AWS IAM Policy Requirements for GovCloud

The IAM user that Hyperglance authenticates as must be granted specific permissions so that Hyperglance can poll the relevant information from the AWS API. The full list of permissions Hyperglance needs is given below.

This page describes the policy needed for a GovCloud account.

For a regular (commercial) AWS account, see the separate page: IAM Policy Requirements.

 

Hyperglance only needs a 'Read Only' policy to gather inventory, create diagrams and evaluate rules. To enable resource controls (Start, Stop, Add Tag, etc.), the Read/Write policy must be applied instead. Note that every policy below also grants `sts:AssumeRole` on `"Resource": "*"`, so the effective access is not strictly read-only: the user can assume any role whose trust policy allows it.

 

NOTE: To send SNS notifications from Hyperglance's rules, you must also add the SNS Publish permission to whichever policy you apply (it is not included in any of the policies below):

"sns:Publish",

 


Generic Read Only Policy (uses service-level wildcards such as `s3:Get*` and `iam:Get*`, which match more actions than the Detailed policy below enumerates — for example `s3:Get*` also matches `s3:GetObject`, i.e. reading object contents — so prefer the Detailed policy where least privilege matters):

 

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"access-analyzer:List*",
"apigateway:GET",
"autoscaling:Describe*",
"backup:ListProtectedResources",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"directconnect:Describe*",
"ec2:Describe*",
"ec2:Get*",
"ec2:Search*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticloadbalancing:Describe*",
"iam:List*",
"iam:Get*",
"iam:GenerateCredentialReport",
"lambda:List*",
"ram:GetResourceShareAssociations",
"redshift:Describe*",
"redshift:List*",
"rds:Describe*",
"rds:ListTagsForResource",
"route53:List*",
"route53:Get*",
"s3:Get*",
"s3:ListAllMyBuckets",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:Describe*",
"sns:List*",
"sns:Get*",
"sqs:List*",
"sqs:Get*"
],
"Resource": "*"
}
]
}




Detailed Read Only Policy (note that the `elasticloadbalancing:Describe*` entry already covers the individual elasticloadbalancing Describe actions listed after it):

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"access-analyzer:ListAnalyzers",
"apigateway:GET",
"autoscaling:Describe*",
"backup:ListProtectedResources",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"directconnect:DescribeLags",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"directconnect:DescribeDirectConnectGateways",
"directconnect:DescribeDirectConnectGatewayAssociations",
"ec2:Describe*",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:SearchTransitGatewayRoutes",
"ecs:describeClusters",
"ecs:describeContainerInstances",
"ecs:describeServices",
"ecs:describeTasks",
"ecs:listClusters",
"ecs:listContainerInstances",
"ecs:listServices",
"ecs:listTasks",
"eks:DescribeCluster",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListUpdates",
"eks:ListFargateProfiles",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"iam:ListUsers",
"iam:ListPolicies",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:ListMFADevices",
"iam:ListServerCertificates",
"iam:ListGroupsForUser",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GenerateCredentialReport",
"iam:GetPolicyVersion",
"lambda:List*",
"ram:GetResourceShareAssociations",
"redshift:describeClusterSubnetGroups",
"redshift:describeClusters",
"redshift:describeTags",
"rds:Describe*",
"rds:ListTagsForResource",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:GetHostedZone",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspacesConnectionStatus",
"sns:ListTopics",
"sns:ListSubscriptions",
"sns:GetTopicAttributes",
"sns:ListTagsForResource",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags"
],
"Resource": "*"
}
]
}



Detailed Full Read/Write Policy (adds mutating actions such as `ec2:StartInstances`, `ec2:TerminateInstances` and `rds:DeleteDBInstance`, all on `"Resource": "*"`; restrict these with resource ARNs or conditions if your environment requires it):

 

NOTE: You can selectively choose which of these actions to enable in the policy without Hyperglance complaining! (e.g. only allowing the Create/Delete tag actions)

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"access-analyzer:ListAnalyzers",
"apigateway:GET",
"autoscaling:Describe*",
"backup:ListProtectedResources",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"directconnect:DescribeLags",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"directconnect:DescribeDirectConnectGateways",
"directconnect:DescribeDirectConnectGatewayAssociations",
"ec2:CreateImage",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:Describe*",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:SearchTransitGatewayRoutes",
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ecs:describeClusters",
"ecs:describeContainerInstances",
"ecs:describeServices",
"ecs:describeTasks",
"ecs:listClusters",
"ecs:listContainerInstances",
"ecs:listServices",
"ecs:listTasks",
"eks:DescribeCluster",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListUpdates",
"eks:ListFargateProfiles",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"iam:ListUsers",
"iam:ListPolicies",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:ListMFADevices",
"iam:ListServerCertificates",
"iam:ListGroupsForUser",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GenerateCredentialReport",
"iam:GetPolicyVersion",
"lambda:List*",
"lambda:TagResource",
"lambda:UntagResource",
"ram:GetResourceShareAssociations",
"rds:AddTagsToResource",
"rds:DeleteDBInstance",
"rds:Describe*",
"rds:ListTagsForResource",
"rds:RebootDBInstance",
"rds:RemoveTagsFromResource",
"rds:StartDBInstance",
"rds:StopDBInstance",
"rds:DeleteDBCluster",
"rds:StartDBCluster",
"rds:StopDBCluster",
"redshift:describeClusterSubnetGroups",
"redshift:describeClusters",
"redshift:describeTags",
"redshift:createTags",
"redshift:deleteTags",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:GetHostedZone",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:PutBucketTagging",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"workspaces:describeWorkspaces",
"workspaces:describeWorkspaceDirectories",
"workspaces:describeWorkspaceBundles",
"workspaces:DescribeWorkspacesConnectionStatus",
"sns:ListTopics",
"sns:ListSubscriptions",
"sns:GetTopicAttributes",
"sns:ListTagsForResource",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags"
],
"Resource": "*"
}
]
}