AWS Permissions

These tables summarize permissions that Axonius requires to fetch various AWS resources. Use this information both to enable required permissions, and to only apply necessary permissions.

All permissions are also listed in JSON format under each table. Note that each JSON lists all permissions and resources, so when copying it, ensure to change it according to your needs.

Adapter Fetch Permissions

AWS ServicePermissionsAxonius Setting
API Gateway
  • apigateway:GET
  • Fetch information about API Gateways
API Gateway v2
  • apigateway:GET
  • Fetch information about API Gateways v2
ACM
  • acm:DescribeCertificate
  • acm:ListCertificates
  • Basic fetch
AppStream
  • appstream:DescribeUser*
  • Fetch information about AWS AppStream users
AppStream
  • appstream:DescribeFleets
  • appstream:DescribeStacks
  • appstream:ListAssociatedFleets
  • Fetch information about AWS AppStream devices
Athena
  • athena:ListData*
  • athena:ListQueryExecutions
  • athena:ListTableMetadata
  • Fetch Athena tables as Devices - BETA
Autoscaling
  • autoscaling:DescribeAutoScalingGroups autoscaling:DescribePolicies autoscaling:DescribeAutoScalingInstances
  • Basic Fetch
Backup
  • backup:ListBackupPlans
  • backup:ListBackupVaults
  • Fetch backup plans and vaults
CloudFormation
  • cloudformation:DescribeStacks
  • cloudformation:ListStackSets
  • cloudformation:ListStacks
  • Fetch information about CloudFormation
Cloudfront
  • cloudfront:GetDistribution
  • cloudfront:ListDistributions
  • cloudfront:ListTagsForResource
  • Fetch information about Cloudfront
  • Enrich CloudFront Distributions with tags
Cloudwatch
  • cloudwatch:GetMetricStatistics cloudwatch:DescribeAlarms
  • Disk volume used by Aurora DB from RDS cloudwatch, Fetch CloudWatch Alarms as assets.
Cost Explorer
  • ce:GetCostAndUsage
  • Fetch cost and usage data from AWS Cost Explorer API
Direct Connect
  • directconnect:DescribeConnections
  • directconnect:DescribeLags
  • directconnect:DescribeVirtual*
  • Fetch Direct Connect Data
DynamoDB
  • dynamodb:DescribeGlobalTable*
  • dynamodb:DescribeTable
  • dynamodb:ListGlobalTables
  • dynamodb:ListTa*
  • Fetch information about DynamoDB
EC2
  • ec2:DescribeAddresses
  • ec2:DescribeFlowLogs
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeInstanceStatus
  • ec2:DescribeInternetGateways
  • ec2:DescribeManagedPrefixLists
  • ec2:DescribeNatGateways
  • ec2:DescribeRouteTables
  • ec2:DescribeSnapshotAttribute
  • ec2:DescribeSnapshots
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeTags
  • ec2:DescribeVolumes
  • ec2:DescribeVpcPeeringConnections
  • ec2:DescribeVpcs
  • ec2:DescribeVpnConnections
  • ec2:DescribeCustomerGateways
  • ec2:DescribeTransitGatewayAttachments
  • ec2:DescribeTransitGatewayPeeringAttachments
  • ec2:DescribeTransitGatewayRouteTables
  • ec2:DescribeTransitGateways
  • ec2:DescribeNetworkInterfaces
  • Basic Fetch
  • ec2:DescribeVpnConnections - only required when the Fetch VPNs advanced configuration is turned on.
ECR
  • ecr:DescribeImages
  • ecr:DescribeRegistry
  • ecr:DescribeRepositories
  • ecr-public:DescribeImages
  • ecr-public:DescribeRe*
  • Fetch ECR images as devices
  • Correlate ECR-hosted images with compatible containers
ECS
  • ecs:DescribeClusters
  • ecs:DescribeContainerInstances
  • ecs:DescribeServices
  • ecs:DescribeTasks
