The IAM user needs specific permissions so that Hyperglance can poll the relevant information from the AWS API. The full list of permissions Hyperglance needs is given below.


Hyperglance only needs a 'Read Only' policy applied to gather inventory, create diagrams and evaluate rules. To enable resource controls (Start, Stop, Add Tag etc.) the Read-Write policy must be applied instead.


NOTE: To send SNS notifications from Hyperglance rules, you also need to add the SNS Publish permission to whichever policy you apply:


"sns:Publish",


Read Only Policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "dax:Describe*",
        "dax:ListTags",
        "dynamodb:Describe*",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:GetTransitGatewayRouteTablePropagations",
		"ecs:describeClusters",
		"ecs:describeContainerInstances",
		"ecs:describeServices",
		"ecs:describeTasks",
		"ecs:listClusters",
		"ecs:listContainerInstances",
		"ecs:listServices",
		"ecs:listTasks",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "lambda:List*",
        "ram:GetResourceShareAssociations",
		"redshift:describeClusterSubnetGroups",
		"redshift:describeClusters",
		"redshift:describeTags",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "route53:ListTrafficPolicyInstances",
        "route53:ListTrafficPolicyVersions",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:ListAllMyBuckets",
        "sts:AssumeRole",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}



Full Read/Write Policy: 


NOTE: You do not have to grant every action in this policy; you can selectively enable only the actions you need (e.g. only allowing Create/Delete tags) and Hyperglance will still work without complaining.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"autoscaling:Describe*",
				"cloudwatch:Describe*",
				"cloudwatch:GetMetricStatistics",
				"cloudwatch:ListMetrics",
				"dax:DeleteCluster",
				"dax:Describe*",
				"dax:ListTags",
				"dax:TagResource",
				"dax:UntagResource",
				"dynamodb:Describe*",
				"dynamodb:ListTables",
				"dynamodb:ListTagsOfResource",
				"ec2:CreateImage",
				"ec2:CreateTags",
				"ec2:DeleteTags",
				"ec2:Describe*",
				"ec2:GetTransitGatewayRouteTablePropagations",
				"ec2:RebootInstances",
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ecs:describeClusters",
				"ecs:describeContainerInstances",
				"ecs:describeServices",
				"ecs:describeTasks",
				"ecs:listClusters",
				"ecs:listContainerInstances",
				"ecs:listServices",
				"ecs:listTasks",
				"elasticloadbalancing:DescribeAccountLimits",
				"elasticloadbalancing:DescribeInstanceHealth",
				"elasticloadbalancing:DescribeListenerCertificates",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeRules",
				"elasticloadbalancing:DescribeSSLPolicies",
				"elasticloadbalancing:DescribeTags",
				"elasticloadbalancing:DescribeTargetGroupAttributes",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:DescribeTargetHealth",
				"lambda:List*",
				"lambda:TagResource",
				"lambda:UntagResource",
				"ram:GetResourceShareAssociations",
				"rds:AddTagsToResource",
				"rds:DeleteDBInstance",
				"rds:Describe*",
				"rds:ListTagsForResource",
				"rds:RebootDBInstance",
				"rds:RemoveTagsFromResource",
				"rds:StartDBInstance",
				"rds:StopDBInstance",
				"rds:DeleteDBCluster",
				"rds:StartDBCluster",
				"rds:StopDBCluster",
				"redshift:describeClusterSubnetGroups",
				"redshift:describeClusters",
				"redshift:describeTags",
				"redshift:createTags",
				"redshift:deleteTags",
				"route53:ListTrafficPolicyInstances",
				"route53:ListTrafficPolicyVersions",
				"s3:GetAccelerateConfiguration",
				"s3:GetAnalyticsConfiguration",
				"s3:GetBucketAcl",
				"s3:GetBucketCORS",
				"s3:GetBucketLocation",
				"s3:GetBucketLogging",
				"s3:GetBucketNotification",
				"s3:GetBucketPolicy",
				"s3:GetBucketRequestPayment",
				"s3:GetBucketTagging",
				"s3:GetBucketVersioning",
				"s3:GetBucketWebsite",
				"s3:GetEncryptionConfiguration",
				"s3:GetInventoryConfiguration",
				"s3:GetLifecycleConfiguration",
				"s3:GetMetricsConfiguration",
				"s3:GetReplicationConfiguration",
				"s3:ListAllMyBuckets",
				"s3:PutBucketTagging",
				"sts:AssumeRole",
				"sts:GetCallerIdentity"
			],
			"Resource": "*"
		}
	]
}