "events:DescribeEventBus",
                "events:ListEventBuses",
                "events:ListRules",
                "events:ListTargetsByRule",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "firehose:ListTagsForDeliveryStream",
                "fsx:DescribeFileSystems",
                "glacier:DescribeVault",
                "glacier:GetVaultAccessPolicy",
                "glacier:GetVaultLock",
                "glacier:ListTagsForVault",
                "glacier:ListVaults",
                "glue:GetDatabases",
                "glue:GetDataCatalogEncryptionSettings",
                "glue:GetResourcePolicy",
                "glue:GetSecurityConfigurations",
                "glue:ListCrawlers",
                "glue:ListRegistries",
                "guardduty:GetDetector",
                "guardduty:GetFindings",
                "guardduty:GetMasterAccount",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListMembers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

GovCloud Standard Read-Only Policy (Part 2 of 2)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetLoginProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetSAMLProvider",
                "iam:GetServerCertificate",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles",
                "iam:ListMFADevices",
                "iam:ListOpenIDConnectProviders",
                "iam:ListPolicies",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:ListSAMLProviders",
                "iam:ListServerCertificates",
                "iam:ListSigningCertificates",
                "iam:ListUserPolicies",
                "iam:ListUserTags",
                "iam:ListUsers",
                "iam:SimulatePrincipalPolicy",
                "kafka:ListClusters",
                "kafka:ListClustersV2",
                "kendra:DescribeIndex",
                "kendra:ListIndices",
                "kinesis:DescribeStream",
                "kinesis:ListShards",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "lambda:GetAccountSettings",
                "lambda:GetFunction",
                "lambda:GetLayerVersionPolicy",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "lambda:ListLayers",
                "lambda:ListTags",
                "logs:DescribeDestinations",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "memorydb:DescribeClusters",
                "memorydb:DescribeSubnetGroups",
                "memorydb:ListTags",
                "mq:DescribeBroker",
                "mq:ListBrokers",
                "organizations:DescribeOrganization",
                "organizations:DescribePolicy",
                "organizations:ListAccounts",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy",
                "outposts:ListOutposts",
                "quicksight:DescribeAccountSettings",
                "quicksight:DescribeAccountSubscription",
                "quicksight:DescribeIpRestriction",
                "quicksight:ListUsers",
                "rbin:GetRule",
                "rbin:ListRules",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDbProxies",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeOptionGroups",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeReservedDBInstances",
                "redshift:DescribeClusterParameterGroups",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeClusters",
                "redshift:DescribeLoggingStatus",
                "route53:GetHostedZone",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListHostedZonesByVpc",
                "route53:ListResourceRecordSets",
                "route53:ListVPCAssociationAuthorizations",
                "route53resolver:ListResolverQueryLogConfigAssociations",
                "route53resolver:ListResolverQueryLogConfigs",
                "s3:GetAccessPointPolicy",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetReplicationConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:ListNotebookInstances",
                "savingsplans:DescribeSavingsPlans",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:ListSecrets",
                "serverlessrepo:GetApplication",
                "serverlessrepo:GetApplicationPolicy",
                "serverlessrepo:ListApplications",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityMailFromDomainAttributes",
                "ses:GetIdentityNotificationAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "ssm:DescribeDocument",
                "ssm:DescribeDocumentPermission",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeParameters",
                "ssm:GetDocument",
                "ssm:GetServiceSetting",
                "ssm:ListDocumentVersions",
                "ssm:ListDocuments",
                "states:DescribeStateMachine",
                "states:ListStateMachines",
                "storagegateway:DescribeGatewayInformation",
                "storagegateway:DescribeNFSFileShares",
                "storagegateway:DescribeSMBFileShares",
                "storagegateway:ListFileShares",
                "storagegateway:ListGateways",
                "sts:GetCallerIdentity",
                "support:*",
                "tag:GetResources",
                "transcribe:GetMedicalTranscriptionJob",
                "transcribe:GetTranscriptionJob",
                "transcribe:ListMedicalTranscriptionJobs",
                "transcribe:ListTranscriptionJobs",
                "transfer:DescribeServer",
                "transfer:DescribeUser",
                "transfer:ListServers",
                "transfer:ListUsers",
                "wafv2:GetWebACL",
                "wafv2:ListLoggingConfigurations",
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListWebACLs",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

GovCloud Power User Policy

The AWS GovCloud Power User policy is provided below. It must be manually updated with each new AWS GovCloud service that InsightCloudSec supports; new required permissions are announced in our release notes and updated here.

Treat any principal holding this policy as equivalent to an account administrator. Besides the service-wide wildcards in the first statement (ec2:*, kms:*, s3:*, secretsmanager:* and the rest), the second statement grants iam:CreateAccessKey, iam:CreateLoginProfile, iam:AttachUserPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutRolePolicy, iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:UpdateAssumeRolePolicy and iam:PassRole on Resource "*"; any one of these lets the holder extend its own permissions or take over another principal in the account. Use the read-only policy unless you need InsightCloudSec to make changes in the account, and restrict who can assume the role that carries this policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ICSPowerUserWildcardPermissions",
            "Action": [
                "access-analyzer:*",
                "acm:*",
                "apigateway:*",
                "appstream:*",
                "athena:*",
                "autoscaling:*",
                "backup:*",
                "batch:*",
                "cloudformation:*",
                "cloudhsm:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "cognito-idp:*",
                "config:*",
                "datasync:*",
                "directconnect:*",
                "dms:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecs:*",
                "eks:*",
                "elasticache:*",
                "elasticbeanstalk:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "glue:*",
                "guardduty:*",
                "kafka:*",
                "kendra:*",
                "kinesis:*",
                "kms:*",
                "lambda:*",
                "logs:*",
                "memorydb:*",
                "mq:*",
                "organizations:*",
                "outposts:*",
                "quicksight:*",
                "rbin:*",
                "rds:*",
                "redshift:*",
                "route53:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "serverlessrepo:*",
                "ses:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "states:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "transcribe:*",
                "transfer:*",
                "waf-regional:*",
                "wafv2:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "ICSPowerUserIndividualPermissions",
            "Action": [
                "iam:AddClientIDToOpenIDConnectProvider",
                "iam:AddRoleToInstanceProfile",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateAccountAlias",
                "iam:CreateGroup",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateSAMLProvider",
                "iam:CreateServiceLinkedRole",
                "iam:CreateServiceSpecificCredential",
                "iam:CreateUser",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteAccessKey",
                "iam:DeleteAccountAlias",
                "iam:DeleteAccountPasswordPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteInstanceProfile",
                "iam:DeleteLoginProfile",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DeleteSAMLProvider",
                "iam:DeleteServerCertificate",
                "iam:DeleteServiceLinkedRole",
                "iam:DeleteServiceSpecificCredential",
                "iam:DeleteSigningCertificate",
                "iam:DeleteSSHPublicKey",
                "iam:DeleteUser",
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteUserPolicy",
                "iam:DeleteVirtualMFADevice",
                "iam:DetachGroupPolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:EnableMFADevice",
                "iam:GenerateCredentialReport",
                "iam:Get*",
                "iam:List*",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:RemoveClientIDFromOpenIDConnectProvider",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:RemoveUserFromGroup",
                "iam:ResetServiceSpecificCredential",
                "iam:ResyncMFADevice",
                "iam:SetDefaultPolicyVersion",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:TagInstanceProfile",
                "iam:TagMFADevice",
                "iam:TagOpenIDConnectProvider",
                "iam:TagPolicy",
                "iam:TagRole",
                "iam:TagSAMLProvider",
                "iam:TagServerCertificate",
                "iam:TagUser",
                "iam:UntagInstanceProfile",
                "iam:UntagMFADevice",
                "iam:UntagOpenIDConnectProvider",
                "iam:UntagPolicy",
                "iam:UntagRole",
                "iam:UntagSAMLProvider",
                "iam:UntagServerCertificate",
                "iam:UntagUser",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateGroup",
                "iam:UpdateLoginProfile",
                "iam:UpdateOpenIDConnectProviderThumbprint",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription",
                "iam:UpdateSAMLProvider",
                "iam:UpdateServerCertificate",
                "iam:UpdateServiceSpecificCredential",
                "iam:UpdateSigningCertificate",
                "iam:UpdateSSHPublicKey",
                "iam:UpdateUser",
                "iam:UploadServerCertificate",
                "iam:UploadSigningCertificate",
                "iam:UploadSSHPublicKey",
                "savingsplans:DescribeSavingsPlans",
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
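
A check worth running on any of the policy documents on this page before attaching them, given here as an added example and not as InsightCloudSec code: it parses a policy, reports duplicated actions, actions that are not read-only (including service-wide wildcards), IAM actions that permit privilege escalation when granted on Resource "*", and the document's size against the 6,144-character managed-policy quota, which IAM measures without counting whitespace (inline policies have smaller, entity-specific limits). The read-only test is a verb-prefix heuristic and is an assumption of this example; it treats ecr:GetAuthorizationToken as read-only, for instance, even though that action returns registry credentials. SAMPLE_POLICY is a constructed, trimmed stand-in with the same kinds of entries the real documents contain; to lint the real documents, load them with json.load and pass the result to lint_policy.

```python
"""Lint an IAM policy document before attaching it.

Added example, not part of the InsightCloudSec documentation or product.
Reports: duplicate actions, non-read-only actions (including wildcards),
IAM privilege-escalation primitives granted on Resource "*", and the
document's size against IAM's managed-policy quota.
"""
import json
import re

# AWS-documented quota for a managed policy; IAM does not count whitespace.
MANAGED_POLICY_MAX_CHARS = 6144

# Verb prefixes that only read configuration or metadata (heuristic; an
# assumption of this example, not an AWS classification).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Search", "Simulate",
                      "Generate", "BatchGet")

# IAM actions that, when allowed on Resource "*", let the holder grant
# itself or another principal arbitrary permissions.
ESCALATION_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup", "iam:PassRole",
}


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_size(policy: dict) -> int:
    """Size as IAM measures it: JSON characters with all whitespace removed."""
    compact = json.dumps(policy, separators=(",", ":"))
    return len(re.sub(r"\s", "", compact))


def allowed_actions(policy: dict):
    """Yield (sid, action, resources) for every Allow statement."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            yield stmt.get("Sid", ""), action, _as_list(stmt.get("Resource", []))


def is_read_only(action: str) -> bool:
    """True when the action's verb looks like a read (heuristic)."""
    service, _, verb = action.partition(":")
    if "*" in verb:                      # backup:*, support:*, iam:Get* ...
        return False
    if service == "apigateway":          # API Gateway uses HTTP verbs as actions
        return verb == "GET"
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy: dict) -> dict:
    """Return the findings a reviewer wants before attaching the document."""
    seen, duplicates, writes, escalation = set(), [], [], []
    for _sid, action, resources in allowed_actions(policy):
        if action in seen:
            duplicates.append(action)
        seen.add(action)
        if not is_read_only(action):
            writes.append(action)
        if action in ESCALATION_ACTIONS and "*" in resources:
            escalation.append(action)
    size = policy_size(policy)
    return {
        "duplicates": sorted(set(duplicates)),
        "non_read_only": sorted(set(writes)),
        "escalation_on_any_resource": sorted(set(escalation)),
        "size": size,
        "fits_managed_policy_limit": size <= MANAGED_POLICY_MAX_CHARS,
    }


# Constructed sample: a trimmed stand-in for a harvesting policy that contains
# the kinds of entries a reviewer should notice in the real documents.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "backup:*",                  # service-wide wildcard in a "read-only" policy
            "ec2:DescribeInstances",
            "s3:GetBucketNotification",
            "s3:GetBucketPolicy",
            "s3:GetBucketNotification",  # duplicate entry
            "iam:PassRole",              # escalation primitive on Resource "*"
            "iam:ListRoles",
            "sts:GetCallerIdentity",
        ],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(lint_policy(SAMPLE_POLICY), indent=2))
```

Run it over both GovCloud read-only parts and over the Power User document. In the read-only parts the heuristic flags exactly backup:* and support:*; in the Power User document it lists the IAM escalation primitives named above, which is the concrete reason to treat that policy as administrator-equivalent.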

Organization Master Account Role

The following policy is used to allow InsightCloudSec access to organizational information. Attach it to a role in the organization's master account (which AWS now calls the management account): apart from organizations:DescribeOrganization, the list calls it grants are only answered from the management account or from a member account that is a delegated administrator. Note that it grants organizations:ListAccountsForParent and organizations:ListOrganizationalUnitsForParent rather than organizations:ListAccounts, so account discovery walks the organizational-unit tree starting from organizations:ListRoots. Review AWS Cloud Setup (Organizations) for more information on integrating your AWS Organization(s) with InsightCloudSec.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "organizations:DescribeOrganization",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListPolicies",
                "organizations:ListRoots",
                "organizations:ListTagsForResource",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*"
        }
    ]
}
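
How a consumer of this role enumerates accounts with only the actions granted, as an added example and not InsightCloudSec code: because the policy allows organizations:ListAccountsForParent and organizations:ListOrganizationalUnitsForParent rather than organizations:ListAccounts, the walk starts at ListRoots and descends parent by parent, following NextToken pagination on every call. The method names and response keys are boto3's for the Organizations API. FakeOrganizationsClient and its OU tree are constructed so the code runs offline; with real credentials you would pass boto3.client("organizations") instead. The role's name and trust policy are not specified on this page and are not assumed here.

```python
"""Walk an AWS Organization using only the list actions the role above grants.

Added example, not InsightCloudSec code. Enumeration is root -> OUs ->
accounts because the policy grants ListAccountsForParent and
ListOrganizationalUnitsForParent, not ListAccounts. `client` is any object
exposing list_roots, list_organizational_units_for_parent and
list_accounts_for_parent with boto3's response shapes; the fake client
below is constructed data so the example runs offline.
"""


def _paginate(method, result_key, **kwargs):
    """Follow NextToken until the service stops returning one."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = method(**params)
        yield from page.get(result_key, [])
        token = page.get("NextToken")
        if not token:
            return


def walk_organization(client) -> dict:
    """Return {account_id: {"name", "status", "path"}} with path as Root/OU/..."""
    accounts = {}
    for root in _paginate(client.list_roots, "Roots"):
        stack = [(root["Id"], root.get("Name", "Root"))]
        while stack:
            parent_id, path = stack.pop()
            for acct in _paginate(client.list_accounts_for_parent, "Accounts",
                                  ParentId=parent_id):
                accounts[acct["Id"]] = {"name": acct["Name"],
                                        "status": acct["Status"],
                                        "path": path}
            for ou in _paginate(client.list_organizational_units_for_parent,
                                "OrganizationalUnits", ParentId=parent_id):
                stack.append((ou["Id"], f"{path}/{ou['Name']}"))
    return accounts


class FakeOrganizationsClient:
    """Constructed stand-in: a two-level OU tree and a paginated account list."""

    def __init__(self):
        self.roots = [{"Id": "r-abcd", "Name": "Root"}]
        self.ous = {
            "r-abcd": [{"Id": "ou-abcd-1111", "Name": "Workloads"}],
            "ou-abcd-1111": [{"Id": "ou-abcd-2222", "Name": "Prod"}],
        }
        self.accounts = {
            "r-abcd": [{"Id": "111111111111", "Name": "management", "Status": "ACTIVE"}],
            "ou-abcd-1111": [{"Id": "222222222222", "Name": "shared-services", "Status": "ACTIVE"}],
            "ou-abcd-2222": [
                {"Id": "333333333333", "Name": "prod-api", "Status": "ACTIVE"},
                {"Id": "444444444444", "Name": "prod-old", "Status": "SUSPENDED"},
            ],
        }

    def list_roots(self, **kw):
        return {"Roots": self.roots}

    def list_organizational_units_for_parent(self, ParentId, **kw):
        return {"OrganizationalUnits": self.ous.get(ParentId, [])}

    def list_accounts_for_parent(self, ParentId, NextToken=None, **kw):
        # Serve one account per page so the NextToken handling is exercised.
        items = self.accounts.get(ParentId, [])
        idx = int(NextToken) if NextToken else 0
        page = {"Accounts": items[idx:idx + 1]}
        if idx + 1 < len(items):
            page["NextToken"] = str(idx + 1)
        return page


if __name__ == "__main__":
    for acct_id, info in sorted(walk_organization(FakeOrganizationsClient()).items()):
        print(acct_id, info["status"], info["path"], info["name"])
```

Suspended accounts are still returned by ListAccountsForParent, so a consumer that only wants harvestable accounts must filter on Status itself; the policy does not do that for it.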
