1. AWS Audit
  2. Permissions required for Audit recipe

IAM Audit

Permissions
"ec2:DescribeRegions",
  "elasticloadbalancing:DescribeLoadBalancers",
  "elasticloadbalancing:DescribeListeners",
  "elasticloadbalancing:DescribeListenerCertificates",
  "iam:GenerateCredentialReport",
  "iam:GetCredentialReport",
  "iam:GetAccountPasswordPolicy",
  "iam:GetGroup",
  "iam:GetGroupPolicy",
  "iam:GetUserPolicy",
  "iam:ListAttachedGroupPolicies",
  "iam:ListAttachedUserPolicies",
  "iam:ListGroupPolicies",
  "iam:ListGroups",
  "iam:ListGroupsForUser",
  "iam:ListServerCertificates",
  "iam:ListUserPolicies",
  "iam:ListUsers",
  "iam:GenerateServiceLastAccessedDetails",
  "iam:GetServiceLastAccessedDetails",
  "iam:GetServiceLastAccessedDetailsWithEntities",
  "iam:GetOrganizationsAccessReport",
  "iam:GetPolicy",
  "iam:ListRoles",
  "iam:ListRolePolicies",
  "iam:ListAccessKeys",
  "iam:GetAccessKeyLastUsed";

Security Group Audit

Permissions
"ec2:DescribeRegions",
  "rds:DescribeDBInstances",
  "ec2:DescribeVpcs",
  "ec2:DescribeSubnets",
  "ec2:DescribeRouteTables",
  "ec2:DescribeNetworkACLs",
  "ec2:DescribeFlowLogs",
  "ec2:DescribeInstances",
  "ec2:DescribeSecurityGroups",
  "redshift:DescribeClusters";

S3 Audit

Permissions
"ec2:DescribeRegions",
  "s3:GetBucketPublicAccessBlock",
  "s3:GetBucketObjectLockConfiguration",
  "s3:GetEncryptionConfiguration",
  "s3:GetLifecycleConfiguration",
  "s3:GetBucketLogging",
  "s3:ListAllMyBuckets",
  "s3:ListBucket",
  "s3:GetAccelerateConfiguration",
  "s3:GetBucketVersioning",
  "s3:GetBucketAcl",
  "s3:GetBucketPolicy",
  "s3:GetBucketEncryption",
  "s3:GetBucketVersioning",
  "s3:GetBucketPolicy",
  "s3:GetBucketPolicyStatus",
  "s3:GetBucketLogging",
  "s3:GetPublicAccessBlock",
  "s3:GetBucketAcl",
  "s3:GetEncryptionConfiguration",
  "s3:GetBucketPublicAccessBlock",
  "s3:GetBucketCORS",
  "s3:GetBucketLocation",
  "s3:GetReplicationConfiguration",
  "s3:GetBucketWebsite";

EC2 Audit

Permissions
"ec2:DescribeRegions",
  "autoscaling:DescribeAutoScalingInstances",
  "ec2:DescribeAddresses",
  "ec2:DescribeInstances",
  "ec2:DescribeTags",
  "ec2:DescribeSnapshotAttribute",
  "ec2:GetEbsEncryptionByDefault",
  "ec2:DescribeInstanceAttribute",
  "servicequotas:GetServiceQuota",
  "ec2:DescribeSnapshots",
  "cloudwatch:GetMetricStatistics",
  "ec2:DescribeSecurityGroups",
  "ec2:DescribeImages",
  "ec2:DescribeNetworkInterfaces",
  "ec2:DescribeAccountAttributes",
  "ec2:DescribeReservedInstances",
  "ec2:DescribeSubnets",
  "ec2:DescribeKeyPairs",
  "ec2:DescribeRouteTables",
  "ec2:DescribeInstanceStatus";

RDS Audit

Permissions
"ec2:DescribeRegions",
  "rds:DescribeEventSubscriptions",
  "rds:DescribeDBSnapshots",
  "rds:DescribeDBSecurityGroups",
  "cloudwatch:GetMetricStatistics",
  "ec2:DescribeSecurityGroups",
  "rds:DescribeDBSnapshotAttributes",
  "rds:DescribeReservedDBInstances",
  "rds:ListTagsForResource",
  "kms:ListAliases",
  "rds:DescribeDBInstances",
  "rds:DescribeDBParameters",
  "ec2:DescribeRouteTables",
  "rds:DescribeDBClusters";

LAMBDA Audit

Permissions
"ec2:DescribeRegions",
  "iam:GetRole",
  "iam:GetPolicyVersion",
  "iam:GetPolicy",
  "lambda:ListFunctions",
  "lambda:ListVersionsByFunction",
  "lambda:GetFunction",
  "lambda:ListAliases",
  "lambda:GetFunctionConfiguration",
  "cloudtrail:GetEventSelectors",
  "cloudtrail:DescribeTrails",
  "lambda:ListTags",
  "iam:ListAttachedRolePolicies",
  "iam:ListRolePolicies",
  "iam:GetRolePolicy",
  "lambda:GetPolicy";

