1. Help & Support
  2. Amazon Web Services (AWS)

AWS IAM Policy Requirements for GovCloud

The IAM user must have certain rights in order to allow Hyperglance to poll the relevant information from the API. See below for the full list of permissions Hyperglance needs.

This page describes the policy needed for a GovCloud account.

For a regular commercial account see a different page: IAM Policy Requirements

 

Hyperglance only needs a 'Read Only' policy applied to gather inventory, create diagrams and evaluate rules. To enable resource controls (Start, Stop, Add Tag etc) the Read-Write Policy must be applied.

 

NOTE: In order to send SNS notifications using Hyperglance's rules you need to add an SNS Publish permission to the policy:

"sns:Publish",

 


Generic Read Only Policy:

 

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:Describe*",
"ec2:GetTransitGatewayRouteTablePropagations",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticloadbalancing:Describe*",
"iam:List*",
"iam:Get*",
"iam:GenerateCredentialReport"
"lambda:List*",
"ram:GetResourceShareAssociations",
"redshift:Describe*",
"redshift:List*",
"rds:Describe*",
"rds:ListTagsForResource",
"route53:List*",
"route53:Get*",
"s3:Get*",
"s3:ListAllMyBuckets",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:Describe*"
],
"Resource": "*"
}
]
}




Detailed Read Only Policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:Describe*",
"ec2:GetTransitGatewayRouteTablePropagations",
"ecs:describeClusters",
"ecs:describeContainerInstances",
"ecs:describeServices",
"ecs:describeTasks",
"ecs:listClusters",
"ecs:listContainerInstances",
"ecs:listServices",
"ecs:listTasks",
"eks:DescribeCluster",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListUpdates",
"eks:ListFargateProfiles",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"iam:ListUsers",
"iam:ListMFADevices",
"iam:ListServerCertificates",
"iam:ListGroupsForUser",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GenerateCredentialReport",
"lambda:List*",
"ram:GetResourceShareAssociations",
"redshift:describeClusterSubnetGroups",
"redshift:describeClusters",
"redshift:describeTags",
"rds:Describe*",
"rds:ListTagsForResource",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:GetHostedZone",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspacesConnectionStatus"
],
"Resource": "*"
}
]
}



Detailed Full Read/Write Policy: 

 

NOTE: You can selectively choose which actions to enable in the policy without Hyperglance complaining! (i.e. Only allowing Create/Delete tags)

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:CreateImage",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:Describe*",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ecs:describeClusters",
"ecs:describeContainerInstances",
"ecs:describeServices",
"ecs:describeTasks",
"ecs:listClusters",
"ecs:listContainerInstances",
"ecs:listServices",
"ecs:listTasks",
"eks:DescribeCluster",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListUpdates",
"eks:ListFargateProfiles",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"iam:ListUsers",
"iam:ListMFADevices",
"iam:ListServerCertificates",
"iam:ListGroupsForUser",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GenerateCredentialReport",
"lambda:List*",
"lambda:TagResource",
"lambda:UntagResource",
"ram:GetResourceShareAssociations",
"rds:AddTagsToResource",
"rds:DeleteDBInstance",
"rds:Describe*",
"rds:ListTagsForResource",
"rds:RebootDBInstance",
"rds:RemoveTagsFromResource",
"rds:StartDBInstance",
"rds:StopDBInstance",
"rds:DeleteDBCluster",
"rds:StartDBCluster",
"rds:StopDBCluster",
"redshift:describeClusterSubnetGroups",
"redshift:describeClusters",
"redshift:describeTags",
"redshift:createTags",
"redshift:deleteTags",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:GetHostedZone",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:PutBucketTagging",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:describeWorkspaces",
"workspaces:describeWorkspaceDirectories",
"workspaces:describeWorkspaceBundles",
"workspaces:DescribeWorkspacesConnectionStatus"
],
"Resource": "*"
}
]
}