AWS Permissions
  • 17 Jan 2024

These tables summarize the permissions that Axonius requires to fetch various AWS resources.
Use this information both to grant the required permissions and to avoid granting permissions that are not needed.

Adapter Fetch Permissions

Each entry lists the AWS service, the IAM permissions (actions) the adapter needs, and the Axonius setting that requires them.

API Gateway
  Permissions:
    GET
  Axonius Setting: Fetch information about API Gateways

ACM
  Permissions:
    acm:DescribeCertificate
    acm:ListCertificates
  Axonius Setting: Basic Fetch

AppStream
  Permissions:
    appstream:DescribeUsers
    appstream:DescribeUserStackAssociations
  Axonius Setting: Fetch information about AWS AppStream users

  Permissions:
    appstream:DescribeStacks
    appstream:ListAssociatedFleets
    appstream:DescribeFleets
  Axonius Setting: Fetch information about AWS AppStream devices

Autoscaling
  Permissions:
    autoscaling:DescribeAutoScalingGroups
    autoscaling:DescribePolicies
    autoscaling:DescribeAutoScalingInstances
  Axonius Setting: Basic Fetch

Backup
  Permissions:
    backup:ListBackupPlans
    backup:ListBackupVaults
  Axonius Setting: Fetch backup plans and vaults

CloudFront
  Permissions:
    cloudfront:GetDistribution
    cloudfront:ListDistributions
  Axonius Setting: Fetch information about CloudFront

CloudWatch
  Permissions:
    cloudwatch:GetMetricStatistics
  Axonius Setting: Disk volume used by Aurora DB from RDS CloudWatch

DynamoDB
  Permissions:
    dynamodb:DescribeTable
    dynamodb:DescribeGlobalTable
    dynamodb:DescribeGlobalTableSettings
    dynamodb:ListGlobalTables
    dynamodb:ListTables
  Axonius Setting: Fetch information about DynamoDB

EC2
  Permissions:
    ec2:DescribeAddresses
    ec2:DescribeFlowLogs
    ec2:DescribeImages
    ec2:DescribeInstances
    ec2:DescribeInternetGateways
    ec2:DescribeNatGateways
    ec2:DescribeRouteTables
    ec2:DescribeSnapshotAttribute
    ec2:DescribeSnapshots
    ec2:DescribeSecurityGroups
    ec2:DescribeSubnets
    ec2:DescribeTags
    ec2:DescribeVolumes
    ec2:DescribeVpcPeeringConnections
    ec2:DescribeVpcs
  Axonius Setting: Basic Fetch

ECR
  Permissions:
    ecr:DescribeImages
    ecr:DescribeRegistry
    ecr:DescribeRepositories
    ecr-public:DescribeImages
    ecr-public:DescribeRegistries
    ecr-public:DescribeRepositories
  Axonius Settings:
    Fetch ECR images as devices
    Correlate ECR-hosted images with compatible containers

ECS
  Permissions:
    ecs:DescribeClusters
    ecs:DescribeContainerInstances
    ecs:DescribeServices
    ecs:DescribeTasks
    ecs:ListClusters
    ecs:ListContainerInstances
    ecs:ListServices
    ecs:ListTagsForResource
    ecs:ListTasks
  Axonius Setting: Basic Fetch

EKS
  Permissions:
    eks:DescribeCluster
    eks:ListClusters
  Axonius Setting: Basic Fetch

ELB
  Permissions:
    elasticloadbalancing:DescribeLoadBalancerPolicies
    elasticloadbalancing:DescribeLoadBalancers
    elasticloadbalancing:DescribeListeners
    elasticloadbalancing:DescribeSSLPolicies
    elasticloadbalancing:DescribeTargetGroups
    elasticloadbalancing:DescribeTargetHealth
  Axonius Setting: Fetch information about ELB (Elastic Load Balancers)

ElastiCache
  Permissions:
    elasticache:DescribeCacheClusters
  Axonius Setting: Fetch information about ElastiCache clusters

Elasticsearch
  Permissions:
    es:DescribeElasticsearchDomain
    es:ListDomainNames
  Axonius Setting: Fetch information about Elasticsearch

FSx
  Permissions:
    fsx:DescribeFileSystems
  Axonius Setting: Fetch FSx metadata

Global Accelerator
  Permissions:
    globalaccelerator:ListAccelerators
    globalaccelerator:ListCustomRoutingAccelerators
  Axonius Setting: Fetch Global Accelerators

Glue
  Permissions:
    glue:GetDatabases
  Axonius Setting: Fetch Glue data

GuardDuty
  Permissions:
    guardduty:GetFindings
    guardduty:GetDetector
    guardduty:GetMembers
    guardduty:GetFilter
    guardduty:ListDetectors
    guardduty:ListFilters
    guardduty:ListMembers
    guardduty:ListFindings
  Axonius Setting: Add information about GuardDuty findings to assets

IAM
  Permissions:
    iam:GenerateCredentialReport
    iam:GenerateServiceLastAccessedDetails
    iam:GetAccessKeyLastUsed
    iam:GetAccountPasswordPolicy
    iam:GetAccountSummary
    iam:GetCredentialReport
    iam:GetLoginProfile
    iam:GetPolicy
    iam:GetPolicyVersion
    iam:GetRole
    iam:GetRolePolicy
    iam:GetServiceLastAccessedDetails
    iam:GetUser
    iam:GetUserPolicy
    iam:ListAccessKeys
    iam:ListAccountAliases
    iam:ListAttachedGroupPolicies
    iam:ListAttachedRolePolicies
    iam:ListAttachedUserPolicies
    iam:ListEntitiesForPolicy
    iam:ListGroups
    iam:ListGroupsForUser
    iam:ListInstanceProfilesForRole
    iam:ListMFADevices
    iam:ListPolicies
    iam:ListRolePolicies
    iam:ListRoles
    iam:ListUserPolicies
    iam:ListUserTags
    iam:ListUsers
    iam:ListVirtualMFADevices
  Axonius Settings:
    Fetch information about IAM Users
    Fetch IAM roles as users
    Parse IAM policies

Inspector
  Permissions:
    inspector:ListFindings
    inspector:DescribeFindings
    inspector:ListMembers
    inspector2:ListFindings
    inspector2:ListMembers
  Axonius Setting: Fetch Inspector Findings

Lambda
  Permissions:
    lambda:GetPolicy
    lambda:GetFunctionUrlConfig
    lambda:ListFunctions
    lambda:ListTags
  Axonius Setting: Fetch information about Lambdas

Macie
  Permissions:
    macie2:GetFindings
    macie2:ListFindings
    macie2:ListMembers
  Axonius Setting: Fetch information about Macie findings

Organizations - Base
  Permissions:
    organizations:DescribeAccount
    organizations:DescribeOrganization
    organizations:ListPoliciesForTarget
    organizations:ListTagsForResource
  Axonius Setting: Basic Fetch

Organizations - Account Name
  Permissions:
    organizations:ListAccounts
  Axonius Setting: Required for discovery of member accounts when fetching AWS Organizations

Organizations - Complete
  Permissions:
    organizations:DescribeOrganization
    organizations:DescribeEffectivePolicy
    organizations:DescribePolicy
  Axonius Setting: Fetch Organizations as assets

RDS
  Permissions:
    rds:DescribeDBClusters
    rds:DescribeDBInstances
    rds:DescribeOptionGroups
  Axonius Setting: Fetch information about RDS (Relational Database Service) Instances, Clusters and Global Clusters

Redshift
  Permissions:
    redshift:DescribeClusters
  Axonius Setting: Fetch Redshift Clusters as devices

Route53
  Permissions:
    route53:ListHostedZones
    route53:ListResourceRecordSets
    route53domains:ListDomains
    route53domains:GetDomainDetail
    route53resolver:ListResolverRules
    route53resolver:ListResolverRuleAssociations
  Axonius Setting: Fetch information about Route 53

S3
  Permissions:
    s3:GetAccountPublicAccessBlock
    s3:GetBucketAcl
    s3:GetBucketLocation
    s3:GetBucketLogging
    s3:GetBucketPolicy
    s3:GetBucketPolicyStatus
    s3:GetBucketPublicAccessBlock
    s3:GetBucketTagging
    s3:GetEncryptionConfiguration
    s3:ListAllMyBuckets
    s3:ListBucket
  Axonius Setting: Fetch information about S3

SageMaker
  Permissions:
    sagemaker:ListNotebookInstances
  Axonius Setting: Fetch SageMaker notebooks as devices

SecurityHub
  Permissions:
    securityhub:DescribeHub
    securityhub:GetFindings
    securityhub:ListMembers
    securityhub:ListTagsForResource
  Axonius Setting: Add information about Security Hub findings to assets

SNS
  Permissions:
    sns:ListSubscriptionsByTopic
  Axonius Setting: Fetch SNS topics as devices

Secrets Manager
  Permissions:
    secretsmanager:ListSecrets
    secretsmanager:GetResourcePolicy
  Axonius Setting: Fetch information about Secrets Manager

SQS Queues
  Permissions:
    sqs:ListQueues
  Axonius Setting: Fetch SQS queues as devices

SSM
  Permissions:
    ssm:DescribeAvailablePatches
    ssm:DescribeInstanceInformation
    ssm:DescribeInstancePatches
    ssm:DescribePatchGroups
    ssm:GetInventorySchema
    ssm:ListInventoryEntries
    ssm:ListResourceComplianceSummaries
    ssm:ListTagsForResource
  Axonius Setting: Fetch information about SSM (Systems Manager)

WAFv1
  Permissions:
    waf:GetWebACL
    waf:ListWebACLs
  Axonius Setting: Add WAF to devices

WAFRegional
  Permissions:
    waf-regional:GetWebACL
    waf-regional:GetWebACLForResource
    waf-regional:ListWebACLs
  Axonius Setting: Add WAF to devices

WAFv2
  Permissions:
    wafv2:GetWebACL
    wafv2:GetWebACLForResource
    wafv2:ListWebACLs
  Axonius Setting: Add WAF to devices

Workspaces
  Permissions:
    workspaces:DescribeTags
    workspaces:DescribeWorkspaceDirectories
    workspaces:DescribeWorkspaces
    workspaces:DescribeWorkspacesConnectionStatus
  Axonius Setting: Fetch information about Workspaces

Enforcement Center Permissions

Each entry lists the AWS service, the permissions, the resource scope they should be granted on, and the Axonius setting that requires them.

S3
  Permissions:
    s3:GetObject
    s3:HeadBucket
    s3:PutObject
    s3:ListAllMyBuckets
    s3:PutObjectTagging
    s3:DeleteObject
  Resource Scope: Scope these permissions to a bucket and objects created specifically for Axonius to write to. Do not scope these permissions to all resources.
  Axonius Setting: Enforcement Center Actions that send data to S3. For more information, see the Enforcement Center Action Index.

Cloud Asset Compliance Permissions

Each entry lists the AWS service, the permissions, the resource scope, and the Axonius setting that requires them.

CloudTrail
  Permissions:
    cloudtrail:DescribeTrails
    cloudtrail:GetEventSelectors
    cloudtrail:GetTrailStatus
  Resource Scope: *
  Axonius Setting: Axonius Cloud Asset Compliance

CloudWatch
  Permissions:
    cloudwatch:DescribeAlarmsForMetric
  Resource Scope: *
  Axonius Setting: Axonius Cloud Asset Compliance

Config
  Permissions:
    config:DescribeConfigurationRecorderStatus
    config:DescribeConfigurationRecorders
  Resource Scope: *
  Axonius Setting: Axonius Cloud Asset Compliance

KMS
  Permissions:
    kms:ListKeys
  Resource Scope: *
  Axonius Setting: Axonius Cloud Asset Compliance

Other Permissions

Each entry lists the AWS service, the permissions, the resource scope they should be granted on, and the Axonius setting that requires them.

S3 - Data Sync (Central Core)
  Permissions:
    kms:GenerateDataKey
    kms:Decrypt
  Resource Scope: Must be scoped to the specific key store created for Axonius
  Axonius Setting: Central Core

S3 - AssumeRole Fetch
  Permissions:
    s3:GetObject
  Resource Scope: The specific bucket and object that contain the roles-to-assume file
  Axonius Setting: Advanced Configuration File setting: remote_roles_to_assume

SecretsManager - Vault
  Permissions:
    secretsmanager:GetSecretValue
  Resource Scope: Can be scoped to all resources; however, Axonius recommends managing access to secrets within Secrets Manager through resource-based policies
  Axonius Setting: Only needed if using AWS Secrets Manager as a Vault

SSM
  Permissions:
    ssm:CreateAssociation
    ssm:RegisterTaskWithMaintenanceWindow
  Resource Scope: *
  Axonius Setting: Enforcement Center Action for Install Software and Patches on Instances

STS
  Permissions:
    sts:AssumeRole
  Resource Scope: Should be scoped to the roles used by Axonius as part of the roles-to-assume / Organizations discovery implementation
  Axonius Setting: Roles to Assume
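The scoping guidance in the Enforcement Center and Other Permissions tables above (bucket-scoped S3 writes, key-scoped KMS, role-scoped sts:AssumeRole) as an added Python example that is not part of this Axonius page: a constructed policy document with placeholder ARNs, and a check that flags any Allow statement granting a non-read action on Resource "*". The read-only verb list (Get/List/Describe/Head) is an assumption of the example, not an Axonius or AWS definition.

```python
import copy
import re

# Constructed example policy (placeholder ARNs): the Enforcement Center S3
# actions scoped to a dedicated bucket, the Central Core KMS actions to one
# key, and sts:AssumeRole to the role Axonius assumes. s3:ListAllMyBuckets
# cannot be scoped below "*", so it sits in its own read-only statement.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnforcementCenterS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectTagging",
                    "s3:DeleteObject", "s3:HeadBucket"],
         "Resource": ["arn:aws:s3:::EXAMPLE-axonius-bucket",
                      "arn:aws:s3:::EXAMPLE-axonius-bucket/*"]},
        {"Sid": "ListBuckets", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "CentralCoreKms", "Effect": "Allow",
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Sid": "RolesToAssume", "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/EXAMPLE-AxoniusFetchRole"},
    ],
}

# Assumed read-only verbs; granting these on Resource "*" is acceptable.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe|Head)", re.IGNORECASE)


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def unscoped_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granting a non-read action on "*"."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if any(not READ_ONLY.match(a) for a in _as_list(stmt.get("Action", []))):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def widen_to_all_resources(policy: dict, sid: str) -> dict:
    """Copy of the policy with one statement's Resource set to "*" (the misconfiguration to avoid)."""
    widened = copy.deepcopy(policy)
    for stmt in widened["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Resource"] = "*"
    return widened
```

Running `unscoped_statements` over the scoped policy returns an empty list, while widening the S3 or STS statement to "*" makes that statement's Sid appear in the result.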