  • ecs:ListC*
  • ecs:ListServices
  • ecs:ListTagsForResource
  • ecs:ListTasks
  • Basic Fetch
EKS
  • eks:DescribeCluster*
  • eks:ListClusters
  • Basic Fetch
ELB
  • elasticloadbalancing:DescribeLoadBalancerPolicies elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeSSLPolicies elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:DescribeRules
  • Fetch information about ELB (Elastic Load Balancers)
ELB v2
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:DescribeListeners
  • elasticloadbalancing:DescribeTargetGroups
  • elasticloadbalancing:DescribeRules
  • Fetch information about ELB (Elastic Load Balancers) v2
Elastic Beanstalk
  • elasticbeanstalk:DescribeEnvironments
  • Fetch information about Elastic Beanstalk environments
ElastiCache
  • elasticache:DescribeCacheClusters
  • elasticache:DescribeReplicationGroups
  • elasticache:ListTagsForResource
  • Fetch information about ElastiCache cluster
Elasticsearch
  • es:DescribeElasticsearchDomains
  • es:ListDomainNames
  • Fetch information about Elasticsearch
FSx
  • fsx:DescribeFileSystems
  • Fetch FSx metadata
Globalaccelerator
  • globalaccelerator:List*Accelerators
  • Fetch Global Accelerators
Glue
  • glue:GetDatabases
  • glue:GetTables
  • glue:GetTags
  • Fetch Glue data
  • Enrich Glue Databases with tags
GuardDuty
  • guardduty:GetDetector
  • guardduty:GetFilter
  • guardduty:GetFindings
  • guardduty:GetMembers
  • guardduty:ListDetectors
  • guardduty:ListFi*
  • guardduty:ListMembers
  • Add information about GuardDuty findings to assets
IAM
  • iam:GenerateCredentialReport
  • iam:GenerateServiceLastAccessedDetails
  • iam:GetAccessKeyLastUsed
  • iam:GetAccountPasswordPolicy
  • iam:GetAccountSummary
  • iam:GetCredentialReport
  • iam:GetGroup
  • iam:GetLoginProfile
  • iam:GetPolicy*
  • iam:GetRole*
  • iam:GetServiceLastAccessedDetails
  • iam:GetUser*
  • iam:ListAcc*
  • iam:ListAttached*
  • iam:ListEntitiesForPolicy
  • iam:ListGroups*
  • iam:ListInstanceProfilesForRole
  • iam:ListMFADevices
  • iam:ListPolicies
  • iam:ListRolePolicies
  • iam:ListRoles
  • iam:ListUser*
  • iam:ListVirtualMFADevices
  • Fetch information about IAM Users
  • Fetch IAM roles as users
  • Parse IAM policies
Identity Store
  • identitystore:ListGroups
  • identitystore:ListUsers
  • sso:ListInstances
  • sso:ListPermissionSets
  • sso:ListAccountsForProvisionedPermissionSet
  • sso:ListAccountAssignments
  • identitystore:ListGroupMembershipsForMember
  • Fetch Identity Store users and groups
Inspector
  • inspector:ListFindings
  • inspector:DescribeFindings
  • inspector2:ListFindings
  • inspector2:ListMembers
  • Fetch Inspector Findings
Kinesis
  • kinesis:ListStreams
  • Fetch Kinesis Data Stream
Kinesis Data Analytics
  • kinesisanalytics:DescribeApplication, kinesisanalytics:ListApplications
  • kinesis:DescribeStream
  • Kinesis Data Analytics as devices.
Lambda
  • lambda:GetPolicy
  • lambda:GetFunctionUrlConfig
  • lambda:ListFunctions
  • lambda:ListTags
  • Fetch information about Lambdas
Lightsail
  • lightsail:GetInstances
  • Fetch Lightsail Instances
Macie
  • macie2:GetFindings
  • macie2:ListFindings
  • macie2:ListMembers
  • Fetch information about Macie findings
Organizations - Base
  • organizations:DescribeAccount organizations:DescribeOrganization organizations:ListPoliciesForTarget organizations:ListTagsForResource
