Enabling Permissions for CloudCheckr

As CloudCheckr adds inventory and utilization reporting for new AWS services, the IAM policy you use for CloudCheckr may need to be updated to grant the read permissions those services require.

In these instances, CloudCheckr notifies you in the top-right corner of your account, listing the services it does not have permission to check.

Follow the steps below to add support for the missing services. The permissions needed, listed per service, are at the bottom of this page.

NOTE: This does not impact billing reporting, only Inventory and Utilization.

Enabling Services for use with CloudCheckr

Step 1:

Log in to your Amazon Web Services Management Console.


Step 2:

Under the Security, Identity & Compliance section, click IAM to load the IAM dashboard.


Step 3:

Any extra permissions not covered by the AWS-managed ReadOnlyAccess policy must live in a secondary, customer-managed policy that you attach to the same role, because AWS does not allow you to edit its managed policies. CloudCheckr's setup documentation covers creating that secondary policy; the steps below assume it already exists.

From the left navigation pane, click Policies.


Step 4:

A list of policies displays. Click the secondary policy you created earlier.

Step 5:

A summary of the policy displays. Click Edit Policy.

Step 6:

Modify the contents of the policy to add any permissions not included in the AWS ReadOnlyAccess policy. Each permission is an action string (for example "kms:ListKeys") that goes in the Action list of an Allow statement; keep the CloudWatch Logs actions in a statement scoped to the log ARN pattern given in that section below.

Step 7:

Click Validate Policy when you are done modifying the policy.

Step 8:

A message will pop up indicating that the policy is valid. Click Save.


Step 9:

From the left navigation pane, click Roles.


Step 10:

Click the role that CloudCheckr uses, which is the one with the AWS ReadOnlyAccess managed policy attached.

The role summary displays. Notice that the ReadOnlyAccess policy is already attached to this role.

Step 11:

Click Attach Policy.

Step 12:

From the list of policies, click the secondary policy that you just modified and click Attach policy.

And that's it! Because the secondary policy is now attached to the role, the new permissions are in effect, and the next time your reports are updated CloudCheckr will be able to read that service.
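Steps 6 through 8 are the part most worth getting right: the action strings go into the Action list of an Allow statement, the CloudWatch Logs actions belong in a statement scoped to the log ARN pattern, and the console's Validate Policy only checks syntax, not whether you accidentally pasted a wildcard or a data-read action. The script below is an added example, not CloudCheckr's own tooling: it merges a service's actions into a secondary policy document, then lints the result for non-read verbs, service-wide wildcards, unscoped logs actions, data-plane reads, and the managed-policy size limit. The starting policy, the hypothetical statement Sids and the action lists it is fed are constructed for the example; the action names themselves are the ones listed per service on this page.

```python
"""Merge per-service read actions into the CloudCheckr secondary policy and lint it.

Added example (not CloudCheckr's code).  EXISTING_POLICY is a constructed
starting point; upload the output with the AWS CLI, e.g.
  aws iam create-policy-version --policy-arn <secondary-policy-arn> \
      --policy-document file://policy.json --set-as-default
"""
import json

# IAM's documented size limit for a managed policy document: 6,144 characters,
# not counting whitespace.  The check below is an approximation (it strips
# whitespace between tokens, not inside quoted strings).
MANAGED_POLICY_MAX_CHARS = 6144

# Verb prefixes used by the read-only actions listed on this page.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Generate", "View")

# Actions from the page that return customer data rather than configuration;
# a reviewer usually wants these called out explicitly.
DATA_PLANE_READS = {"s3:GetObject", "kinesis:GetRecords",
                    "logs:GetLogEvents", "glacier:GetJobOutput"}

# Constructed secondary policy, as it might look after the EC2 and
# CloudWatch Logs sections were added.  Sids are placeholders.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudCheckr1", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:GetConsoleOutput"],
         "Resource": "*"},
        {"Sid": "CloudCheckr2", "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def add_service_actions(policy, actions, resource="*"):
    """Return a copy of `policy` with `actions` merged into the Allow statement
    whose Resource equals `resource`, creating that statement if none exists.
    Duplicates are dropped and the list is sorted so console diffs stay readable."""
    new = json.loads(json.dumps(policy))  # deep copy; caller's policy is untouched
    target = next((s for s in new["Statement"]
                   if s["Effect"] == "Allow" and _as_list(s["Resource"]) == [resource]),
                  None)
    if target is None:
        target = {"Sid": f"CloudCheckr{len(new['Statement']) + 1}",
                  "Effect": "Allow", "Action": [], "Resource": resource}
        new["Statement"].append(target)
    target["Action"] = sorted(set(_as_list(target["Action"])) | set(actions))
    return new


def lint_policy(policy):
    """Return findings a reviewer would want before uploading the policy."""
    findings = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        for action in actions:
            service, _, name = action.partition(":")
            if name == "*":
                findings.append(f"{action}: grants every {service} action, including writes")
            elif not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{action}: not a read-only verb, confirm it is required")
            if action in DATA_PLANE_READS:
                findings.append(f"{action}: reads data, not just configuration")
        if "*" in resources and any(a.startswith("logs:") for a in actions):
            findings.append("logs actions should be scoped to arn:aws:logs:*:*:*")
    size = len(json.dumps(policy, separators=(",", ":")))
    if size > MANAGED_POLICY_MAX_CHARS:
        findings.append(f"policy is {size} chars, over the {MANAGED_POLICY_MAX_CHARS} "
                        "limit; split it into a second secondary policy")
    return findings


if __name__ == "__main__":
    # Add the Key Management Service section from this page, then review.
    kms = ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
           "kms:ListAliases", "kms:ListKeys", "kms:ListKeyPolicies",
           "kms:ListResourceTags"]
    updated = add_service_actions(EXISTING_POLICY, kms)
    print(json.dumps(updated, indent=2))
    for finding in lint_policy(updated):
        print("FINDING:", finding)
```

After the script prints the merged document, paste it into the console editor at Step 6, or upload it with aws iam create-policy-version as shown in the docstring and attach it with aws iam attach-role-policy. Review each finding before uploading: a wildcard such as "support:*" or an unscoped logs statement is exactly the kind of thing Validate Policy will happily accept.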

Below is the full list of permissions, separated by AWS service. Locate the service you wish to add, copy its permissions, and follow the steps above to paste them into your secondary policy.



AWS Certificate Manager

"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",

Autoscaling

"autoscaling:Describe*",

CloudFormation

"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",

CloudFront

"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",

CloudHSM

"cloudhsm:Describe*",
"cloudhsm:List*",

CloudSearch

"cloudsearch:DescribeDomains",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudsearch:DescribeStemmingOptions",
"cloudsearch:DescribeStopwordOptions",
"cloudsearch:DescribeSynonymOptions",
"cloudsearch:DescribeDefaultSearchField",
"cloudsearch:DescribeIndexFields",
"cloudsearch:DescribeRankExpressions",

CloudTrail

"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",

CloudWatch

"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",

CloudWatch Logs

"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",

Place these actions in their own statement, with Resource set to the log ARN pattern below rather than the "*" used for the other services:

"arn:aws:logs:*:*:*",

AWS Config

"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeDeliveryChannels",
"config:DescribeDeliveryChannelStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",

Data Pipeline

"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:DescribePipelines",

DirectConnect

"directconnect:DescribeLocations",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",

Dynamo DB

"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",

EC2

For CloudCheckr to work correctly, EC2 permissions MUST be attached to the IAM role (or the group containing the IAM user) whose credentials you used to configure the application. Without the following permissions your billing collectors will not run and you will not receive accurate data. The following permissions are required:

"ec2:Describe*",
"ec2:GetConsoleOutput",

EC2/VPC

"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeFlowLogs",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeNatGateways",

EC2 Container Service (ECS)

"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListTasks",
"ecs:DescribeTasks",

EC2 Systems Manager

"ssm:ListResourceDataSync",
"ssm:ListAssociations",
"ssm:ListDocumentVersions",
"ssm:ListDocuments",
"ssm:ListInstanceAssociations",
"ssm:ListInventoryEntries",

Elasticache

"elasticache:DescribeCacheClusters",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeTags",
"elasticache:ListTagsForResource",

Elastic Beanstalk

"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",

Elastic File System

"elasticfilesystem:DescribeTags",

Elastic Load Balancing

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancerAttributes",

Elastic MapReduce

"elasticmapreduce:DescribeJobFlows",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeTags",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",

Elasticsearch

"es:ListDomainNames",
"es:DescribeElasticsearchDomains",

Glacier

"glacier:ListTagsForVault",
"glacier:DescribeVault",
"glacier:GetVaultNotifications",
"glacier:DescribeJob",
"glacier:GetJobOutput",

Identity Access Management (IAM)

"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",

Internet of Things (IoT)

"iot:DescribeThing",
"iot:ListThings",

Key Management Service

"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListResourceTags",

Kinesis

"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",

Lambda

"lambda:ListFunctions",
"lambda:ListTags",

RDS

"rds:DescribeReservedDBInstances",
"rds:DescribeDBInstances",
"rds:DescribeDBSubnetGroups",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshots",
"rds:DescribeEvents",
"rds:DescribeEventSubscriptions",
"rds:DescribeDBEngineVersions",
"rds:DescribeOptionGroups",
"rds:ListTagsForResource",

Red Shift

"redshift:Describe*",
"redshift:ViewQueriesInConsole",

Route 53

"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",

S3

"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObject",
"s3:GetObjectMetadata",
"s3:List*",

SDB

"sdb:ListDomains",
"sdb:DomainMetadata",

Simple Email Service (SES)

"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",

SNS

"sns:GetSnsTopic",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",

SQS

"sqs:ListQueues",
"sqs:GetQueueAttributes",

Storage Gateway

"storagegateway:Describe*",
"storagegateway:List*",

AWS Support and Trusted Advisor

For CloudCheckr to access your AWS Support charges and information as well as your Trusted Advisor information, add the following permission to your policy:

"support:*",

Note that "support:*" also grants write actions such as support:CreateCase and support:AddCommunicationToCase, since the Support API has no resource-level scoping. If your policy review requires read-only access, try "support:Describe*" together with "support:RefreshTrustedAdvisorCheck" instead and confirm that the Support and Trusted Advisor reports still populate.

Simple Workflow

"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListActivityTypes",
"swf:ListWorkflowTypes",

Workspaces

"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaces",