Complete IAM Policy

Introduction

CloudCheckr has updated its least privilege policies to offer a more controlled method for managing permissions in your AWS account.

To ensure that users only have access to a discrete set of permissions, you can now enable permissions by categories that correspond to one of the core areas of functionality within our application:

  • Cost
  • Billing
  • Security/Compliance
  • Inventory
  • CloudWatch Flow Logs
  • CloudTrail

Using the New Policies

CloudCheckr CloudFormation Stack

The recommended method to use the CloudCheckr policies is via our CloudFormation stack.

  • With this CloudFormation stack, you automatically create a cross-account role that provides least privilege access to CloudCheckr.
  • You will have the option to choose all policy categories or just the specific categories you want.

See the topic on Creating AWS Credentials with CloudFormation.

You can download a JSON containing the CloudFormation stack here or click the expand below to copy the policy:

CloudFormation Stack

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Metadata":{
		"AWS::CloudFormation::Interface":{
			"ParameterGroups":[
				{
					"Label":{"default":"IAM Role"},
					"Parameters":["ExternalAccount","ExternalId"]
				},
				{
					"Label":{"default":"Inventory"},
					"Parameters":["InventoryAndUtilzation"]
				},
				{
					"Label":{"default":"Billing"},
					"Parameters":["CostPermissions","BillingBucket"]
				},
				{
					"Label":{"default":"Security"},
					"Parameters":["Security","CloudTrailBucket"]
				},
				{
					"Label":{"default":"CloudWatch Flow Logs"},
					"Parameters":["CloudWatchFlowLogs"]
				}
			]
		}
	},
	"Parameters": {
		"ExternalId":{
			"Type":"String",
			"Description":"CloudCheckr External ID"
		},
		"ExternalAccount":{
			"Type":"String",
			"Default":"352813966189",
			"Description":"CloudCheckr Account"
		},
		"Security":{
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process security data?",
			"AllowedValues": ["True", "False"]
		},
		"InventoryAndUtilzation":{
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process inventory and utilization data?",
			"AllowedValues": ["True", "False"]
		},
		"CostPermissions": {
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process billing data?",
			"AllowedValues": ["True", "False"]
		},
		"BillingBucket":{
			"Type":"String",
			"Description":"AWS Detailed Billing Report Bucket"
		},
		"CloudTrailBucket":{
			"Type":"String",
			"Description":"AWS CloudTrail Bucket"
		},
		"CloudWatchFlowLogs":{
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process CloudWatch Flow Logs data?",
			"AllowedValues": ["True", "False"]
		}
	},
	"Conditions": {
		"IncludeCost": {"Fn::Equals": [{"Ref": "CostPermissions"}, "True"]},
		"IncludeInventory": {"Fn::Equals": [{"Ref": "InventoryAndUtilzation"}, "True"]},
		"IncludeSecurity": {"Fn::Equals": [{"Ref": "Security"}, "True"]},
		"IncludeFlowLogs": {"Fn::Equals": [{"Ref": "CloudWatchFlowLogs"}, "True"]},
		"IncludeCloudTrailBucket": {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "CloudTrailBucket"}]}]},
		"IncludeBillingBucket": {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "BillingBucket"}]}]}
	},
	"Resources": {
		"IamRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [{
						"Effect": "Allow",
						"Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${ExternalAccount}:root"}},
						"Action": "sts:AssumeRole",
						"Condition": {
							"StringEquals": {
								"sts:ExternalId": {
									"Ref": "ExternalId"
								}
							}
						}
					}]
				}
			}
		},
		"CloudWatchFlowLogsPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeFlowLogs",
			"DependsOn":"IamRole",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-CloudWatchFlowLogs-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"CloudWatchLogsSpecific",
						"Effect":"Allow",
						"Action":[
							"logs:GetLogEvents",
							"logs:DescribeLogGroups",
							"logs:DescribeLogStreams"
						],
						"Resource":[
							"arn:aws:logs:*:*:*"
						]
					}]
				}
			}
		},
		"CloudTrailPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeCloudTrailBucket",
			"DependsOn":"IamRole",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-CloudTrail-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid": "CloudTrailPermissions",
						"Effect": "Allow",
						"Action": [
							"s3:GetBucketACL",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketPolicy",
							"s3:GetBucketTagging",
							"s3:GetBucketWebsite",
							"s3:GetBucketNotification",
							"s3:GetLifecycleConfiguration",
							"s3:GetNotificationConfiguration",
							"s3:GetObject",
							"s3:GetObjectMetadata",
							"s3:List*"
