Permissions required for Audit recipe

We have taken enough time and done through analysis to seek out the minimal permission set required to run effective audit against your AWS account. There is not a single permissions more or less which we take to connect to your account in order to finish a successful audit.

IAM Audit

"ec2:DescribeRegions", "elbv2:DescribeLoadBalancers","elbv2:DescribeListeners","elbv2:DescribeListenerCertificates","iam:GenerateCredentialReport", "iam:GetCredentialReport","iam:GetAccountPasswordPolicy","iam:GetGroup","iam:GetGroupPolicy","iam:GetUserPolicy","iam:ListAttachedGroupPolicies","iam:ListAttachedUserPolicies","iam:ListGroupPolicies","iam:ListGroups","iam:ListGroupsForUser","iam:ListServerCertificates","iam:ListUserPolicies","iam:ListUsers","iam:GenerateServiceLastAccessedDetails","iam:GetServiceLastAccessedDetails","iam:GetServiceLastAccessedDetailsWithEntities","iam:GetOrganizationsAccessReport","iam:GetPolicy","iam:ListRoles","iam:ListRolePolicies","iam:ListAccessKeys","iam:GetAccessKeyLastUsed"

Security Group Audit:

"ec2:DescribeRegions", "rds:DescribeDBInstances","ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeRoutingTables", "ec2:DescribeNetworkACLs", "ec2:DescribeFlowLogs", "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "redshift:DescribeClusters"

S3 Audit:

"ec2:DescribeRegions", "s3:GetBucketPublicAccessBlock", "s3:GetBucketObjectLockConfiguration", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetBucketLogging", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketEncryption", "s3:GetBucketVersioning", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketLogging", "s3:GetPublicAccessBlock", "s3:GetBucketAcl", "s3:GetEncryptionConfiguration", "s3:GetBucketPublicAccessBlock", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetReplicationConfiguration", "s3:GetBucketWebsite"

EC2 Audit:

"ec2:DescribeRegions", "autoscaling:DescribeAutoScalingInstances", "ec2:DescribeAddresses", "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:DescribeSnapshotAttribute", "ec2:GetEbsEncryptionByDefault", "ec2:DescribeInstanceAttribute", "servicequotas:GetServiceQuota", "ec2:DescribeSnapshots", "cloudwatch:GetMetricStatistics", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAccountAttributes", "ec2:DescribeReservedInstances", "ec2:DescribeSubnets", "ec2:DescribeKeyPairs", "ec2:DescribeRouteTables", "ec2:DescribeInstanceStatus"

RDS Audit:

"ec2:DescribeRegions", "rds:DescribeEventSubscriptions", "rds:DescribeDBSnapshots", "rds:DescribeDBSecurityGroups", "cloudwatch:GetMetricStatistics", "ec2:DescribeSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeReservedDBInstances", "rds:ListTagsForResource", "kms:ListAliases", "rds:DescribeDBInstances", "rds:DescribeDBParameters", "ec2:DescribeRouteTables", "rds:DescribeDBClusters"

LAMBDA Audit:

"ec2:DescribeRegions", "iam:GetRole", "iam:GetPolicyVersion", "iam:GetPolicy", "lambda:ListFunctions", "lambda:ListVersionsByFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:GetFunctionConfiguration", "cloudtrail:GetEventSelectors", "cloudtrail:DescribeTrails", "lambda:ListTags", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:GetRolePolicy", "lambda:GetPolicy"

DYNAMODB Audit:

"ec2:DescribeRegions", "dynamodb:DescribeTable", "dynamodb:ListTables", "application-autoscaling:DescribeScalingPolicies", "dynamodb:DescribeContinuousBackups", "kms:DescribeKey", "ec2:DescribeVpcEndpoints", "dynamodb:DescribeTableReplicaAutoScaling"

ELB Audit:

"ec2:DescribeRegions", "elasticloadbalancing:DescribeSSLPolicies", "wafv2:ListResourcesForWebACL", "wafv2:ListWebACLs", "elasticloadbalancing:DescribeTags", "cloudwatch:GetMetricStatistics", "ec2:DescribeSecurityGroups", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeInstanceHealth"

Elastic Search Audit:

"ec2:DescribeRegions", "es:DescribeReservedElasticsearchInstances", "es:ListDomainNames", "es:ListTags", "es:DescribeElasticsearchDomains", "cloudwatch:GetMetricStatistics"

KMS Audit:

"ec2:DescribeRegions", "kms:ListKeys", "kms:GetKeyRotationStatus", "ec2:DescribeVolumes", "kms:ListAliases", "kms:GetKeyPolicy", "kms:DescribeKey", "kms:ListResourceTags", "kms:ListGrants"

KUBERNETES Audit:

"ec2:DescribeRegions", "eks:DescribeNodegroup", "ecr:DescribeRepositories", "eks:DescribeCluster", "eks:ListClusters", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ecr:GetRepositoryPolicy", "ecr:GetLifecyclePolicy"

SES Audit:

"ec2:DescribeRegions", "ses:GetIdentityDkimAttributes", "ses:GetIdentityPolicies", "ses:GetIdentityVerificationAttributes", "ses:ListIdentityPolicies", "ses:ListIdentities"

"ec2:DescribeRegions", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes", "sns:ListTopics", "sns:GetSubscriptionAttributes", "sns:ListSubscriptions"]

CLOUDFRONT Audit:

"ec2:DescribeRegions", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudfront:GetDistributionConfig"

CLOUDTRAIL Audit:

"ec2:DescribeRegions", "s3:GetBucketObjectLockConfiguration", "logs:DescribeLogGroups", "s3:GetBucketLogging", "cloudtrail:GetTrailStatus", "s3:GetBucketVersioning", "cloudtrail:GetEventSelectors", "s3:GetBucketAcl", "cloudtrail:DescribeTrails"

REDSHIFT Audit:

"ec2:DescribeRegions", "redshift:DescribeReservedNodes", "kms:ListAliases", "redshift:DescribeClusters", "redshift:DescribeTags", "redshift:DescribeLoggingStatus", "cloudwatch:GetMetricStatistics", "redshift:DescribeClusterParameters"

APIGATEWAY Audit:

"ec2:DescribeRegions", "apigateway:GET", "apigateway:GetRestAPIs", "apigateway:GetRestAPI", "apigateway:GetStages", "apigateway:GetClientCertificate", "apigatewayv2:GetRestAPIs", "apigatewayv2:GetRestAPI", "apigatewayv2:GetStages", "apigatewayv2:GetClientCertificate"

SQS Audit:

"ec2:DescribeRegions", "sqs:ListQueues", "sqs:GetQueueAttributes"

CloudFront Audit:

"ec2:DescribeRegions", "events:DescribeEventBus", "logs:DescribeLogGroups", "cloudwatch:DescribeAlarmsForMetric", "ec2:DescribeFlowLogs", "cloudwatch:DescribeAlarms", "events:ListRules", "logs:DescribeMetricFilters"

ROUTE53MONITORING:

"ec2:DescribeRegions", "route53domains:ListDomains", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53domains:GetDomainDetail"

IAM Audit​

Security Group Audit:​

S3 Audit:​

EC2 Audit:​

RDS Audit:​

LAMBDA Audit:​

DYNAMODB Audit:​

ELB Audit:​

Elastic Search Audit:​

KMS Audit:​

KUBERNETES Audit:​

SES Audit:​

SNS Audit:​

CLOUDFRONT Audit:​

CLOUDTRAIL Audit:​

REDSHIFT Audit:​

APIGATEWAY Audit:​

SQS Audit:​

CloudFront Audit:​

ROUTE53MONITORING:​