AWS Permissions

These tables summarize the permissions that Axonius requires to fetch various AWS resources. Use this information both to enable the permissions Axonius needs and to grant only those permissions.

All permissions are also listed in JSON format under each table. Each JSON policy lists every permission from its table on all resources ("Resource": "*"), so when you copy it, remove the actions you do not need and narrow the Resource element wherever the table specifies a scope.

Adapter Fetch Permissions

Columns: AWS Service, Permissions, Axonius Setting

API Gateway
  • apigateway:GET
  Axonius Setting: Fetch information about API Gateways

API Gateway v2
  • apigateway:GET
  Axonius Setting: Fetch information about API Gateways v2

ACM
  • acm:DescribeCertificate
  • acm:ListCertificates
  Axonius Setting: Basic Fetch

AppStream
  • appstream:DescribeUsers
  • appstream:DescribeUserStackAssociations
  Axonius Setting: Fetch information about AWS AppStream users

AppStream
  • appstream:DescribeStacks
  • appstream:ListAssociatedFleets
  • appstream:DescribeFleets
  Axonius Setting: Fetch information about AWS AppStream devices

Athena
  • athena:ListDataCatalogs
  • athena:ListDatabases
  • athena:ListQueryExecutions
  • athena:ListTableMetadata
  Axonius Setting: Fetch Athena tables as Devices (BETA)

Autoscaling
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:DescribePolicies
  • autoscaling:DescribeAutoScalingInstances
  Axonius Setting: Basic Fetch

Backup
  • backup:ListBackupPlans
  • backup:ListBackupVaults
  Axonius Setting: Fetch backup plans and vaults

CloudFormation
  • cloudformation:DescribeStacks
  • cloudformation:ListStackSets
  • cloudformation:ListStacks
  Axonius Setting: Fetch information about CloudFormation

CloudFront
  • cloudfront:GetDistribution
  • cloudfront:ListDistributions
  Axonius Setting: Fetch information about CloudFront

CloudWatch
  • cloudwatch:GetMetricStatistics
  • cloudwatch:DescribeAlarms
  Axonius Setting: Disk volume used by Aurora DB (from RDS CloudWatch metrics); Fetch CloudWatch Alarms as assets

Direct Connect
  • directconnect:DescribeConnections
  • directconnect:DescribeLags
  • directconnect:DescribeVirtualGateways
  • directconnect:DescribeVirtualInterfaces
  Axonius Setting: Fetch Direct Connect data

DynamoDB
  • dynamodb:DescribeTable
  • dynamodb:DescribeGlobalTable
  • dynamodb:DescribeGlobalTableSettings
  • dynamodb:ListGlobalTables
  • dynamodb:ListTables
  • dynamodb:ListTagsOfResource
  Axonius Setting: Fetch information about DynamoDB

EC2
  • ec2:CreateSnapshot
  • ec2:DescribeAddresses
  • ec2:DescribeFlowLogs
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeInstanceStatus
  • ec2:DescribeInternetGateways
  • ec2:DescribeManagedPrefixLists
  • ec2:DescribeNatGateways
  • ec2:DescribeRouteTables
  • ec2:DescribeSnapshotAttribute
  • ec2:DescribeSnapshots
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeTags
  • ec2:DescribeVolumes
  • ec2:DescribeVpcPeeringConnections
  • ec2:DescribeVpcs
  • ec2:DescribeVpnConnections
  • ec2:DescribeCustomerGateways
  • ec2:DescribeTransitGatewayAttachments
  • ec2:DescribeTransitGatewayPeeringAttachments
  • ec2:DescribeTransitGatewayRouteTables
  • ec2:DescribeTransitGateways
  Axonius Setting: Basic Fetch
  Note: ec2:DescribeVpnConnections is only required when the Fetch VPNs advanced configuration is turned on.

ECR
  • ecr:DescribeImages
  • ecr:DescribeRegistry
  • ecr:DescribeRepositories
  • ecr-public:DescribeImages
  • ecr-public:DescribeRegistries
  • ecr-public:DescribeRepositories
  Axonius Setting: Fetch ECR images as devices; Correlate ECR-hosted images with compatible containers

ECS
  • ecs:DescribeClusters
  • ecs:DescribeContainerInstances
  • ecs:DescribeServices
  • ecs:DescribeTasks
  • ecs:ListClusters
  • ecs:ListContainerInstances
  • ecs:ListServices
  • ecs:ListTagsForResource
  • ecs:ListTasks
  Axonius Setting: Basic Fetch

EKS
  • eks:DescribeCluster
  • eks:ListClusters
  • eks:DescribeClusterVersions
  Axonius Setting: Basic Fetch

ELB
  • elasticloadbalancing:DescribeLoadBalancerPolicies
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:DescribeListeners
  • elasticloadbalancing:DescribeSSLPolicies
  • elasticloadbalancing:DescribeTargetGroups
  • elasticloadbalancing:DescribeTargetHealth
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:DescribeRules
  Axonius Setting: Fetch information about ELB (Elastic Load Balancers)

ELB v2
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:DescribeListeners
  • elasticloadbalancing:DescribeTargetGroups
  Axonius Setting: Fetch information about ELB (Elastic Load Balancers) v2

Elastic Beanstalk
  • elasticbeanstalk:DescribeEnvironments
  Axonius Setting: Fetch information about Elastic Beanstalk environments

ElastiCache
  • elasticache:DescribeCacheClusters
  • elasticache:DescribeReplicationGroups
  • elasticache:ListTagsForResource
  Axonius Setting: Fetch information about ElastiCache clusters

Elasticsearch
  • es:DescribeElasticsearchDomain
  • es:ListDomainNames
  Axonius Setting: Fetch information about Elasticsearch

FSx
  • fsx:DescribeFileSystems
  Axonius Setting: Fetch FSx metadata

Global Accelerator
  • globalaccelerator:ListAccelerators
  • globalaccelerator:ListCustomRoutingAccelerators
  Axonius Setting: Fetch Global Accelerators

Glue
  • glue:GetDatabases
  • glue:GetTables
  Axonius Setting: Fetch Glue data

GuardDuty
  • guardduty:GetFindings
  • guardduty:GetDetector
  • guardduty:GetMembers
  • guardduty:GetFilter
  • guardduty:ListDetectors
  • guardduty:ListFilters
  • guardduty:ListMembers
  • guardduty:ListFindings
  Axonius Setting: Add information about GuardDuty findings to assets

IAM
  • iam:GenerateCredentialReport
  • iam:GenerateServiceLastAccessedDetails
  • iam:GetAccessKeyLastUsed
  • iam:GetAccountPasswordPolicy
  • iam:GetAccountSummary
  • iam:GetCredentialReport
  • iam:GetLoginProfile
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetRole
  • iam:GetRolePolicy
  • iam:GetServiceLastAccessedDetails
  • iam:GetUser
  • iam:GetUserPolicy
  • iam:ListAccessKeys
  • iam:ListAccountAliases
  • iam:ListAttachedGroupPolicies
  • iam:ListAttachedRolePolicies
  • iam:ListAttachedUserPolicies
  • iam:ListEntitiesForPolicy
  • iam:ListGroups
  • iam:ListGroupsForUser
  • iam:ListInstanceProfilesForRole
  • iam:ListMFADevices
  • iam:ListPolicies
  • iam:ListRolePolicies
  • iam:ListRoles
  • iam:ListUserPolicies
  • iam:ListUserTags
  • iam:ListUsers
  • iam:ListVirtualMFADevices
  • iam:GetGroup (used only when Fetch groups as users is set)
  Axonius Setting: Fetch information about IAM Users; Fetch IAM roles as users; Parse IAM policies

Identity Store
  • identitystore:ListGroups
  • identitystore:ListUsers
  • identitystore:ListGroupMembershipsForMember
  • sso:ListInstances
  • sso:ListPermissionSets
  • sso:ListAccountsForProvisionedPermissionSet
  • sso:ListAccountAssignments
  Axonius Setting: Fetch Identity Store users and groups

Inspector
  • inspector:ListFindings
  • inspector:DescribeFindings
  • inspector2:ListFindings
  • inspector2:ListMembers
  Axonius Setting: Fetch Inspector Findings

Kinesis
  • kinesis:ListStreams
  Axonius Setting: Fetch Kinesis Data Streams

Kinesis Data Analytics
  • kinesisanalytics:DescribeApplication
  • kinesisanalytics:ListApplications
  Axonius Setting: Fetch Kinesis Data Analytics applications as devices

Lambda
  • lambda:GetPolicy
  • lambda:GetFunctionUrlConfig
  • lambda:ListFunctions
  • lambda:ListTags
  Axonius Setting: Fetch information about Lambda functions

Lightsail
  • lightsail:GetInstances
  Axonius Setting: Fetch Lightsail Instances

Macie
  • macie2:GetFindings
  • macie2:ListFindings
  • macie2:ListMembers
  Axonius Setting: Fetch information about Macie findings

Organizations - Base
  • organizations:DescribeAccount
  • organizations:DescribeOrganization
  • organizations:ListPoliciesForTarget
  • organizations:ListTagsForResource
  Axonius Setting: Basic Fetch

Organizations - Account Name
  • organizations:ListAccounts
  Axonius Setting: Required for discovery of member accounts when fetching AWS Organizations

Organizations - Complete
  • organizations:DescribeOrganization
  • organizations:DescribeEffectivePolicy
  • organizations:DescribePolicy
  Axonius Setting: Fetch Organizations as assets

Outposts
  • outposts:ListAssets
  • outposts:ListSites
  • outposts:ListOutposts
  Axonius Setting: Fetch information about AWS Outposts assets

RDS
  • rds:DescribeDBClusters
  • rds:DescribeDBInstances
  • rds:DescribeOptionGroups
  • rds:DescribePendingMaintenanceActions
  Axonius Setting: Fetch information about RDS (Relational Database Service) Instances, Clusters and Global Clusters

Redshift
  • redshift:DescribeClusters
  Axonius Setting: Fetch Redshift Clusters as devices

Route53
  • route53:ListHostedZones
  • route53:ListResourceRecordSets
  • route53domains:ListDomains
  • route53domains:GetDomainDetail
  • route53resolver:ListResolverRules
  • route53resolver:ListResolverRuleAssociations
  Axonius Setting: Fetch information about Route 53

S3
  • s3:GetAccountPublicAccessBlock
  • s3:GetBucketAcl
  • s3:GetBucketLocation
  • s3:GetBucketLogging
  • s3:GetBucketPolicy
  • s3:GetBucketPolicyStatus
  • s3:GetBucketPublicAccessBlock
  • s3:GetBucketTagging
  • s3:GetEncryptionConfiguration
  • s3:ListAllMyBuckets
  • s3:ListBucket
  Axonius Setting: Fetch information about S3

S3 Outposts
  • outposts:ListOutposts
  • s3-outposts:ListOutpostsWithS3
  • s3-outposts:ListRegionalBuckets
  Axonius Setting: Fetch information about S3; Fetch information about Outposts as Compute Service Assets

SageMaker
  • sagemaker:ListNotebookInstances
  • sagemaker:DescribeNotebookInstance
  • sagemaker:ListTags
  Axonius Setting: Fetch SageMaker notebooks as devices

SecurityHub
  • securityhub:DescribeHub
  • securityhub:GetFindings
  • securityhub:ListMembers
  • securityhub:ListTagsForResource
  Axonius Setting: Add information about Security Hub findings to assets

SNS
  • sns:ListSubscriptionsByTopic
  Axonius Setting: Fetch SNS topics as devices

Step Functions
  • states:ListStateMachines
  • states:DescribeStateMachine
  Axonius Setting: Fetch Step Functions state machines

Service Catalog
  • servicecatalog:ListPortfolios
  • servicecatalog:DescribePortfolio
  Axonius Setting: Fetch Service Catalog portfolios as assets

Secrets Manager
  • secretsmanager:ListSecrets
  • secretsmanager:GetResourcePolicy
  Axonius Setting: Fetch information about Secrets Manager

SQS Queues
  • sqs:ListQueues
  • sqs:GetQueueAttributes
  Axonius Setting: Fetch SQS queues as devices

SSM
  • ssm:DescribeAvailablePatches
  • ssm:DescribeInstanceInformation
  • ssm:DescribeInstancePatches
  • ssm:DescribePatchGroups
  • ssm:GetInventorySchema
  • ssm:ListInventoryEntries
  • ssm:ListResourceComplianceSummaries
  • ssm:ListTagsForResource
  • ssm:DescribeParameters
  • ssm:GetParameter
  Axonius Setting: Fetch information about SSM (Systems Manager)

WAFv1
  • waf:GetWebACL
  • waf:ListWebACLs
  Axonius Setting: Add WAF to devices

WAFRegional
  • waf-regional:GetWebACL
  • waf-regional:GetWebACLForResource
  • waf-regional:ListWebACLs
  Axonius Setting: Add WAF to devices

WAFv2
  • wafv2:GetWebACL
  • wafv2:GetWebACLForResource
  • wafv2:ListWebACLs
  Axonius Setting: Add WAF to devices

Workspaces
  • workspaces:DescribeTags
  • workspaces:DescribeWorkspaceDirectories
  • workspaces:DescribeWorkspaces
  • workspaces:DescribeWorkspacesConnectionStatus
  Axonius Setting: Fetch information about Workspaces

Adapter Fetch Permissions - JSON

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AdapterFetchPermissions",
			"Effect": "Allow",
			"Action": [
				"apigateway:GET",
				"acm:DescribeCertificate",
				"acm:ListCertificates",
				"appstream:DescribeUsers",
				"appstream:DescribeUserStackAssociations",
				"appstream:DescribeStacks",
				"appstream:ListAssociatedFleets",
				"appstream:DescribeFleets",
				"athena:ListDataCatalogs",
				"athena:ListDatabases",
				"athena:ListQueryExecutions",
				"athena:ListTableMetadata",
				"autoscaling:DescribeAutoScalingGroups",
				"autoscaling:DescribePolicies",
				"autoscaling:DescribeAutoScalingInstances",
				"backup:ListBackupPlans",
				"backup:ListBackupVaults",
				"cloudformation:DescribeStacks",
				"cloudformation:ListStackSets",
				"cloudformation:ListStacks",
				"cloudfront:GetDistribution",
				"cloudfront:ListDistributions",
				"cloudwatch:GetMetricStatistics",
				"cloudwatch:DescribeAlarms",
				"directconnect:DescribeConnections",
				"directconnect:DescribeLags",
				"directconnect:DescribeVirtualGateways",
				"directconnect:DescribeVirtualInterfaces",
				"dynamodb:DescribeTable",
				"dynamodb:DescribeGlobalTable",
				"dynamodb:DescribeGlobalTableSettings",
				"dynamodb:ListGlobalTables",
				"dynamodb:ListTables",
				"dynamodb:ListTagsOfResource",
				"ec2:CreateSnapshot",
				"ec2:DescribeAddresses",
				"ec2:DescribeFlowLogs",
				"ec2:DescribeImages",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeManagedPrefixLists",
				"ec2:DescribeNatGateways",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSnapshotAttribute",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets",
				"ec2:DescribeTags",
				"ec2:DescribeVolumes",
				"ec2:DescribeVpcPeeringConnections",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpnConnections",
				"ec2:DescribeCustomerGateways",
				"ec2:DescribeTransitGatewayAttachments",
				"ec2:DescribeTransitGatewayPeeringAttachments",
				"ec2:DescribeTransitGatewayRouteTables",
				"ec2:DescribeTransitGateways",
				"ecr:DescribeImages",
				"ecr:DescribeRegistry",
				"ecr:DescribeRepositories",
				"ecr-public:DescribeImages",
				"ecr-public:DescribeRegistries",
				"ecr-public:DescribeRepositories",
				"ecs:DescribeClusters",
				"ecs:DescribeContainerInstances",
				"ecs:DescribeServices",
				"ecs:DescribeTasks",
				"ecs:ListClusters",
				"ecs:ListContainerInstances",
				"ecs:ListServices",
				"ecs:ListTagsForResource",
				"ecs:ListTasks",
				"eks:DescribeCluster",
				"eks:ListClusters",
				"eks:DescribeClusterVersions",
				"elasticloadbalancing:DescribeLoadBalancerPolicies",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeSSLPolicies",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:DescribeTargetHealth",
				"elasticloadbalancing:DescribeTags",
				"elasticloadbalancing:DescribeRules",
				"elasticbeanstalk:DescribeEnvironments",
				"elasticache:DescribeCacheClusters",
				"elasticache:DescribeReplicationGroups",
				"elasticache:ListTagsForResource",
				"es:DescribeElasticsearchDomain",
				"es:ListDomainNames",
				"fsx:DescribeFileSystems",
				"globalaccelerator:ListAccelerators",
				"globalaccelerator:ListCustomRoutingAccelerators",
				"glue:GetDatabases",
				"glue:GetTables",
				"guardduty:GetFindings",
				"guardduty:GetDetector",
				"guardduty:GetMembers",
				"guardduty:GetFilter",
				"guardduty:ListDetectors",
				"guardduty:ListFilters",
				"guardduty:ListMembers",
				"guardduty:ListFindings",
				"iam:GenerateCredentialReport",
				"iam:GenerateServiceLastAccessedDetails",
				"iam:GetAccessKeyLastUsed",
				"iam:GetAccountPasswordPolicy",
				"iam:GetAccountSummary",
				"iam:GetCredentialReport",
				"iam:GetLoginProfile",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:GetServiceLastAccessedDetails",
				"iam:GetUser",
				"iam:GetUserPolicy",
				"iam:ListAccessKeys",
				"iam:ListAccountAliases",
				"iam:ListAttachedGroupPolicies",
				"iam:ListAttachedRolePolicies",
				"iam:ListAttachedUserPolicies",
				"iam:ListEntitiesForPolicy",
				"iam:ListGroups",
				"iam:GetGroup",
				"iam:ListGroupsForUser",
				"iam:ListInstanceProfilesForRole",
				"iam:ListMFADevices",
				"iam:ListPolicies",
				"iam:ListRolePolicies",
				"iam:ListRoles",
				"iam:ListUserPolicies",
				"iam:ListUserTags",
				"iam:ListUsers",
				"iam:ListVirtualMFADevices",
				"identitystore:ListGroups",
				"identitystore:ListUsers",
				"identitystore:ListGroupMembershipsForMember",
				"sso:ListInstances",
				"sso:ListPermissionSets",
				"sso:ListAccountsForProvisionedPermissionSet",
				"sso:ListAccountAssignments",
				"inspector:ListFindings",
				"inspector:DescribeFindings",
				"inspector2:ListFindings",
				"inspector2:ListMembers",
				"kinesis:ListStreams",
				"kinesisanalytics:DescribeApplication",
				"kinesisanalytics:ListApplications",
				"lambda:GetPolicy",
				"lambda:GetFunctionUrlConfig",
				"lambda:ListFunctions",
				"lambda:ListTags",
				"lightsail:GetInstances",
				"macie2:GetFindings",
				"macie2:ListFindings",
				"macie2:ListMembers",
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListPoliciesForTarget",
				"organizations:ListTagsForResource",
				"organizations:ListAccounts",
				"organizations:DescribeEffectivePolicy",
				"organizations:DescribePolicy",
				"outposts:ListAssets",
				"outposts:ListSites",
				"outposts:ListOutposts",
				"s3-outposts:ListOutpostsWithS3",
				"s3-outposts:ListRegionalBuckets",
				"rds:DescribeDBClusters",
				"rds:DescribeDBInstances",
				"rds:DescribeOptionGroups",
				"rds:DescribePendingMaintenanceActions",
				"redshift:DescribeClusters",
				"route53:ListHostedZones",
				"route53:ListResourceRecordSets",
				"route53domains:ListDomains",
				"route53domains:GetDomainDetail",
				"route53resolver:ListResolverRules",
				"route53resolver:ListResolverRuleAssociations",
				"s3:GetAccountPublicAccessBlock",
				"s3:GetBucketAcl",
				"s3:GetBucketLocation",
				"s3:GetBucketLogging",
				"s3:GetBucketPolicy",
				"s3:GetBucketPolicyStatus",
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketTagging",
				"s3:GetEncryptionConfiguration",
				"s3:ListAllMyBuckets",
				"s3:ListBucket",
				"sagemaker:ListNotebookInstances",
				"sagemaker:DescribeNotebookInstance",
				"sagemaker:ListTags",
				"securityhub:DescribeHub",
				"securityhub:GetFindings",
				"securityhub:ListMembers",
				"securityhub:ListTagsForResource",
				"sns:ListSubscriptionsByTopic",
				"states:ListStateMachines",
				"states:DescribeStateMachine",
				"servicecatalog:ListPortfolios",
				"servicecatalog:DescribePortfolio",
				"secretsmanager:ListSecrets",
				"secretsmanager:GetResourcePolicy",
				"sqs:ListQueues",
				"sqs:GetQueueAttributes",
				"ssm:DescribeAvailablePatches",
				"ssm:DescribeInstanceInformation",
				"ssm:DescribeInstancePatches",
				"ssm:DescribePatchGroups",
				"ssm:GetInventorySchema",
				"ssm:ListInventoryEntries",
				"ssm:ListResourceComplianceSummaries",
				"ssm:ListTagsForResource",
				"ssm:DescribeParameters",
				"ssm:GetParameter",
				"waf:GetWebACL",
				"waf:ListWebACLs",
				"waf-regional:GetWebACL",
				"waf-regional:GetWebACLForResource",
				"waf-regional:ListWebACLs",
				"wafv2:GetWebACL",
				"wafv2:GetWebACLForResource",
				"wafv2:ListWebACLs",
				"workspaces:DescribeTags",
				"workspaces:DescribeWorkspaceDirectories",
				"workspaces:DescribeWorkspaces",
				"workspaces:DescribeWorkspacesConnectionStatus"
			],
			"Resource": "*"
		}
	]
}

Enforcement Center Permissions

Columns: AWS Service, Permissions, Resource Scope, Axonius Setting

S3
  • s3:GetObject
  • s3:PutObject
  • s3:ListAllMyBuckets
  • s3:PutObjectTagging
  • s3:DeleteObject
  • s3:ListBucket
  Resource Scope: These permissions should be scoped to a bucket/objects that are specifically created for Axonius to write to. Do not scope these permissions to all resources.
  Axonius Setting: Enforcement Center Actions that involve sending data to S3. For more information, see the Enforcement Center Action Index.

EC2
  • ec2:StartInstances
  • ec2:StopInstances
  • tag:GetResources
  • tag:TagResources
  • tag:UntagResources
  • tag:GetTagKeys
  • tag:GetTagValues
  • iam:ListUserTags
  • iam:TagUser
  • iam:UntagUser
  Axonius Setting: Enforcement Center Actions that start and stop EC2 instances, and Enforcement Center Actions that manage tags on EC2 instances.

IAM
  • iam:UpdateLoginProfile
  • iam:DeleteUser
  • iam:ListGroupsForUser
  • iam:RemoveUserFromGroup
  • iam:ListAccessKeys
  • iam:DeleteAccessKey
  Axonius Setting: Enforcement Center Actions that manage IAM users.

SSM
  • ssm:CreateAssociation
  • ssm:RegisterTaskWithMaintenanceWindow
  Axonius Setting: Enforcement Center Actions that install and patch software using SSM.

Enforcement Center Permissions - JSON

{
  "Version": "2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:ListAllMyBuckets",
        "s3:PutObjectTagging",
        "s3:DeleteObject",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "tag:GetResources",
        "tag:TagResources",
        "tag:UntagResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "iam:ListUserTags",
        "iam:TagUser",
        "iam:UntagUser",
        "iam:UpdateLoginProfile",
        "iam:DeleteUser",
        "iam:ListGroupsForUser",
        "iam:RemoveUserFromGroup",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey",
        "ssm:CreateAssociation",
        "ssm:RegisterTaskWithMaintenanceWindow"
      ],
      "Resource":"*"
    }
  ]
}
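The policy above, like the table before it, grants every Enforcement Center action with "Resource": "*", while the table states that the S3 permissions must be limited to a bucket created specifically for Axonius to write to. The following is an added example of one way to apply that scoping; it is not Axonius's own policy. The bucket name axonius-placeholder-bucket and the Sid values are placeholders to replace with your own. Object-level actions are granted on the bucket's objects, s3:ListBucket on the bucket itself, and s3:ListAllMyBuckets stays on "*" because that account-level action does not accept a bucket ARN. The EC2, tag, IAM and SSM actions are kept on "*" because the table gives no narrower scope for them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ObjectsInPlaceholderBucketOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::axonius-placeholder-bucket/*"
    },
    {
      "Sid": "S3ListPlaceholderBucketOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::axonius-placeholder-bucket"
    },
    {
      "Sid": "S3ListAllMyBucketsIsAccountLevel",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "EC2TagIAMAndSSMActionsAsListedInTable",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "tag:GetResources",
        "tag:TagResources",
        "tag:UntagResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "iam:ListUserTags",
        "iam:TagUser",
        "iam:UntagUser",
        "iam:UpdateLoginProfile",
        "iam:DeleteUser",
        "iam:ListGroupsForUser",
        "iam:RemoveUserFromGroup",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey",
        "ssm:CreateAssociation",
        "ssm:RegisterTaskWithMaintenanceWindow"
      ],
      "Resource": "*"
    }
  ]
}
```

Splitting the S3 grant into object-level and bucket-level statements matters because the bucket ARN and the object ARN are different resources: s3:ListBucket evaluated against arn:aws:s3:::bucket/* would never match, and s3:PutObject evaluated against the bare bucket ARN would never match either.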

Cloud Asset Compliance Permissions

Columns: AWS Service, Permissions, Resource Scope, Axonius Setting

Axonius Setting for every row in this table: Axonius Cloud Asset Compliance

CloudTrail
  • cloudtrail:DescribeTrails
  • cloudtrail:GetEventSelectors
  • cloudtrail:GetTrailStatus

CloudWatch
  • cloudwatch:DescribeAlarmsForMetric

IAM
  • iam:GenerateCredentialReport

Config
  • config:DescribeConfigurationRecorderStatus
  • config:DescribeConfigurationRecorders

Logs
  • logs:DescribeMetricFilters

KMS
  • kms:ListKeys

EC2
  • ec2:DescribeInstances
  • ec2:GetEbsEncryptionByDefault
  • ec2:DescribeRouteTables

RDS
  • rds:DescribeDBInstances

Elastic File System
  • elasticfilesystem:DescribeFileSystems

Security Hub
  • securityhub:DescribeHub

SNS
  • sns:ListSubscriptionsByTopic

Cloud Asset Compliance Permissions - JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudAssetCompliance",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:DescribeAlarmsForMetric",
        "iam:GenerateCredentialReport",
        "config:DescribeConfigurationRecorderStatus",
        "config:DescribeConfigurationRecorders",
        "logs:DescribeMetricFilters",
        "kms:ListKeys",
        "ec2:DescribeInstances",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:DescribeRouteTables",
        "rds:DescribeDBInstances",
        "elasticfilesystem:DescribeFileSystems",
        "securityhub:DescribeHub",
        "sns:ListSubscriptionsByTopic"
      ],
      "Resource": "*"
    }
  ]
}

Other Permissions

Columns: AWS Service, Permissions, Resource Scope, Axonius Setting

S3 – Data Sync (Central Core)
  • kms:GenerateDataKey
  • kms:Decrypt
  Resource Scope: Needs to be scoped to a specific key store that has been created for Axonius.
  Axonius Setting: Central Core

S3 – AssumeRole Fetch
  • s3:GetObject
  Resource Scope: The specific bucket and object that contains the roles-to-assume file.
  Axonius Setting: Advanced Configuration File setting: remote_roles_to_assume

Secrets Manager – Vault
  • secretsmanager:GetSecretValue
  Resource Scope: Can be scoped to all resources; however, Axonius recommends managing access to secrets within Secrets Manager through resource-based policies.
  Axonius Setting: Only needed if using AWS Secrets Manager as a Vault.

SSM
  • ssm:CreateAssociation
  • ssm:RegisterTaskWithMaintenanceWindow
  Axonius Setting: Enforcement Center Action for installing software and patching instances

STS
  • sts:AssumeRole
  Resource Scope: Should be scoped to the roles utilized by Axonius as a part of our Roles-to-Assume / Organizations Discovery implementation.
  Axonius Setting: Roles to Assume

Other Permissions - JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OtherPermissions",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "s3:GetObject",
        "secretsmanager:GetSecretValue",
        "ssm:CreateAssociation",
        "ssm:RegisterTaskWithMaintenanceWindow",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}
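The Secrets Manager row above says the identity-side grant of secretsmanager:GetSecretValue may stay on all resources, with access to individual secrets managed through resource-based policies on the secrets themselves. The following is an added example of such a resource policy attached to one secret; it is not Axonius's own policy. The role ARN arn:aws:iam::111122223333:role/AxoniusPlaceholderRole is a placeholder for the role Axonius uses (the account ID is a documentation placeholder), and the Sid values are placeholders too. The Allow statement grants that role read access to this secret, and the Deny statement with an aws:PrincipalArn condition refuses the secret value to every other principal, so a broad identity-side grant in the same account does not by itself expose this secret. The Deny also applies to the account's own administrators, who would first have to update this resource policy before they could read the value.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAxoniusPlaceholderRoleToReadThisSecret",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/AxoniusPlaceholderRole"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    },
    {
      "Sid": "DenyReadToEveryOtherPrincipal",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/AxoniusPlaceholderRole"
        }
      }
    }
  ]
}
```

In a Secrets Manager resource policy, "Resource": "*" refers to the secret the policy is attached to, not to every secret in the account. The condition compares against the role ARN rather than an assumed-role session ARN, so it keeps matching regardless of the session name Axonius uses when it assumes the role.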