						],
						"Resource": [
							{"Fn::Sub":"arn:aws:s3:::${CloudTrailBucket}"},
							{"Fn::Sub":"arn:aws:s3:::${CloudTrailBucket}/*"}
						]
					}]
				}
			}
		},
		"SecurityPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeSecurity",
			"DependsOn":"IamRole",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-Security-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid": "SecurityPermissons",
						"Effect":"Allow",
						"Action":[
								"acm:DescribeCertificate",
								"acm:ListCertificates",
								"acm:GetCertificate",
								"cloudtrail:DescribeTrails",
								"cloudtrail:GetTrailStatus",
								"logs:GetLogEvents",
								"logs:DescribeLogGroups",
								"logs:DescribeLogStreams",
								"config:DescribeConfigRules",
								"config:GetComplianceDetailsByConfigRule",
								"config:DescribeDeliveryChannels",
								"config:DescribeDeliveryChannelStatus",
								"config:DescribeConfigurationRecorders",
								"config:DescribeConfigurationRecorderStatus",
								"ec2:Describe*",
								"iam:Get*",
								"iam:List*",
								"iam:GenerateCredentialReport",
								"kms:DescribeKey",
								"kms:GetKeyPolicy",
								"kms:GetKeyRotationStatus",
								"kms:ListAliases",
								"kms:ListGrants",
								"kms:ListKeys",
								"kms:ListKeyPolicies",
								"kms:ListResourceTags",
								"rds:Describe*",
								"ses:ListIdentities",
								"ses:GetSendStatistics",
								"ses:GetIdentityDkimAttributes",
								"ses:GetIdentityVerificationAttributes",
								"ses:GetSendQuota",
								"sns:GetSnsTopic",
								"sns:GetTopicAttributes",
								"sns:GetSubscriptionAttributes",
								"sns:ListTopics",
								"sns:ListSubscriptionsByTopic",
								"sqs:ListQueues",
								"sqs:GetQueueAttributes"
							],
						"Resource": "*"
					}]
				}
			}
		},
		"InventoryPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeInventory",
			"DependsOn":"IamRole",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-Inventory-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"InventoryAndUtilization",
						"Effect":"Allow",
						"Action":[
							"acm:DescribeCertificate",
							"acm:ListCertificates",
							"acm:GetCertificate",
							"ec2:Describe*",
							"ec2:GetConsoleOutput",
							"cloudformation:DescribeStacks",
							"cloudformation:GetStackPolicy",
							"cloudformation:GetTemplate",
							"cloudformation:ListStackResources",
							"cloudfront:List*",
							"cloudfront:GetDistributionConfig",
							"cloudfront:GetStreamingDistributionConfig",
							"cloudhsm:Describe*",
							"cloudhsm:List*",
							"cloudsearch:Describe*",
							"cloudtrail:DescribeTrails",
							"cloudtrail:GetTrailStatus",
							"cloudwatch:DescribeAlarms",
							"cloudwatch:GetMetricStatistics",
							"cloudwatch:ListMetrics",
							"config:DescribeConfigRules",
							"config:GetComplianceDetailsByConfigRule",
							"config:Describe*",
							"datapipeline:ListPipelines",
							"datapipeline:GetPipelineDefinition",
							"datapipeline:DescribePipelines",
							"directconnect:DescribeLocations",
							"directconnect:DescribeConnections",
							"directconnect:DescribeVirtualInterfaces",
							"dynamodb:ListTables",
							"dynamodb:DescribeTable",
							"dynamodb:ListTagsOfResource",
							"ecs:ListClusters",
							"ecs:DescribeClusters",
							"ecs:ListContainerInstances",
							"ecs:DescribeContainerInstances",
							"ecs:ListServices",
							"ecs:DescribeServices",
							"ecs:ListTaskDefinitions",
							"ecs:DescribeTaskDefinition",
							"ecs:ListTasks",
							"ecs:DescribeTasks",
							"ssm:ListResourceDataSync",
							"ssm:ListAssociations",
							"ssm:ListDocumentVersions",
							"ssm:ListDocuments",
							"ssm:ListInstanceAssociations",
							"ssm:ListInventoryEntries",
							"elasticache:Describe*",
							"elasticache:List*",
							"elasticbeanstalk:Describe*",
							"elasticfilesystem:DescribeFileSystem",
							"elasticfilesystem:DescribeTags",
							"elasticloadbalancing:Describe*",
							"elasticmapreduce:Describe*",
							"elasticmapreduce:List*",
							"es:ListDomainNames",
							"es:DescribeElasticsearchDomains",
							"glacier:ListTagsForVault",
							"glacier:DescribeVault",
							"glacier:GetVaultNotifications",
							"glacier:DescribeJob",
							"glacier:GetJobOutput",
							"glacier:ListJobs",
							"glacier:ListVaults",
							"iam:Get*",
							"iam:List*",
							"iam:GenerateCredentialReport",
							"iot:DescribeThing",
							"iot:ListThings",
							"kms:DescribeKey",
							"kms:GetKeyPolicy",
							"kms:GetKeyRotationStatus",
							"kms:ListAliases",
							"kms:ListGrants",
							"kms:ListKeys",
							"kms:ListKeyPolicies",
							"kms:ListResourceTags",
							"kinesis:ListStreams",
							"kinesis:DescribeStream",
							"kinesis:GetShardIterator",
							"kinesis:GetRecords",
							"lambda:ListFunctions",
							"lambda:ListTags",
							"Organizations:List*",
							"Organizations:Describe*",
							"rds:Describe*",
							"rds:List*",
							"redshift:Describe*",
							"route53:ListHealthChecks",
							"route53:ListHostedZones",
							"route53:ListResourceRecordSets",
							"s3:GetBucketACL",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketPolicy",
							"s3:GetBucketTagging",
							"s3:GetBucketWebsite",
							"s3:GetBucketNotification",
							"s3:GetLifecycleConfiguration",
							"s3:GetNotificationConfiguration",
							"s3:GetObjectMetadata",
							"s3:List*",
							"sdb:ListDomains",
							"sdb:DomainMetadata",
							"ses:ListIdentities",
							"ses:GetSendStatistics",
							"ses:GetIdentityDkimAttributes",
							"ses:GetIdentityVerificationAttributes",
							"ses:GetSendQuota",
							"sns:GetSnsTopic",
							"sns:GetTopicAttributes",
							"sns:GetSubscriptionAttributes",
							"sns:ListTopics",
							"sns:ListSubscriptionsByTopic",
							"sqs:ListQueues",
							"sqs:GetQueueAttributes",
							"storagegateway:Describe*",
							"storagegateway:List*",
							"support:*",
							"swf:ListClosedWorkflowExecutions",
							"swf:ListDomains",
							"swf:ListActivityTypes",
							"swf:ListWorkflowTypes",
							"workspaces:DescribeWorkspaceDirectories",
							"workspaces:DescribeWorkspaceBundles",
							"workspaces:DescribeWorkspaces"
						],
						"Resource":"*"
					}]
				}
			}
		},
		"DbrPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeBillingBucket",
			"DependsOn":"IamRole",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-DBR-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"CostReadDBR",
						"Effect":"Allow",
						"Action":[
							"s3:GetBucketACL",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketPolicy",
							"s3:GetBucketTagging",
							"s3:GetBucketWebsite",
							"s3:GetBucketNotification",
							"s3:GetLifecycleConfiguration",
							"s3:GetNotificationConfiguration",
							"s3:GetObject",
							"s3:GetObjectMetadata"
						],
						"Resource":[
							{"Fn::Sub":"arn:aws:s3:::${BillingBucket}"},
							{"Fn::Sub":"arn:aws:s3:::${BillingBucket}/*"}
						]
					}]
				}
			}
		},
		"CostPolicy": {
			"Type": "AWS::IAM::Policy",
			"Condition": "IncludeCost",
			"DependsOn":"IamRole",
			"Properties": {
				"PolicyName": "CloudCheckr-Cost-Policy",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [{
							"Sid": "CloudCheckrCostPermissions",
							"Action": [
								"ec2:DescribeAccountAttributes",
								"ec2:DescribeAvailabilityZones",
								"ec2:DescribeReservedInstancesOfferings",
								"ec2:DescribeReservedInstances",
								"ec2:DescribeReservedInstancesListings",
								"ec2:DescribeHostReservationOfferings",
								"ec2:DescribeReservedInstancesModifications",
								"ec2:DescribeHostReservations",
								"ec2:DescribeInstances",
								"ec2:DescribeInstanceStatus",
								"ec2:DescribeRegions",
								"ec2:DescribeKeyPairs",
								"ec2:DescribePlacementGroups",
								"ec2:DescribeAddresses",
								"ec2:DescribeSpotInstanceRequests",
								"ec2:DescribeImages",
								"ec2:DescribeImageAttribute",
								"ec2:DescribeSnapshots",
								"ec2:DescribeVolumes",
								"ec2:DescribeTags",
								"ec2:DescribeNetworkInterfaces",
								"ec2:DescribeSecurityGroups",
								"ec2:DescribeInstanceAttribute",
								"ec2:DescribeVolumeStatus",
								"elasticache:DescribeReservedCacheNodes",
								"elasticache:DescribeReservedCacheNodesOfferings",
								"rds:DescribeReservedDBInstances",
								"rds:DescribeReservedDBInstancesOfferings",
								"rds:DescribeDBInstances",
								"redshift:DescribeReservedNodes",
								"redshift:DescribeReservedNodeOfferings",
								"s3:GetBucketACL",
								"s3:GetBucketLocation",
								"s3:GetBucketLogging",
								"s3:GetBucketPolicy",
								"s3:GetBucketTagging",
								"s3:GetBucketWebsite",
								"s3:GetBucketNotification",
								"s3:GetLifecycleConfiguration",
								"s3:GetNotificationConfiguration",
								"s3:GetObjectMetadata",
								"s3:List*",
								"dynamodb:DescribeReservedCapacity",
								"dynamodb:DescribeReservedCapacityOfferings",
								"iam:GetAccountAuthorizationDetails",
								"iam:ListRolePolicies",
								"iam:ListAttachedRolePolicies"
							],
							"Effect": "Allow",
							"Resource": "*"
						}]
					},
					"Roles":[{"Ref":"IamRole"}]
				}
			}
		},
		"Outputs": {
			"RoleArn":{
				"Description":"ARN of the IAM Role",
				"Value":{"Fn::GetAtt":["IamRole","Arn"]}
			}
		}
	}

Manual Role Creation

Besides the CloudFormation stack method, you can create a cross-account role manually and attach any of the least privilege policy categories to the role.

  • Click next to display the permissions of the selected category:
  • Cost

    {  
        "Version":"2012-10-17",
        "Statement":[  
           {  
              "Sid":"CloudCheckrCostPermissions",
              "Effect":"Allow",
              "Action":[  
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeHostReservationOfferings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeHostReservations",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeRegions",
                "ec2:DescribeKeyPairs",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeAddresses",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeVolumeStatus",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:DescribeReservedCacheNodesOfferings",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:DescribeDBInstances",
                "redshift:DescribeReservedNodes",
                "redshift:DescribeReservedNodeOfferings",
                "s3:GetBucketACL",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetBucketNotification",
                "s3:GetLifecycleConfiguration",
                "s3:GetNotificationConfiguration",
                "s3:List*",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "iam:GetAccountAuthorizationDetails",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies"
              ],
              "Resource":"*"
           }
        ]
     }

    Billing

    {  
        "Version":"2012-10-17",
        "Statement":[  
           {  
              "Sid":"CostReadDBR",
              "Effect":"Allow",
              "Action":[  
                "s3:GetBucketACL",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetBucketNotification",
                "s3:GetLifecycleConfiguration",
                "s3:GetNotificationConfiguration",
                "s3:GetObject"
              ],
              "Resource":[
                 "arn:aws:s3:::[YOUR DETAILED BILLING REPORT BUCKET]",
                 "arn:aws:s3:::[YOUR DETAILED BILLING REPORT BUCKET]/*"
              ]
           }
        ]
     }

    Security/Compliance

    {  
        "Version":"2012-10-17",
        "Statement":[  
           {  
              "Sid":"SecurityPermissons",
              "Effect":"Allow",
              "Action":[  
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "config:DescribeConfigRules",
                "config:GetComplianceDetailsByConfigRule",
                "config:DescribeDeliveryChannels",
                "config:DescribeDeliveryChannelStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "ec2:Describe*",
                "iam:Get*",
                "iam:List*",
                "iam:GenerateCredentialReport",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListGrants",
                "kms:ListKeys",
                "kms:ListKeyPolicies",
                "kms:ListResourceTags",
                "rds:Describe*",
                "ses:ListIdentities",
                "ses:GetSendStatistics",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "sns:GetSnsTopic",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes"
              ],
              "Resource":"*"
           }
        ]
     }

