AWS Permissions
- 28 Aug 2023
These tables summarize the IAM permissions that Axonius requires to fetch the various AWS resources it supports.
Use them both to grant the permissions a feature needs and to avoid granting any that are not needed: enable only the rows for the features you use, and keep the Resource Scope restrictions given in the later tables (least privilege).
Adapter Fetch Permissions
AWS Service | Permissions | Axonius Setting |
---|---|---|
API Gateway | apigateway:GET | Fetch information about API Gateways |
ACM | acm:DescribeCertificate acm:ListCertificates | Basic fetch |
AppStream | appstream:DescribeUsers appstream:DescribeUserStackAssociations | Fetch information about AWS AppStream users |
AppStream | appstream:DescribeStacks appstream:ListAssociatedFleets appstream:DescribeFleets | Fetch information about AWS AppStream devices |
Autoscaling | autoscaling:DescribeAutoScalingGroups autoscaling:DescribePolicies autoscaling:DescribeAutoScalingInstances | Basic Fetch |
Backup | backup:ListBackupPlans | Fetch backup plans and vaults |
Cloudfront | cloudfront:GetDistribution cloudfront:ListDistributions | Fetch information about Cloudfront |
DynamoDB | dynamodb:DescribeTable dynamodb:DescribeGlobalTable dynamodb:DescribeGlobalTableSettings dynamodb:ListGlobalTables dynamodb:ListTables | Fetch information about DynamoDB |
EC2 | ec2:DescribeAddresses ec2:DescribeFlowLogs ec2:DescribeImages ec2:DescribeInstances ec2:DescribeInternetGateways ec2:DescribeNatGateways ec2:DescribeRouteTables ec2:DescribeSnapshotAttribute ec2:DescribeSnapshots ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumes ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs | Basic Fetch |
ECR | ecr:DescribeImages ecr:DescribeRegistry ecr:DescribeRepositories ecr-public:DescribeImages ecr-public:DescribeRegistries ecr-public:DescribeRepositories | Fetch ECR images as devices; Correlate ECR-hosted images with compatible containers |
ECS | ecs:DescribeClusters ecs:DescribeContainerInstances ecs:DescribeServices ecs:DescribeTasks ecs:ListClusters ecs:ListContainerInstances ecs:ListServices ecs:ListTagsForResource ecs:ListTasks | Basic Fetch |
EKS | eks:DescribeCluster eks:ListClusters | Basic Fetch |
ELB | elasticloadbalancing:DescribeLoadBalancerPolicies elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeSSLPolicies elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth | Fetch information about ELB (Elastic Load Balancers) |
ElastiCache | elasticache:DescribeCacheClusters | Fetch information about ElastiCache cluster |
Elasticsearch | es:DescribeElasticsearchDomain es:ListDomainNames | Fetch information about Elasticsearch |
FSx | fsx:DescribeFileSystems | Fetch FSx metadata |
Globalaccelerator | globalaccelerator:ListAccelerators | Fetch Global Accelerators |
Glue | glue:GetDatabases | Fetch Glue data |
GuardDuty | guardduty:GetFindings guardduty:GetDetector guardduty:GetMembers guardduty:GetFilter guardduty:ListDetectors guardduty:ListFilters guardduty:ListMembers guardduty:ListFindings | Add information about GuardDuty findings to assets |
IAM | iam:GenerateCredentialReport iam:GenerateServiceLastAccessedDetails iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:GetAccountSummary iam:GetCredentialReport iam:GetLoginProfile iam:GetPolicy iam:GetPolicyVersion iam:GetRole iam:GetRolePolicy iam:GetServiceLastAccessedDetails iam:GetUser iam:GetUserPolicy iam:ListAccessKeys iam:ListAccountAliases iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListEntitiesForPolicy iam:ListGroups iam:ListGroupsForUser iam:ListInstanceProfilesForRole iam:ListMFADevices iam:ListPolicies iam:ListRolePolicies iam:ListRoles iam:ListUserPolicies iam:ListUserTags iam:ListUsers iam:ListVirtualMFADevices | Fetch information about IAM Users; Fetch IAM roles as users; Parse IAM policies |
Inspector | inspector:ListFindings inspector:DescribeFindings inspector:ListMembers inspector2:ListFindings inspector2:ListMembers | Fetch Inspector Findings |
Lambda | lambda:GetPolicy lambda:GetFunctionUrlConfig lambda:ListFunctions lambda:ListTags | Fetch information about Lambdas |
Macie | macie2:GetFindings macie2:ListFindings macie2:ListMembers | Fetch information about Macie findings |
Organizations - Base | organizations:DescribeAccount organizations:DescribeOrganization organizations:ListPoliciesForTarget organizations:ListTagsForResource | Basic Fetch |
Organizations - Account Name | organizations:ListAccounts | Required for discovery of member accounts when fetching AWS Organizations |
Organizations - Complete | organizations:DescribeOrganization organizations:DescribeEffectivePolicy organizations:DescribePolicy | Fetch Organizations as assets |
RDS | rds:DescribeDBClusters rds:DescribeDBInstances rds:DescribeOptionGroups | Fetch information about RDS (Relational Database Service) instances, clusters and global clusters |
Redshift | redshift:DescribeClusters | Fetch Redshift Clusters as devices |
Route53 | route53:ListHostedZones route53:ListResourceRecordSets route53domains:ListDomains | Fetch information about Route 53 |
S3 | s3:GetAccountPublicAccessBlock s3:GetBucketAcl s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetBucketTagging s3:GetEncryptionConfiguration s3:ListAllMyBuckets s3:ListBucket | Fetch information about S3 |
SageMaker | sagemaker:ListNotebookInstances | Fetch SageMaker notebooks as devices |
SecurityHub | securityhub:DescribeHub securityhub:GetFindings securityhub:ListMembers securityhub:ListTagsForResource | Add information about Security Hub findings to assets |
SNS | sns:ListSubscriptionsByTopic | Fetch SNS topics as devices |
Secrets Manager | secretsmanager:ListSecrets secretsmanager:GetResourcePolicy | Fetch information about Secrets Manager |
SQS Queues | sqs:ListQueues | Fetch SQS queues as devices |
SSM | ssm:DescribeAvailablePatches ssm:DescribeInstanceInformation ssm:DescribeInstancePatches ssm:DescribePatchGroups ssm:GetInventorySchema ssm:ListInventoryEntries ssm:ListResourceComplianceSummaries ssm:ListTagsForResource | Fetch information about SSM (Systems Manager) |
WAFv1 | waf:GetWebACL waf:ListWebACLs | Add WAF to devices |
WAFRegional | waf-regional:GetWebACL waf-regional:GetWebACLForResource waf-regional:ListWebACLs | Add WAF to devices |
WAFv2 | wafv2:GetWebACL wafv2:GetWebACLForResource wafv2:ListWebACLs | Add WAF to devices |
Workspaces | workspaces:DescribeTags workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces workspaces:DescribeWorkspacesConnectionStatus | Fetch information about Workspaces |
Enforcement Center Permissions
AWS Service | Permissions | Resource Scope | Axonius Setting |
---|---|---|---|
S3 | s3:GetObject s3:PutObject s3:ListAllMyBuckets s3:PutObjectTagging s3:DeleteObject s3:HeadBucket (the HeadBucket API call is authorized by s3:ListBucket on the bucket ARN; there is no separate s3:HeadBucket IAM action) | Scope the object and bucket permissions to a bucket and objects created specifically for Axonius to write to (s3:ListAllMyBuckets is account-level and cannot be scoped to a bucket). Do not scope the write permissions to all resources. | Enforcement Center Actions that involve sending data to S3. For more information, see the Enforcement Center Action Index |
Cloud Asset Compliance Permissions
AWS Service | Permissions | Resource Scope | Axonius Setting |
---|---|---|---|
CloudTrail | cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus | * | Axonius Cloud Asset Compliance |
CloudWatch | cloudwatch:DescribeAlarmsForMetric | * | Axonius Cloud Asset Compliance |
Config | config:DescribeConfigurationRecorderStatus config:DescribeConfigurationRecorders | * | Axonius Cloud Asset Compliance |
KMS | kms:ListKeys | * | Axonius Cloud Asset Compliance |
Other Permissions
AWS Service | Permissions | Resource Scope | Axonius Setting |
---|---|---|---|
S3 - Data Sync (Central Core) | kms:GenerateDataKey kms:Decrypt | Scope to the specific KMS key created for Axonius; do not grant on all keys | Central Core |
S3 - AssumeRole Fetch | s3:GetObject | The specific bucket and object that contain the roles-to-assume file | Advanced Configuration File setting: remote_roles_to_assume |
Secrets Manager - Vault | secretsmanager:GetSecretValue | Can be scoped to all resources; however, Axonius recommends managing access to secrets within Secrets Manager through resource-based policies on the secrets themselves | Only needed if using AWS Secrets Manager as a Vault |
SSM | ssm:CreateAssociation ssm:RegisterTaskWithMaintenanceWindow | * | Enforcement Center actions that install software and patch instances |
STS | sts:AssumeRole | Scope to the role ARNs that Axonius assumes as part of the Roles to Assume / Organizations discovery feature, not to all roles | Roles to Assume |
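The Enforcement Center and Other Permissions tables above repeatedly say the same thing: read-only Describe/List/Get calls may be granted on Resource "*", but the S3 write actions, the KMS key actions, the roles-file read and sts:AssumeRole must be pinned to specific ARNs. The following is an added example, not Axonius code and not an Axonius-published policy: it assembles one IAM policy document in that shape from a representative subset of the actions listed in the tables, and lints any policy for scope-requiring actions that were granted on "*". The account IDs, bucket name, KMS key ARN, roles-file object and member-account role ARNs are placeholders assumed for the example.

```python
"""Least-privilege IAM policy for an Axonius role, plus a wildcard-resource lint.

Added example (not Axonius code). Account IDs, bucket, key and role names are
placeholders assumed for the example; the action names come from the tables.
"""
import json
import re

# --- Placeholder identifiers (assumptions, not values from the page) ----------
ACCOUNT_ID = "111122223333"
EXPORT_BUCKET = "axonius-ec-exports"                 # bucket created only for Axonius
KMS_KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/"
               "11111111-2222-3333-4444-555555555555")  # key created only for Axonius
ROLES_FILE_ARN = f"arn:aws:s3:::axonius-config-{ACCOUNT_ID}/roles_to_assume.json"
MEMBER_ROLE_ARNS = [
    "arn:aws:iam::444455556666:role/AxoniusReadOnly",
    "arn:aws:iam::777788889999:role/AxoniusReadOnly",
]

# Representative subset of the adapter-fetch actions from the first table.
# All are Describe/List/Get (or account-level report) calls, so "*" is acceptable.
FETCH_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
    "iam:ListUsers", "iam:ListMFADevices", "iam:GenerateCredentialReport",
    "iam:GetCredentialReport", "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
    "organizations:ListAccounts", "ecr-public:DescribeRepositories",
]

# Read-only by verb: the page grants these on "*".
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z]*$")
# Report generators are account-level reads; the page lists them under basic fetch.
ACCOUNT_LEVEL_OK = {"iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails"}
# Actions the tables say must be pinned to specific ARNs even though some look like reads.
MUST_SCOPE = {"s3:GetObject", "kms:Decrypt", "kms:GenerateDataKey", "sts:AssumeRole"}


def needs_scoped_resource(action: str) -> bool:
    """True if granting this action on Resource "*" violates the tables' scope rules."""
    if action in MUST_SCOPE or "*" in action:
        return True
    if action in ACCOUNT_LEVEL_OK:
        return False
    return READ_ONLY.match(action) is None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return (Sid, action) for every Allow statement that grants a scope-requiring
    action on Resource "*". An empty list means the policy follows the tables."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt["Action"]):
            if needs_scoped_resource(action):
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


def build_policy() -> dict:
    """Policy in the shape the tables describe: reads on "*", everything else pinned."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AdapterFetch", "Effect": "Allow",
             "Action": FETCH_ACTIONS, "Resource": "*"},
            # Enforcement Center: object-level actions on the dedicated bucket only.
            {"Sid": "EnforcementObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectTagging", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{EXPORT_BUCKET}/*"},
            # s3:ListBucket on the bucket ARN is what authorizes the HeadBucket call.
            {"Sid": "EnforcementBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{EXPORT_BUCKET}"},
            # Roles-to-assume file: exactly one object, read only.
            {"Sid": "RolesFile", "Effect": "Allow",
             "Action": ["s3:GetObject"], "Resource": ROLES_FILE_ARN},
            # Central Core data sync: only the key created for Axonius.
            {"Sid": "CentralCoreKms", "Effect": "Allow",
             "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KMS_KEY_ARN},
            # Cross-account discovery: only the member-account roles Axonius assumes.
            {"Sid": "RolesToAssume", "Effect": "Allow",
             "Action": ["sts:AssumeRole"], "Resource": MEMBER_ROLE_ARNS},
        ],
    }


def build_overbroad_policy() -> dict:
    """The shortcut the tables warn against: every action allowed on Resource "*"."""
    every_action = FETCH_ACTIONS + ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                                    "kms:GenerateDataKey", "kms:Decrypt", "sts:AssumeRole"]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "Everything", "Effect": "Allow",
                           "Action": every_action, "Resource": "*"}]}


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    for sid, action in lint_policy(build_overbroad_policy()):
        print(f"over-broad: statement {sid} allows {action} on *")
```

The lint deliberately treats s3:GetObject as scope-requiring even though it starts with Get: on "*" it reads every object in every bucket, whereas the tables grant it only for the Enforcement Center bucket and the roles-to-assume file. secretsmanager:GetSecretValue is left out of the must-scope set because the Vault row explicitly permits "*" with resource-based policies on the secrets; add it if your environment prefers identity-side scoping.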