Hyperglance AWS IAM Policy Requirements

Hyperglance needs an IAM role/policy applied to gather inventory, create diagrams, and evaluate cost-saving, compliance, and security rules.

Hyperglance IAM Permissions

If you're connecting Hyperglance to an AWS GovCloud account, follow these instructions instead.

The Hyperglance IAM user needs certain rights to poll the relevant information from the API.

Hyperglance only needs a 'Read Only' policy applied to gather inventory, create diagrams, and evaluate rules.

If you'd like to use Hyperglance to enable resource controls (e.g. Start, Stop, Add Tag, etc.), then you'll need to apply the Read-Write policy shown further below.

Generic Read-Only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:List*",
        "apigateway:GET",
        "autoscaling:Describe*",
        "backup:ListProtectedResources",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:Describe*",
        "dax:ListTags",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "directconnect:Describe*",
        "ec2:Describe*",
        "ec2:Get*",
        "ec2:Search*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticloadbalancing:Describe*",
        "iam:List*",
        "iam:Get*",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "ram:GetResourceShareAssociations",
        "redshift:Describe*",
        "redshift:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "route53:List*",
        "route53:Get*",
        "s3:Get*",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:Describe*",
        "sns:List*",
        "sns:Get*",
        "sqs:List*",
        "sqs:Get*"
      ],
      "Resource": "*"
    }
  ]
}

Detailed Read-Only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers",
        "apigateway:GET",
        "autoscaling:Describe*",
        "backup:ListProtectedResources",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:Describe*",
        "dax:ListTags",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "directconnect:DescribeLags",
        "directconnect:DescribeConnections",
        "directconnect:DescribeVirtualInterfaces",
        "directconnect:DescribeDirectConnectGateways",
        "directconnect:DescribeDirectConnectGatewayAssociations",
        "ec2:Describe*",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:SearchTransitGatewayRoutes",
        "ecs:describeClusters",
        "ecs:describeContainerInstances",
        "ecs:describeServices",
        "ecs:describeTasks",
        "ecs:listClusters",
        "ecs:listContainerInstances",
        "ecs:listServices",
        "ecs:listTasks",
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeUpdate",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListUpdates",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "eks:ListTagsForResource",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListServerCertificates",
        "iam:ListGroupsForUser",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetCredentialReport",
        "iam:GetPolicyVersion",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "ram:GetResourceShareAssociations",
        "redshift:describeClusterSubnetGroups",
        "redshift:describeClusters",
        "redshift:describeTags",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "route53:ListTrafficPolicyInstances",
        "route53:ListTrafficPolicyVersions",
        "route53:ListResourceRecordSets",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetReplicationConfiguration",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspacesConnectionStatus",
        "sns:ListTopics",
        "sns:ListSubscriptions",
        "sns:ListTagsForResource",
        "sns:GetTopicAttributes",
        "sqs:ListQueues",
        "sqs:GetQueueAttributes",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    }
  ]
}

Detailed Full Read-Write Policy

You can choose which of the write actions to enable in this policy without Hyperglance complaining about the ones you leave out, e.g. allowing only the create/delete tag actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers",
        "apigateway:GET",
        "autoscaling:Describe*",
        "backup:ListProtectedResources",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:DeleteCluster",
        "dax:Describe*",
        "dax:ListTags",
        "dax:TagResource",
        "dax:UntagResource",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "directconnect:DescribeLags",
        "directconnect:DescribeConnections",
        "directconnect:DescribeVirtualInterfaces",
        "directconnect:DescribeDirectConnectGateways",
        "directconnect:DescribeDirectConnectGatewayAssociations",
        "ec2:CreateImage",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:Describe*",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:SearchTransitGatewayRoutes",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ecs:describeClusters",
        "ecs:describeContainerInstances",
        "ecs:describeServices",
        "ecs:describeTasks",
        "ecs:listClusters",
        "ecs:listContainerInstances",
        "ecs:listServices",
        "ecs:listTasks",
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeUpdate",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListUpdates",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "eks:ListTagsForResource",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListServerCertificates",
        "iam:ListGroupsForUser",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetCredentialReport",
        "iam:GetPolicyVersion",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "lambda:TagResource",
        "lambda:UntagResource",
        "ram:GetResourceShareAssociations",
        "rds:AddTagsToResource",
        "rds:DeleteDBInstance",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:RebootDBInstance",
        "rds:RemoveTagsFromResource",
        "rds:StartDBInstance",
        "rds:StopDBInstance",
        "rds:DeleteDBCluster",
        "rds:StartDBCluster",
        "rds:StopDBCluster",
        "redshift:describeClusterSubnetGroups",
        "redshift:describeClusters",
        "redshift:describeTags",
        "redshift:createTags",
        "redshift:deleteTags",
        "route53:ListTrafficPolicyInstances",
        "route53:ListTrafficPolicyVersions",
        "route53:ListResourceRecordSets",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetReplicationConfiguration",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketTagging",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspacesConnectionStatus",
        "sns:ListTopics",
        "sns:ListSubscriptions",
        "sns:ListTagsForResource",
        "sns:GetTopicAttributes",
        "sqs:ListQueues",
        "sqs:GetQueueAttributes",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    }
  ]
}
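Because the read-write policy above mixes read-only and mutating actions in one statement, it is easy to lose track of exactly what a trimmed-down copy still allows. The following script is an added example (not Hyperglance's code) that audits a policy document: it splits the actions into read-only, mutating, wildcard and needs-review buckets, and can rebuild the policy keeping every read action plus only the mutating actions you choose, which is the "only allow create/delete tags" case described earlier. The read-prefix heuristic, the REVIEW set and the sample policy are assumptions constructed for this example.

```python
import json

# Operation-name prefixes AWS uses for non-mutating calls (heuristic assumption, not an AWS guarantee).
READ_PREFIXES = ("describe", "list", "get", "search", "generate")
# Actions that pass the prefix test but deserve a human look: sts:AssumeRole pivots into other
# roles, s3:GetObject reads bucket contents rather than bucket metadata (constructed set).
REVIEW = {"sts:AssumeRole", "s3:GetObject"}


def policy_actions(policy_text: str) -> list[str]:
    """Return every Action string in every Allow statement of an IAM policy document."""
    doc = json.loads(policy_text)
    stmts = doc["Statement"] if isinstance(doc["Statement"], list) else [doc["Statement"]]
    actions = []
    for st in stmts:
        if st.get("Effect") != "Allow":
            continue
        act = st.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def is_read_only(action: str) -> bool:
    """True if the operation name starts with a read prefix (case-insensitive, so 'apigateway:GET' counts)."""
    _, _, op = action.partition(":")
    return op.lower().startswith(READ_PREFIXES)


def audit(policy_text: str) -> dict:
    """Bucket a policy's actions so a reviewer sees at a glance what a trimmed copy still grants."""
    acts = policy_actions(policy_text)
    return {
        "read": sorted(a for a in acts if is_read_only(a) and a not in REVIEW),
        "mutating": sorted(a for a in acts if not is_read_only(a) and a not in REVIEW),
        "wildcards": sorted(a for a in acts if "*" in a),
        "review": sorted(a for a in acts if a in REVIEW),
    }


def trim_write_policy(rw_text: str, keep_mutating: set[str]) -> str:
    """Rebuild the read-write policy keeping all read-only actions plus only the chosen mutating ones."""
    doc = json.loads(rw_text)
    for st in doc["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        st["Action"] = [a for a in acts if is_read_only(a) or a in REVIEW or a in keep_mutating]
    return json.dumps(doc, indent=2)


# Constructed sample: a small subset of the read-write policy on this page.
SAMPLE_RW = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:Describe*", "ec2:CreateTags", "ec2:DeleteTags", "ec2:TerminateInstances",
               "apigateway:GET", "s3:GetObject", "sts:AssumeRole", "rds:StopDBInstance"],
    "Resource": "*"}]})
```

Run `audit(open("policy.json").read())` against the full policy before attaching it; anything in the "mutating" bucket that you did not intend to grant is what to remove.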

Sending SNS Notifications

In order to send SNS notifications using Hyperglance's rules, you'll need to add the SNS Publish permission to the policy's Action list:

"sns:Publish",