Hyperglance needs an IAM role/policy applied to gather inventory, create diagrams, and evaluate cost-saving, compliance, and security rules
Hyperglance IAM Permissions
If you're connecting Hyperglance to an AWS GovCloud account, follow these instructions instead.
The Hyperglance IAM user needs certain rights to poll the relevant information from the API.
Hyperglance only needs a 'Read Only' policy applied to gather inventory, create diagrams and evaluate rules.
If you'd like to use Hyperglance to enable resource controls (e.g. Start, Stop, Add Tag, etc.) then you'll need to apply a Read-Write Policy:
- Generic Read-Only Policy
- Detailed Read-Only Policy
- Detailed Full Read-Write Policy
- Sending SNS Notifications
Generic Read-Only Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"access-analyzer:List*",
"apigateway:GET",
"autoscaling:Describe*",
"backup:ListProtectedResources",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cur:DescribeReportDefinitions",
"dax:Describe*",
"dax:ListTags",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"directconnect:Describe*",
"ec2:Describe*",
"ec2:Get*",
"ec2:Search*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticloadbalancing:Describe*",
"iam:List*",
"iam:Get*",
"iam:GenerateCredentialReport",
"lambda:List*",
"ram:GetResourceShareAssociations",
"redshift:Describe*",
"redshift:List*",
"rds:Describe*",
"rds:ListTagsForResource",
"route53:List*",
"route53:Get*",
"s3:Get*",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:Describe*",
"sns:List*",
"sns:Get*",
"sqs:List*",
"sqs:Get*"
],
"Resource": "*"
}
]
}
Detailed Read-Only Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"access-analyzer:ListAnalyzers",
"apigateway:GET",
"autoscaling:Describe*",
"backup:ListProtectedResources",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cur:DescribeReportDefinitions",
"dax:Describe*",
"dax:ListTags",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"directconnect:DescribeLags",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"directconnect:DescribeDirectConnectGateways",
"directconnect:DescribeDirectConnectGatewayAssociations",
"ec2:Describe*",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:SearchTransitGatewayRoutes",
"ecs:describeClusters",
"ecs:describeContainerInstances",
"ecs:describeServices",
"ecs:describeTasks",
"ecs:listClusters",
"ecs:listContainerInstances",
"ecs:listServices",
"ecs:listTasks",
"eks:DescribeCluster",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListUpdates",
"eks:ListFargateProfiles",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListMFADevices",
"iam:ListServerCertificates",
"iam:ListGroupsForUser",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GetPolicyVersion",
"iam:GenerateCredentialReport",
"lambda:List*",
"ram:GetResourceShareAssociations",
"redshift:describeClusterSubnetGroups",
"redshift:describeClusters",
"redshift:describeTags",
"rds:Describe*",
"rds:ListTagsForResource",
"route53:ListTrafficPolicyInstances",
"route53:ListTrafficPolicyVersions",
"route53:ListResourceRecordSets",
"route53:ListHostedZones",
"route53:GetHostedZone",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:GetReplicationConfiguration",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspacesConnectionStatus",
"sns:ListTopics",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:GetTopicAttributes",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags"
],
"Resource": "*"
}
]
}
Detailed Full Read-Write Policy
You can choose which actions to enable in the policy without Hyperglance complaining, e.g. only allowing create/delete tags
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"access-analyzer:ListAnalyzers",
"apigateway:GET",
"autoscaling:Describe*",
"backup:ListProtectedResources",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cur:DescribeReportDefinitions",
"dax:DeleteCluster",
"dax:Describe*",
"dax:ListTags",
"dax:TagResource",
"dax:UntagResource",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"directconnect:DescribeLags",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"directconnect:DescribeDirectConnectGateways",
"directconnect:DescribeDirectConnectGatewayAssociations",
"ec2:CreateImage",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:Describe*",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:SearchTransitGatewayRoutes",
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ecs:describeClusters",
"ecs:describeContainerInstances",
"ecs:describeServices",
"ecs:describeTasks",
"ecs:listClusters",
"ecs:listContainerInstances",
"ecs:listServices",
"ecs:listTasks",
"eks:DescribeCluster",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListUpdates",
"eks:ListFargateProfiles",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListMFADevices",
"iam:ListServerCertificates",
"iam:ListGroupsForUser",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GetPolicyVersion",
"iam:GenerateCredentialReport",
"lambda:List*",
"lambda:TagResource",
"lambda:UntagResource",
"ram:GetResourceShareAssociations",
"rds:AddTagsToResource",
"rds:DeleteDBInstance",
"rds:Describe*",
"rds:ListTagsForResource",
"rds:RebootDBInstance",
"rds:RemoveTagsFromResource",
"rds:StartDBInstance",
"rds:StopDBInstance",
"rds:DeleteDBCluster",
"rds:StartDBCluster",
"rds:StopDBCluster",
"redshift:describeClusterSubnetGroups",
"redshift:describeClusters",
"redshift:describeTags",
"redshift:createTags",
"redshift:deleteTags",
"route53:ListTrafficPolicyInstances",
"route53:ListTrafficPolicyVersions",
"route53:ListResourceRecordSets",
"route53:ListHostedZones",
"route53:GetHostedZone",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:GetReplicationConfiguration",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketTagging",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspacesConnectionStatus",
"sns:ListTopics",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:GetTopicAttributes",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags"
],
"Resource": "*"
}
]
}
Sending SNS Notifications
In order to send SNS notifications using Hyperglance's rules, you'll need to add an SNS Publish permission to the policy:
"sns:Publish",