AWS Permissions
28 Aug 2023

Article Summary

These tables summarize the permissions Axonius requires to fetch various AWS resources.
Use them both to grant the permissions that are required and to avoid granting permissions that are not needed (least privilege): enable only the rows that correspond to the Axonius settings you use.

Adapter Fetch Permissions

| AWS Service | Permissions | Axonius Setting |
|---|---|---|
| API Gateway | GET | Fetch information about API Gateways |
| ACM | acm:DescribeCertificate, acm:ListCertificates | Basic fetch |
| AppStream | appstream:DescribeUsers, appstream:DescribeUserStackAssociations | Fetch information about AWS AppStream users |
| AppStream | appstream:DescribeStacks, appstream:ListAssociatedFleets, appstream:DescribeFleets | Fetch information about AWS AppStream devices |
| Autoscaling | autoscaling:DescribeAutoScalingGroups, autoscaling:DescribePolicies, autoscaling:DescribeAutoScalingInstances | Basic Fetch |
| Backup | backup:ListBackupPlans, backup:ListBackupVaults | Fetch backup plans and vaults |
| Cloudfront | cloudfront:GetDistribution, cloudfront:ListDistributions | Fetch information about Cloudfront |
| DynamoDB | dynamodb:DescribeTable, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, dynamodb:ListGlobalTables, dynamodb:ListTables | Fetch information about DynamoDB |
| EC2 | ec2:DescribeAddresses, ec2:DescribeFlowLogs, ec2:DescribeImages, ec2:DescribeInstances, ec2:DescribeInternetGateways, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeTags, ec2:DescribeVolumes, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcs | Basic Fetch |
| ECR | ecr:DescribeImages, ecr:DescribeRegistry, ecr:DescribeRepositories, ecr-public:DescribeImages, ecr-public:DescribeRegistries, ecr-public:DescribeRepositories | Fetch ECR images as devices; Correlate ECR-hosted images with compatible containers |
| ECS | ecs:DescribeClusters, ecs:DescribeContainerInstances, ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListContainerInstances, ecs:ListServices, ecs:ListTagsForResource, ecs:ListTasks | Basic Fetch |
| EKS | eks:DescribeCluster, eks:ListClusters | Basic Fetch |
| ELB | elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeSSLPolicies, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth | Fetch information about ELB (Elastic Load Balancers) |
| ElastiCache | elasticache:DescribeCacheClusters | Fetch information about ElastiCache cluster |
| Elasticsearch | es:DescribeElasticsearchDomain, es:ListDomainNames | Fetch information about Elasticsearch |
| FSx | fsx:DescribeFileSystems | Fetch FSx metadata |
| Globalaccelerator | globalaccelerator:ListAccelerators, globalaccelerator:ListCustomRoutingAccelerators | Fetch Global Accelerators |
| Glue | glue:GetDatabases | Fetch Glue data |
| GuardDuty | guardduty:GetFindings, guardduty:GetDetector, guardduty:GetMembers, guardduty:GetFilter, guardduty:ListDetectors, guardduty:ListFilters, guardduty:ListMembers, guardduty:ListFindings | Add information about GuardDuty findings to assets |
| IAM | iam:GenerateCredentialReport, iam:GenerateServiceLastAccessedDetails, iam:GetAccessKeyLastUsed, iam:GetAccountPasswordPolicy, iam:GetAccountSummary, iam:GetCredentialReport, iam:GetLoginProfile, iam:GetPolicy, iam:GetPolicyVersion, iam:GetRole, iam:GetRolePolicy, iam:GetServiceLastAccessedDetails, iam:GetUser, iam:GetUserPolicy, iam:ListAccessKeys, iam:ListAccountAliases, iam:ListAttachedGroupPolicies, iam:ListAttachedRolePolicies, iam:ListAttachedUserPolicies, iam:ListEntitiesForPolicy, iam:ListGroups, iam:ListGroupsForUser, iam:ListInstanceProfilesForRole, iam:ListMFADevices, iam:ListPolicies, iam:ListRolePolicies, iam:ListRoles, iam:ListUserPolicies, iam:ListUserTags, iam:ListUsers, iam:ListVirtualMFADevices | Fetch information about IAM Users; Fetch IAM roles as users; Parse IAM policies |
| Inspector | inspector:ListFindings, inspector:DescribeFindings, inspector:ListMembers, inspector2:ListFindings, inspector2:ListMembers | Fetch Inspector Findings |
| Lambda | lambda:GetPolicy, lambda:GetFunctionUrlConfig, lambda:ListFunctions, lambda:ListTags | Fetch information about Lambdas |
| Macie | macie2:GetFindings, macie2:ListFindings, macie2:ListMembers | Fetch information about Macie findings |
| Organizations - Base | organizations:DescribeAccount, organizations:DescribeOrganization, organizations:ListPoliciesForTarget, organizations:ListTagsForResource | Basic Fetch |
| Organizations - Account Name | organizations:ListAccounts | Required for discovery of member accounts when fetching AWS Organizations |
| Organizations - Complete | organizations:DescribeOrganization, organizations:DescribeEffectivePolicy, organizations:DescribePolicy | Fetch Organizations as assets |
| RDS | rds:DescribeDBClusters, rds:DescribeDBInstances, rds:DescribeOptionGroups | Fetch information about RDS (Relational Database Service); RDS Instances, Clusters and Global Clusters |
| Redshift | redshift:DescribeClusters | Fetch Redshift Clusters as devices |
| Route53 | route53:ListHostedZones, route53:ListResourceRecordSets, route53domains:ListDomains, route53domains:GetDomainDetail | Fetch information about Route 53 |
| S3 | s3:GetAccountPublicAccessBlock, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetBucketLogging, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, s3:GetBucketTagging, s3:GetEncryptionConfiguration, s3:ListAllMyBuckets, s3:ListBucket | Fetch information about S3 |
| SageMaker | sagemaker:ListNotebookInstances | Fetch SageMaker notebooks as devices |
| SecurityHub | securityhub:DescribeHub, securityhub:GetFindings, securityhub:ListMembers, securityhub:ListTagsForResource | Add information about Security Hub findings to assets |
| SNS | sns:ListSubscriptionsByTopic | Fetch SNS topics as devices |
| Secrets Manager | secretsmanager:ListSecrets, secretsmanager:GetResourcePolicy | Fetch information about Secrets Manager |
| SQS Queues | sqs:ListQueues | Fetch SQS queues as devices |
| SSM | ssm:DescribeAvailablePatches, ssm:DescribeInstanceInformation, ssm:DescribeInstancePatches, ssm:DescribePatchGroups, ssm:GetInventorySchema, ssm:ListInventoryEntries, ssm:ListResourceComplianceSummaries, ssm:ListTagsForResource | Fetch information about SSM (System Manager) |
| WAFv1 | waf:GetWebACL, waf:ListWebACLs | Add WAF to devices |
| WAFRegional | waf-regional:GetWebACL, waf-regional:GetWebACLForResource, waf-regional:ListWebACLs | Add WAF to devices |
| WAFv2 | wafv2:GetWebACL, wafv2:GetWebACLForResource, wafv2:ListWebACLs | Add WAF to devices |
| Workspaces | workspaces:DescribeTags, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeWorkspaces, workspaces:DescribeWorkspacesConnectionStatus | Fetch information about Workspaces |

Enforcement Center Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| S3 | s3:GetObject, s3:HeadBucket, s3:PutObject, s3:ListAllMyBuckets, s3:PutObjectTagging, s3:DeleteObject | These permissions should be scoped to a bucket/objects that are specifically created for Axonius to write to. Do not scope these permissions to all resources. | Enforcement Center Actions that involve sending data to S3. For more information, see the Enforcement Center Action Index |

Cloud Asset Compliance Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| CloudTrail | cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus | * | Axonius Cloud Asset Compliance |
| Cloudwatch | cloudwatch:DescribeAlarmsForMetric | * | Axonius Cloud Asset Compliance |
| Config | config:DescribeConfigurationRecorderStatus, config:DescribeConfigurationRecorders | * | Axonius Cloud Asset Compliance |
| KMS | kms:ListKeys | * | Axonius Cloud Asset Compliance |

Other Permissions

| AWS Service | Permissions | Resource Scope | Axonius Setting |
|---|---|---|---|
| S3 - Data Sync (Central Core) | kms:GenerateDataKey, kms:Decrypt | Needs to be scoped to a specific key store that has been created for Axonius | Central Core |
| S3 - AssumeRole Fetch | s3:GetObject | Specific bucket and object that contains the roles to assume file | Advanced Configuration File setting: remote_roles_to_assume |
| SecretsManager - Vault | secretsmanager:GetSecretValue | Can be scoped to all resources; however, Axonius recommends managing access to secrets within SecretsManager through resource-based policies | Only needed if using AWS Secrets Manager as a Vault |
| SSM | ssm:CreateAssociation, ssm:RegisterTaskWithMaintenanceWindow | * | EC Action for Install Software and Patches Instances |
| STS | sts:AssumeRole | Should be scoped to roles utilized by Axonius as a part of our roles to assume/organizations discovery implementation | Roles to Assume |
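The Resource Scope column in the Enforcement Center and Other Permissions tables carries the one hard rule on this page: the S3 write permissions, the KMS data-key permissions and sts:AssumeRole must be tied to specific resources, never granted on `*`. The following is an added example (not Axonius code and not taken from the page) that builds the Enforcement Center S3 policy scoped to one dedicated bucket and then checks any policy document for those must-be-scoped actions granted on every resource. The bucket name `axonius-enforcement-output` and the role ARN in the test data are constructed placeholders.

```python
"""Least-privilege helper for the Axonius AWS permission tables.

Added example, not Axonius code. Two parts:
  * enforcement_s3_policy(bucket): the Enforcement Center S3 actions, scoped to
    one bucket created for Axonius to write to (the table's Resource Scope rule).
  * unscoped_statements(policy): flags Allow statements that grant an action the
    tables say must be scoped (S3 writes, KMS data-key use, sts:AssumeRole)
    on a wildcard resource.
"""
import json
from fnmatch import fnmatchcase

# Actions listed in the Enforcement Center table for sending data to S3.
ENFORCEMENT_S3_ACTIONS = [
    "s3:GetObject",
    "s3:HeadBucket",
    "s3:PutObject",
    "s3:ListAllMyBuckets",
    "s3:PutObjectTagging",
    "s3:DeleteObject",
]

# Actions whose Resource Scope cell says "do not scope to all resources" /
# "should be scoped to ...". Granting any of these on "*" is a finding.
MUST_BE_SCOPED = {
    "s3:PutObject",
    "s3:PutObjectTagging",
    "s3:DeleteObject",
    "kms:GenerateDataKey",
    "kms:Decrypt",
    "sts:AssumeRole",
}

# Resource values that mean "every resource" for our purposes.
WILDCARD_RESOURCES = ("*", "arn:aws:s3:::*")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def enforcement_s3_policy(bucket: str) -> dict:
    """Policy granting the Enforcement Center S3 actions on one dedicated bucket.

    s3:ListAllMyBuckets is an account-level action that only supports "*", so it
    gets its own statement; everything else is bound to the bucket ARN and the
    objects under it.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"  # bucket name is a caller-supplied placeholder
    object_actions = [a for a in ENFORCEMENT_S3_ACTIONS if a != "s3:ListAllMyBuckets"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListBuckets",
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"],
                "Resource": "*",
            },
            {
                "Sid": "DedicatedBucketReadWrite",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
        ],
    }


def unscoped_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant a must-be-scoped action on a wildcard.

    Action patterns such as "s3:*" or "s3:Put*" are expanded with fnmatch so a
    wildcard action that covers a sensitive action is caught too.
    """
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        grants_sensitive = any(
            fnmatchcase(action, pattern) for pattern in patterns for action in MUST_BE_SCOPED
        )
        if grants_sensitive and any(r in WILDCARD_RESOURCES for r in resources):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


if __name__ == "__main__":
    policy = enforcement_s3_policy("axonius-enforcement-output")
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", unscoped_statements(policy))
```

Run the checker over the policy you are about to attach to the Axonius principal; an empty list means every S3 write, KMS data-key and AssumeRole grant names a concrete resource. The read-only fetch permissions in the first table are not in MUST_BE_SCOPED because the Cloud Asset Compliance rows explicitly accept `*` for them.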