Enhanced documentation for the AWS IAM policy permissions needed by Cloud Custodian
I looked around but did not see good documentation for exactly which actions are necessary in order to create a fine-grained AWS IAM policy for Cloud Custodian.
So, I grep’d the code for “permissions =” and put it all together in the following. I believe this would make the nucleus of a good README-policy.md or some-such.
Of course, this has nothing but stars for the resources, so if someone wanted to REALLY get fine-grained, they’d have to break this up a little bit more … but it is good enough to provide a basic list of all the expected actions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "health:DescribeEvents",
                "health:DescribeAffectedEntities",
                "health:DescribeEventDetails"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "lambda:DeleteFunction",
                "lambda:GetPolicy",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:UntagResource",
                "lambda:InvokeFunction"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudtrail:CreateTrail",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetTrailStatus",
                "config:DescribeDeliveryChannels",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "config:GetResourceConfigHistory",
                "support:CreateCase",
                "support:DescribeTrustedAdvisorCheckResult",
                "support:RefreshTrustedAdvisorCheck",
                "shield:CreateSubscription",
                "shield:DescribeSubscription",
                "shield:DeleteSubscription"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:AssociateIamInstanceProfile",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CopySnapshot",
                "ec2:DeleteVolume",
                "ec2:DeleteNatGateway",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeregisterImage",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceRecoveryAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeFlowLogs",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables",
                "ec2:DescribeStaleSecurityGroups",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DetachVolume",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:RecoverInstances",
                "ec2:ResetImageAttribute",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "waf-regional:AssociateWebACL",
                "waf-regional:ListResourcesForWebACL",
                "waf-regional:ListWebACLs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DeleteTags",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudfront:GetDistributionConfig",
                "cloudfront:UpdateDistribution",
                "cloudfront:GetStreamingDistributionConfig",
                "cloudfront:UpdateStreamingDistribution",
                "waf:ListWebACLs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:PutMetricData",
                "logs:DeleteLogGroup",
                "logs:DescribeLogStreams",
                "logs:PutRetentionPolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "dynamodb:DeleteTable",
                "dynamodb:ListTagsOfResource",
                "dynamodb:TagResource",
                "dynamodb:UntagResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "elasticache:CreateSnapshot",
                "elasticache:ListTagsForResource",
                "elasticache:ModifyReplicationGroup",
                "elasticache:DeleteCacheCluster",
                "elasticache:DeleteReplicationGroup",
                "elasticache:DeleteSnapshot"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sqs:DeleteQueue",
                "sqs:GetQueueAttributes",
                "sqs:SetQueueAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sns:GetTopicAttributes",
                "sns:SetTopicAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "es:DeleteElasticsearchDomain"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "rds:AddTagsToResource",
                "rds:CopyDBSnapshot",
                "rds:CreateDBSnapshot",
                "rds:DeleteDBInstance",
                "rds:DeleteDBSnapshot",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:ModifyDBCluster",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:RemoveTagsFromResource",
                "rds:RebootDBInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sts:AssumeRole",
                "iam:DeleteAccessKey",
                "iam:GenerateCredentialReport",
                "iam:GetAccountSummary",
                "iam:GetAccountPasswordPolicy",
                "iam:GetCredentialReport",
                "iam:GetGroup",
                "iam:ListAccessKeys",
                "iam:ListAttachedUserPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyVersions",
                "iam:ListGroupPolicies",
                "iam:ListGroupsForUser",
                "iam:ListMFADevices",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListVirtualMFADevices",
                "iam:UpdateAccessKey"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:DeleteBucketPolicy",
                "s3:DeleteBucketWebsite",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketPolicy",
                "s3:GetObject",
                "s3:GetBucketNotification",
                "s3:GetInventoryConfiguration",
                "s3:PutBucketAcl",
                "s3:PutBucketPolicy",
                "s3:PutBucketVersioning",
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:PutInventoryConfiguration",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Top GitHub Comments
What IAM policy you need is very dependent on what Custodian policies you're running. At the moment we have some advisory annotations in place on filters/actions. I'd like to bring some additional tooling to bear on generating IAM policies for a given set of Custodian policies (permissions annotations required by tests), and then use it for our functional tests (generate a user/role with an IAM policy based on annotations to use when running the functional tests).
In the past I created a separate IAM role for each Custodian policy, but it was always trial and error to see what it required. To make it easier, I used your above policy, but I wanted to Terraform it to make it easier to manage.
I noticed that some of those IAM permissions have changed over time. Here is an updated gist of cloud-custodian-iam-policy.tf. I also added a programmatic way to extract the perms and convert it to Terraform with a script, which should make this easier to update as the cloud-custodian code changes.
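As an added example (not the issue author's policy, and not Cloud Custodian's own tooling), the script below does end to end what the thread describes: it harvests the `permissions = (...)` declarations the way the issue's grep did, but with Python's `ast` module so that only real tuple assignments count, and then, along the lines of the maintainer's suggestion, keeps only the declarations that the filters and actions of one Custodian policy reference, so the emitted IAM document is scoped to that policy rather than to the whole code base. The source snippet, the Custodian policy and the `REGISTRY` mapping are constructed for this example; the class names and the `permissions` attribute follow the convention the issue grepped for, but c7n's real module layout and filter/action registries differ.

```python
"""Derive a least-privilege IAM policy for one Cloud Custodian policy.

Added example, not Cloud Custodian's own code. SAMPLE_SOURCE, SAMPLE_POLICY
and REGISTRY are constructed for the example.
"""
import ast
import json
from collections import defaultdict

# Constructed stand-in for a resource module such as c7n/resources/ec2.py.
# The mixed-case 'ec2:createSnapshot' is deliberate: it is the kind of
# duplicate a grep-based harvest carries straight into the policy.
SAMPLE_SOURCE = '''
class DescribeEC2:
    permissions = ('ec2:DescribeInstances', 'ec2:DescribeTags')

class Stop:
    permissions = ('ec2:StopInstances', 'ec2:DescribeInstances')

class Tag:
    permissions = ('ec2:CreateTags',)

class Snapshot:
    permissions = ('ec2:CreateSnapshot', 'ec2:CreateTags', 'ec2:createSnapshot')
'''

# Assumed mapping from policy vocabulary to the classes above. c7n keeps this
# in per-resource registries; this dict is constructed for the example.
# None means the filter needs no API call (value filters run on described data).
REGISTRY = {
    ('ec2', None): 'DescribeEC2',   # the describe call every ec2 policy makes
    ('ec2', 'value'): None,
    ('ec2', 'stop'): 'Stop',
    ('ec2', 'tag'): 'Tag',
    ('ec2', 'snapshot'): 'Snapshot',
}


def harvest_permissions(source):
    """Return {class_name: set(actions)} for each class assigning `permissions`."""
    catalog = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        for stmt in node.body:
            if (isinstance(stmt, ast.Assign)
                    and any(isinstance(t, ast.Name) and t.id == 'permissions'
                            for t in stmt.targets)
                    and isinstance(stmt.value, (ast.Tuple, ast.List))):
                catalog[node.name] = {
                    e.value for e in stmt.value.elts
                    if isinstance(e, ast.Constant) and isinstance(e.value, str)}
    return catalog


def required_actions(policy, catalog, registry):
    """Resolve one custodian policy's filters/actions to IAM actions.

    Returns (sorted actions, unresolved type names). Unresolved names are
    reported, not skipped: a silent skip would surface later as an
    AccessDenied at run time instead of at policy-generation time.
    """
    resource = policy['resource']
    classes = [registry[(resource, None)]]
    unresolved = []
    for kind in ('filters', 'actions'):
        for item in policy.get(kind, []):
            type_name = item if isinstance(item, str) else item.get('type', 'value')
            if (resource, type_name) not in registry:
                unresolved.append(f'{resource}:{kind}:{type_name}')
                continue
            cls = registry[(resource, type_name)]
            if cls is not None:
                classes.append(cls)
    seen = {}
    for cls in classes:
        for action in sorted(catalog[cls]):
            seen.setdefault(action.lower(), action)  # IAM action names are case-insensitive
    return sorted(seen.values(), key=str.lower), unresolved


def build_policy(actions):
    """One Allow statement per service prefix; Resource stays '*' as in the issue."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(':', 1)[0]].append(action)
    return {
        'Version': '2012-10-17',
        'Statement': [
            {'Effect': 'Allow', 'Action': by_service[svc], 'Resource': '*'}
            for svc in sorted(by_service)],
    }


CATALOG = harvest_permissions(SAMPLE_SOURCE)

# Constructed custodian policy: stop instances with no Owner tag and mark them.
SAMPLE_POLICY = {
    'name': 'ec2-stop-untagged',
    'resource': 'ec2',
    'filters': [{'tag:Owner': 'absent'}],
    'actions': ['stop', {'type': 'tag', 'key': 'c7n-status', 'value': 'stopped'}],
}

if __name__ == '__main__':
    actions, unresolved = required_actions(SAMPLE_POLICY, CATALOG, REGISTRY)
    if unresolved:
        raise SystemExit(f'no permissions declared for: {unresolved}')
    print(json.dumps(build_policy(actions), indent=2))
```

Run it with `python3 derive_iam.py`; for the sample policy it prints a single ec2 statement with four actions, because the `ec2:DescribeInstances` declared by both `DescribeEC2` and `Stop` collapses to one entry and the mixed-case `ec2:createSnapshot` never appears (the policy does not use the snapshot action). `Resource` is left as `"*"` to match the issue; narrowing it per statement is the next step the author alludes to and is deliberately out of scope here.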