
Permissions required for Audit recipe

We analyzed each audit recipe to determine the minimal set of permissions it needs to run against your AWS account, and the role you grant us carries exactly that set: not a single permission more or less than is needed to complete a successful audit. Every action below is a read-only Describe, Get, List or report-generation call; none of them can create, modify or delete a resource. Each recipe also includes ec2:DescribeRegions, which the audit uses to enumerate the regions it scans.

IAM Audit:

"ec2:DescribeRegions", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeListenerCertificates", "iam:GenerateCredentialReport", "iam:GetCredentialReport", "iam:GetAccountPasswordPolicy", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetUserPolicy", "iam:ListAttachedGroupPolicies", "iam:ListAttachedUserPolicies", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser", "iam:ListServerCertificates", "iam:ListUserPolicies", "iam:ListUsers", "iam:GenerateServiceLastAccessedDetails", "iam:GetServiceLastAccessedDetails", "iam:GetServiceLastAccessedDetailsWithEntities", "iam:GetOrganizationsAccessReport", "iam:GetPolicy", "iam:ListRoles", "iam:ListRolePolicies", "iam:ListAccessKeys", "iam:GetAccessKeyLastUsed"

Security Group Audit:

"ec2:DescribeRegions", "rds:DescribeDBInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeNetworkAcls", "ec2:DescribeFlowLogs", "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "redshift:DescribeClusters"

S3 Audit:

"ec2:DescribeRegions", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration", "s3:GetBucketVersioning", "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetLifecycleConfiguration", "s3:GetAccelerateConfiguration", "s3:GetBucketCORS", "s3:GetBucketWebsite", "s3:GetReplicationConfiguration"

Note: S3 IAM action names do not always match the API operation names. The GetBucketEncryption and GetPublicAccessBlock API calls are authorized by s3:GetEncryptionConfiguration and s3:GetBucketPublicAccessBlock respectively, which is why those are the actions listed here.

EC2 Audit:

"ec2:DescribeRegions", "autoscaling:DescribeAutoScalingInstances", "ec2:DescribeAddresses", "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:DescribeSnapshotAttribute", "ec2:GetEbsEncryptionByDefault", "ec2:DescribeInstanceAttribute", "servicequotas:GetServiceQuota", "ec2:DescribeSnapshots", "cloudwatch:GetMetricStatistics", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAccountAttributes", "ec2:DescribeReservedInstances", "ec2:DescribeSubnets", "ec2:DescribeKeyPairs", "ec2:DescribeRouteTables", "ec2:DescribeInstanceStatus"

RDS Audit:

"ec2:DescribeRegions", "rds:DescribeEventSubscriptions", "rds:DescribeDBSnapshots", "rds:DescribeDBSecurityGroups", "cloudwatch:GetMetricStatistics", "ec2:DescribeSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeReservedDBInstances", "rds:ListTagsForResource", "kms:ListAliases", "rds:DescribeDBInstances", "rds:DescribeDBParameters", "ec2:DescribeRouteTables", "rds:DescribeDBClusters"

LAMBDA Audit:

"ec2:DescribeRegions", "iam:GetRole", "iam:GetPolicyVersion", "iam:GetPolicy", "lambda:ListFunctions", "lambda:ListVersionsByFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:GetFunctionConfiguration", "cloudtrail:GetEventSelectors", "cloudtrail:DescribeTrails", "lambda:ListTags", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:GetRolePolicy", "lambda:GetPolicy"

DYNAMODB Audit:

"ec2:DescribeRegions", "dynamodb:DescribeTable", "dynamodb:ListTables", "application-autoscaling:DescribeScalingPolicies", "dynamodb:DescribeContinuousBackups", "kms:DescribeKey", "ec2:DescribeVpcEndpoints", "dynamodb:DescribeTableReplicaAutoScaling"

ELB Audit:

"ec2:DescribeRegions", "elasticloadbalancing:DescribeSSLPolicies", "wafv2:ListResourcesForWebACL", "wafv2:ListWebACLs", "elasticloadbalancing:DescribeTags", "cloudwatch:GetMetricStatistics", "ec2:DescribeSecurityGroups", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeInstanceHealth"

Elasticsearch Audit:

"ec2:DescribeRegions", "es:DescribeReservedElasticsearchInstances", "es:ListDomainNames", "es:ListTags", "es:DescribeElasticsearchDomains", "cloudwatch:GetMetricStatistics"

KMS Audit:

"ec2:DescribeRegions", "kms:ListKeys", "kms:GetKeyRotationStatus", "ec2:DescribeVolumes", "kms:ListAliases", "kms:GetKeyPolicy", "kms:DescribeKey", "kms:ListResourceTags", "kms:ListGrants"

KUBERNETES Audit:

"ec2:DescribeRegions", "eks:DescribeNodegroup", "ecr:DescribeRepositories", "eks:DescribeCluster", "eks:ListClusters", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ecr:GetRepositoryPolicy", "ecr:GetLifecyclePolicy"

SES Audit:

"ec2:DescribeRegions", "ses:GetIdentityDkimAttributes", "ses:GetIdentityPolicies", "ses:GetIdentityVerificationAttributes", "ses:ListIdentityPolicies", "ses:ListIdentities"

SNS Audit:

"ec2:DescribeRegions", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes", "sns:ListTopics", "sns:GetSubscriptionAttributes", "sns:ListSubscriptions"

CLOUDFRONT Audit:

"ec2:DescribeRegions", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudfront:GetDistributionConfig"

CLOUDTRAIL Audit:

"ec2:DescribeRegions", "s3:GetBucketObjectLockConfiguration", "logs:DescribeLogGroups", "s3:GetBucketLogging", "cloudtrail:GetTrailStatus", "s3:GetBucketVersioning", "cloudtrail:GetEventSelectors", "s3:GetBucketAcl", "cloudtrail:DescribeTrails"

REDSHIFT Audit:

"ec2:DescribeRegions", "redshift:DescribeReservedNodes", "kms:ListAliases", "redshift:DescribeClusters", "redshift:DescribeTags", "redshift:DescribeLoggingStatus", "cloudwatch:GetMetricStatistics", "redshift:DescribeClusterParameters"

APIGATEWAY Audit:

"ec2:DescribeRegions", "apigateway:GET"

Note: API Gateway IAM actions are HTTP verbs rather than operation names, so apigateway:GET (on the resource arn:aws:apigateway:*::/*) is what IAM evaluates for the GetRestApis, GetRestApi, GetStages and GetClientCertificate calls, and equally for the v2 (HTTP and WebSocket) API calls. There is no apigatewayv2 IAM service prefix, and names such as apigateway:GetRestAPIs are not IAM actions.

SQS Audit:

"ec2:DescribeRegions", "sqs:ListQueues", "sqs:GetQueueAttributes"

CLOUDWATCH Audit:

"ec2:DescribeRegions", "events:DescribeEventBus", "logs:DescribeLogGroups", "cloudwatch:DescribeAlarmsForMetric", "ec2:DescribeFlowLogs", "cloudwatch:DescribeAlarms", "events:ListRules", "logs:DescribeMetricFilters"

ROUTE53 Audit:

"ec2:DescribeRegions", "route53domains:ListDomains", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53domains:GetDomainDetail"
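The lists above are what you would paste into the IAM role the audit assumes. As an added example (not the vendor's code or anything from the original page), the script below merges per-recipe action lists into a single policy document, deduplicates the repeated entries, refuses any action whose verb is not Describe/Get/List/Generate (or API Gateway's GET) so the role provably cannot mutate anything, and checks the result against the 6,144 non-whitespace character limit for a customer managed policy. RECIPES is a constructed subset of three of the lists on this page; trust_policy() assumes the auditor connects by assuming a cross-account role, which this page does not state, and the account ID and external ID in it are placeholders.

```python
"""Merge the per-recipe action lists into one read-only IAM policy.

Added example; not code from the original page or its vendor. RECIPES is a
constructed subset of the lists on this page, and the account ID / external
ID passed to trust_policy() are placeholders.
"""
import json
import re

# Constructed subset of the recipe lists above; paste the full lists in to use it.
RECIPES = {
    "iam": [
        "ec2:DescribeRegions", "iam:GenerateCredentialReport",
        "iam:GetCredentialReport", "iam:GetAccountPasswordPolicy",
        "iam:ListUsers", "iam:ListAccessKeys", "iam:GetAccessKeyLastUsed",
    ],
    "s3": [
        "ec2:DescribeRegions", "s3:ListAllMyBuckets", "s3:GetBucketAcl",
        "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration",
        "s3:GetBucketVersioning", "s3:GetBucketLogging",
        "s3:GetBucketVersioning",  # repeated on purpose; merge_actions drops it
    ],
    "cloudtrail": [
        "ec2:DescribeRegions", "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus", "cloudtrail:GetEventSelectors",
        "logs:DescribeLogGroups", "s3:GetBucketAcl",
    ],
}

# Verbs an audit role may use. "get" also covers apigateway:GET, whose IAM
# actions are HTTP verbs; "generate" covers iam:GenerateCredentialReport and
# iam:GenerateServiceLastAccessedDetails, which produce a report rather than
# change a resource.
READ_ONLY_VERB = re.compile(r"^(describe|get|list|generate)", re.IGNORECASE)

# IAM limit: a customer managed policy may hold 6,144 non-whitespace
# characters (an inline role policy may hold 10,240).
MANAGED_POLICY_MAX_CHARS = 6144


def merge_actions(recipes):
    """Union of every recipe's actions, deduplicated case-insensitively and sorted."""
    seen = {}
    for actions in recipes.values():
        for action in actions:
            seen.setdefault(action.lower(), action)
    return sorted(seen.values(), key=str.lower)


def non_read_only(actions):
    """Actions whose verb is not Describe/Get/List/Generate, or that are malformed."""
    bad = []
    for action in actions:
        service, _, verb = action.partition(":")
        if not service or not verb or not READ_ONLY_VERB.match(verb):
            bad.append(action)
    return bad


def policy_chars(policy):
    """Character count the way IAM measures it: the JSON without whitespace."""
    return len(json.dumps(policy, separators=(",", ":")))


def build_policy(recipes):
    """Single-statement Allow policy; refuses any action that is not read-only."""
    actions = merge_actions(recipes)
    bad = non_read_only(actions)
    if bad:
        raise ValueError(f"audit policy would grant non read-only actions: {bad}")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AuditReadOnly",
            "Effect": "Allow",
            "Action": actions,
            "Resource": "*",
        }],
    }
    if policy_chars(policy) > MANAGED_POLICY_MAX_CHARS:
        raise ValueError("policy exceeds the managed-policy size limit; split it per recipe")
    return policy


def trust_policy(auditor_account_id, external_id):
    """Trust policy for the audit role, assuming the auditor assumes it
    cross-account (an assumption; the page does not say how it connects).
    The sts:ExternalId condition is the standard confused-deputy guard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{auditor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(RECIPES), indent=2))
    print(json.dumps(trust_policy("111111111111", "replace-with-a-random-secret"), indent=2))
```

Run it, attach the first document to the role as its permissions policy and the second as its trust policy (substituting the auditor's account ID and a secret ExternalId). If you paste all of the lists from this page into RECIPES and the size check fails, split the statement by recipe across several managed policies rather than widening any action to a wildcard.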