The following sections describe the minimum permissions that must be set before you can run discovery with the "Amazon Web Services" PowerPack:
Minimum Permissions Needed to Monitor Your AWS Accounts
The following table displays the minimum permissions required for Dynamic Applications in the "Amazon Web Services" PowerPack to collect data.
Service | Access level | Actions
---|---|---
Application Certificate Manager - Private Certificate Authority | List | ListCertificateAuthorities
Airflow | List | ListEnvironments
Amplify | List | ListApps
API Gateway | Read | GET
AppFlow | List | ListFlows
AppRunner | List | ListServices
AppStream | Read | DescribeFleets
AppSync | List | ListGraphqlApis
Athena | List | ListDatabases, ListDataCatalogs, ListWorkGroups
Backup | List | ListBackupPlans
Cassandra | Read | Select
Chime | List | ListAccounts, ListVoiceConnectors
CloudFront | List | ListDistributions, ListInvalidations, ListStreamingDistributions
CloudFront | Read | GetDistribution, GetStreamingDistribution
CloudHSM | Read | DescribeClusters
CloudSearch | List | DescribeDomains
CloudTrail | List | DescribeTrails
CloudTrail | Read | GetTrailStatus
CloudWatch | List | ListMetrics, ListMetricStreams
CloudWatch | Read | DescribeAlarmHistory, DescribeAlarms, GetMetricData, GetMetricStatistics
CloudWatch Logs | List | DescribeLogGroups
CloudWatch RUM | List | ListAppMonitors
CloudWatch Synthetics | Read | DescribeCanaries
CodeBuild | List | ListProjects
CodeGuru Profiler | List | ListProfilingGroups
CodeGuru Reviewer | List | ListRepositoryAssociations
Cognito Identity | List | ListIdentityPools
Config | Read | GetDiscoveredResourceCounts
Connect | Read | ListInstances
Data Exchange | List | ListDataSets
Data Lifecycle Manager | List | GetLifecyclePolicies
Data Pipeline | List | ListPipelines
Database Migration Service | Read | DescribeReplicationInstances
DataSync | List | ListAgents
DAX | List | DescribeClusters
Direct Connect | Read | DescribeConnections, DescribeTags, DescribeVirtualInterfaces
DMS | Read | DescribeReplicationInstances
DynamoDB | List | ListTables
DynamoDB | Read | DescribeTable
EC2 | List | DescribeAvailabilityZones, DescribeClientVpnEndpoints, DescribeFleets, DescribeElasticGpus, DescribeInstances, DescribeNatGateways, DescribeRegions, DescribeRouteTables, DescribeSecurityGroups, DescribeSnapshots, DescribeSpotFleetRequests, DescribeSubnets, DescribeTransitGatewayAttachments, DescribeVolumes, DescribeVpcEndpointConnections, DescribeVpcPeeringConnections, DescribeVpcs, DescribeVpnGateways
EC2 | Read | DescribeVpnConnections
EC2 Auto Scaling | List | DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeLaunchConfigurations
EFS | List | DescribeFileSystems
Elastic Beanstalk | List | DescribeEnvironments
Elastic Beanstalk | Read | DescribeConfigurationSettings, DescribeEnvironmentResources, DescribeEnvironmentHealth, DescribeInstancesHealth
Elastic Container Service (ECS) | List | ListClusters, ListContainerInstances, ListServices, ListTagsForResource, ListTasks
Elastic Container Service (ECS) | Read | DescribeClusters, DescribeContainerInstances, DescribeServices, DescribeTaskDefinition, DescribeTasks
ElastiCache | List | DescribeCacheClusters, ListTagsForResource
Elastic Inference | List | DescribeAccelerators
Elastic Kubernetes Service (EKS) | List | ListClusters
Elastic Kubernetes Service (EKS) | Read | DescribeCluster
Elastic Transcoder | List | ListPipelines
ELB | List | DescribeLoadBalancers
ELB | Read | DescribeTags
ELB v2 | Read | DescribeListeners, DescribeLoadBalancers, DescribeTags, DescribeTargetGroups, DescribeTargetHealth
EMR | List | ListClusters
EMR | Read | ListInstances
ES | List | ListDomainNames
EventBridge | List | ListRules
FinSpace | List | ListEnvironments
Firehose | List | ListDeliveryStreams
Forecast | List | ListDatasetGroups
Fraud Detector | List | GetDetectors
FSx | Read | DescribeFileSystems
GameLift | List | ListFleets
Glacier | List | ListTagsForVault, ListVaults
Glacier | Read | GetVaultNotifications
Glue | List | ListJobs
Glue DataBrew | List | ListProjects
Ground Station | List | ListSatellites
GuardDuty | List | ListDetectors
HealthLake | List | ListFHIRDatastores
IAM | Read | GetUser
Inspector2 | List | ListCoverage
Interactive Video Service | List | ListChannels
IoT | List | ListScheduledAudits, ListSecurityProfiles, ListThings, ListTagsForResource
IoT | Read | DescribeThing
IoT Analytics | List | ListDatastores
IoT Events | List | ListDetectorModels
IoT Greengrass V2 | List | ListCoreDevices
IoT SiteWise | List | ListAssetModels
IoT TwinMaker | List | ListWorkspaces
Kafka | List | ListClusters
Kendra | List | ListIndices
Key Management Service (KMS) | List | ListKeys, ListAliases
Key Management Service (KMS) | Read | DescribeKey, ListResourceTags
Kinesis | List | ListStreams
Kinesis Firehose | List | ListDeliveryStreams
Kinesis Video | List | ListStreams
Lambda | List | ListFunctions, ListAliases, ListEventSourceMappings
Lambda | Read | GetAccountSettings, GetPolicy, ListTags
Lex V2 | | ListBots
Lightsail | List | GetBundles, GetRegions
Lightsail | Read | GetInstanceMetricData, GetInstances
Location | List | ListMaps
Lookout for Equipment | List | ListDatasets
Lookout for Metrics | List | ListAnomalyDetectors
Lookout for Vision | List | ListProjects
MediaConnect | List | ListFlows
MediaConvert | List | DescribeEndpoints, ListQueues
MediaLive | List | ListChannels
MediaPackage - VOD | List | ListPackagingConfigurations, ListPackagingGroups
MediaPackage | Read | ListChannels
MediaTailor | List | ListPlaybackConfigurations
MQ | List | ListBrokers
Network Firewall | List | ListFirewalls
Network Manager | List | DescribeGlobalNetworks
Nimble Studio | Read | ListStudios
OpsWorks | List | DescribeInstances, DescribeStacks
Personalize | List | ListDatasets
Polly | List | ListLexicons
QLDB | List | ListLedgers
QuickSight | List | ListDashboards
RDS | List | DescribeDBClusters, DescribeDBSubnetGroups
RDS | Read | ListTagsForResource
Redshift | List | DescribeClusters
Redshift | Read | DescribeLoggingStatus
RoboMaker | List | ListSimulationJobs
Route 53 | List | GetHostedZone, ListHealthChecks, ListHostedZones, ListResourceRecordSets
S3 | List | ListAllMyBuckets, ListBucket
S3 | Read | GetBucketLocation, GetBucketLogging, GetBucketTagging, GetBucketWebsite, GetObject (restrict GetObject to the Elastic Beanstalk resources only, for instance bucket name `elasticbeanstalk-*`, any object name)
SageMaker | List | ListDomains
Secrets Manager | List | ListSecrets
Service Catalog | List | SearchProductsAsAdmin
Shield | List | ListAttacks, ListProtections
Shield | Read | DescribeEmergencyContactSettings, GetSubscriptionState
Simple Email Service (SES) | List | ListIdentities
Simple Notification Service (SNS) | List | ListTopics, ListSubscriptions
SQS | List | ListQueues
SQS | Read | GetQueueAttributes
SSM | Read | GetParameters
Storage Gateway | List | ListGateways, ListVolumes
States | List | ListStateMachines
STS | Read | GetCallerIdentity
SWF | List | ListDomains
Tag Editor | Read | GetResources, GetTagKeys, GetTagValues
Timestream | List | ListDatabases
Transfer | List | ListServers
WAF | List | ListWebACLs
WAF | Read | GetRateBasedRule, GetRule, GetRuleGroup, GetWebACL
WAF Regional | List | ListResourcesForWebACL, ListWebACLs
WAF Regional | Read | GetRateBasedRule, GetRule, GetRuleGroup, GetWebACL
WorkMail | List | ListOrganizations
WorkSpaces | List | DescribeWorkspaces, DescribeWorkspaceDirectories
To create the Minimum Permission policy:
If you are monitoring a GovCloud account, use the policy in the section "Creating a Minimum Permissions Policy for GovCloud Accounts" below instead.
- Go to the AWS console and select IAM > Policies > Create Policy. Select JSON and copy and paste the following JSON document:
If you receive an error message that the policy exceeds the character limit, split the following JSON into two policies.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities", "airflow:ListEnvironments", "amplify:ListApps",
        "apigateway:GET", "appflow:ListFlows", "apprunner:ListServices", "appstream:DescribeFleets",
        "appsync:ListGraphqlApis", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListWorkGroups",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations", "backup:ListBackupPlans", "cassandra:Select",
        "chime:ListAccounts", "chime:ListVoiceConnectors",
        "cloudfront:GetDistribution", "cloudfront:GetStreamingDistribution", "cloudfront:ListDistributions",
        "cloudfront:ListInvalidations", "cloudfront:ListStreamingDistributions",
        "cloudhsm:DescribeClusters", "cloudsearch:DescribeDomains",
        "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
        "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:ListMetricStreams",
        "codebuild:ListProjects", "codeguru-profiler:ListProfilingGroups",
        "codeguru-reviewer:ListRepositoryAssociations", "cognito-identity:ListIdentityPools",
        "config:GetDiscoveredResourceCounts", "connect:ListInstances", "databrew:ListProjects",
        "dataexchange:ListDataSets", "datasync:ListAgents", "datapipeline:ListPipelines",
        "dax:DescribeClusters", "devops-guru:ListMonitoredResources",
        "directconnect:DescribeConnections", "directconnect:DescribeTags", "directconnect:DescribeVirtualInterfaces",
        "dlm:GetLifecyclePolicies", "dms:DescribeReplicationInstances",
        "dynamodb:DescribeTable", "dynamodb:ListTables",
        "ec2:DescribeAvailabilityZones", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeFleets",
        "ec2:DescribeElasticGpus", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeNatGateways",
        "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots",
        "ec2:DescribeSpotFleetRequests", "ec2:DescribeSubnets", "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeVolumes",
        "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpointConnections",
        "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances",
        "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTasks",
        "eks:DescribeCluster", "eks:ListClusters",
        "elasticache:DescribeCacheClusters", "elasticache:ListTagsForResource",
        "elasticbeanstalk:DescribeConfigurationSettings", "elasticbeanstalk:DescribeEnvironmentHealth",
        "elasticbeanstalk:DescribeEnvironmentResources", "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeInstancesHealth", "elasticfilesystem:DescribeFileSystems",
        "elastic-inference:DescribeAccelerators",
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticmapreduce:ListClusters", "elasticmapreduce:ListInstances", "elastictranscoder:ListPipelines",
        "es:ListDomainNames", "events:ListRules", "finspace:ListEnvironments", "firehose:ListDeliveryStreams",
        "forecast:ListDatasetGroups", "frauddetector:GetDetectors", "fsx:DescribeFileSystems",
        "gamelift:ListFleets", "geo:ListMaps",
        "glacier:GetVaultNotifications", "glacier:ListTagsForVault", "glacier:ListVaults",
        "glue:ListJobs", "greengrass:ListCoreDevices", "groundstation:ListSatellites", "guardduty:ListDetectors",
        "healthlake:ListFHIRDatastores", "iam:GetAccountAuthorizationDetails", "iam:GetUser",
        "inspector2:ListUsageTotals",
        "iot:DescribeThing", "iot:ListScheduledAudits", "iot:ListSecurityProfiles", "iot:ListTagsForResource",
        "iot:ListThings", "iotanalytics:ListDatastores", "iotevents:ListDetectorModels",
        "iotsitewise:ListAssetModels", "iottwinmaker:ListWorkspaces",
        "ivs:ListChannels", "ivschat:ListRooms", "kafka:ListClusters", "kendra:ListIndices",
        "kinesis:ListStreams", "kinesisvideo:ListStreams",
        "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys", "kms:ListResourceTags",
        "lakeformation:ListResources",
        "lambda:GetAccountSettings", "lambda:GetPolicy", "lambda:ListAliases",
        "lambda:ListEventSourceMappings", "lambda:ListFunctions", "lambda:ListTags",
        "lex:ListBots",
        "lightsail:GetBundles", "lightsail:GetInstanceMetricData", "lightsail:GetInstances", "lightsail:GetRegions",
        "logs:DescribeLogGroups",
        "lookoutequipment:ListDatasets", "lookoutmetrics:ListAnomalyDetectors", "lookoutvision:ListProjects",
        "mediaconnect:ListFlows", "mediaconvert:DescribeEndpoints", "mediaconvert:ListQueues",
        "medialive:ListChannels", "mediapackage-vod:ListPackagingConfigurations",
        "mediapackage-vod:ListPackagingGroups", "mediapackage:ListChannels",
        "mediatailor:ListPlaybackConfigurations",
        "mq:ListBrokers", "network-firewall:ListFirewalls", "nimble:ListStudios",
        "opsworks:DescribeInstances", "opsworks:DescribeStacks",
        "panorama:ListDevices", "personalize:ListDatasets", "polly:ListLexicons", "qldb:ListLedgers",
        "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBSubnetGroups", "rds:ListTagsForResource",
        "redshift:DescribeClusters", "redshift:DescribeLoggingStatus",
        "rekognition:DescribeProjects", "robomaker:ListSimulationJobs",
        "route53:GetHostedZone", "route53:ListHealthChecks", "route53:ListHostedZones",
        "route53:ListResourceRecordSets", "rum:ListAppMonitors",
        "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketTagging", "s3:GetBucketWebsite",
        "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket",
        "sagemaker:ListDomains", "states:ListStateMachines", "secretsmanager:ListSecrets",
        "ses:ListIdentities", "servicecatalog:SearchProductsAsAdmin",
        "shield:DescribeEmergencyContactSettings", "shield:GetSubscriptionState", "shield:ListAttacks",
        "shield:ListProtections",
        "sns:ListSubscriptions", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues",
        "ssm:GetInventory", "ssm:GetParameters",
        "storagegateway:ListGateways", "storagegateway:ListVolumes",
        "sts:GetCallerIdentity", "swf:ListDomains", "synthetics:DescribeCanaries",
        "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues",
        "timestream:ListDatabases", "transcribe:ListTranscriptionJobs", "transfer:ListServers",
        "translate:ListTextTranslationJobs",
        "waf-regional:GetRateBasedRule", "waf-regional:GetRule", "waf-regional:GetRuleGroup",
        "waf-regional:GetWebACL", "waf-regional:ListResourcesForWebACL", "waf-regional:ListWebACLs",
        "waf:GetRateBasedRule", "waf:GetRule", "waf:GetRuleGroup", "waf:GetWebACL", "waf:ListWebACLs",
        "workmail:ListOrganizations", "workspaces-web:ListPortals",
        "workspaces:DescribeWorkspaceDirectories", "workspaces:DescribeWorkspaces"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click . If applicable, enter your Tags.
- Click . Name the policy "SL1MinimumPermissions" and click .
This policy needs to be available in each account that is to be monitored and will be referenced in the following sections.
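Both procedures on this page (standard and GovCloud) tell you to split the policy by hand if the console reports that it exceeds the character limit. The following Python script is an added example, not ScienceLogic's code: it measures a policy the way IAM does (non-whitespace characters against the 6,144-character managed-policy limit), splits it into as many parts as needed while preserving action order, and flags any action that is not read-only by name or that reads object data (`s3:GetObject`, `cassandra:Select`) while the statement's `Resource` is `"*"`, which is the scoping the S3 row of the table asks for. The action list in `POLICY` is a constructed sample; paste the page's full policy there to check the real one.

```python
"""Size-check, split and audit an IAM minimum-permissions policy.
Added example, not part of the ScienceLogic documentation. The action list is
a constructed sample shaped like the page's policy; paste the full policy here."""
import json

# IAM counts the non-whitespace characters of a managed policy against its
# 6,144-character limit; that limit is what the console error refers to.
MANAGED_POLICY_LIMIT = 6144
READ_ONLY_PREFIXES = ("list", "describe", "get", "search", "select")
# Actions that read object data rather than resource metadata; the page's
# table asks that GetObject be restricted to elasticbeanstalk-* buckets.
DATA_PLANE_READS = {"s3:GetObject", "cassandra:Select"}

POLICY = {  # constructed sample
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
                   "ec2:DescribeInstances", "s3:ListAllMyBuckets",
                   "s3:GetObject", "apigateway:GET", "cassandra:Select"],
        "Resource": "*",
    }],
}


def policy_size(policy: dict) -> int:
    """Return the character count IAM applies: JSON text minus whitespace."""
    text = json.dumps(policy, separators=(",", ":"))
    return sum(1 for c in text if not c.isspace())


def split_policy(policy: dict, limit: int = MANAGED_POLICY_LIMIT) -> list:
    """Split a single-statement policy into as many policies as needed to keep
    each under `limit`, preserving action order (the page's manual step)."""
    stmt = policy["Statement"][0]
    parts, current = [], []

    def build(actions):  # one part, with a Sid that is unique per part
        part = dict(stmt, Sid=f"{stmt['Sid']}Part{len(parts)}", Action=actions)
        return {"Version": policy["Version"], "Statement": [part]}

    for action in stmt["Action"]:
        if current and policy_size(build(current + [action])) > limit:
            parts.append(build(current))
            current = []
        current.append(action)
    parts.append(build(current))
    return parts


def audit_actions(policy: dict) -> dict:
    """Flag non-read-only actions and data-plane reads granted on Resource "*"."""
    stmt = policy["Statement"][0]
    findings = {"non_read_only": [], "data_read_on_any_resource": []}
    for action in stmt["Action"]:
        verb = action.split(":", 1)[1].lower()
        if not verb.startswith(READ_ONLY_PREFIXES):
            findings["non_read_only"].append(action)
        if action in DATA_PLANE_READS and stmt["Resource"] == "*":
            findings["data_read_on_any_resource"].append(action)
    return findings
```

Each part returned by `split_policy` is a complete policy document you can paste into the console as its own managed policy and attach alongside the others.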
Creating a Minimum Permissions Policy for GovCloud Accounts
If you are on an AWS GovCloud account, perform the following steps to create the Minimum Permission policy:
- Go to the AWS console and select IAM > Policies > Create Policy. Select JSON and copy and paste the following JSON document:
If you receive an error message that the policy exceeds the character limit, split the following JSON into two policies.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities", "apigateway:GET", "appstream:DescribeFleets",
        "athena:ListWorkGroups", "athena:ListDatabases", "athena:ListDataCatalogs",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations", "backup:ListBackupPlans",
        "cloudhsm:DescribeClusters", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
        "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:ListMetricStreams",
        "codebuild:ListProjects", "cognito-identity:ListIdentityPools", "config:GetDiscoveredResourceCounts",
        "connect:ListInstances", "databrew:ListProjects", "datasync:ListAgents",
        "directconnect:DescribeConnections", "directconnect:DescribeTags", "directconnect:DescribeVirtualInterfaces",
        "dms:DescribeReplicationInstances", "dynamodb:DescribeTable", "dynamodb:ListTables",
        "ec2:DescribeAvailabilityZones", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeFleets",
        "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeNatGateways", "ec2:DescribeRegions",
        "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots",
        "ec2:DescribeSpotFleetRequests", "ec2:DescribeSubnets", "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeVolumes",
        "ec2:DescribeVpcEndpointConnections", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs",
        "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances",
        "ecs:ListServices", "ecs:ListTasks", "ecs:ListTagsForResource",
        "eks:DescribeCluster", "eks:ListClusters", "elasticache:DescribeCacheClusters",
        "elasticbeanstalk:DescribeConfigurationSettings", "elasticbeanstalk:DescribeEnvironmentHealth",
        "elasticbeanstalk:DescribeEnvironmentResources", "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeInstancesHealth", "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticmapreduce:ListClusters", "elasticmapreduce:ListInstances",
        "es:ListDomainNames", "events:ListRules", "firehose:ListDeliveryStreams", "fsx:DescribeFileSystems",
        "glacier:GetVaultNotifications", "glacier:ListTagsForVault", "glacier:ListVaults",
        "glue:ListJobs", "greengrass:ListCoreDevices", "guardduty:ListDetectors",
        "iam:GetAccountAuthorizationDetails", "iam:GetUser", "inspector2:ListUsageTotals",
        "iot:DescribeThing", "iot:ListScheduledAudits", "iot:ListSecurityProfiles", "iot:ListTagsForResource",
        "iot:ListThings", "iotevents:ListDetectorModels", "iotsitewise:ListAssetModels",
        "kafka:ListClusters", "kendra:ListIndices", "kinesis:ListStreams",
        "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys", "kms:ListResourceTags",
        "lakeformation:ListResources",
        "lambda:GetAccountSettings", "lambda:GetPolicy", "lambda:ListAliases",
        "lambda:ListEventSourceMappings", "lambda:ListFunctions", "lambda:ListTags",
        "logs:DescribeLogGroups", "mq:ListBrokers", "network-firewall:ListFirewalls", "polly:ListLexicons",
        "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBSubnetGroups", "rds:ListTagsForResource",
        "redshift:DescribeClusters", "redshift:DescribeLoggingStatus", "rekognition:DescribeProjects",
        "route53:GetHostedZone", "route53:ListHealthChecks", "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketTagging", "s3:GetBucketWebsite",
        "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket",
        "sagemaker:ListDomains", "states:ListStateMachines", "secretsmanager:ListSecrets",
        "servicecatalog:SearchProductsAsAdmin", "ses:ListIdentities",
        "sns:ListSubscriptions", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues",
        "ssm:GetInventory", "ssm:GetParameters",
        "storagegateway:ListGateways", "storagegateway:ListVolumes",
        "sts:GetCallerIdentity", "swf:ListDomains", "synthetics:DescribeCanaries",
        "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues",
        "transcribe:ListTranscriptionJobs", "transfer:ListServers", "translate:ListTextTranslationJobs",
        "workspaces:DescribeWorkspaceDirectories", "workspaces:DescribeWorkspaces"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click . If applicable, enter your Tags.
- Click . Name the policy "SL1MinimumPermissions" and click .
This policy needs to be available in each account that is to be monitored and will be referenced in the following sections.