  • Basic Fetch
Organizations - Account Name
  • organizations:ListAccounts
  • Required for discovery of member accounts when fetching AWS Organizations
Organizations - Complete
  • organizations:DescribeOrganization organizations:DescribeEffectivePolicy organizations:DescribePolicy
  • Fetch Organizations as assets
Outposts
  • outposts:ListAssets
  • outposts:ListSites
  • outposts:ListOutposts
  • Fetch information about AWS Outposts assets
RDS
  • rds:DescribeDBClusters
  • rds:DescribeDBInstances
  • rds:DescribeOptionGroups
  • rds:DescribePendingMaintenanceActions
  • Fetch information about RDS (Relational Database Service) RDS (Relational Database Service) Instances, Clusters and Global Clusters
Redshift
  • redshift:DescribeClusters
  • Fetch Redshift Clusters as devices
Route53
  • route53:ListHostedZones
  • route53:ListResourceRecordSets
  • route53:ListTagsForResource
  • route53domains:GetDomainDetail
  • route53domains:ListDomains
  • route53resolver:ListResolverRuleAssociations
  • route53resolver:ListResolverRules
  • Fetch information about Route 53
  • Enrich Route 53 Hosted Zones with tags
S3
  • s3:GetAccountPublicAccessBlock
  • s3:GetBucketAcl
  • s3:GetBucketLocation
  • s3:GetBucketLogging
  • s3:GetBucketPolicy
  • s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock
  • s3:GetBucketTagging
  • s3:GetEncryptionConfiguration
  • s3:ListAllMyBuckets
  • s3:ListBucket
  • Fetch information about S3
S3 Outposts
  • outposts:ListOutposts
  • s3-outposts:ListOutpostsWithS3
  • s3-outposts:ListRegionalBuckets
  • Fetch information about S3
  • Fetch information about Outpost as Compute Service Assets
SageMaker
  • sagemaker:ListNotebookInstances
  • sagemaker:DescribeNotebookInstance
  • sagemaker:ListTags
  • Fetch SageMaker notebooks as devices
SecurityHub
  • securityhub:DescribeHub
  • securityhub:GetFindings
  • securityhub:ListMembers securityhub:ListTagsForResource
  • Add information about Security Hub findings to assets
SNS
  • sns:ListSubscriptionsByTopic
  • Fetch SNS topics as devices
Step Functions
  • states:DescribeStateMachine
  • states:ListStateMachines
  • Fetch step functions
Service Catalog
  • servicecatalog:ListPortfolios, servicecatalog:DescribePortfolio
  • Fetch Services Catalog as assets
Secrets Manager
  • secretsmanager:ListSecrets secretsmanager:GetResourcePolicy
  • Fetch information about Secrets Manager
SQS Queues
  • sqs:ListQueues
  • sqs:GetQueueAttributes
  • sqs:ListQueueTags
  • Fetch SQS queues as devices
  • Enrich SQS queues with tags
SSM
  • ssm:DescribeAvailablePatches ssm:DescribeInstanceInformation ssm:DescribeInstancePatches ssm:DescribePatchGroups ssm:GetInventorySchema ssm:ListInventoryEntries ssm:ListResourceComplianceSummaries ssm:ListTagsForResource
  • ssm:DescribeParameters
  • ssm:GetParameter
  • Fetch information about SSM (System Manager)
WAFv1
  • waf:GetWebACL
  • waf:ListWebACLs
  • Add WAF to devices
WAFRegional
  • waf-regional:GetWebACL
  • waf-regional:GetWebACLForResource
  • waf-regional:ListWebACLs
  • Add WAF to devices
WAFv2
  • wafv2:GetWebACL
  • wafv2:GetWebACLForResource
  • wafv2:ListWebACLs
  • Add WAF to devices
Workspaces
  • workspaces:DescribeTags workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces workspaces:DescribeWorkspacesConnectionStatus
  • Fetch information about Workspaces

