- AWS Audit
- Permissions required for the audit recipes
We have taken the time to do a thorough analysis and identify the minimal permission set required to run an effective audit against your AWS account: the actions listed below are the ones we use to connect to your account and complete an audit, no more and no fewer. Every action is a read-only Describe/Get/List call (the two `iam:Generate*` actions only trigger report generation); none of them can create, modify or delete a resource. Note that some read-only actions still expose sensitive data — for example `lambda:GetFunction` returns a pre-signed URL for the function's deployment package and `lambda:GetFunctionConfiguration` returns its environment variables — so grant these permissions to a dedicated audit role rather than to a user with long-lived access keys.
IAM Audit
Permissions
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"iam:GenerateCredentialReport",
"iam:GetCredentialReport",
"iam:GetAccountPasswordPolicy",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetUserPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedUserPolicies",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListServerCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:GetOrganizationsAccessReport",
"iam:GetPolicy",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed";
Security Group Audit
Permissions
"ec2:DescribeRegions",
"rds:DescribeDBInstances",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkAcls",
"ec2:DescribeFlowLogs",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"redshift:DescribeClusters";
S3 Audit
Permissions
"ec2:DescribeRegions",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketObjectLockConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetBucketLogging",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetReplicationConfiguration",
"s3:GetBucketWebsite";
EC2 Audit
Permissions
"ec2:DescribeRegions",
"autoscaling:DescribeAutoScalingInstances",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeSnapshotAttribute",
"ec2:GetEbsEncryptionByDefault",
"ec2:DescribeInstanceAttribute",
"servicequotas:GetServiceQuota",
"ec2:DescribeSnapshots",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAccountAttributes",
"ec2:DescribeReservedInstances",
"ec2:DescribeSubnets",
"ec2:DescribeKeyPairs",
"ec2:DescribeRouteTables",
"ec2:DescribeInstanceStatus";
RDS Audit
Permissions
"ec2:DescribeRegions",
"rds:DescribeEventSubscriptions",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSecurityGroups",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeSecurityGroups",
"rds:DescribeDBSnapshotAttributes",
"rds:DescribeReservedDBInstances",
"rds:ListTagsForResource",
"kms:ListAliases",
"rds:DescribeDBInstances",
"rds:DescribeDBParameters",
"ec2:DescribeRouteTables",
"rds:DescribeDBClusters";
LAMBDA Audit
Permissions
"ec2:DescribeRegions",
"iam:GetRole",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"lambda:ListFunctions",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:GetFunctionConfiguration",
"cloudtrail:GetEventSelectors",
"cloudtrail:DescribeTrails",
"lambda:ListTags",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:GetRolePolicy",
"lambda:GetPolicy";
DYNAMODB Audit
Permissions
"ec2:DescribeRegions",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"application-autoscaling:DescribeScalingPolicies",
"dynamodb:DescribeContinuousBackups",
"kms:DescribeKey",
"ec2:DescribeVpcEndpoints",
"dynamodb:DescribeTableReplicaAutoScaling";
ELB Audit
Permissions
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeSSLPolicies",
"wafv2:ListResourcesForWebACL",
"wafv2:ListWebACLs",
"elasticloadbalancing:DescribeTags",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeSecurityGroups",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeInstanceHealth";
Elastic Search Audit
Permissions
"ec2:DescribeRegions",
"es:DescribeReservedElasticsearchInstances",
"es:ListDomainNames",
"es:ListTags",
"es:DescribeElasticsearchDomains",
"cloudwatch:GetMetricStatistics";
KMS Audit
Permissions
"ec2:DescribeRegions",
"kms:ListKeys",
"kms:GetKeyRotationStatus",
"ec2:DescribeVolumes",
"kms:ListAliases",
"kms:GetKeyPolicy",
"kms:DescribeKey",
"kms:ListResourceTags",
"kms:ListGrants";
KUBERNETES Audit
Permissions
"ec2:DescribeRegions",
"eks:DescribeNodegroup",
"ecr:DescribeRepositories",
"eks:DescribeCluster",
"eks:ListClusters",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ecr:GetRepositoryPolicy",
"ecr:GetLifecyclePolicy";
SES Audit
Permissions
"ec2:DescribeRegions",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityPolicies",
"ses:GetIdentityVerificationAttributes",
"ses:ListIdentityPolicies",
"ses:ListIdentities";
SNS Audit
Permissions
"ec2:DescribeRegions",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes",
"sns:ListTopics",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions";
CLOUDFRONT Audit
Permissions
"ec2:DescribeRegions",
"cloudfront:GetDistribution",
"cloudfront:ListDistributions",
"cloudfront:GetDistributionConfig";
CLOUDTRAIL Audit
Permissions
"ec2:DescribeRegions",
"s3:GetBucketObjectLockConfiguration",
"logs:DescribeLogGroups",
"s3:GetBucketLogging",
"cloudtrail:GetTrailStatus",
"s3:GetBucketVersioning",
"cloudtrail:GetEventSelectors",
"s3:GetBucketAcl",
"cloudtrail:DescribeTrails";
REDSHIFT Audit
Permissions
"ec2:DescribeRegions",
"redshift:DescribeReservedNodes",
"kms:ListAliases",
"redshift:DescribeClusters",
"redshift:DescribeTags",
"redshift:DescribeLoggingStatus",
"cloudwatch:GetMetricStatistics",
"redshift:DescribeClusterParameters";
APIGATEWAY Audit
Permissions
"ec2:DescribeRegions",
"apigateway:GET";
(API Gateway authorizes IAM calls by HTTP verb on the `apigateway` service prefix, for both REST APIs and v2 HTTP/WebSocket APIs; the single `apigateway:GET` action covers the GetRestApis, GetRestApi, GetStages and GetClientCertificate calls made by this recipe. Scope it to the `arn:aws:apigateway:<region>::/*` resources to be audited.)
SQS Audit
Permissions
"ec2:DescribeRegions", "sqs:ListQueues", "sqs:GetQueueAttributes";
Monitoring Audit (CloudWatch, CloudWatch Logs, EventBridge, VPC Flow Logs)
Permissions
"ec2:DescribeRegions",
"events:DescribeEventBus",
"logs:DescribeLogGroups",
"cloudwatch:DescribeAlarmsForMetric",
"ec2:DescribeFlowLogs",
"cloudwatch:DescribeAlarms",
"events:ListRules",
"logs:DescribeMetricFilters";
ROUTE53 Audit
Permissions
"ec2:DescribeRegions",
"route53domains:ListDomains",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53domains:GetDomainDetail";