AWS Permissions
- Updated on 16 Oct 2024
These tables list the IAM permissions the Axonius AWS adapter needs to fetch each kind of AWS resource, grouped by the Axonius setting that uses them. Use them in both directions: to grant the permissions a setting requires, and to leave out permissions for settings you do not enable, so the role or user Axonius authenticates with carries only the privileges it needs.
Adapter Fetch Permissions
AWS Service | Permissions | Axonius Setting |
---|---|---|
API Gateway | apigateway:GET | Fetch information about API Gateways |
ACM | acm:DescribeCertificate acm:ListCertificates | Basic fetch |
AppStream | appstream:DescribeUsers appstream:DescribeUserStackAssociations | Fetch information about AWS AppStream users |
AppStream | appstream:DescribeStacks appstream:ListAssociatedFleets appstream:DescribeFleets | Fetch information about AWS AppStream devices |
Athena | athena:ListDataCatalogs athena:ListDatabases athena:ListQueryExecutions | Fetch Athena tables as Devices - BETA |
Autoscaling | autoscaling:DescribeAutoScalingGroups autoscaling:DescribePolicies autoscaling:DescribeAutoScalingInstances | Basic Fetch |
Backup | backup:ListBackupPlans backup:ListBackupVaults | Fetch backup plans and vaults |
CloudFormation | cloudformation:DescribeStacks cloudformation:ListStackSets | Fetch information about CloudFormation |
Cloudfront | cloudfront:GetDistribution cloudfront:ListDistributions | Fetch information about Cloudfront |
CloudWatch | cloudwatch:GetMetricStatistics cloudwatch:DescribeAlarms | Disk volume used by Aurora DB (from RDS CloudWatch metrics); Fetch CloudWatch Alarms as assets |
Direct Connect | directconnect:DescribeConnections directconnect:DescribeLags directconnect:DescribeVirtualGateways directconnect:DescribeVirtualInterfaces | Fetch Direct Connect Data |
DynamoDB | dynamodb:DescribeTable dynamodb:DescribeGlobalTable dynamodb:DescribeGlobalTableSettings dynamodb:ListGlobalTables dynamodb:ListTables dynamodb:ListTagsOfResource | Fetch information about DynamoDB |
EC2 | ec2:DescribeAddresses ec2:DescribeFlowLogs ec2:DescribeImages ec2:DescribeInstances ec2:DescribeInternetGateways ec2:DescribeNatGateways ec2:DescribeRouteTables ec2:DescribeSnapshotAttribute ec2:DescribeSnapshots ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumes ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs ec2:DescribeVpnConnections ec2:DescribeCustomerGateways ec2:DescribeTransitGatewayAttachments ec2:DescribeTransitGatewayPeeringAttachments ec2:DescribeTransitGatewayRouteTables ec2:DescribeTransitGateways | Basic Fetch. ec2:DescribeVpnConnections is only required when the Fetch VPNs advanced configuration is turned on. |
ECR | ecr:DescribeImages ecr:DescribeRegistry ecr:DescribeRepositories ecr-public:DescribeImages ecr-public:DescribeRegistries ecr-public:DescribeRepositories | Fetch ECR images as devices; Correlate ECR-hosted images with compatible containers |
ECS | ecs:DescribeClusters ecs:DescribeContainerInstances ecs:DescribeServices ecs:DescribeTasks ecs:ListClusters ecs:ListContainerInstances ecs:ListServices ecs:ListTagsForResource ecs:ListTasks | Basic Fetch |
EKS | eks:DescribeCluster eks:ListClusters | Basic Fetch |
ELB | elasticloadbalancing:DescribeLoadBalancerPolicies elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeSSLPolicies elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth elasticloadbalancing:DescribeTags | Fetch information about ELB (Elastic Load Balancers) |
Elastic Beanstalk | elasticbeanstalk:DescribeEnvironments | Fetch information about Elastic Beanstalk environments |
ElastiCache | elasticache:DescribeCacheClusters elasticache:DescribeReplicationGroups elasticache:ListTagsForResource | Fetch information about ElastiCache clusters |
Elasticsearch | es:DescribeElasticsearchDomain es:ListDomainNames | Fetch information about Elasticsearch |
FSx | fsx:DescribeFileSystems | Fetch FSx metadata |
Globalaccelerator | globalaccelerator:ListAccelerators globalaccelerator:ListCustomRoutingAccelerators | Fetch Global Accelerators |
Glue | glue:GetDatabases glue:GetTables | Fetch Glue data |
GuardDuty | guardduty:GetFindings guardduty:GetDetector guardduty:GetMembers guardduty:GetFilter guardduty:ListDetectors guardduty:ListFilters guardduty:ListMembers guardduty:ListFindings | Add information about GuardDuty findings to assets |
IAM | iam:GenerateCredentialReport iam:GenerateServiceLastAccessedDetails iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:GetAccountSummary iam:GetCredentialReport iam:GetLoginProfile iam:GetPolicy iam:GetPolicyVersion iam:GetRole iam:GetRolePolicy iam:GetServiceLastAccessedDetails iam:GetUser iam:GetUserPolicy iam:ListAccessKeys iam:ListAccountAliases iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListEntitiesForPolicy iam:ListGroups iam:ListGroupsForUser iam:ListInstanceProfilesForRole iam:ListMFADevices iam:ListPolicies iam:ListRolePolicies iam:ListRoles iam:ListUserPolicies iam:ListUserTags iam:ListUsers iam:ListVirtualMFADevices | Fetch information about IAM Users; Fetch IAM roles as users; Parse IAM policies |
Identity Store | identitystore:ListGroups identitystore:ListUsers sso-admin:ListInstances | Fetch Identity Store users and groups |
Inspector | inspector:ListFindings inspector:DescribeFindings inspector2:ListFindings inspector2:ListMembers | Fetch Inspector Findings |
Kinesis | kinesis:ListStreams | Fetch Kinesis Data Stream |
Kinesis Data Analytics | kinesisanalytics:DescribeApplication kinesisanalytics:ListApplications | Fetch Kinesis Data Analytics applications as devices |
Lambda | lambda:GetPolicy lambda:GetFunctionUrlConfig lambda:ListFunctions lambda:ListTags | Fetch information about Lambdas |
Lightsail | lightsail:GetInstances | Fetch Lightsail Instances |
Macie | macie2:GetFindings macie2:ListFindings macie2:ListMembers | Fetch information about Macie findings |
Organizations - Base | organizations:DescribeAccount organizations:DescribeOrganization organizations:ListPoliciesForTarget organizations:ListTagsForResource | Basic Fetch |
Organizations - Account Name | organizations:ListAccounts | Required for discovery of member accounts when fetching AWS Organizations |
Organizations - Complete | organizations:DescribeOrganization organizations:DescribeEffectivePolicy organizations:DescribePolicy | Fetch Organizations as assets |
Outposts | outposts:ListAssets outposts:ListSites outposts:ListOutposts | Fetch information about AWS Outposts assets |
RDS | rds:DescribeDBClusters rds:DescribeDBInstances rds:DescribeOptionGroups | Fetch information about RDS (Relational Database Service) instances, clusters and global clusters |
Redshift | redshift:DescribeClusters | Fetch Redshift Clusters as devices |
Route53 | route53:ListHostedZones route53:ListResourceRecordSets route53domains:ListDomains route53domains:GetDomainDetail route53resolver:ListResolverRules route53resolver:ListResolverRuleAssociations | Fetch information about Route 53 |
S3 | s3:GetAccountPublicAccessBlock s3:GetBucketAcl s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetBucketTagging s3:GetEncryptionConfiguration s3:ListAllMyBuckets s3:ListBucket | Fetch information about S3 |
SageMaker | sagemaker:ListNotebookInstances sagemaker:DescribeNotebookInstance sagemaker:ListTags | Fetch SageMaker notebooks as devices |
SecurityHub | securityhub:DescribeHub securityhub:GetFindings securityhub:ListMembers securityhub:ListTagsForResource | Add information about Security Hub findings to assets |
SNS | sns:ListSubscriptionsByTopic | Fetch SNS topics as devices |
Step Functions | states:ListStateMachines states:DescribeStateMachine | Fetch Step Functions state machines |
Service Catalog | servicecatalog:ListPortfolios servicecatalog:DescribePortfolio | Fetch Service Catalog portfolios as assets |
Secrets Manager | secretsmanager:ListSecrets secretsmanager:GetResourcePolicy | Fetch information about Secrets Manager |
SQS Queues | sqs:ListQueues sqs:GetQueueAttributes | Fetch SQS queues as devices |
SSM | ssm:DescribeAvailablePatches ssm:DescribeInstanceInformation ssm:DescribeInstancePatches ssm:DescribePatchGroups ssm:GetInventorySchema ssm:ListInventoryEntries ssm:ListResourceComplianceSummaries ssm:ListTagsForResource ssm:DescribeParameter ssm:GetParameter | Fetch information about SSM (Systems Manager) |
WAFv1 | waf:GetWebACL waf:ListWebACLs | Add WAF to devices |
WAFRegional | waf-regional:GetWebACL waf-regional:GetWebACLForResource waf-regional:ListWebACLs | Add WAF to devices |
WAFv2 | wafv2:GetWebACL wafv2:GetWebACLForResource wafv2:ListWebACLs | Add WAF to devices |
Workspaces | workspaces:DescribeTags workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces workspaces:DescribeWorkspacesConnectionStatus | Fetch information about Workspaces |
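The fetch permissions above are all read-only Describe/Get/List actions, but a role that carries every row grants far more than most deployments use, and the full list is large enough that it may not fit in a single customer managed policy (AWS caps a managed policy document at 6,144 non-whitespace characters). The script below, an added example that is not Axonius code, assembles a policy from only the settings you enable, keyed by the table's "Axonius Setting" column, and splits it into size-compliant documents when needed. FETCH_ACTIONS is a subset of the table copied here for brevity; add the remaining rows the same way.

```python
"""Assemble a least-privilege read-only fetch policy for the Axonius AWS adapter
from the settings you actually enable. Added example, not Axonius code; the
action lists are a subset of the Adapter Fetch Permissions table above."""
import json

FETCH_ACTIONS = {
    "Basic Fetch": [
        # ACM, Autoscaling, EKS and Organizations - Base rows
        "acm:DescribeCertificate", "acm:ListCertificates",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribePolicies",
        "autoscaling:DescribeAutoScalingInstances",
        "eks:DescribeCluster", "eks:ListClusters",
        "organizations:DescribeAccount", "organizations:DescribeOrganization",
        "organizations:ListPoliciesForTarget", "organizations:ListTagsForResource",
        # EC2 row, without ec2:DescribeVpnConnections (see "Fetch VPNs" below)
        "ec2:DescribeAddresses", "ec2:DescribeFlowLogs", "ec2:DescribeImages",
        "ec2:DescribeInstances", "ec2:DescribeInternetGateways",
        "ec2:DescribeNatGateways", "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots",
        "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags",
        "ec2:DescribeVolumes", "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs", "ec2:DescribeCustomerGateways",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways",
    ],
    # Only needed when the EC2 "Fetch VPNs" advanced configuration is turned on.
    "Fetch VPNs": ["ec2:DescribeVpnConnections"],
    "Fetch information about S3": [
        "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLocation",
        "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging",
        "s3:GetEncryptionConfiguration", "s3:ListAllMyBuckets", "s3:ListBucket",
    ],
    "Fetch Inspector Findings": [
        "inspector:ListFindings", "inspector:DescribeFindings",
        "inspector2:ListFindings", "inspector2:ListMembers",
    ],
}

# AWS limit for one customer managed policy document; whitespace is not counted.
MANAGED_POLICY_MAX_CHARS = 6144


def _doc(actions, sid="AxoniusFetch"):
    """One Allow statement over the given actions. These are read-only
    Describe/Get/List calls, most of which are not resource-scopeable."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": list(actions), "Resource": "*"}],
    }


def build_fetch_policy(enabled_settings):
    """Policy allowing exactly the actions the enabled settings need, deduplicated.
    An unknown setting raises KeyError on purpose: a typo must fail loudly
    rather than silently drop a permission the adapter relies on."""
    actions = sorted({a for s in enabled_settings for a in FETCH_ACTIONS[s]})
    return _doc(actions)


def policy_size(policy):
    """Character count the way IAM applies the limit: whitespace excluded."""
    compact = json.dumps(policy, separators=(",", ":"))
    return sum(1 for ch in compact if not ch.isspace())


def split_for_limit(policy, max_chars=MANAGED_POLICY_MAX_CHARS):
    """Greedily split a policy's actions into documents that each fit the
    limit, so a large fetch list can be attached as several managed policies."""
    actions = policy["Statement"][0]["Action"]
    docs, chunk = [], []
    for action in actions:
        sid = f"AxoniusFetch{len(docs)}"
        if chunk and policy_size(_doc(chunk + [action], sid)) > max_chars:
            docs.append(_doc(chunk, sid))
            chunk = []
        chunk.append(action)
    docs.append(_doc(chunk, f"AxoniusFetch{len(docs)}"))
    return docs


if __name__ == "__main__":
    policy = build_fetch_policy(["Basic Fetch", "Fetch information about S3"])
    print(json.dumps(policy, indent=2))
    print("size:", policy_size(policy), "documents:", len(split_for_limit(policy)))
```

Attach each document returned by `split_for_limit` as its own managed policy on the role Axonius assumes; the adapter does not care how the actions are partitioned, only that the union is present.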
Enforcement Center Permissions
AWS Service | Permissions | Resource Scope | Axonius Setting |
---|---|---|---|
S3 | s3:GetObject s3:PutObject s3:PutObjectTagging s3:DeleteObject s3:ListBucket s3:ListAllMyBuckets | Scope these permissions to the bucket and object prefix created specifically for Axonius to write to; do not grant them on all resources. The one exception is s3:ListAllMyBuckets, which only works with Resource "*". (The HeadBucket API call is authorized by s3:ListBucket and upload calls by s3:PutObject; s3:HeadBucket and s3:UploadFileObject are not IAM actions.) | Enforcement Center Actions that send data to S3. For more information, see the Enforcement Center Action Index |
EC2 | ec2:StartInstances ec2:StopInstances tag:GetResources tag:TagResources tag:UntagResources tag:GetTagKeys tag:GetTagValues iam:ListUserTags iam:TagUser iam:UntagUser | Scope ec2:StartInstances and ec2:StopInstances to the instances Axonius is allowed to act on (by instance ARN or a tag condition) rather than to all resources. | Enforcement Center Actions that start and stop EC2 instances, and that manage tags on EC2 instances and IAM users. |
IAM | iam:UpdateLoginProfile iam:DeleteUser iam:ListGroupsForUser iam:RemoveUserFromGroup iam:ListAccessKeys iam:DeleteAccessKey | Scope to the IAM user ARNs (or path) Axonius is allowed to manage; the destructive actions (DeleteUser, DeleteAccessKey, UpdateLoginProfile) should never be granted on all resources. | Enforcement Center Actions that manage IAM users. |
SSM | ssm:CreateAssociation ssm:RegisterTaskWithMaintenanceWindow | * | Enforcement Center Actions that install software and patch instances using SSM. |
Cloud Asset Compliance Permissions
AWS Service | Permissions | Resource Scope | Axonius Setting |
---|---|---|---|
CloudTrail | cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus | * | Axonius Cloud Asset Compliance |
Cloudwatch | cloudwatch:DescribeAlarmsForMetric | * | Axonius Cloud Asset Compliance |
Config | config:DescribeConfigurationRecorderStatus config:DescribeConfigurationRecorders | * | Axonius Cloud Asset Compliance |
Logs | logs:DescribeMetricFilters | * | Axonius Cloud Asset Compliance |
KMS | kms:ListKeys | * | Axonius Cloud Asset Compliance |
Other Permissions
AWS Service | Permissions | Resource Scope | Axonius Setting |
---|---|---|---|
S3 - Data Sync (Central Core) | kms:GenerateDataKey kms:Decrypt | Scope to the specific KMS key created for Axonius | Central Core |
S3 - AssumeRole Fetch | s3:GetObject | The specific bucket and object that hold the roles-to-assume file | Advanced Configuration File setting: remote_roles_to_assume |
Secrets Manager - Vault | secretsmanager:GetSecretValue | Can be scoped to all resources; however, Axonius recommends restricting access to individual secrets through resource-based policies on the secrets themselves | Only needed when using AWS Secrets Manager as a Vault |
SSM | ssm:CreateAssociation ssm:RegisterTaskWithMaintenanceWindow | * | Enforcement Center Action: Install Software and Patch Instances |
STS | sts:AssumeRole | Scope to the ARNs of the roles Axonius assumes as part of the roles-to-assume and Organizations discovery features | Roles to Assume |
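Unlike the fetch table, the Enforcement Center and Other Permissions rows include actions that write (s3:PutObject, s3:DeleteObject), decrypt (kms:Decrypt) or pivot into other accounts (sts:AssumeRole), which is why their Resource Scope column matters. The script below, an added example that is not Axonius code, builds the S3, KMS and STS statements scoped the way the two tables describe and then lints the result, flagging any statement that still grants a non-read-only action on Resource "*". The bucket name, prefix, KMS key ARN and role ARNs are placeholders you must replace with the resources created for Axonius.

```python
"""Scoped policy for the write-side and cross-account permissions in the
Enforcement Center and Other Permissions tables, plus a check that no
mutating action is left on Resource "*". Added example, not Axonius code."""
import re

# Placeholders (assumptions): replace with the resources you created for Axonius.
EXPORT_BUCKET = "example-axonius-exports"
EXPORT_PREFIX = "enforcement/"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
ROLES_TO_ASSUME = [
    "arn:aws:iam::444455556666:role/AxoniusReadOnly",
    "arn:aws:iam::777788889999:role/AxoniusReadOnly",
]

# Read-only IAM verbs, the same families the fetch table is made of.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|Get|List|Generate)[A-Za-z]*$")


def build_scoped_policy(bucket, prefix, kms_key_arn, roles):
    """Grant the write-side permissions only on the resources built for Axonius."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # ListAllMyBuckets has no resource-level scope; "*" is the only option.
                "Sid": "ListOwnBuckets", "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"], "Resource": "*",
            },
            {   # s3:ListBucket also authorizes HeadBucket calls on this bucket.
                "Sid": "ExportBucket", "Effect": "Allow",
                "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}",
            },
            {   # Object reads/writes confined to one prefix, never the whole bucket.
                "Sid": "ExportObjects", "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject",
                           "s3:PutObjectTagging", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {   # Central Core data sync: only the key created for Axonius.
                "Sid": "DataSyncKey", "Effect": "Allow",
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": kms_key_arn,
            },
            {   # Roles to Assume / Organizations discovery: explicit role ARNs.
                "Sid": "RolesToAssume", "Effect": "Allow",
                "Action": ["sts:AssumeRole"], "Resource": list(roles),
            },
        ],
    }


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalize."""
    return value if isinstance(value, list) else [value]


def unscoped_writes(policy):
    """Return (Sid, action) pairs for every non read-only action that an Allow
    statement grants on Resource "*". An empty list means every mutating
    action is bound to a specific resource. Wildcard actions such as "s3:*"
    are reported too, since they are never read-only."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not READ_ONLY_ACTION.match(action):
                findings.append((stmt.get("Sid"), action))
    return findings


if __name__ == "__main__":
    import json
    policy = build_scoped_policy(EXPORT_BUCKET, EXPORT_PREFIX, KMS_KEY_ARN, ROLES_TO_ASSUME)
    print(json.dumps(policy, indent=2))
    print("unscoped writes:", unscoped_writes(policy))
```

Run `unscoped_writes` over the complete policy you attach, not just this fragment: the fetch permissions pass it by construction, while the EC2 and IAM Enforcement Center rows will show up until you bind ec2:StartInstances, ec2:StopInstances, iam:DeleteUser and the other mutating actions to instance or user ARNs.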