Adapter Fetch Permissions - JSON

Expand/Collapse
  {
    "Version": "2012-10-17",
    "Statement": [
    	{
    		"Sid": "AdapterFetchPermissions",
    		"Effect": "Allow",
    		"Action": [
    			"acm:DescribeCertificate",
        "acm:ListCertificates",
        "apigateway:GET",
        "appstream:DescribeFleets",
        "appstream:DescribeStacks",
        "appstream:DescribeUser*",
        "appstream:ListAssociatedFleets",
        "athena:ListData*",
        "athena:ListQueryExecutions",
        "athena:ListTableMetadata",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribePolicies",
        "backup:ListBackupPlans",
        "backup:ListBackupVaults",
        "ce:GetCostAndUsage",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackSets",
        "cloudformation:ListStacks",
        "cloudfront:GetDistribution",
        "cloudfront:ListDistributions",
        "cloudfront:ListTagsForResource",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "directconnect:DescribeConnections",
        "directconnect:DescribeLags",
        "directconnect:DescribeVirtual*",
        "dynamodb:DescribeGlobalTable*",
        "dynamodb:DescribeTable",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListTa*",
        "ec2:DescribeAddresses",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeManagedPrefixLists",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:DescribeTransitGatewayRouteTables",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnConnections",
        "ecr-public:DescribeImages",
        "ecr-public:DescribeRe*",
        "ecr:DescribeImages",
        "ecr:DescribeRegistry",
        "ecr:DescribeRepositories",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeServices",
        "ecs:DescribeTasks",
        "ecs:ListC*",
        "ecs:ListServices",
        "ecs:ListTagsForResource",
        "ecs:ListTasks",
        "eks:DescribeCluster*",
        "eks:ListClusters",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeReplicationGroups",
        "elasticache:ListTagsForResource",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "fsx:DescribeFileSystems",
        "globalaccelerator:List*Accelerators",
        "glue:GetDatabases",
        "glue:GetTables",
        "glue:GetTags",
        "guardduty:GetDetector",
        "guardduty:GetFilter",
        "guardduty:GetFindings",
        "guardduty:GetMembers",
        "guardduty:ListDetectors",
        "guardduty:ListFi*",
        "guardduty:ListMembers",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetGroup",
        "iam:GetLoginProfile",
        "iam:GetPolicy*",
        "iam:GetRole*",
        "iam:GetServiceLastAccessedDetails",
        "iam:GetUser*",
        "iam:ListAcc*",
        "iam:ListAttached*",
        "iam:ListEntitiesForPolicy",
        "iam:ListGroups*",
        "iam:ListInstanceProfilesForRole",
        "iam:ListMFADevices",
        "iam:ListPolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListUser*",
        "iam:ListVirtualMFADevices",
        "identitystore:ListGroupMembershipsForMember",
        "identitystore:ListGroups",
        "identitystore:ListUsers",
        "inspector2:ListFindings",
        "inspector2:ListMembers",
        "inspector:DescribeFindings",
        "inspector:ListFindings",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesisanalytics:DescribeApplication",
        "kinesisanalytics:ListApplications",
        "lambda:GetFunctionUrlConfig",
        "lambda:GetPolicy",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "lightsail:GetInstances",
        "macie2:GetFindings",
        "macie2:ListFindings",
        "macie2:ListMembers",
        "organizations:DescribeAccount",
        "organizations:DescribeEffectivePolicy",
        "organizations:DescribeOrganization",
        "organizations:DescribePolicy",
        "organizations:ListAccounts",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTagsForResource",
        "outposts:ListAssets",
        "outposts:ListOutposts",
        "outposts:ListSites",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "rds:DescribeOptionGroups",
        "rds:DescribePendingMaintenanceActions",
        "redshift:DescribeClusters",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "route53domains:GetDomainDetail",
        "route53domains:ListDomains",
        "route53resolver:ListResolverRuleAssociations",
        "route53resolver:ListResolverRules",
        "s3-outposts:ListOutpostsWithS3",
        "s3-outposts:ListRegionalBuckets",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetEncryptionConfiguration",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListTags",
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:ListSecrets",
        "securityhub:DescribeHub",
        "securityhub:GetFindings",
        "securityhub:ListMembers",
        "securityhub:ListTagsForResource",
        "servicecatalog:DescribePortfolio",
        "servicecatalog:ListPortfolios",
        "sns:ListSubscriptionsByTopic",
        "sqs:GetQueueAttributes",
        "sqs:ListQueueTags",
        "sqs:ListQueues",
        "ssm:DescribeAvailablePatches",
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeInstancePatches",
        "ssm:DescribeParameters",
        "ssm:DescribePatchGroups",
        "ssm:GetInventorySchema",
        "ssm:GetParameter",
        "ssm:ListInventoryEntries",
        "ssm:ListResourceComplianceSummaries",
        "ssm:ListTagsForResource",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListInstances",
        "sso:ListPermissionSets",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "waf-regional:GetWebACL",
        "waf-regional:GetWebACLForResource",
        "waf-regional:ListWebACLs",
        "waf:GetWebACL",
        "waf:ListWebACLs",
        "wafv2:GetWebACL",
        "wafv2:GetWebACLForResource",
        "wafv2:ListWebACLs",
        "workspaces:DescribeTags",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspacesConnectionStatus"
      ],
      "Resource": "*"
    }
  ]
}

Enforcement Center Permissions

AWS ServicePermissionsResource ScopeAxonius Setting
S3
  • s3:GetObject
  • s3:PutObject
  • s3:ListAllMyBuckets
  • s3:PutObjectTagging
  • s3:DeleteObject
  • s3:ListBucket
These permissions should be scoped to a bucket/objects that are specifically created for Axonius to write to. Do not scope these permissions to all resources.Enforcement Center Actions that involve sending data to S3. For more information, see the Enforcement Center Action Index
EC2
  • ec2:CreateSnapshot
  • ec2:StartInstances
  • ec2:StopInstances
  • tag:GetResources
  • tag:TagResources
  • tag:UntagResources
  • tag:getTagKeys
  • tag:getTagValues
  • iam:ListUserTags
  • iam:TagUser
  • iam:UntagUser
Enforcement Center Actions that start and stop EC2 instances.
Enforcement Center Actions that manage tags on EC2 instances.
IAM
  • iam:UpdateLoginProfile
  • iam:DeleteUser
  • iam:ListGroupsForUser
  • iam:RemoveUserFromGroup
  • iam:ListAccessKeys
  • iam:DeleteAccessKey
Enforcement Center Actions that manage IAM users.
SSM
  • ssm:CreateAssociation
  • ssm:RegisterTaskWithMaintenanceWindow
Enforcement Center Actions that install and patch software using SSM.

