Login
    Contents x
    AWS Permissions
    • 28 Aug 2023
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    AWS Permissions

    • Updated on 28 Aug 2023
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    These tables summarize permissions that Axonius requires to fetch various AWS resources.
    Use this information both to enable required permissions, and to only apply necessary permissions.

    Adapter Fetch Permissions

    AWS ServicePermissionsAxonius Setting
    API GatewayGETFetch information about API Gateways
    ACMacm:DescribeCertificate
    acm:ListCertificates    		Basic fetch
    AppStreamappstream:DescribeUsers
    appstream:DescribeUserStackAssociations    		Fetch information about AWS AppStream users
    appstream:DescribeStacks
    appstream:ListAssociatedFleets
    appstream:DescribeFleets

    		Fetch information about AWS AppStream devices
    Autoscalingautoscaling:DescribeAutoScalingGroups
    autoscaling:DescribePolicies
    autoscaling:DescribeAutoScalingInstances    		Basic Fetch
     Backup

    backup:ListBackupPlans
    backup:ListBackupVaults

    		Fetch backup plans and vaults
    Cloudfrontcloudfront:GetDistribution
    cloudfront:ListDistributions    		Fetch information about Cloudfront
    DynamoDBdynamodb:DescribeTable
    dynamodb:DescribeGlobalTable
    dynamodb:DescribeGlobalTableSettings
    dynamodb:ListGlobalTables
    dynamodb:ListTables    		Fetch information about DynamoDB
    EC2ec2:DescribeAddresses
    ec2:DescribeFlowLogs
    ec2:DescribeImages
    ec2:DescribeInstances
    ec2:DescribeInternetGateways
    ec2:DescribeNatGateways
    ec2:DescribeRouteTables
    ec2:DescribeSnapshotAttribute
    ec2:DescribeSnapshots
    ec2:DescribeSecurityGroups
    ec2:DescribeSubnets
    ec2:DescribeTags
    ec2:DescribeVolumes
    ec2:DescribeVpcPeeringConnections
    ec2:DescribeVpcs    		Basic Fetch
    ECRecr:DescribeImages
    ecr:DescribeRegistry
    ecr:DescribeRepositories
    ecr-public:DescribeImages
    ecr-public:DescribeRegistries
    ecr-public:DescribeRepositories

    Fetch ECR images as devices

    Correlate ECR-hosted images with compatible containers

    ECSecs:DescribeClusters
    ecs:DescribeContainerInstances
    ecs:DescribeServices
    ecs:DescribeTasks
    ecs:ListClusters
    ecs:ListContainerInstances
    ecs:ListServices
    ecs:ListTagsForResource
    ecs:ListTasks    		Basic Fetch
    EKSeks:DescribeCluster
    eks:ListClusters    		Basic Fetch
    ELBelasticloadbalancing:DescribeLoadBalancerPolicies
    elasticloadbalancing:DescribeLoadBalancers
    elasticloadbalancing:DescribeListeners
    elasticloadbalancing:DescribeSSLPolicies
    elasticloadbalancing:DescribeTargetGroups
    elasticloadbalancing:DescribeTargetHealth    		Fetch information about ELB (Elastic Load Balancers)
    ElastiCache
    		elasticache:DescribeCacheClusters
    		Fetch information about ElastiCache cluster
    Elasticsearches:DescribeElasticsearchDomain
    es:ListDomainNames    		Fetch information about Elasticsearch
    FSxfsx:DescribeFileSystemsFetch FSx metadata
    Globalaccelerator

    globalaccelerator:ListAccelerators
    globalaccelerator:ListCustomRoutingAccelerators

    		Fetch Global Accelerators
    Glueglue:GetDatabases
    		Fetch Glue data
    GuardDutyguardduty:GetFindings
    guardduty:GetDetector
    guardduty:GetMembers
    guardduty:GetFilter
    guardduty:ListDetectors
    guardduty:ListFilters
    guardduty:ListMembers
    guardduty:ListFindings    		Add information about GuardDuty findings to assets
    IAMiam:GenerateCredentialReport
    iam:GenerateServiceLastAccessedDetails
    iam:GetAccessKeyLastUsed
    iam:GetAccountPasswordPolicy
    iam:GetAccountSummary
    iam:GetCredentialReport
    iam:GetLoginProfile
    iam:GetPolicy
    iam:GetPolicyVersion
    iam:GetRole
    iam:GetRolePolicy
    iam:GetServiceLastAccessedDetails
    iam:GetUser
    iam:GetUserPolicy
    iam:ListAccessKeys
    iam:ListAccountAliases
    iam:ListAttachedGroupPolicies
    iam:ListAttachedRolePolicies
    iam:ListAttachedUserPolicies
    iam:ListEntitiesForPolicy
    iam:ListGroups
    iam:ListGroupsForUser
    iam:ListInstanceProfilesForRole
    iam:ListMFADevices
    iam:ListPolicies
    iam:ListRolePolicies
    iam:ListRoles
    iam:ListUserPolicies
    iam:ListUserTags
    iam:ListUsers
    iam:ListVirtualMFADevices
    iam:GenerateCredentialReport