    Inventory

    {  
        "Version":"2012-10-17",
        "Statement":[  
           {  
              "Sid":"InventoryAndUtilization",
              "Effect":"Allow",
              "Action":[  
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate",
                "ec2:Describe*",
                "ec2:GetConsoleOutput",
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudfront:List*",
                "cloudfront:GetDistributionConfig",
                "cloudfront:GetStreamingDistributionConfig",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "cloudsearch:Describe*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:DescribeConfigRules",
                "config:GetComplianceDetailsByConfigRule",
                "config:Describe*",
                "datapipeline:ListPipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:DescribePipelines",
                "directconnect:DescribeLocations",
                "directconnect:DescribeConnections",
                "directconnect:DescribeVirtualInterfaces",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ssm:ListResourceDataSync",
                "ssm:ListAssociations",
                "ssm:ListDocumentVersions",
                "ssm:ListDocuments",
                "ssm:ListInstanceAssociations",
                "ssm:ListInventoryEntries",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticbeanstalk:Describe*",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeTags",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "es:ListDomainNames",
                "es:DescribeElasticsearchDomains",
                "glacier:ListTagsForVault",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "glacier:ListJobs",
                "glacier:ListVaults",
                "iam:Get*",
                "iam:List*",
                "iam:GenerateCredentialReport",
                "iot:DescribeThing",
                "iot:ListThings",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListGrants",
                "kms:ListKeys",
                "kms:ListKeyPolicies",
                "kms:ListResourceTags",
                "kinesis:ListStreams",
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "lambda:ListFunctions",
                "lambda:ListTags",
                "Organizations:List*",
                "Organizations:Describe*",
                "rds:Describe*",
                "rds:List*",
                "redshift:Describe*",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "s3:GetBucketACL",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetBucketNotification",
                "s3:GetLifecycleConfiguration",
                "s3:GetNotificationConfiguration",
                "s3:List*",
                "sdb:ListDomains",
                "sdb:DomainMetadata",
                "ses:ListIdentities",
                "ses:GetSendStatistics",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "sns:GetSnsTopic",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "support:*",
                "swf:ListClosedWorkflowExecutions",
                "swf:ListDomains",
                "swf:ListActivityTypes",
                "swf:ListWorkflowTypes",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
              ],
              "Resource":"*"
           }
        ]
     }

    CloudWatch Flow Logs

    {  
        "Version":"2012-10-17",
        "Statement":[  
           {  
              "Sid":"CloudWatchLogsSpecific",
              "Effect":"Allow",
              "Action":[  
                 "logs:GetLogEvents",
                 "logs:DescribeLogGroups",
                 "logs:DescribeLogStreams"
              ],
              "Resource":[  
                 "arn:aws:logs:*:*:*"
              ]
           }
        ]
     }

    CloudTrail

    {  
        "Version":"2012-10-17",
        "Statement":[  
           {  
              "Sid":"CloudTrailPermissions",
              "Effect":"Allow",
              "Action":[  
                 "s3:GetBucketACL",
                 "s3:GetBucketLocation",
                 "s3:GetBucketLogging",
                 "s3:GetBucketPolicy",
                 "s3:GetBucketTagging",
                 "s3:GetBucketWebsite",
                 "s3:GetBucketNotification",
                 "s3:GetLifecycleConfiguration",
                 "s3:GetNotificationConfiguration",
                 "s3:GetObject",
                 "s3:List*"
              ],
              "Resource":[
                 "arn:aws:s3:::[YOUR CLOUDTRAIL BUCKET]",
                 "arn:aws:s3:::[YOUR CLOUDTRAIL BUCKET]/*"
              ]
           }
        ]
     }


See the topic on Creating a Cross-Account Role Manually.


A Note on the New Policy Structure

CloudCheckr will attempt to ingest data from all of the categories to populate the Cost, Billing, Security, Inventory, and CloudWatch Flow Log reports.

Since CloudCheckr must make calls even to those categories where you have not enabled permissions, you will see Unauthorized Access attempts in your CloudTrail logs. Please be assured that these logs are only an indication of the CloudCheckr workflow and in no way reflect an attempt on the part of CloudCheckr to collect unauthorized information from our customers.


Additional Notes

S3 Encryption Details Report: By default, the Security/Compliance policy does not include any s3:GetObject permissions. If you want to have CloudCheckr scan your encrypted S3 buckets for the S3 Encryption Details report, we recommend restricting the s3:GetObject permission to only the specific S3 bucket(s) that you choose.

List of VPCs Report: By default, the Security/Compliance policy does not include any s3:GetObject permissions. For the List of VPCs report, the result is that the ‘Number of Elastic Beanstalk Applications’ within a VPC will always display 0. If you want to ingest data on the Elastic Beanstalk applications for this report, you will need to add the s3:GetObject* permission to your Security/Compliance policy.


Deprecated Complete IAM Policy

For current customers who use the complete IAM policy to manage user permissions, that policy will be available until December 23, 2018, after which CloudCheckr will deprecate the policy.
All new customers will be directed to use the new IAM policy described in this topic.