Enforcement Center Permissions - JSON

Expand/Collapse
  {
  "Version": "2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:ListAllMyBuckets",
        "s3:PutObjectTagging",
        "s3:DeleteObject",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "tag:GetResources",
        "tag:TagResources",
        "tag:UntagResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "iam:ListUserTags",
        "iam:TagUser",
        "iam:UntagUser",
        "iam:UpdateLoginProfile",
        "iam:DeleteUser",
        "iam:ListGroupsForUser",
        "iam:RemoveUserFromGroup",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey",
        "ssm:CreateAssociation",
        "ssm:RegisterTaskWithMaintenanceWindow"
      ],
      "Resource":"*"
    }
  ]
  }

Cloud Asset Compliance Permissions

AWS ServicePermissionsResource ScopeAxonius Setting
CloudTrail
  • cloudtrail:DescribeTrails
  • cloudtrail:GetEventSelectors
  • cloudtrail:GetTrailStatus
Axonius Cloud Asset Compliance
Cloudwatch
  • cloudwatch:DescribeAlarmsForMetric
Axonius Cloud Asset Compliance
IAM
  • iam:GenerateCredentialReport
Axonius Cloud Asset Compliance
Config
  • config:DescribeConfigurationRecorderStatus
  • config:DescribeConfigurationRecorders
Axonius Cloud Asset Compliance
Logs
  • logs:DescribeMetricFilters
Axonius Cloud Asset Compliance
KMS
  • kms:ListKeys
Axonius Cloud Asset Compliance
EC2
  • ec2:DescribeInstances
  • ec2:GetEbsEncryptionByDefault
  • ec2:DescribeRouteTables
Axonius Cloud Asset Compliance
RDS
  • rds:DescribeDbInstances
Axonius Cloud Asset Compliance
Elastic File System
  • elasticfilesystem:DescribeFileSystems
Axonius Cloud Asset Compliance
Security Hub
  • DescribeHub
Axonius Cloud Asset Compliance
SNS
  • sns:ListSubscriptionsByTopic
Axonius Cloud Asset Compliance

Cloud Asset Compliance Permissions - JSON

Expand/Collapse
  {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudAssetCompliance",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:DescribeAlarmsForMetric",
        "iam:GenerateCredentialReport",
        "config:DescribeConfigurationRecorderStatus",
        "config:DescribeConfigurationRecorders",
        "logs:DescribeMetricFilters",
        "kms:ListKeys",
        "ec2:DescribeInstances",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:DescribeRouteTables",
        "rds:DescribeDbInstances",
        "elasticfilesystem:DescribeFileSystems",
        "securityhub:DescribeHub",
        "sns:ListSubscriptionsByTopic"
      ],
      "Resource": "*"
    }
  ]
  }

Other Permissions

AWS ServicePermissionsResource ScopeAxonius Setting
S3 – Data Sync (Central Core)
  • kms:GenerateDataKey
  • kms:Decrypt
Needs to be scoped to a specific key store that has been created for Axonius.Central Core
S3 – AssumeRole Fetch
  • s3:GetObject
Specific bucket and object that contains the roles-to-assume file.Advanced Configuration File setting: remote_roles_to_assume
Secrets Manager – Vault
  • secretsmanager:GetSecretValue
Can be scoped to all resources; however, Axonius recommends managing access to secrets within Secrets Manager through resource-based policies.Only needed if using AWS Secrets Manager as a Vault.
SSM
  • ssm:CreateAssociation
  • ssm:RegisterTaskWithMaintenanceWindow
EC Action for Install Software and Patches Instances
STS
  • sts:AssumeRole
Should be scoped to roles utilized by Axonius as a part of our Roles-to-Assume / Organizations Discovery implementation.Roles to Assume

Other Permissions - JSON

Expand/Collapse
  {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OtherPermissions",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "s3:GetObject",
        "secretsmanager:GetSecretValue",
        "ssm:CreateAssociation",
        "ssm:RegisterTaskWithMaintenanceWindow",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
  }