Complete IAM Policy

To give your CloudCheckr account the permissions it needs for visibility into your AWS deployment, you have a few options. You can use the ReadOnly policy from AWS together with a small additional policy, or you can use our Complete CloudCheckr IAM Policy as detailed on this page.

Over time, as AWS adds new services, CloudCheckr will notify you in the top-right corner of your account of any services it does not have permission to check. These notifications also include instructions for adding the individual permissions, which you can follow. Alternatively, you can use the list below, which provides a breakdown of each AWS IAM permission CloudCheckr needs to fully report on your AWS deployment.

If you have any questions about this, or need assistance adding these permissions in AWS, please contact support@cloudcheckr.com.

You can download the full IAM policy here, or copy it from below.

IMPORTANT: This policy must be added to an IAM Group within AWS; it contains too many characters to be attached directly to a user.

Updated on 2017-08-08

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullPolicy",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate",
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudfront:List*",
                "cloudfront:GetDistributionConfig",
                "cloudfront:GetStreamingDistributionConfig",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "cloudsearch:Describe*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:DescribeConfigRules",
                "config:GetComplianceDetailsByConfigRule",
                "config:Describe*",
                "datapipeline:ListPipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:DescribePipelines",
                "directconnect:DescribeLocations",
                "directconnect:DescribeConnections",
                "directconnect:DescribeVirtualInterfaces",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "ec2:Describe*",
                "ec2:GetConsoleOutput",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "elasticache:Describe*",
                "elasticbeanstalk:Describe*",
                "elasticfilesystem:Describe*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:ListSteps",
                "elasticmapreduce:ListInstanceGroups",
                "elasticmapreduce:ListBootstrapActions",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "es:ListDomainNames",
                "es:DescribeElasticsearchDomains",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "iam:Get*",
                "iam:List*",
                "iot:DescribeThing",
                "iot:ListThings",
                "iam:GenerateCredentialReport",
                "kinesis:ListStreams",
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "lambda:ListFunctions",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "redshift:ViewQueriesInConsole",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "s3:GetBucketACL",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetBucketNotification",
                "s3:GetLifecycleConfiguration",
                "s3:GetNotificationConfiguration",
                "s3:GetObject",
                "s3:GetObjectMetadata",
                "s3:List*",
                "s3:GetAcl",
                "s3:PutAcl",
                "ses:ListIdentities",
                "ses:GetSendStatistics",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "sdb:ListDomains",
                "sdb:DomainMetadata",
                "support:*",
                "swf:ListClosedWorkflowExecutions",
                "swf:ListDomains",
                "swf:ListActivityTypes",
                "swf:ListWorkflowTypes",
                "sns:GetSnsTopic",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "ssm:ListResourceDataSync",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}
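Before attaching a third-party policy of this size, it is worth checking two things mechanically: that the document is valid JSON (IAM rejects single-quoted keys like those that sometimes survive copy-and-paste), and which of the allowed actions are not plain Describe/Get/List reads. The script below is an added example, not CloudCheckr's code; it audits a constructed sample policy that uses the same shape as the one on this page, flags service wildcards (such as support:*) and write-style verbs (such as s3:PutAcl), and reports whether the whitespace-stripped character count fits the IAM inline-policy quotas for a user, group and role (2048, 5120 and 10240 characters; IAM does not count whitespace). The read-only verb prefixes and the quota table are this example's own assumptions, not part of the page.

```python
import json
import re

# Assumed classification: verbs starting with these prefixes are treated as read-only;
# everything else (Put, Delete, Create, ...) is reported as a write action.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "View", "Generate")

# IAM inline-policy character quotas (whitespace excluded) per principal type.
INLINE_LIMITS = {"user": 2048, "group": 5120, "role": 10240}

# Constructed sample policy: a small subset in the same shape as the page's policy,
# deliberately including one write verb and one service wildcard.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullPolicy",
      "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "s3:PutAcl",
                 "support:*", "iam:GenerateCredentialReport"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsSpecific",
      "Effect": "Allow",
      "Action": ["logs:GetLogEvents"],
      "Resource": ["arn:aws:logs:*:*:*"]
    }
  ]
}"""


def is_valid_json(document: str) -> bool:
    """True if IAM would at least parse the document (double-quoted keys and strings)."""
    try:
        json.loads(document)
        return True
    except ValueError:
        return False


def policy_size(document: str) -> int:
    """Character count the way IAM applies inline quotas: whitespace is not counted."""
    return len(re.sub(r"\s", "", document))


def iter_allow_actions(policy: dict):
    """Yield (Sid, action) pairs for every Allow statement; Action may be a string or list."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            yield stmt.get("Sid", "<no Sid>"), action


def classify_action(action: str) -> str:
    """'wildcard' for service:* or *, 'read' for read-only verb prefixes, else 'write'."""
    service, _, verb = action.partition(":")
    if service == "*" or verb == "*":
        return "wildcard"
    if verb.startswith(READ_ONLY_PREFIXES):
        return "read"
    return "write"


def audit_policy(document: str) -> dict:
    """Summarise non-read actions and quota fit for a policy document string."""
    policy = json.loads(document)  # raises ValueError on invalid JSON
    findings = {"wildcard": [], "write": []}
    for sid, action in iter_allow_actions(policy):
        kind = classify_action(action)
        if kind != "read":
            findings[kind].append(f"{sid}: {action}")
    size = policy_size(document)
    findings["size"] = size
    findings["fits_inline"] = {who: size <= limit for who, limit in INLINE_LIMITS.items()}
    return findings


if __name__ == "__main__":
    # Single-quoted copy: IAM would reject it, so the audit refuses it too.
    print("single-quoted copy valid:", is_valid_json(SAMPLE_POLICY.replace('"', "'")))
    for key, value in audit_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

To audit the full policy from this page, save it to a file and pass the file contents to audit_policy in place of SAMPLE_POLICY. On the page's policy the write list will contain s3:PutAcl and the wildcard list support:*; whether those are acceptable for your account is a decision to make before attaching the policy, and the size report tells you which principal types can hold it inline.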