AWS Permissions
  • 01 Apr 2024

Article Summary

These tables summarize the permissions Axonius requires to fetch various AWS resources. Use them both to enable the required permissions and to grant only the permissions that are actually needed.

Adapter Fetch Permissions

| AWS Service | Permissions | Axonius Setting |
|---|---|---|
| API Gateway | apigateway:GET | Fetch information about API Gateways |
| ACM | acm:DescribeCertificate, acm:ListCertificates | Basic Fetch |
| AppStream | appstream:DescribeUsers, appstream:DescribeUserStackAssociations | Fetch information about AWS AppStream users |
| AppStream | appstream:DescribeStacks, appstream:ListAssociatedFleets, appstream:DescribeFleets | Fetch information about AWS AppStream devices |
| Autoscaling | autoscaling:DescribeAutoScalingGroups, autoscaling:DescribePolicies, autoscaling:DescribeAutoScalingInstances | Basic Fetch |
| Backup | backup:ListBackupPlans, backup:ListBackupVaults | Fetch backup plans and vaults |
| CloudFormation | cloudformation:DescribeStacks, cloudformation:ListStackSets | Fetch information about CloudFormation |
| CloudFront | cloudfront:GetDistribution, cloudfront:ListDistributions | Fetch information about CloudFront |
| CloudWatch | cloudwatch:GetMetricStatistics, cloudwatch:DescribeAlarms | Disk volume used by Aurora DB (from RDS CloudWatch metrics); Fetch CloudWatch Alarms as assets |
| Direct Connect | directconnect:DescribeConnections, directconnect:DescribeLags, directconnect:DescribeVirtualGateways, directconnect:DescribeVirtualInterfaces | Fetch Direct Connect data |
| DynamoDB | dynamodb:DescribeTable, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, dynamodb:ListGlobalTables, dynamodb:ListTables | Fetch information about DynamoDB |
| EC2 | ec2:DescribeAddresses, ec2:DescribeFlowLogs, ec2:DescribeImages, ec2:DescribeInstances, ec2:DescribeInternetGateways, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeTags, ec2:DescribeVolumes, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcs | Basic Fetch |
| EC2 | ec2:DescribeVpnConnections | Only required when the Fetch VPNs advanced configuration setting is turned on |
| ECR | ecr:DescribeImages, ecr:DescribeRegistry, ecr:DescribeRepositories, ecr-public:DescribeImages, ecr-public:DescribeRegistries, ecr-public:DescribeRepositories | Fetch ECR images as devices; Correlate ECR-hosted images with compatible containers |
| ECS | ecs:DescribeClusters, ecs:DescribeContainerInstances, ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListContainerInstances, ecs:ListServices, ecs:ListTagsForResource, ecs:ListTasks | Basic Fetch |
| EKS | eks:DescribeCluster, eks:ListClusters | Basic Fetch |
| ELB | elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeSSLPolicies, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, elasticloadbalancing:DescribeTags | Fetch information about ELB (Elastic Load Balancers) |
| ElastiCache | elasticache:DescribeCacheClusters | Fetch information about ElastiCache clusters |
| Elasticsearch | es:DescribeElasticsearchDomain, es:ListDomainNames | Fetch information about Elasticsearch |
| FSx | fsx:DescribeFileSystems | Fetch FSx metadata |
| Global Accelerator | globalaccelerator:ListAccelerators, globalaccelerator:ListCustomRoutingAccelerators | Fetch Global Accelerators |
| Glue | glue:GetDatabases | Fetch Glue data |
| GuardDuty | guardduty:GetFindings, guardduty:GetDetector, guardduty:GetMembers, guardduty:GetFilter, guardduty:ListDetectors, guardduty:ListFilters, guardduty:ListMembers, guardduty:ListFindings | Add information about GuardDuty findings to assets |
| IAM | iam:GenerateCredentialReport, iam:GenerateServiceLastAccessedDetails, iam:GetAccessKeyLastUsed, iam:GetAccountPasswordPolicy, iam:GetAccountSummary, iam:GetCredentialReport, iam:GetLoginProfile, iam:GetPolicy, iam:GetPolicyVersion, iam:GetRole, iam:GetRolePolicy, iam:GetServiceLastAccessedDetails, iam:GetUser, iam:GetUserPolicy, iam:ListAccessKeys, iam:ListAccountAliases, iam:ListAttachedGroupPolicies, iam:ListAttachedRolePolicies, iam:ListAttachedUserPolicies, iam:ListEntitiesForPolicy, iam:ListGroups, iam:ListGroupsForUser, iam:ListInstanceProfilesForRole, iam:ListMFADevices, iam:ListPolicies, iam:ListRolePolicies, iam:ListRoles, iam:ListUserPolicies, iam:ListUserTags, iam:ListUsers, iam:ListVirtualMFADevices | Fetch information about IAM users; Fetch IAM roles as users; Parse IAM policies |
| Inspector | inspector:ListFindings, inspector:DescribeFindings, inspector:ListMembers, inspector2:ListFindings, inspector2:ListMembers | Fetch Inspector findings |
| Kinesis Data Analytics | kinesisanalyticsv2:DescribeApplication, kinesisanalyticsv2:ListApplications | Fetch Kinesis Data Analytics applications as devices |
| Lambda | lambda:GetPolicy, lambda:GetFunctionUrlConfig, lambda:ListFunctions, lambda:ListTags | Fetch information about Lambdas |
| Macie | macie2:GetFindings, macie2:ListFindings, macie2:ListMembers | Fetch information about Macie findings |
| Organizations - Base | organizations:DescribeAccount, organizations:DescribeOrganization, organizations:ListPoliciesForTarget, organizations:ListTagsForResource | Basic Fetch |
| Organizations - Account Name | organizations:ListAccounts | Required for discovery of member accounts when fetching AWS Organizations |
| Organizations - Complete | organizations:DescribeOrganization, organizations:DescribeEffectivePolicy, organizations:DescribePolicy | Fetch Organizations as assets |
| RDS | rds:DescribeDBClusters, rds:DescribeDBInstances, rds:DescribeOptionGroups | Fetch information about RDS (Relational Database Service) instances, clusters and global clusters |
| Redshift | redshift:DescribeClusters | Fetch Redshift clusters as devices |
| Route 53 | route53:ListHostedZones, route53:ListResourceRecordSets, route53domains:ListDomains, route53domains:GetDomainDetail, route53resolver:ListResolverRules, route53resolver:ListResolverRuleAssociations | Fetch information about Route 53 |
| S3 | s3:GetAccountPublicAccessBlock, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetBucketLogging, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, s3:GetBucketTagging, s3:GetEncryptionConfiguration, s3:ListAllMyBuckets, s3:ListBucket | Fetch information about S3 |
| SageMaker | sagemaker:ListNotebookInstances | Fetch SageMaker notebooks as devices |
| Security Hub | securityhub:DescribeHub, securityhub:GetFindings, securityhub:ListMembers, securityhub:ListTagsForResource | Add information about Security Hub findings to assets |
| SNS | sns:ListSubscriptionsByTopic | Fetch SNS topics as devices |
| Step Functions | stepfunctions:listStateMachines, stepfunctions:describeStateMachine | Fetch Step Functions |
| Service Catalog | servicecatalog:ListPortfolios, servicecatalog:DescribePortfolio | Fetch Service Catalog as assets |
| Secrets Manager | secretsmanager:ListSecrets, secretsmanager:GetResourcePolicy | Fetch information about Secrets Manager |
| SQS | sqs:ListQueues | Fetch SQS queues as devices |
| SSM | ssm:DescribeAvailablePatches, ssm:DescribeInstanceInformation, ssm:DescribeInstancePatches, ssm:DescribePatchGroups, ssm:GetInventorySchema, ssm:ListInventoryEntries, ssm:ListResourceComplianceSummaries, ssm:ListTagsForResource | Fetch information about SSM (Systems Manager) |
| WAFv1 | waf:GetWebACL, waf:ListWebACLs | Add WAF to devices |
| WAF Regional | waf-regional:GetWebACL, waf-regional:GetWebACLForResource, waf-regional:ListWebACLs | Add WAF to devices |
| WAFv2 | wafv2:GetWebACL, wafv2:GetWebACLForResource, wafv2:ListWebACLs | Add WAF to devices |
| WorkSpaces | workspaces:DescribeTags, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeWorkspaces, workspaces:DescribeWorkspacesConnectionStatus | Fetch information about WorkSpaces |

Enforcement Center Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| S3 | s3:GetObject, s3:HeadBucket, s3:PutObject, s3:ListAllMyBuckets, s3:PutObjectTagging, s3:DeleteObject | Scope these permissions to a bucket and objects created specifically for Axonius to write to. Do not scope these permissions to all resources. | Enforcement Center Actions that send data to S3. For more information, see the Enforcement Center Action Index. |

Cloud Asset Compliance Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| CloudTrail | cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus | * | Axonius Cloud Asset Compliance |
| CloudWatch | cloudwatch:DescribeAlarmsForMetric | * | Axonius Cloud Asset Compliance |
| Config | config:DescribeConfigurationRecorderStatus, config:DescribeConfigurationRecorders | * | Axonius Cloud Asset Compliance |
| KMS | kms:ListKeys | * | Axonius Cloud Asset Compliance |

Other Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| S3 - Data Sync (Central Core) | kms:GenerateDataKey, kms:Decrypt | Must be scoped to a specific key that has been created for Axonius | Central Core |
| S3 - AssumeRole Fetch | s3:GetObject | The specific bucket and object that contain the roles-to-assume file | Advanced Configuration File setting: remote_roles_to_assume |
| Secrets Manager - Vault | secretsmanager:GetSecretValue | Can be scoped to all resources; however, Axonius recommends managing access to secrets within Secrets Manager through resource-based policies | Only needed if using AWS Secrets Manager as a Vault |
| SSM | ssm:CreateAssociation, ssm:RegisterTaskWithMaintenanceWindow | * | Enforcement Center action for installing software and patches on instances |
| STS | sts:AssumeRole | Should be scoped to the roles Axonius uses as part of the roles-to-assume / Organizations discovery implementation | Roles to Assume |
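The Enforcement Center and Other Permissions tables above say that the S3 write permissions, the Central Core KMS permissions and sts:AssumeRole must be scoped to specific resources rather than "*". The following check, an added example that is not part of the Axonius documentation, flags a policy that violates that rule; the bucket ARN and account ID are placeholders and both policies are constructed.

```python
"""Least-privilege check for an IAM policy granted to Axonius (added example,
not Axonius code): flags Allow statements that grant the actions this page
says must be resource-scoped on a wildcard resource."""
from fnmatch import fnmatchcase

# Actions the page requires to be scoped to specific buckets, keys or roles.
MUST_BE_SCOPED = ["kms:Decrypt", "kms:GenerateDataKey", "s3:DeleteObject",
                  "s3:GetObject", "s3:PutObject", "s3:PutObjectTagging",
                  "sts:AssumeRole"]


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_wildcard(resource):
    """True for "*" or an ARN whose resource part is just "*" (arn:aws:s3:::*)."""
    parts = resource.split(":", 5)
    return resource == "*" or (len(parts) == 6 and parts[5] == "*")


def find_overscoped(policy):
    """Return sorted (statement index, action) pairs where a must-be-scoped
    action is allowed on a wildcard resource. Action patterns like "s3:*"
    are expanded case-insensitively, as IAM evaluates them."""
    hits = set()
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_is_wildcard(r) for r in _as_list(stmt.get("Resource", []))):
            for pattern in _as_list(stmt.get("Action", [])):
                hits.update((idx, a) for a in MUST_BE_SCOPED
                            if fnmatchcase(a.lower(), pattern.lower()))
    return sorted(hits)


# Constructed Enforcement Center S3 policies; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::axonius-ec-output-EXAMPLE"
WRITE_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:PutObjectTagging", "s3:DeleteObject"]
OVERSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket"] + WRITE_ACTIONS,
     "Resource": "*"}]}  # the scoping the page says not to use
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    # s3:ListAllMyBuckets is read-only and has no resource-level scope, so "*" is expected here.
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:HeadBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": WRITE_ACTIONS, "Resource": BUCKET + "/*"}]}
```

Running find_overscoped over a policy before attaching it to the Axonius role turns the table's scoping rules into a check that can be repeated whenever the policy changes.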