DYNAMODB Audit

Permissions
"ec2:DescribeRegions",
  "dynamodb:DescribeTable",
  "dynamodb:ListTables",
  "application-autoscaling:DescribeScalingPolicies",
  "dynamodb:DescribeContinuousBackups",
  "kms:DescribeKey",
  "ec2:DescribeVpcEndpoints",
  "dynamodb:DescribeTableReplicaAutoScaling";

ELB Audit

Permissions
"ec2:DescribeRegions",
  "elasticloadbalancing:DescribeSSLPolicies",
  "wafv2:ListResourcesForWebACL",
  "wafv2:ListWebACLs",
  "elasticloadbalancing:DescribeTags",
  "cloudwatch:GetMetricStatistics",
  "ec2:DescribeSecurityGroups",
  "elasticloadbalancing:DescribeLoadBalancerAttributes",
  "elasticloadbalancing:DescribeLoadBalancers",
  "elasticloadbalancing:DescribeListeners",
  "elasticloadbalancing:DescribeTargetHealth",
  "elasticloadbalancing:DescribeLoadBalancerPolicies",
  "elasticloadbalancing:DescribeTargetGroups",
  "elasticloadbalancing:DescribeInstanceHealth";

Elastic Search Audit

Permissions
"ec2:DescribeRegions",
  "es:DescribeReservedElasticsearchInstances",
  "es:ListDomainNames",
  "es:ListTags",
  "es:DescribeElasticsearchDomains",
  "cloudwatch:GetMetricStatistics";

KMS Audit

Permissions
"ec2:DescribeRegions",
  "kms:ListKeys",
  "kms:GetKeyRotationStatus",
  "ec2:DescribeVolumes",
  "kms:ListAliases",
  "kms:GetKeyPolicy",
  "kms:DescribeKey",
  "kms:ListResourceTags",
  "kms:ListGrants";

KUBERNETES Audit

Permissions
"ec2:DescribeRegions",
  "eks:DescribeNodegroup",
  "ecr:DescribeRepositories",
  "eks:DescribeCluster",
  "eks:ListClusters",
  "ec2:DescribeSubnets",
  "ec2:DescribeSecurityGroups",
  "ecr:GetRepositoryPolicy",
  "ecr:GetLifecyclePolicy";

SES Audit

Permissions
"ec2:DescribeRegions",
  "ses:GetIdentityDkimAttributes",
  "ses:GetIdentityPolicies",
  "ses:GetIdentityVerificationAttributes",
  "ses:ListIdentityPolicies",
  "ses:ListIdentities";

SNS Audit

Permissions
"ec2:DescribeRegions",
  "sns:ListSubscriptionsByTopic",
  "sns:GetTopicAttributes",
  "sns:ListTopics",
  "sns:GetSubscriptionAttributes",
  "sns:ListSubscriptions";

CLOUDFRONT Audit

Permissions
"ec2:DescribeRegions",
  "cloudfront:GetDistribution",
  "cloudfront:ListDistributions",
  "cloudfront:GetDistributionConfig";

CLOUDTRAIL Audit

Permissions
"ec2:DescribeRegions",
  "s3:GetBucketObjectLockConfiguration",
  "logs:DescribeLogGroups",
  "s3:GetBucketLogging",
  "cloudtrail:GetTrailStatus",
  "s3:GetBucketVersioning",
  "cloudtrail:GetEventSelectors",
  "s3:GetBucketAcl",
  "cloudtrail:DescribeTrails";

REDSHIFT Audit

Permissions
"ec2:DescribeRegions",
  "redshift:DescribeReservedNodes",
  "kms:ListAliases",
  "redshift:DescribeClusters",
  "redshift:DescribeTags",
  "redshift:DescribeLoggingStatus",
  "cloudwatch:GetMetricStatistics",
  "redshift:DescribeClusterParameters";

APIGATEWAY Audit

Permissions
"ec2:DescribeRegions",
  "apigateway:GET",
  "apigateway:GetRestAPIs",
  "apigateway:GetRestAPI",
  "apigateway:GetStages",
  "apigateway:GetClientCertificate",
  "apigatewayv2:GetRestAPIs",
  "apigatewayv2:GetRestAPI",
  "apigatewayv2:GetStages",
  "apigatewayv2:GetClientCertificate";

SQS Audit

Permissions
"ec2:DescribeRegions", "sqs:ListQueues", "sqs:GetQueueAttributes";

CLOUDWATCH Audit

Permissions
"ec2:DescribeRegions",
  "events:DescribeEventBus",
  "logs:DescribeLogGroups",
  "cloudwatch:DescribeAlarmsForMetric",
  "ec2:DescribeFlowLogs",
  "cloudwatch:DescribeAlarms",
  "events:ListRules",
  "logs:DescribeMetricFilters";

ROUTE53MONITORING

Permissions
"ec2:DescribeRegions",
  "route53domains:ListDomains",
  "route53:ListHostedZones",
  "route53:ListResourceRecordSets",
  "route53domains:GetDomainDetail";