Supported AWS Services
Cloudhouse Guardian (Guardian) supports a range of AWS services. The following topic describes the complete set of permissions that have been tested and confirmed by object and node type. For more information on how to add an AWS service/instance in Guardian, see Amazon Web Services (AWS) Node.
IAM Access Analyzer
AWS IAM Access Analyzer enables you to identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. For more information, see Using AWS Identity and Access Management Access Analyzer in the AWS User Guide.
Required Access Analyzer Permissions
The following code snippet describes the permissions required for the IAM Access Analyzer service.
access-analyzer:ListAnalyzers
access-analyzer:ListPolicyGenerations
access-analyzer:ListTagsForResource
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListResourceTags
Auto Scaling Group
Amazon Elastic Compute Cloud (EC2) Auto Scaling helps to ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. Then you can specify the minimum number of instances in each Auto Scaling group. Amazon EC2 Auto Scaling then ensures that your group never goes below this size. For more information, see What is Amazon EC2 Auto Scaling? in the AWS User Guide.
Required Auto Scaling Group Permissions
The following code snippet describes the permissions required for the Auto Scaling Group service.
autoscaling:DescribeAutoScalingGroups
CloudFormation
CloudFormation is an AWS service for managing and deploying resources across accounts and regions using Stacks and StackSets. To scan StackSets, the account responsible for deploying them must have been granted the correct permissions. For more information, see What is AWS CloudFormation? in the AWS User Guide.
Required CloudFormation Permissions
The following code snippet describes the permissions required for the CloudFormation service.
cloudformation:ListStackInstances
CloudTrail
CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. For more information, see What Is AWS CloudTrail? in the AWS User Guide.
Required CloudTrail Permissions
The following code snippet describes the permissions required for the CloudTrail service.
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
cloudtrail:GetTrailStatus
cloudtrail:ListPublicKeys
cloudtrail:ListTrails
s3:GetBucketLogging
s3:GetBucketPolicy
CloudWatch
AWS CloudWatch monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications. For more information, see What is Amazon CloudWatch? in the AWS User Guide.
Required CloudWatch Permissions
The following code snippet describes the permissions required for the CloudWatch service.
cloudwatch:DescribeAlarms
cloudwatch:ListDashboards
cloudwatch:ListTagsForResource
logs:DescribeLogGroups
Config Service
AWS Config Service provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. For more information, see What Is AWS Config? in the AWS User Guide.
Required Config Service Permissions
The following code snippet describes the permissions required for the Config Service.
config:DescribeConfigurationRecorders
Elastic Block Store (EBS)
AWS Elastic Block Store (EBS) provides block level storage volumes for use within EC2 instances. EBS volumes behave like raw, unformatted block devices. You can mount these volumes as devices on your instances. For more information, see Amazon Elastic Block Store (Amazon EBS) in the AWS User Guide.
Required EBS Permissions
The following code snippet describes the permissions required for the EBS service.
ec2:DescribeVolumes
Elastic Compute Cloud (EC2)
AWS Elastic Compute Cloud (EC2) provides scalable computing capacity in the AWS Cloud. For more information, see Amazon Elastic Compute Cloud Documentation.
Required EC2 Permissions
The following code snippet describes the permissions required for EC2.
ec2:DescribeInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
elasticloadbalancing:DescribeLoadBalancers
Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. For more information, see What is IAM? in the AWS User Guide.
Required IAM Permissions
The following code snippet describes the permissions required for IAM.
iam:GenerateCredentialReport
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetPolicyVersion
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListMFADevices
iam:ListPolicies
iam:ListRolePolicies
iam:ListRoles
iam:ListServerCertificates
iam:ListUserPolicies
iam:ListUsers
iam:ListUserTags
iam:ListVirtualMFADevices
Inventory Items (Optional)
Inventory Items are an additional section generated by the Connection Manager. It is useful for displaying metadata related to the node, such as version and account numbers. Each node presents different data; however, some nodes may require the user to have the optional permissions below to access certain information.
Optional Inventory Items Permissions
The following code snippet describes the optional permissions for Inventory Items.
sts:GetAccessKeyInfo
Key Management Service (KMS)
AWS Key Management Service (KMS) is an encryption and key management service scaled for the cloud. AWS KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS. For more information, see AWS Key Management Service Documentation.
Required KMS Permissions
The following code snippet describes the permissions required for KMS.
kms:DescribeKey
kms:ListAliases
Lambda
Lambda is a compute service that lets you run code without provisioning or managing servers. For more information, see AWS Lambda Documentation.
Required Lambda Permissions
The following code snippet describes the permissions required for the Lambda service.
lambda:GetFunction
lambda:ListTags
Load Balancer V1/V2
Elastic Load Balancers automatically distribute your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. For more information, see Elastic Load Balancing Documentation.
Required Load Balancer Permissions
The following code snippet describes the permissions required for the Load Balancer service.
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
Relational Database Service (RDS)
AWS Relational Database Service (RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. For more information, see What is Amazon Relational Database Service (Amazon RDS)? in the AWS User Guide.
Required RDS Permissions
The following code snippet describes the permissions required for RDS.
rds:DescribeDBInstances
rds:ListTagsForResource
Simple Storage Service (S3)
AWS Simple Storage Service (S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Customers of all sizes and industries can use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. For more information, see What is Amazon S3? in the AWS User Guide.
Required S3 Permissions
The following code snippet describes the permissions required for S3.
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketEncryptionConfiguration
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetObjectAcl
s3:ListAllMyBuckets
Security Groups
AWS security groups control the traffic that is allowed to reach and leave the resources that they are associated with. For more information, see Control traffic to your AWS resources using security groups in the AWS User Guide.
Required Security Groups Permissions
The following code snippet describes the permissions required for Security Groups.
ec2:DescribeSecurityGroups
Virtual Private Cloud (VPC)
AWS Virtual Private Cloud (VPC) enables you to provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you’ve defined. For more information, see Amazon Virtual Private Cloud Documentation in the AWS User Guide.
Required VPC Permissions
The following code snippet describes the permissions required for the VPC service.
ec2:DescribeFlowLogs
ec2:DescribeVpcs
VPC FlowLogs
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. For more information, see Logging IP traffic using VPC Flow Logs in the AWS User Guide.
Required VPC FlowLogs Permissions
The following code snippet describes the permissions required for the VPC Flow Logs service.
ec2:DescribeFlowLogs
VPC Peering Connections
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. For more information, see What is VPC peering? in the AWS User Guide.
Required VPC Peering Connection Permissions
The following code snippet describes the permissions required for the VPC peering connection service.
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
VPC Subnet
A VPC subnet is a range of IP addresses in your VPC. Each subnet must reside entirely within one Availability Zone and cannot span multiple zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single zone. For more information, see Subnets for your VPC in the AWS User Guide.
Required VPC Subnet Permissions
The following code snippet describes the permissions required for the VPC subnet service.
ec2:DescribeSubnets
Master List of AWS Permissions
The following code snippet provides a full list of permissions required to detect, sync, and scan all AWS service types.
access-analyzer:ListAnalyzers
access-analyzer:ListPolicyGenerations
access-analyzer:ListTagsForResource
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
cloudtrail:GetTrailStatus
cloudtrail:ListPublicKeys
cloudtrail:ListTrails
cloudwatch:DescribeAlarms
cloudwatch:ListDashboards
cloudwatch:ListTagsForResource
config:DescribeConfigurationRecorderStatus
ec2:DescribeFlowLogs
ec2:DescribeInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
iam:GenerateCredentialReport
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetPolicyVersion
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListMFADevices
iam:ListPolicies
iam:ListRolePolicies
iam:ListRoles
iam:ListServerCertificates
iam:ListUserPolicies
iam:ListUsers
iam:ListUserTags
iam:ListVirtualMFADevices
kms:DescribeKey
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListResourceTags
lambda:GetFunction
lambda:ListTags
logs:DescribeLogGroups
rds:DescribeDBInstances
rds:ListTagsForResource
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketEncryptionConfiguration
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetObjectAcl
s3:ListAllMyBuckets
sts:GetAccessKeyInfo
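The lists on this page are easiest to check by machine before the policy is attached to the scanning principal. The script below is an added example and not Cloudhouse code: it embeds the per-service sections and the master list transcribed from this page, normalizes the service prefix case (IAM matches action names case-insensitively, so the eC2: spelling in the FlowLogs section and ec2: name the same action), flags any action that contains a wildcard or is not a Describe/Get/List verb so its access level can be confirmed in the AWS service authorization reference, diffs the per-service sections against the master list in both directions, and emits a least-privilege policy document with one Allow statement per service. The helper names (normalize, section_actions, all_actions, non_read_only, master_drift, build_policy) are the example's own, and the policy generation goes beyond what the page itself provides.

```python
"""Sanity checks for the Guardian AWS permission set (added example, not Cloudhouse
code). Action strings are transcribed from this page; helper names are the example's own."""
import json
import re
from collections import defaultdict

# Verbs that only read state; anything else is flagged for a manual access-level check.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z]+$")
# Per-service sections as on the page; the FlowLogs entry keeps the page's "eC2:" spelling.
SECTIONS = {
    "IAM Access Analyzer": "access-analyzer:ListAnalyzers access-analyzer:ListPolicyGenerations "
        "access-analyzer:ListTagsForResource kms:GetKeyRotationStatus kms:ListAliases kms:ListResourceTags",
    "Auto Scaling Group": "autoscaling:DescribeAutoScalingGroups",
    "CloudFormation": "cloudformation:ListStackInstances",
    "CloudTrail": "cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus "
        "cloudtrail:ListPublicKeys cloudtrail:ListTrails s3:GetBucketLogging s3:GetBucketPolicy",
    "CloudWatch": "cloudwatch:DescribeAlarms cloudwatch:ListDashboards cloudwatch:ListTagsForResource "
        "logs:DescribeLogGroups",
    "Config Service": "config:DescribeConfigurationRecorders",
    "EBS": "ec2:DescribeVolumes",
    "EC2": "ec2:DescribeInstances ec2:DescribeRouteTables ec2:DescribeSecurityGroups "
        "elasticloadbalancing:DescribeLoadBalancers",
    "IAM": "iam:GenerateCredentialReport iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy "
        "iam:GetAccountSummary iam:GetCredentialReport iam:GetPolicyVersion iam:ListAccessKeys "
        "iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies "
        "iam:ListGroupPolicies iam:ListGroups iam:ListGroupsForUser iam:ListMFADevices iam:ListPolicies "
        "iam:ListRolePolicies iam:ListRoles iam:ListServerCertificates iam:ListUserPolicies iam:ListUsers "
        "iam:ListUserTags iam:ListVirtualMFADevices",
    "Inventory Items": "sts:GetAccessKeyInfo",
    "KMS": "kms:DescribeKey kms:ListAliases",
    "Lambda": "lambda:GetFunction lambda:ListTags",
    "Load Balancer": "elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers "
        "elasticloadbalancing:DescribeTags",
    "RDS": "rds:DescribeDBInstances rds:ListTagsForResource",
    "S3": "s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketEncryption s3:GetBucketEncryptionConfiguration "
        "s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketPolicy s3:GetBucketPublicAccessBlock "
        "s3:GetBucketReplication s3:GetBucketTagging s3:GetBucketVersioning s3:GetObjectAcl s3:ListAllMyBuckets",
    "Security Groups": "ec2:DescribeSecurityGroups",
    "VPC": "ec2:DescribeFlowLogs ec2:DescribeVpcs",
    "VPC FlowLogs": "eC2:DescribeFlowLogs",
    "VPC Peering Connections": "ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs",
    "VPC Subnet": "ec2:DescribeSubnets",
}

# The page's master list, transcribed verbatim.
MASTER = """
access-analyzer:ListAnalyzers access-analyzer:ListPolicyGenerations access-analyzer:ListTagsForResource
cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus cloudtrail:ListPublicKeys
cloudtrail:ListTrails cloudwatch:DescribeAlarms cloudwatch:ListDashboards cloudwatch:ListTagsForResource
config:DescribeConfigurationRecorderStatus ec2:DescribeFlowLogs ec2:DescribeInstances ec2:DescribeRouteTables
ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVolumes ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs ec2:DescribeVpnConnections elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeTags iam:GenerateCredentialReport
iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:GetAccountSummary iam:GetCredentialReport
iam:GetPolicyVersion iam:ListAccessKeys iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies iam:ListGroupPolicies iam:ListGroups iam:ListGroupsForUser iam:ListMFADevices
iam:ListPolicies iam:ListRolePolicies iam:ListRoles iam:ListServerCertificates iam:ListUserPolicies
iam:ListUsers iam:ListUserTags iam:ListVirtualMFADevices kms:DescribeKey kms:GetKeyRotationStatus
kms:ListAliases kms:ListResourceTags lambda:GetFunction lambda:ListTags logs:DescribeLogGroups
rds:DescribeDBInstances rds:ListTagsForResource s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketEncryption
s3:GetBucketEncryptionConfiguration s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock s3:GetBucketReplication s3:GetBucketTagging s3:GetBucketVersioning
s3:GetObjectAcl s3:ListAllMyBuckets sts:GetAccessKeyInfo
""".split()

def normalize(action):
    """Lower-case the service prefix so the page's "eC2:" compares equal to "ec2:"."""
    service, _, name = action.partition(":")
    return f"{service.lower()}:{name}"

def section_actions():
    """De-duplicated union of every per-service section."""
    return {normalize(a) for text in SECTIONS.values() for a in text.split()}

def all_actions():
    return section_actions() | {normalize(a) for a in MASTER}

def non_read_only(actions):
    """Wildcards or non Describe/Get/List verbs: confirm their access level by hand."""
    return sorted(a for a in actions if "*" in a or not READ_ONLY.match(a))

def master_drift():
    """(in a section but not the master list, in the master list but in no section)."""
    sections, master = section_actions(), {normalize(a) for a in MASTER}
    return sorted(sections - master), sorted(master - sections)

def build_policy(actions):
    """One Allow statement per service; Resource '*' because the scanner reads the whole account."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"Guardian{svc.replace('-', '').title()}Read", "Effect": "Allow",
         "Action": acts, "Resource": "*"} for svc, acts in sorted(by_service.items())]}

if __name__ == "__main__":
    print("section/master drift:", master_drift())
    print("review access level by hand:", non_read_only(all_actions()))
    print(json.dumps(build_policy(all_actions()), indent=2))
```

Run as-is, the drift check reports from the page's own lists that autoscaling:DescribeAutoScalingGroups, cloudformation:ListStackInstances and config:DescribeConfigurationRecorders appear in a service section but not in the master list, while config:DescribeConfigurationRecorderStatus and ec2:DescribeVpnConnections appear only in the master list; an operator who grants only the master list would therefore not cover the Auto Scaling Group and CloudFormation sections. The only action outside the Describe/Get/List verbs is iam:GenerateCredentialReport, which the script leaves for a manual access-level check rather than silently allowing. Resource is set to "*" because these are account-wide read calls; narrow it for services whose actions accept resource ARNs when only part of the account is in scope.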