AWS IAM Policy Requirements

Hyperglance needs a 'Read Only' policy applied to gather inventory, create diagrams, and evaluate cost-saving, compliance, and security rules.

Hyperglance IAM Permissions

If you're connecting Hyperglance to an AWS GovCloud account, follow these instructions instead.

The Hyperglance IAM user needs a specific set of permissions to poll the relevant information from the AWS APIs.

Hyperglance only needs a 'Read Only' policy applied to gather inventory, create diagrams and evaluate rules.

If you'd like to use Hyperglance's resource controls (e.g. Start, Stop, Add Tag), you'll need to apply the Read-Write policy instead.

Generic Read-Only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:Describe*",
        "dax:ListTags",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:Get*",
        "ec2:Search*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticloadbalancing:Describe*",
        "iam:List*",
        "iam:Get*",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "ram:GetResourceShareAssociations",
        "redshift:Describe*",
        "redshift:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "route53:List*",
        "route53:Get*",
        "s3:Get*",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Detailed Read-Only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:Describe*",
        "dax:ListTags",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:SearchTransitGatewayRoutes",
        "ecs:describeClusters",
        "ecs:describeContainerInstances",
        "ecs:describeServices",
        "ecs:describeTasks",
        "ecs:listClusters",
        "ecs:listContainerInstances",
        "ecs:listServices",
        "ecs:listTasks",
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeUpdate",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListUpdates",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "eks:ListTagsForResource",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListServerCertificates",
        "iam:ListGroupsForUser",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetCredentialReport",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "ram:GetResourceShareAssociations",
        "redshift:describeClusterSubnetGroups",
        "redshift:describeClusters",
        "redshift:describeTags",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "route53:ListTrafficPolicyInstances",
        "route53:ListTrafficPolicyVersions",
        "route53:ListResourceRecordSets",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetReplicationConfiguration",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspacesConnectionStatus"
      ],
      "Resource": "*"
    }
  ]
}

Detailed Full Read-Write Policy

You can choose which of the write actions to grant in this policy without Hyperglance complaining, e.g. only the create/delete tag actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cur:DescribeReportDefinitions",
        "dax:DeleteCluster",
        "dax:Describe*",
        "dax:ListTags",
        "dax:TagResource",
        "dax:UntagResource",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:CreateImage",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:Describe*",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:SearchTransitGatewayRoutes",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ecs:describeClusters",
        "ecs:describeContainerInstances",
        "ecs:describeServices",
        "ecs:describeTasks",
        "ecs:listClusters",
        "ecs:listContainerInstances",
        "ecs:listServices",
        "ecs:listTasks",
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeUpdate",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListUpdates",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "eks:ListTagsForResource",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListServerCertificates",
        "iam:ListGroupsForUser",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetCredentialReport",
        "iam:GenerateCredentialReport",
        "lambda:List*",
        "lambda:TagResource",
        "lambda:UntagResource",
        "ram:GetResourceShareAssociations",
        "rds:AddTagsToResource",
        "rds:DeleteDBInstance",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:RebootDBInstance",
        "rds:RemoveTagsFromResource",
        "rds:StartDBInstance",
        "rds:StopDBInstance",
        "rds:DeleteDBCluster",
        "rds:StartDBCluster",
        "rds:StopDBCluster",
        "redshift:describeClusterSubnetGroups",
        "redshift:describeClusters",
        "redshift:describeTags",
        "redshift:createTags",
        "redshift:deleteTags",
        "route53:ListTrafficPolicyInstances",
        "route53:ListTrafficPolicyVersions",
        "route53:ListResourceRecordSets",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetReplicationConfiguration",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketTagging",
        "sts:AssumeRole",
        "sts:GetCallerIdentity",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspacesConnectionStatus"
      ],
      "Resource": "*"
    }
  ]
}

Sending SNS Notifications

To send SNS notifications from Hyperglance's rules, add the SNS Publish action to the policy's "Action" list:

"sns:Publish",
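Before attaching one of the policies above, it is worth checking exactly which rights the Read-Write policy adds over the read-only baseline and which actions are not plain Describe/Get/List verbs (sts:AssumeRole, for instance, is in every policy on this page). The following added example does both checks and appends "sns:Publish" as described in the SNS section; it is not Hyperglance's own code, and the two policies embedded in it are constructed, abbreviated excerpts of the page's Generic Read-Only and Read-Write policies.

```python
from __future__ import annotations
import copy
import fnmatch

# Verb prefixes treated as read-only; anything else is flagged for review.
READ_VERBS = ("describe", "get", "list", "search", "generatecredentialreport")

# Constructed, abbreviated excerpts of the page's Generic Read-Only and Read-Write policies.
GENERIC_RO = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "ec2:Get*", "ecs:Describe*", "iam:Get*",
               "s3:Get*", "sts:AssumeRole"]}]}
READ_WRITE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "ec2:GetTransitGatewayRouteTablePropagations",
               "ec2:StopInstances", "ec2:TerminateInstances", "ecs:describeClusters",
               "iam:GetCredentialReport", "rds:DeleteDBInstance", "s3:GetObject",
               "s3:PutBucketTagging", "sts:AssumeRole"]}]}

def actions(policy: dict) -> list[str]:
    """Flatten the Action lists of all Allow statements (a bare string counts too)."""
    out: list[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt["Action"]
            out.extend([act] if isinstance(act, str) else act)
    return out

def is_covered(action: str, patterns: list[str]) -> bool:
    """IAM matches action names case-insensitively; '*' is the only wildcard used here."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def uncovered(policy: dict, baseline: dict) -> list[str]:
    """Actions in `policy` that `baseline` does not already grant, i.e. the extra rights."""
    base = actions(baseline)
    return sorted(a for a in actions(policy) if not is_covered(a, base))

def non_read_actions(policy: dict) -> list[str]:
    """Actions whose verb is not a read/list/describe verb, e.g. ec2:StopInstances.
    sts:AssumeRole is flagged too: it mints credentials rather than reading state."""
    return sorted(a for a in actions(policy)
                  if not a.split(":", 1)[1].lower().startswith(READ_VERBS))

def with_sns_publish(policy: dict) -> dict:
    """Return a copy with sns:Publish added to the first Allow statement (idempotent)."""
    new = copy.deepcopy(policy)
    if not is_covered("sns:Publish", actions(new)):
        stmt = next(s for s in new["Statement"] if s.get("Effect") == "Allow")
        stmt["Action"] = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        stmt["Action"].append("sns:Publish")
    return new

if __name__ == "__main__":
    print("extra rights in Read-Write:", uncovered(READ_WRITE, GENERIC_RO))
    print("non-read actions:", non_read_actions(READ_WRITE))
```

Run it against the full policies above by loading them with `json.load` in place of the excerpts; the uncovered list is the set of mutating rights you are actually granting beyond the read-only baseline.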