Enable Permissions for Best Practice Checks

This page lists the IAM permissions required by each Best Practice Check (BPC) that offers a Fix Now button. Rather than reviewing each issue in the BPC list to work out which permissions are missing, you can copy the required IAM permissions for a selected BPC and paste them into your secondary policy so that your account is compliant.

See Also: Enabling New Service Permissions for CloudCheckr

EBS Volumes Without a Snapshot

"ec2:StopInstances",
"ec2:CreateSnapshot",
"ec2:StartInstances",

Password Policy Minimum Length Too Short

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

IAM Password Policy Disabled

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

Password Policy Does Not Require Lowercase Letter

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

Password Policy Does Not Require Non-Alphanumeric Character

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

Password Policy Does Not Require Number

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

Password Policy Does Not Require Uppercase Letter

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

S3 Buckets With 'List' Permission Set to Everyone

"s3:GetACL",
"s3:PutACL",

S3 Buckets With 'Upload/Delete' Permission Set to Everyone

"s3:GetACL",
"s3:PutACL",

S3 Buckets With 'View Permissions' Permission Set to Everyone

"s3:GetACL",
"s3:PutACL",

S3 Buckets With 'Edit Permissions' Permission Set to Everyone

"s3:GetACL",
"s3:PutACL",

EC2-Classic Security Groups Inbound Rules Allowing Traffic from Broad IP Ranges

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

Under-Utilized EC2 Instances

"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceAttribute",
"ec2:StopInstances",
"ec2:ModifyInstanceAttribute",
"ec2:StartInstances",

Over-Utilized EC2 Instances

"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceAttribute",
"ec2:StopInstances",
"ec2:ModifyInstanceAttribute",
"ec2:StartInstances",

EBS Volumes with No Recent Snapshots (7 Days)

"ec2:StopInstances",
"ec2:CreateSnapshot",
"ec2:StartInstances",

EBS Volumes with No Recent Snapshots (30 Days)

"ec2:StopInstances",
"ec2:CreateSnapshot",
"ec2:StartInstances",

EC2-Classic Security Groups Inbound Rules with Dangerous Ports Exposed

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules with Potentially Dangerous Ports Exposed

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules Allowing Traffic from All IPs and All Ports

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EBS Volumes with Excessive Snapshots

"ec2:DescribeSnapshots",
"ec2:DeleteSnapshot",

CloudTrail Unauthorized Access Attempts

"iam:DeleteUser",
"iam:ListUserPolicies",
"iam:DeleteUserPolicy",
"iam:ListGroupsForUser",
"iam:RemoveUserFromGroup",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",

S3 Buckets that Allow Everyone Access to CloudTrail Log Files

"s3:GetACL",
"s3:PutACL",

S3 Buckets that Allow Everyone Access to S3 Log Files

"s3:GetACL",
"s3:PutACL",

Regions Without AWS Config Enabled

"awsConfig:PutConfigurationRecorder",
"awsConfig:PutDeliveryChannel",

Publicly Accessible RDS DB Instances

"rds:ModifyDBInstance",

EC2-Classic Security Groups Inbound Rules Allowing Traffic from Any IP Address

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Set to All Ports

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Allowing Traffic from Any IP Address

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Set to All IPs and All Ports

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules with Potentially Dangerous Ports Exposed

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules with Dangerous Ports Exposed

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Allowing Traffic from Broad IP Ranges

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

S3 Buckets With 'Edit Permission' Permission Set to Authenticated Users

"s3:GetACL",
"s3:PutACL",

S3 Buckets With 'View Permissions' Permission Set to Authenticated Users

"s3:GetACL",
"s3:PutACL",

S3 Buckets with Any Permission Set to Authenticated Users

"s3:GetACL",
"s3:PutACL",

S3 Buckets with 'Upload/Delete' Permission Set to Authenticated User

"s3:GetACL",
"s3:PutACL",

S3 Buckets with 'List' Permission Set to Authenticated Users

"s3:GetACL",
"s3:PutACL",

SNS Topic with Permission Set to Everyone

"sns:RemovePermission",

SQS Queue with Permission Set to Everyone

"sqs:RemovePermission",

S3 Buckets that Allow Authenticated Users to Access CloudTrail Log Files

"s3:GetACL",
"s3:PutACL",

S3 Buckets that Allow Authenticated Users to Access S3 Log Files

"s3:GetACL",
"s3:PutACL",

Enable Password Expiration

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

Prevent Password Reuse

"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy",

EC2-Classic Security Groups Inbound Rules Set to All IPs and All Ports

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

Publicly Accessible RDS DB Instances with Open Security Group

"rds:ModifyDBInstance",

EC2-Classic Security Groups Inbound Rules Allowing Traffic from Broad IP Ranges (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules Set to All Ports (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules with Dangerous Ports Exposed (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules with Potentially Dangerous Ports Exposed (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules Allowing Traffic from All IPs and All Ports (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules Allowing Traffic from Any IP Address (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules Set to All IPs and All Ports (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Set to All Ports (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Allowing Traffic from Any IP Address (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Set to All IPs and All Ports (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules with Potentially Dangerous Ports Exposed (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules with Dangerous Ports Exposed (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules Allowing Traffic from Broad IP Ranges (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules with Specific Ports Exposed from Any IP Address

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-Classic Security Groups Inbound Rules with Specific Ports Exposed from Any IP Address (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules with Specific Ports Exposed from Any IP Address

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

EC2-VPC Security Groups Inbound Rules with Specific Ports Exposed from Any IP Address (No Resources)

"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",

Redis Cache with a Non-SSL Port Enabled

"iam:MicrosoftCacheWrite",

Multi-Region CloudTrail Enabled

"cloudtrail:CreateTrail",
"cloudtrail:StartLogging",
"cloudtrail:DescribeTrail",
"cloudtrail:GetTrailStatus",
"cloudtrail:UpdateTrail",