    Fetch information about IAM Users

    Fetch IAM roles as users

    Parse IAM policies

    Inspectorinspector:ListFindings
    inspector:DescribeFindings
    inspector:ListMembers
    inspector2:ListFindings
    inspector2:ListMembers    		Fetch Inspector Findings
    Lambdalambda:GetPolicy
    lambda:GetFunctionUrlConfig
    lambda:ListFunctions
    lambda:ListTags    		Fetch information about Lambdas
    Maciemacie2:GetFindings
    macie2:ListFindings
    macie2:ListMembers    		Fetch information about Macie findings
    Organizations - Baseorganizations:DescribeAccount
    organizations:DescribeOrganization
    organizations:ListPoliciesForTarget
    organizations:ListTagsForResource    		Basic Fetch
    Organizations - Account Nameorganizations:ListAccountsRequired for discovery of member accounts when fetching AWS Organizations
    Organizations - Completeorganizations:DescribeOrganization
    organizations:DescribeEffectivePolicy
    organizations:DescribePolicy    		Fetch Organizations as assets
    RDSrds:DescribeDBClusters
    rds:DescribeDBInstances
    rds:DescribeOptionGroups    		Fetch information about RDS (Relational Database Service)
    RDS (Relational Database Service) Instances, Clusters and Global Clusters
    Redshift
    		redshift:DescribeClusters
    		Fetch Redshift Clusters as devices
    Route53route53:ListHostedZones
    route53:ListResourceRecordSets

    route53domains:ListDomains
    route53domains:GetDomainDetail

    		Fetch information about Route 53
    S3s3:GetAccountPublicAccessBlock
    s3:GetBucketAcl
    s3:GetBucketLocation
    s3:GetBucketLogging
    s3:GetBucketPolicy
    s3:GetBucketPolicyStatus
    s3:GetBucketPublicAccessBlock
    s3:GetBucketTagging
    s3:GetEncryptionConfiguration
    s3:ListAllMyBuckets
    s3:ListBucket    		Fetch information about S3
    SageMaker
    		sagemaker:ListNotebookInstances

    Fetch SageMaker notebooks as devices

    SecurityHubsecurityhub:DescribeHub
    securityhub:GetFindings
    securityhub:ListMembers
    securityhub:ListTagsForResource    		Add information about Security Hub findings to assets
    SNSsns:ListSubscriptionsByTopicFetch SNS topics as devices
    Secrets Managersecretsmanager:ListSecrets
    secretsmanager:GetResourcePolicy    		Fetch information about Secrets Manager
    SQS Queues
    		sqs:ListQueues
    		Fetch SQS queues as devices
    SSMssm:DescribeAvailablePatches
    ssm:DescribeInstanceInformation
    ssm:DescribeInstancePatches
    ssm:DescribePatchGroups
    ssm:GetInventorySchema
    ssm:ListInventoryEntries
    ssm:ListResourceComplianceSummaries
    ssm:ListTagsForResource    		Fetch information about SSM (System Manager)
    WAFv1waf:GetWebACL
    waf:ListWebACLs    		Add WAF to devices
    WAFRegionalwaf-regional:GetWebACL
    waf-regional:GetWebACLForResource
    waf-regional:ListWebACLs    		Add WAF to devices
    WAFv2wafv2:GetWebACL
    wafv2:GetWebACLForResource
    wafv2:ListWebACLs    		Add WAF to devices
    Workspacesworkspaces:DescribeTags
    workspaces:DescribeWorkspaceDirectories
    workspaces:DescribeWorkspaces
    workspaces:DescribeWorkspacesConnectionStatus    		Fetch information about Workspaces

    Enforcement Center Permissions

    AWS ServicePermissionsResource ScopeAxonius Setting
    S3s3:GetObject
    s3:HeadBucket
    s3:PutObject
    s3:ListAllMyBuckets
    s3:PutObjectTagging
    s3:DeleteObject
    s3:HeadBucket    		These permissions should be scoped to a bucket/objects that are specifically created for Axonius to write to. Do not scope these permissions to all resources.Enforcement Center Actions that involve sending data to S3. For more information, see the Enforcement Center Action Index

    Cloud Asset Compliance Permissions

    AWS ServicePermissionsResource ScopeAxonius Setting
    CloudTrailcloudtrail:DescribeTrails
    cloudtrail:GetEventSelectors
    cloudtrail:GetTrailStatus    		*Axonius Cloud Asset Compliance
    Cloudwatchcloudwatch:DescribeAlarmsForMetric*Axonius Cloud Asset Compliance
    Configconfig:DescribeConfigurationRecorderStatus
    config:DescribeConfigurationRecorders    		*Axonius Cloud Asset Compliance
    KMSkms:ListKeys*Axonius Cloud Asset Compliance

    Other Permissions

    AWS ServicePermissionsResource ScopeAxonius Setting
    S3 - Data Sync (Central Core)kms:GenerateDataKey
    kms:Decrypt    		Needs to be scoped to a specific key store that has been created for AxoniusCentral Core
    S3 - AssumeRole FetchS3:GetObjectSpecific bucket and object that contains the roles to assume fileAdvanced Configuration File setting: remote_roles_to_assume
    SecretsManager- Vaultsecretsmanager:GetSecretValueCan be scoped to all resources; however, Axonius recommends managing access to secrets within SecretsManager through resource-based policiesOnly needed if using AWS Secrets Manager as a Vault
    SSMssm:CreateAssocation
    ssm:RegisterTaskWithMaintenanceWindow
    		*EC Action for Install Software and Patches Instances
    STSsts:AssumeRoleShould be scoped to roles utilized by Axonius as a part of our roles to assume/organizations discovery implementationRoles to Assume


    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout