AWS Permissions

Updated on 02 Mar 2025
3 Minutes to read

Print
Share
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

These tables summarize permissions that Axonius requires to fetch various AWS resources. Use this information both to enable required permissions, and to only apply necessary permissions.

Adapter Fetch Permissions

AWS Service	Permissions	Axonius Setting
API Gateway	GET	Fetch information about API Gateways
ACM	acm:DescribeCertificate acm:ListCertificates	Basic fetch
AppStream	appstream:DescribeUsers appstream:DescribeUserStackAssociations	Fetch information about AWS AppStream users
AppStream	appstream:DescribeStacks appstream:ListAssociatedFleets appstream:DescribeFleets	Fetch information about AWS AppStream devices
Athena	athena:ListDataCatalogs athena:ListDatabases athena:ListQueryExecutions athena:ListTableMetadata	Fetch Athena tables as Devices - BETA
Autoscaling	autoscaling:DescribeAutoScalingGroups autoscaling:DescribePolicies autoscaling:DescribeAutoScalingInstances	Basic Fetch
Backup	backup:ListBackupPlans backup:ListBackupVaults	Fetch backup plans and vaults
CloudFormation	cloudformation:DescribeStacks cloudformation:ListStackSets cloudformation:ListStacks	Fetch information about CloudFormation
Cloudfront	cloudfront:GetDistribution cloudfront:ListDistributions	Fetch information about Cloudfront
Cloudwatch	cloudwatch:GetMetricStatistics, cloudwatch:DescribeAlarms cloudwatch:GetMetricStatistics	Disk volume used by Aurora DB from RDS cloudwatch, Fetch CloudWatch Alarms as assets.
Direct Connect	directconnect:DescribeConnections directconnect:DescribeLags directconnect:DescribeVirtualGateways directconnect:DescribeVirtualInterfaces	Fetch Direct Connect Data
DynamoDB	dynamodb:DescribeTable dynamodb:DescribeGlobalTable dynamodb:DescribeGlobalTableSettings dynamodb:ListGlobalTables dynamodb:ListTables dynamodb:ListTagsOfResource	Fetch information about DynamoDB
EC2	ec2:CreateSnapshot ec2:DescribeAddresses ec2:DescribeFlowLogs ec2:DescribeImages ec2:DescribeInstances ec2:DescribeInstanceStatus ec2:DescribeInternetGateways ec2:DescribeNatGateways ec2:DescribeRouteTables ec2:DescribeSnapshotAttribute ec2:DescribeSnapshots ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumes ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs ec2:DescribeVpnConnections ec2:DescribeCustomerGateways ec2:DescribeTransitGatewayAttachments ec2:DescribeTransitGatewayPeeringAttachments ec2:DescribeTransitGatewayRouteTables ec2:DescribeTransitGateways	Basic Fetch ec2:DescribeVpnConnections - only required when the Fetch VPNs advanced configuration is turned on.
ECR	ecr:DescribeImages ecr:DescribeRegistry ecr:DescribeRepositories ecr-public:DescribeImages ecr-public:DescribeRegistries ecr-public:DescribeRepositories	Fetch ECR images as devices Correlate ECR-hosted images with compatible containers
ECS	ecs:DescribeClusters ecs:DescribeContainerInstances ecs:DescribeServices ecs:DescribeTasks ecs:ListClusters ecs:ListContainerInstances ecs:ListServices ecs:ListTagsForResource ecs:ListTasks	Basic Fetch
EKS	eks:DescribeCluster eks:ListClusters	Basic Fetch
ELB	elasticloadbalancing:DescribeLoadBalancerPolicies elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeSSLPolicies elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth elasticloadbalancing:DescribeTags elasticloadbalancing:DescribeRules	Fetch information about ELB (Elastic Load Balancers)
Elastic Beanstalk	elasticbeanstalk:DescribeEnvironments	Fetch information about Elastic Beanstalk environments
ElastiCache	elasticache:DescribeCacheClusters elasticache:DescribeReplicationsGroups elasticache:ListTagsForResource	Fetch information about ElastiCache cluster
Elasticsearch	es:DescribeElasticsearchDomain es:ListDomainNames	Fetch information about Elasticsearch
FSx	fsx:DescribeFileSystems	Fetch FSx metadata
Globalaccelerator	globalaccelerator:ListAccelerators globalaccelerator:ListCustomRoutingAccelerators	Fetch Global Accelerators
Glue	glue:GetDatabases glue:GetTables	Fetch Glue data
GuardDuty	guardduty:GetFindings guardduty:GetDetector guardduty:GetMembers guardduty:GetFilter guardduty:ListDetectors guardduty:ListFilters guardduty:ListMembers guardduty:ListFindings	Add information about GuardDuty findings to assets
IAM	iam:GenerateCredentialReport iam:GenerateServiceLastAccessedDetails iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:GetAccountSummary iam:GetCredentialReport iam:GetLoginProfile iam:GetPolicy iam:GetPolicyVersion iam:GetRole iam:GetRolePolicy iam:GetServiceLastAccessedDetails iam:GetUser iam:GetUserPolicy iam:ListAccessKeys iam:ListAccountAliases iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListEntitiesForPolicy iam:ListGroups iam:ListGroupsForUser iam:ListInstanceProfilesForRole iam:ListMFADevices iam:ListPolicies iam:ListRolePolicies iam:ListRoles iam:ListUserPolicies iam:ListUserTags iam:ListUsers iam:ListVirtualMFADevices iam:GenerateCredentialReport	Fetch information about IAM Users Fetch IAM roles as users Parse IAM policies
Identity Store	identitystore:ListGroups identitystore:ListUsers sso:ListInstances	Fetch Identity Store users and groups
Inspector	inspector:ListFindings inspector:DescribeFindings inspector2:ListFindings inspector2:ListMembers	Fetch Inspector Findings
Kinesis	kinesis:ListStreams	Fetch Kinesis Data Stream
Kinesis Data Analytics	kinesisanalytics:DescribeApplication, kinesisanalytics:ListApplications	Kinesis Data Analytics as devices.
Lambda	lambda:GetPolicy lambda:GetFunctionUrlConfig lambda:ListFunctions lambda:ListTags	Fetch information about Lambdas
Lightsail	lightsail:GetInstances	Fetch Lightsail Instances
Macie	macie2:GetFindings macie2:ListFindings macie2:ListMembers	Fetch information about Macie findings
Organizations - Base	organizations:DescribeAccount organizations:DescribeOrganization organizations:ListPoliciesForTarget organizations:ListTagsForResource	Basic Fetch
Organizations - Account Name	organizations:ListAccounts	Required for discovery of member accounts when fetching AWS Organizations
Organizations - Complete	organizations:DescribeOrganization organizations:DescribeEffectivePolicy organizations:DescribePolicy	Fetch Organizations as assets
Outposts	outposts:ListAssets outposts:ListSites outposts:ListOutposts	Fetch information about AWS Outposts assets
RDS	rds:DescribeDBClusters rds:DescribeDBInstances rds:DescribeOptionGroups rds:describePendingMaintenanceActions	Fetch information about RDS (Relational Database Service) RDS (Relational Database Service) Instances, Clusters and Global Clusters
Redshift	redshift:DescribeClusters	Fetch Redshift Clusters as devices
Route53	route53:ListHostedZones route53:ListResourceRecordSets route53domains:ListDomains route53domains:GetDomainDetail route53resolver:ListResolverRules route53resolver:ListResolverRuleAssociations	Fetch information about Route 53
S3	s3:GetAccountPublicAccessBlock s3:GetBucketAcl s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetBucketTagging s3:GetEncryptionConfiguration s3:ListAllMyBuckets s3:ListBucket	Fetch information about S3
SageMaker	sagemaker:ListNotebookInstances sagemaker:DescribeNotebookInstance sagemaker:ListTags	Fetch SageMaker notebooks as devices
SecurityHub	securityhub:DescribeHub securityhub:GetFindings securityhub:ListMembers securityhub:ListTagsForResource	Add information about Security Hub findings to assets
SNS	sns:ListSubscriptionsByTopic	Fetch SNS topics as devices
Step Functions	states:listStateMachines states:describeStateMachine	Fetch step functions
Service Catalog	servicecatalog:ListPortfolios, servicecatalog:DescribePortfolio	Fetch Services Catalog as assets
Secrets Manager	secretsmanager:ListSecrets secretsmanager:GetResourcePolicy	Fetch information about Secrets Manager
SQS Queues	sqs:ListQueues sqs:GetQueueAttributes	Fetch SQS queues as devices
SSM	ssm:DescribeAvailablePatches ssm:DescribeInstanceInformation ssm:DescribeInstancePatches ssm:DescribePatchGroups ssm:GetInventorySchema ssm:ListInventoryEntries ssm:ListResourceComplianceSummaries ssm:ListTagsForResource ssm:DescribeParameter ssm:GetParameter	Fetch information about SSM (System Manager)
WAFv1	waf:GetWebACL waf:ListWebACLs	Add WAF to devices
WAFRegional	waf-regional:GetWebACL waf-regional:GetWebACLForResource waf-regional:ListWebACLs	Add WAF to devices
WAFv2	wafv2:GetWebACL wafv2:GetWebACLForResource wafv2:ListWebACLs	Add WAF to devices
Workspaces	workspaces:DescribeTags workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces workspaces:DescribeWorkspacesConnectionStatus	Fetch information about Workspaces

Enforcement Center Permissions

AWS Service	Permissions	Resource Scope	Axonius Setting
S3	s3:GetObject s3:HeadBucket s3:PutObject s3:ListAllMyBuckets s3:PutObjectTagging s3:DeleteObject s3:HeadBucket s3:UploadFileObject	These permissions should be scoped to a bucket/objects that are specifically created for Axonius to write to. Do not scope these permissions to all resources.	Enforcement Center Actions that involve sending data to S3. For more information, see the Enforcement Center Action Index
EC2	ec2:StartInstances ec2:StopInstances tag:GetResources tag:TagResources tag:UntagResources tag:getTagKeys tag:getTagValues iam:ListUserTags iam:TagUser iam:UntagUser		Enforcement Center Actions that start and stop EC2 instances. Enforcement Center Actions that manage tags on EC2 instances.
IAM	iam:UpdateLoginProfile iam:DeleteUser iam:ListGroupsForUser iam:RemoveUserFromGroup iam:ListAccessKeys iam:DeleteAccessKey		Enforcement Center Actions that manage IAM users.
SSM	ssm:CreateAssociation ssm:RegisterTaskWithMaintenanceWindow		Enforcement Center Actions that install and patch software using SSM.

Cloud Asset Compliance Permissions

AWS Service	Permissions	Resource Scope	Axonius Setting
CloudTrail	cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus	*	Axonius Cloud Asset Compliance
Cloudwatch	cloudwatch:DescribeAlarmsForMetric	*	Axonius Cloud Asset Compliance
IAM	iam:GenerateCredentialReport	*	Axonius Cloud Asset Compliance
Config	config:DescribeConfigurationRecorderStatus config:DescribeConfigurationRecorders	*	Axonius Cloud Asset Compliance
Logs	logs:DescribeMetricFilters	*	Axonius Cloud Asset Compliance
KMS	kms:ListKeys	*	Axonius Cloud Asset Compliance
EC2	ec2:DescribeInstances ec2:GetEbsEncryptionByDefault ec2:DescribeRouteTables	*	Axonius Cloud Asset Compliance
RDS	rds:DescribeDbInstances	*	Axonius Cloud Asset Compliance
Elastic File System	elasticfilesystem:DescribeFileSystems	*	Axonius Cloud Asset Compliance
Security Hub	DescribeHub	*	Axonius Cloud Asset Compliance
SNS	sns:ListSubscriptionsByTopic	*	Axonius Cloud Asset Compliance

Other Permissions

AWS Service	Permissions	Resource Scope	Axonius Setting
S3 - Data Sync (Central Core)	kms:GenerateDataKey kms:Decrypt	Needs to be scoped to a specific key store that has been created for Axonius	Central Core
S3 - AssumeRole Fetch	S3:GetObject	Specific bucket and object that contains the roles to assume file	Advanced Configuration File setting: remote_roles_to_assume
SecretsManager- Vault	secretsmanager:GetSecretValue	Can be scoped to all resources; however, Axonius recommends managing access to secrets within SecretsManager through resource-based policies	Only needed if using AWS Secrets Manager as a Vault
SSM	ssm:CreateAssocation ssm:RegisterTaskWithMaintenanceWindow	*	EC Action for Install Software and Patches Instances
STS	sts:AssumeRole	Should be scoped to roles utilized by Axonius as a part of our roles to assume/organizations discovery implementation	Roles to Assume

Was this article helpful?

What's Next

Configuring an S3 Bucket to use with Axonius

Table of contents

Adapter Fetch Permissions
Enforcement Center Permissions
Cloud Asset Compliance Permissions
Other Permissions