AWS Permissions

08 May 2024
Article Summary

These tables summarize permissions that Axonius requires to fetch various AWS resources. Use this information both to enable required permissions, and to only apply necessary permissions.

Adapter Fetch Permissions

| AWS Service | Permissions | Axonius Setting |
|---|---|---|
| API Gateway | GET | Fetch information about API Gateways |
| ACM | acm:DescribeCertificate, acm:ListCertificates | Basic fetch |
| AppStream | appstream:DescribeUsers, appstream:DescribeUserStackAssociations | Fetch information about AWS AppStream users |
| AppStream | appstream:DescribeStacks, appstream:ListAssociatedFleets, appstream:DescribeFleets | Fetch information about AWS AppStream devices |
| Athena | athena:ListDataCatalogs, athena:ListDatabases, athena:ListQueryExecutions, athena:ListTableMetadata | Fetch Athena tables as Devices - BETA |
| Autoscaling | autoscaling:DescribeAutoScalingGroups, autoscaling:DescribePolicies, autoscaling:DescribeAutoScalingInstances | Basic Fetch |
| Backup | backup:ListBackupPlans, backup:ListBackupVaults | Fetch backup plans and vaults |
| CloudFormation | cloudformation:DescribeStacks, cloudformation:ListStackSets | Fetch information about CloudFormation |
| Cloudfront | cloudfront:GetDistribution, cloudfront:ListDistributions | Fetch information about Cloudfront |
| Cloudwatch | cloudwatch:GetMetricStatistics, cloudwatch:DescribeAlarms | Disk volume used by Aurora DB (from RDS CloudWatch metrics); Fetch CloudWatch Alarms as assets |
| Direct Connect | directconnect:DescribeConnections, directconnect:DescribeLags, directconnect:DescribeVirtualGateways, directconnect:DescribeVirtualInterfaces | Fetch Direct Connect Data |
| DynamoDB | dynamodb:DescribeTable, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, dynamodb:ListGlobalTables, dynamodb:ListTables, dynamodb:ListTagsOfResource | Fetch information about DynamoDB |
| EC2 | ec2:DescribeAddresses, ec2:DescribeFlowLogs, ec2:DescribeImages, ec2:DescribeInstances, ec2:DescribeInternetGateways, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeTags, ec2:DescribeVolumes, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcs, ec2:DescribeVpnConnections, ec2:DescribeCustomerGateways, ec2:DescribeTransitGatewayAttachments, ec2:DescribeTransitGatewayPeeringAttachments, ec2:DescribeTransitGatewayRouteTables, ec2:DescribeTransitGateways | Basic Fetch. ec2:DescribeVpnConnections is only required when the Fetch VPNs advanced configuration is turned on. |
| ECR | ecr:DescribeImages, ecr:DescribeRegistry, ecr:DescribeRepositories, ecr-public:DescribeImages, ecr-public:DescribeRegistries, ecr-public:DescribeRepositories | Fetch ECR images as devices; Correlate ECR-hosted images with compatible containers |
| ECS | ecs:DescribeClusters, ecs:DescribeContainerInstances, ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListContainerInstances, ecs:ListServices, ecs:ListTagsForResource, ecs:ListTasks | Basic Fetch |
| EKS | eks:DescribeCluster, eks:ListClusters | Basic Fetch |
| ELB | elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeSSLPolicies, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, elasticloadbalancing:DescribeTags | Fetch information about ELB (Elastic Load Balancers) |
| ElastiCache | elasticache:DescribeCacheClusters, elasticache:DescribeReplicationGroups | Fetch information about ElastiCache clusters |
| Elasticsearch | es:DescribeElasticsearchDomain, es:ListDomainNames | Fetch information about Elasticsearch |
| FSx | fsx:DescribeFileSystems | Fetch FSx metadata |
| Globalaccelerator | globalaccelerator:ListAccelerators, globalaccelerator:ListCustomRoutingAccelerators | Fetch Global Accelerators |
| Glue | glue:GetDatabases, glue:GetTables | Fetch Glue data |
| GuardDuty | guardduty:GetFindings, guardduty:GetDetector, guardduty:GetMembers, guardduty:GetFilter, guardduty:ListDetectors, guardduty:ListFilters, guardduty:ListMembers, guardduty:ListFindings | Add information about GuardDuty findings to assets |
| IAM | iam:GenerateCredentialReport, iam:GenerateServiceLastAccessedDetails, iam:GetAccessKeyLastUsed, iam:GetAccountPasswordPolicy, iam:GetAccountSummary, iam:GetCredentialReport, iam:GetLoginProfile, iam:GetPolicy, iam:GetPolicyVersion, iam:GetRole, iam:GetRolePolicy, iam:GetServiceLastAccessedDetails, iam:GetUser, iam:GetUserPolicy, iam:ListAccessKeys, iam:ListAccountAliases, iam:ListAttachedGroupPolicies, iam:ListAttachedRolePolicies, iam:ListAttachedUserPolicies, iam:ListEntitiesForPolicy, iam:ListGroups, iam:ListGroupsForUser, iam:ListInstanceProfilesForRole, iam:ListMFADevices, iam:ListPolicies, iam:ListRolePolicies, iam:ListRoles, iam:ListUserPolicies, iam:ListUserTags, iam:ListUsers, iam:ListVirtualMFADevices | Fetch information about IAM Users; Fetch IAM roles as users; Parse IAM policies |
| Inspector | inspector:ListFindings, inspector:DescribeFindings, inspector2:ListFindings, inspector2:ListMembers | Fetch Inspector Findings |
| Kinesis | kinesis:ListStreams | Fetch Kinesis Data Streams |
| Kinesis Data Analytics | kinesisanalytics:DescribeApplication, kinesisanalytics:ListApplications | Fetch Kinesis Data Analytics applications as devices |
| Lambda | lambda:GetPolicy, lambda:GetFunctionUrlConfig, lambda:ListFunctions, lambda:ListTags | Fetch information about Lambdas |
| Macie | macie2:GetFindings, macie2:ListFindings, macie2:ListMembers | Fetch information about Macie findings |
| Organizations - Base | organizations:DescribeAccount, organizations:DescribeOrganization, organizations:ListPoliciesForTarget, organizations:ListTagsForResource | Basic Fetch |
| Organizations - Account Name | organizations:ListAccounts | Required for discovery of member accounts when fetching AWS Organizations |
| Organizations - Complete | organizations:DescribeOrganization, organizations:DescribeEffectivePolicy, organizations:DescribePolicy | Fetch Organizations as assets |
| RDS | rds:DescribeDBClusters, rds:DescribeDBInstances, rds:DescribeOptionGroups | Fetch information about RDS (Relational Database Service) Instances, Clusters and Global Clusters |
| Redshift | redshift:DescribeClusters | Fetch Redshift Clusters as devices |
| Route53 | route53:ListHostedZones, route53:ListResourceRecordSets, route53domains:ListDomains, route53domains:GetDomainDetail, route53resolver:ListResolverRules, route53resolver:ListResolverRuleAssociations | Fetch information about Route 53 |
| S3 | s3:GetAccountPublicAccessBlock, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetBucketLogging, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, s3:GetBucketTagging, s3:GetEncryptionConfiguration, s3:ListAllMyBuckets, s3:ListBucket | Fetch information about S3 |
| SageMaker | sagemaker:ListNotebookInstances, sagemaker:DescribeNotebookInstance | Fetch SageMaker notebooks as devices |
| SecurityHub | securityhub:DescribeHub, securityhub:GetFindings, securityhub:ListMembers, securityhub:ListTagsForResource | Add information about Security Hub findings to assets |
| SNS | sns:ListSubscriptionsByTopic | Fetch SNS topics as devices |
| Step Functions | states:listStateMachines, states:describeStateMachine | Fetch step functions |
| Service Catalog | servicecatalog:ListPortfolios, servicecatalog:DescribePortfolio | Fetch Service Catalog as assets |
| Secrets Manager | secretsmanager:ListSecrets, secretsmanager:GetResourcePolicy | Fetch information about Secrets Manager |
| SQS Queues | sqs:ListQueues, sqs:GetQueueAttributes | Fetch SQS queues as devices |
| SSM | ssm:DescribeAvailablePatches, ssm:DescribeInstanceInformation, ssm:DescribeInstancePatches, ssm:DescribePatchGroups, ssm:GetInventorySchema, ssm:ListInventoryEntries, ssm:ListResourceComplianceSummaries, ssm:ListTagsForResource | Fetch information about SSM (Systems Manager) |
| WAFv1 | waf:GetWebACL, waf:ListWebACLs | Add WAF to devices |
| WAFRegional | waf-regional:GetWebACL, waf-regional:GetWebACLForResource, waf-regional:ListWebACLs | Add WAF to devices |
| WAFv2 | wafv2:GetWebACL, wafv2:GetWebACLForResource, wafv2:ListWebACLs | Add WAF to devices |
| Workspaces | workspaces:DescribeTags, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeWorkspaces, workspaces:DescribeWorkspacesConnectionStatus | Fetch information about Workspaces |

Enforcement Center Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| S3 | s3:GetObject, s3:HeadBucket, s3:PutObject, s3:ListAllMyBuckets, s3:PutObjectTagging, s3:DeleteObject | These permissions should be scoped to a bucket/objects created specifically for Axonius to write to. Do not scope these permissions to all resources. | Enforcement Center Actions that send data to S3. For more information, see the Enforcement Center Action Index. |
| EC2 | ec2:StartInstances, ec2:StopInstances, tag:GetResources, tag:TagResources, tag:UntagResources, tag:getTagKeys, tag:getTagValues, iam:ListUserTags, iam:TagUser, iam:UntagUser | | Enforcement Center Actions that start and stop EC2 instances; Enforcement Center Actions that manage tags on EC2 instances |
| IAM | iam:UpdateLoginProfile, iam:DeleteUser, iam:ListGroupsForUser, iam:RemoveUserFromGroup, iam:ListAccessKeys, iam:DeleteAccessKey | | Enforcement Center Actions that manage IAM users |
| SSM | ssm:CreateAssociation, ssm:RegisterTaskWithMaintenanceWindow | | Enforcement Center Actions that install and patch software using SSM |

Cloud Asset Compliance Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| CloudTrail | cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus | * | Axonius Cloud Asset Compliance |
| Cloudwatch | cloudwatch:DescribeAlarmsForMetric | * | Axonius Cloud Asset Compliance |
| Config | config:DescribeConfigurationRecorderStatus, config:DescribeConfigurationRecorders | * | Axonius Cloud Asset Compliance |
| Logs | logs:DescribeMetricFilters | * | Axonius Cloud Asset Compliance |
| KMS | kms:ListKeys | * | Axonius Cloud Asset Compliance |

Other Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| S3 - Data Sync (Central Core) | kms:GenerateDataKey, kms:Decrypt | Needs to be scoped to a specific key store that has been created for Axonius | Central Core |
| S3 - AssumeRole Fetch | s3:GetObject | The specific bucket and object that contain the roles-to-assume file | Advanced Configuration File setting: remote_roles_to_assume |
| SecretsManager - Vault | secretsmanager:GetSecretValue | Can be scoped to all resources; however, Axonius recommends managing access to secrets within Secrets Manager through resource-based policies | Only needed if using AWS Secrets Manager as a Vault |
| SSM | ssm:CreateAssociation, ssm:RegisterTaskWithMaintenanceWindow | * | Enforcement Center Action: Install Software and Patches on Instances |
| STS | sts:AssumeRole | Should be scoped to the roles Axonius uses as part of the roles-to-assume / Organizations discovery implementation | Roles to Assume |
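The tables above say that the Enforcement Center S3 write permissions must be scoped to a bucket created for Axonius and that sts:AssumeRole must be scoped to the roles Axonius actually assumes. The following is an added example, not Axonius code, of what that scoping looks like as an IAM policy document, together with a small check that flags any of those write or assume actions granted on Resource "*". The bucket name, account id and role ARN are constructed placeholders; substitute your own.

```python
"""Least-privilege scoping for the Axonius Enforcement Center S3 actions and the
STS roles-to-assume permission listed on this page.

Added illustration, not Axonius code. Bucket name, account id and role ARN
below are constructed placeholders; substitute your own values.
"""
import fnmatch
import json

# Constructed placeholders (assumptions, not values from the page).
AXONIUS_BUCKET = "example-axonius-enforcement-output"
AXONIUS_ROLE_ARNS = ["arn:aws:iam::111111111111:role/AxoniusAssumedReadOnly"]

# Actions the page says must be scoped to a dedicated bucket/objects or to
# specific roles, never to all resources. Ordered tuple so findings are stable.
MUST_BE_SCOPED = (
    "s3:PutObject",
    "s3:PutObjectTagging",
    "s3:DeleteObject",
    "sts:AssumeRole",
)


def build_policy(bucket, role_arns):
    """Return a policy document with each action bound to its narrowest resource.

    s3:ListAllMyBuckets is account-level and only works on "*"; s3:HeadBucket
    is bucket-level; the object actions need the trailing /* on the bucket ARN.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBuckets", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            {"Sid": "BucketLevel", "Effect": "Allow",
             "Action": ["s3:HeadBucket"], "Resource": bucket_arn},
            {"Sid": "ObjectLevel", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject",
                        "s3:PutObjectTagging", "s3:DeleteObject"],
             "Resource": f"{bucket_arn}/*"},
            {"Sid": "AssumeAxoniusRoles", "Effect": "Allow",
             "Action": ["sts:AssumeRole"], "Resource": list(role_arns)},
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_unscoped(policy):
    """Return sorted (Sid, action) pairs where a must-be-scoped action is allowed on "*".

    IAM action patterns such as "s3:*" or "s3:Put*" are matched with fnmatch, so a
    wildcard covering a sensitive action is reported under that action's full
    name. Condition blocks are not evaluated: a statement narrowed only by a
    Condition is still reported and should be reviewed by hand.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in MUST_BE_SCOPED:
                # IAM action names are case-insensitive, so compare lower-cased.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), action))
    return sorted(set(findings))


if __name__ == "__main__":
    policy = build_policy(AXONIUS_BUCKET, AXONIUS_ROLE_ARNS)
    print(json.dumps(policy, indent=2))
    print("unscoped findings:", find_unscoped(policy))  # expected: []
```

Running the script prints the scoped policy and an empty findings list; feeding find_unscoped a policy that grants "s3:*" or "sts:AssumeRole" on "*" returns the offending statement ids so the policy can be tightened before it is attached to the Axonius principal. The check is deliberately conservative: it treats any "*" resource on a listed write or assume action as a finding, even when a Condition is present.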

