How to configure Hyperglance's AWS IAM requirements

Hyperglance needs an IAM role or policy applied to gather inventory, create diagrams, and evaluate cost-saving, compliance, and security rules.

Hyperglance IAM Permissions

If you're connecting Hyperglance to an AWS GovCloud account, follow these instructions instead.

The IAM identity (user or role) that Hyperglance authenticates as needs certain read rights to poll the relevant information from the AWS APIs.

Hyperglance only needs a read-only policy applied to gather inventory, create diagrams and evaluate rules. One caveat applies to both policies below: they include "sts:AssumeRole" on "Resource": "*", which is not a read action. On its own it grants nothing (the target role's trust policy must still name the Hyperglance identity), but it does let the identity assume any role in any account that trusts it, so review those trust policies as part of this setup. Choose between our general read policy and our more specific one, which grants closer to the minimum required permissions:

General Read-Only Policy

The general policy wildcards many of the Describe, Get and List permissions. This is easier to maintain: you will rarely need to update the policy as we add more features to Hyperglance. If you would rather be more specific about the permissions, see our specific policy further down.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:List*",
        "apigateway:GET",
        "autoscaling:Describe*",
        "backup:ListProtectedResources",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:Describe*",
        "dax:ListTags",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "directconnect:Describe*",
        "ec2:Describe*",
        "ec2:Get*",
        "ec2:Search*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticloadbalancing:Describe*",
        "iam:List*",
        "iam:Get*",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "ram:GetResourceShareAssociations",
        "redshift:Describe*",
        "redshift:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "route53:List*",
        "route53:Get*",
        "s3:Get*",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:Describe*",
        "sns:List*",
        "sns:Get*",
        "sqs:List*",
        "sqs:Get*",
        "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}

Specific Read-Only Policy

The specific policy grants only the exact permissions that Hyperglance needs. However, as we add more coverage to Hyperglance you will have to amend the policy more frequently. Note that it still wildcards a few services (autoscaling, cloudwatch, dax, dynamodb, ec2, elasticloadbalancing, lambda and rds), so it is narrower than the general policy rather than fully enumerated.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers",
        "apigateway:GET",
        "autoscaling:Describe*",
        "backup:ListProtectedResources",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:Describe*",
        "dax:ListTags",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "directconnect:DescribeLags",
        "directconnect:DescribeConnections",
        "directconnect:DescribeVirtualInterfaces",
        "directconnect:DescribeDirectConnectGateways",
        "directconnect:DescribeDirectConnectGatewayAssociations",
        "ec2:Describe*",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:SearchTransitGatewayRoutes",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeServices",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "ecs:ListTasks",
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeUpdate",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListUpdates",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "eks:ListTagsForResource",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListServerCertificates",
        "iam:ListGroupsForUser",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetCredentialReport",
        "iam:GetPolicyVersion",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "ram:GetResourceShareAssociations",
        "redshift:DescribeClusterSubnetGroups",
        "redshift:DescribeClusters",
        "redshift:DescribeTags",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "route53:ListTrafficPolicyInstances",
        "route53:ListTrafficPolicyVersions",
        "route53:ListResourceRecordSets",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetReplicationConfiguration",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspacesConnectionStatus",
        "sns:ListTopics",
        "sns:ListSubscriptions",
        "sns:ListTagsForResource",
        "sns:GetTopicAttributes",
        "sqs:ListQueues",
        "sqs:GetQueueAttributes",
        "sqs:ListQueueTags",
        "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}

Sending SNS Notifications

In order to send SNS notifications from Hyperglance's rules, you'll need to add the SNS Publish permission to the policy:

"sns:Publish",

Unlike everything else in the policies above, sns:Publish is a write action. Rather than appending it to the read-only statement, where it inherits "Resource": "*" and lets the identity publish to every topic in the account, put it in its own statement with "Resource" set to the ARN of the topic Hyperglance should publish to.
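The following is an added example for this page, not Hyperglance's own code. It checks the read-only claim made above against a policy document and shows the difference between adding sns:Publish inline (where it inherits "Resource": "*") and adding it as its own scoped statement. The read-verb allow-list is a heuristic of this example, the trimmed SAMPLE_READ_ONLY policy is constructed from a handful of the page's actions, and the topic ARN is an assumed placeholder; AWS's own access-level classification in the Service Authorization Reference remains the authority.

```python
"""Audit an IAM policy for the read-only claim made on this page, and show the
right and wrong way to add sns:Publish.

Added example for the page, not Hyperglance's own code. The read-verb
allow-list, the trimmed SAMPLE_READ_ONLY policy and the topic ARN are
assumptions constructed for illustration.
"""
import copy
import json
from typing import Dict, List

# Verb prefixes this audit treats as read-only (an assumption; AWS's access
# levels in the Service Authorization Reference are the authority). API
# Gateway uses HTTP-style verbs, hence "GET". Matching is case-insensitive,
# so "ecs:describeClusters" counts as Describe, as it does in IAM.
READ_VERBS = tuple(v.lower() for v in ("Describe", "Get", "List", "Search", "GET"))

# Constructed sample: a trimmed copy of the page's read-only statement.
SAMPLE_READ_ONLY: Dict = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*", "s3:Get*", "apigateway:GET", "ecs:describeClusters",
        "iam:GenerateCredentialReport", "sts:AssumeRole",
        "sts:GetCallerIdentity", "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value) -> List:
    # IAM accepts either a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def non_read_actions(policy: Dict) -> List[str]:
    """Allowed actions whose verb is not in READ_VERBS, plus bare wildcards
    ("*" or "service:*"). iam:GenerateCredentialReport is flagged by this
    heuristic although AWS classifies it as Read: treat such hits as review
    items rather than findings."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _, _, verb = action.partition(":")
            if not verb or verb == "*" or not verb.lower().startswith(READ_VERBS):
                found.add(action)
    return sorted(found)


def unscoped_write_actions(policy: Dict) -> List[str]:
    """Non-read actions granted on Resource "*": the combination that turns a
    'read-only' policy into something broader."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.update(non_read_actions({"Statement": [stmt]}))
    return sorted(found)


def add_publish_scoped(policy: Dict, topic_arn: str) -> Dict:
    """Recommended: sns:Publish in its own statement, limited to one topic."""
    new = copy.deepcopy(policy)
    new["Statement"].append({
        "Effect": "Allow",
        "Action": ["sns:Publish"],
        "Resource": topic_arn,
    })
    return new


def add_publish_inline(policy: Dict) -> Dict:
    """The shortcut the bare "sns:Publish", fragment invites: appended to the
    read-only statement, where it inherits "Resource": "*"."""
    new = copy.deepcopy(policy)
    new["Statement"][0]["Action"].append("sns:Publish")
    return new


if __name__ == "__main__":
    topic = "arn:aws:sns:eu-west-1:111122223333:hyperglance-alerts"  # assumed ARN
    for label, pol in (("as published", SAMPLE_READ_ONLY),
                       ("publish inline", add_publish_inline(SAMPLE_READ_ONLY)),
                       ("publish scoped", add_publish_scoped(SAMPLE_READ_ONLY, topic))):
        print(f"{label:15} non-read: {non_read_actions(pol)}")
        print(f"{'':15} unscoped: {unscoped_write_actions(pol)}")
```

Run against the page's own policies, the audit flags sts:AssumeRole (a genuine review item, see the caveat above) and iam:GenerateCredentialReport (a false positive of the verb heuristic); with sns:Publish added inline it also flags the publish grant as unscoped, whereas the scoped statement passes.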