Enabling Permissions for CloudCheckr

As CloudCheckr adds support for additional inventory and utilization reporting around new AWS Services you may find that the IAM policy you are using for CloudCheckr needs to be updated.

In these instances, CloudCheckr will notify you in the top-right corner of your account with the services it does not have permissions to check.

You can follow the steps outlined below to add support for these missing services. You can find the needed policy, per service, at the bottom of this page.

NOTE: This does not impact billing reporting, only Inventory and Utilization.

Enabling Services for use with CloudCheckr

Step 1:

Log in to your Amazon Web Services Management Console.


Step 2:

Load the Identity and Access Management (IAM) Dashboard.


Step 3:

On the Left-hand IAM menu, click Roles, then search for the Role that contains your CloudCheckr policy.


Step 4:

Scroll down to permissions and locate the policy you have attached and select ‘Edit Policy’.

Note: If you are only using the default AWS ReadOnly policy, you'll need to create another policy to house these extra permissions, as detailed here; AWS doesn't allow you to modify their ReadOnly policy.


Step 5:

Add the desired permissions and select ‘Apply Policy’.


And that’s it! Your permissions are now added and the next time your reports are updated, CloudCheckr will have access to that service.

Below we have added the full list of permissions, separated by AWS service for your convenience. Simply locate the permission you wish to add, copy the permissions and follow the steps above to paste them into your policy. If you would like the complete CloudCheckr Read Only policy, visit our Complete Policy for CloudCheckr page.
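The per-service lists below are bare action strings; where they go in the policy document matters. As an added example (not CloudCheckr's code or part of this page), the Python below merges a few of those fragments into an existing policy's "Resource": "*" statement, puts CloudWatch Logs in its own statement because that fragment comes with a different Resource, and reports which actions an existing wildcard such as ec2:Describe* already grants, so the EC2/VPC list adds nothing when the EC2 list is present. The starting policy, the statement Sids and the choice of services are constructed for illustration.

```python
import copy
import fnmatch
from typing import Dict, List, Optional

# A subset of the per-service fragments listed on this page, as Python lists.
PAGE_FRAGMENTS: Dict[str, List[str]] = {
    "EC2": ["ec2:Describe*", "ec2:GetConsoleOutput"],
    "EC2/VPC": ["ec2:DescribeVpcs", "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcPeeringConnections", "ec2:DescribeFlowLogs",
                "ec2:DescribeVpcEndpoints", "ec2:DescribeNatGateways"],
    "CloudWatch": ["cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics",
                   "cloudwatch:ListMetrics"],
    "Lambda": ["lambda:ListFunctions"],
}

# The CloudWatch Logs fragment is the one on this page with its own Resource,
# so it belongs in a separate statement rather than the "*" one.
LOGS_FRAGMENT = ["logs:GetLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"]
LOGS_RESOURCE = "arn:aws:logs:*:*:*"

# Constructed stand-in for the customer-managed policy already attached to the
# CloudCheckr role (the policy opened in Step 4). Not a real CloudCheckr policy.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudCheckrReadOnly",
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:GetConsoleOutput", "cloudwatch:ListMetrics"],
        "Resource": "*",
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively and '*' matches any run
    # of characters, which is exactly fnmatch's '*' once both sides are lowered.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def covered_by(actions: List[str], action: str) -> bool:
    """True if `action` is already granted by an explicit entry or a wildcard."""
    return any(_action_matches(existing, action) for existing in actions)


def find_statement(policy: dict, resource: str) -> Optional[dict]:
    """Return the Allow statement scoped to exactly `resource`, if one exists."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") == resource:
            return stmt
    return None


def add_actions(policy: dict, actions: List[str], resource: str = "*",
                sid: str = "CloudCheckrAdded") -> List[str]:
    """Merge `actions` into the Allow statement for `resource`, creating the
    statement if needed. Returns only the actions that were actually added."""
    stmt = find_statement(policy, resource)
    if stmt is None:
        stmt = {"Sid": sid, "Effect": "Allow", "Action": [], "Resource": resource}
        policy["Statement"].append(stmt)
    if isinstance(stmt["Action"], str):          # a lone string is legal in IAM
        stmt["Action"] = [stmt["Action"]]
    added = []
    for action in actions:
        if not covered_by(stmt["Action"], action):
            stmt["Action"].append(action)
            added.append(action)
    return added


def enable_services(policy: dict, service_names: List[str]) -> Dict[str, dict]:
    """Apply this page's fragment for each named service; report per service
    what was added and what an existing entry or wildcard already covered."""
    report = {}
    for name in service_names:
        fragment = PAGE_FRAGMENTS[name]
        added = add_actions(policy, fragment)
        report[name] = {"added": added,
                        "already_covered": [a for a in fragment if a not in added]}
    return report


def build_updated_policy():
    """Worked run: enable four services plus CloudWatch Logs on a copy of the
    constructed starting policy. Returns (policy, report)."""
    policy = copy.deepcopy(EXISTING_POLICY)
    report = enable_services(policy, ["EC2", "EC2/VPC", "CloudWatch", "Lambda"])
    report["CloudWatch Logs"] = {
        "added": add_actions(policy, LOGS_FRAGMENT, LOGS_RESOURCE, "CloudCheckrLogs")}
    return policy, report


if __name__ == "__main__":
    import json
    updated, summary = build_updated_policy()
    print(json.dumps(updated, indent=2))
    for service, detail in summary.items():
        print(f"{service}: {detail}")
```

Running it shows the EC2/VPC list adding nothing (ec2:Describe* already covers every entry), CloudWatch adding only the two actions the starting policy lacked, and a second statement appearing with the logs ARN as its Resource. The same merge function works for any other fragment on this page; only CloudWatch Logs needs the `resource` argument.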



AWS Certificate Manager

"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",

Autoscaling

"autoscaling:Describe*",

CloudFormation

"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",

CloudFront

"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",

CloudHSM

"cloudhsm:Describe*",
"cloudhsm:List*",

CloudSearch

"cloudsearch:DescribeDomains",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudsearch:DescribeStemmingOptions",
"cloudsearch:DescribeStopwordOptions",
"cloudsearch:DescribeSynonymOptions",
"cloudsearch:DescribeDefaultSearchField",
"cloudsearch:DescribeIndexFields",
"cloudsearch:DescribeRankExpressions",

CloudTrail

"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",

CloudWatch

"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",

CloudWatch Logs

"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",

For Resource, use the following:

"arn:aws:logs:*:*:*"

AWS Config

"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeDeliveryChannels",
"config:DescribeDeliveryChannelStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",

Data Pipeline

"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:DescribePipelines",

DirectConnect

"directconnect:DescribeLocations",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",

DynamoDB

"dynamodb:ListTables",
"dynamodb:DescribeTable",

EC2

In order for CloudCheckr to work correctly you MUST have EC2 permissions attached to the AWS group which holds the user whose credentials you used to configure the application. Without the following permissions, your billing collectors will not run and you will not receive accurate data. The following permissions are required:

"ec2:Describe*",
"ec2:GetConsoleOutput",

EC2/VPC

"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeFlowLogs",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeNatGateways",

EC2 Container Service (ECS)

"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListTasks",
"ecs:DescribeTasks",

ElastiCache

"elasticache:DescribeCacheClusters",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeCacheSubnetGroups",

Elastic Beanstalk

"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",

Elastic File System

"elasticfilesystem:Describe*",

Elastic Load Balancing

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancerAttributes",

Elastic MapReduce

"elasticmapreduce:DescribeJobFlows",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeTags",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",

Elasticsearch

"es:ListDomainNames",
"es:DescribeElasticsearchDomains",

Glacier

"glacier:List*",
"glacier:DescribeVault",
"glacier:GetVaultNotifications",
"glacier:DescribeJob",
"glacier:GetJobOutput",

Identity Access Management (IAM)

"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",

Internet of Things (IoT)

"iot:DescribeThing",
"iot:ListThings",

Key Management Service

"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeys",
"kms:ListKeyPolicies",

Kinesis

"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",

Lambda

"lambda:ListFunctions",

RDS

"rds:DescribeReservedDBInstances",
"rds:DescribeDBInstances",
"rds:DescribeDBSubnetGroups",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshots",
"rds:DescribeEvents",
"rds:DescribeEventSubscriptions",
"rds:DescribeDBEngineVersions",
"rds:DescribeOptionGroups",
"rds:ListTagsForResource",

Redshift

"redshift:Describe*",
"redshift:ViewQueriesInConsole",

Route 53

"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",

S3

"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObject",
"s3:GetObjectMetadata",
"s3:List*",

SDB

"sdb:ListDomains",
"sdb:DomainMetadata",

Simple Email Service (SES)

"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",

SNS

"sns:GetSnsTopic",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",

SQS

"sqs:ListQueues",
"sqs:GetQueueAttributes",

Storage Gateway

"storagegateway:Describe*",
"storagegateway:List*",

AWS Support and Trusted Advisor

In order for CloudCheckr to be able to access your AWS support charges and information as well as your Trusted Advisor information, you need to add the following permissions to your policy:

"support:*",

Simple Workflow

"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListActivityTypes",
"swf:ListWorkflowTypes",

Workspaces

"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaces"