Enable New Service Permissions for CloudCheckr

Introduction

CloudCheckr will notify you when it adds support for inventory and utilization reporting on new AWS services. Because AWS managed policies such as the AWS Read-Only policy (ReadOnlyAccess) cannot be edited, any extra permissions that policy does not cover must go into a secondary, customer-managed policy that you maintain yourself.


Procedure

This procedure shows you how to modify the CloudCheckr secondary policy to enable new AWS services for use with CloudCheckr. You can find the required permissions, per service, at the bottom of this page.

Note: These modifications do not impact billing reporting—only inventory and utilization.

Note: Before you start this procedure, you need to create a cross-account role and attach the AWS Read-Only policy to it.

  1. Log in to the AWS Management Console.
  2. Scroll down to the Security, Identity & Compliance section and select IAM.
  3. The Welcome to Identity and Access Management screen displays.
  4. From the dashboard, click Policies.
  5. Select the secondary policy from the list.

  6. What if I don't see the secondary policy on the list?

    If the secondary policy is not in the list, create it by copying the policy below:
    Updated 2017-09-13

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AdditionalPermissions",
                "Effect": "Allow",
                "Action": [
                    "cloudformation:GetStackPolicy",
                    "cloudhsm:Describe*",
                    "cloudhsm:List*",
                    "glacier:List*",
                    "glacier:DescribeVault",
                    "glacier:GetVaultNotifications",
                    "glacier:DescribeJob",
                    "glacier:GetJobOutput",
                    "sdb:DomainMetadata",
                    "support:*",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles",
                    "workspaces:DescribeWorkspaces"
                ],
                "Resource": "*"
            },
            {
                "Sid": "CloudWatchLogsSpecific",
                "Effect": "Allow",
                "Action": [
                    "logs:GetLogEvents",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }
    

    Note: You can also download and copy the secondary policy from here.

    A summary of the policy displays.

  7. Click Edit Policy.
  8. Click the JSON tab.
  9. Modify the contents of the policy to reflect any additional permissions not included in the AWS Read-Only Access policy.
  10. Click Review policy when you are done.
  11. Click Save changes.
  12. The summary of the policy displays again.

  13. From the dashboard, click Policies.
  14. In the Search text field, type the name of your secondary policy to filter the list of policies.
  15. Select the checkbox next to the secondary policy.
  16. From the Policy actions drop-down menu, select Attach.
  17. The Attach Policy page opens.
  18. Select the cross-account role that you created earlier, which already has the AWS Read-Only policy attached.
  19. Click Attach policy.
  20. A message indicates that your secondary policy is now attached to your cross-account role.


New Service Permissions

Here is the complete list of permissions, grouped by AWS service. To enable a service, copy its permissions into the Action list of your secondary policy using the procedure above, then attach the updated policy to the cross-account role. Add only the services you actually use: most of these actions are Describe/List/Get calls that return inventory metadata, but a few return data (logs:GetLogEvents, kinesis:GetRecords, glacier:GetJobOutput, s3:GetObject), so review those against your own least-privilege requirements before granting them on Resource "*".


AWS Certificate Manager

"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",  

AWS Config

"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeDeliveryChannels",
"config:DescribeDeliveryChannelStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",

Autoscaling

"autoscaling:Describe*",

CloudFormation

"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",

CloudFront

"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",

CloudHSM

"cloudhsm:Describe*",
"cloudhsm:List*",

CloudSearch

"cloudsearch:DescribeDomains",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudsearch:DescribeStemmingOptions",
"cloudsearch:DescribeStopwordOptions",
"cloudsearch:DescribeSynonymOptions",
"cloudsearch:DescribeDefaultSearchField",
"cloudsearch:DescribeIndexFields",
"cloudsearch:DescribeRankExpressions",

CloudTrail

"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",

CloudWatch

"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",

CloudWatch Logs

"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",

For Resource, use the ARN that matches your account's partition:

On standard AWS accounts, use

"arn:aws:logs:*:*:*",

On GovCloud accounts, use

"arn:aws-us-gov:logs:*:*:*",

On China Region accounts, use

"arn:aws-cn:logs:*:*:*",

Cognito

"cognito-idp:List*",

Data Pipeline

"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:DescribePipelines",

DirectConnect

"directconnect:DescribeLocations",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",

Dynamo DB

"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",

EC2

CloudCheckr cannot work correctly without EC2 permissions on the principal it authenticates as: the cross-account role from the procedure above or, if you configured CloudCheckr with an IAM user's access keys, the IAM group that holds that user. Without the following permissions, your billing collectors will not run and you will not receive accurate data. The required permissions are:

"ec2:Describe*",
"ec2:GetConsoleOutput",

EC2/VPC

"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeFlowLogs",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeNatGateways",

EC2 Container Service (ECS)

"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListTasks",
"ecs:DescribeTasks",

EC2 Systems Manager

"ssm:ListResourceDataSync",
"ssm:ListAssociations",
"ssm:ListDocumentVersions",
"ssm:ListDocuments",
"ssm:ListInstanceAssociations",
"ssm:ListInventoryEntries",

Elasticache

"elasticache:DescribeCacheClusters",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeTags",
"elasticache:ListTagsForResource",

Elastic Beanstalk

"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",

Elastic File System

"elasticfilesystem:Describe*",

Elastic Load Balancing

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancerAttributes",

Elastic MapReduce

"elasticmapreduce:DescribeJobFlows",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeTags",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",

Elasticsearch

"es:ListDomainNames",
"es:DescribeElasticsearchDomains",

Glacier

"glacier:ListTagsForVault",
"glacier:DescribeVault",
"glacier:GetVaultNotifications",
"glacier:DescribeJob",
"glacier:GetJobOutput",

Identity Access Management (IAM)

"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",

Internet of Things (IoT)

"iot:DescribeThing",
"iot:ListThings",

Key Management Service

"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListResourceTags",

Kinesis

"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",

Lambda

"lambda:ListFunctions",
"lambda:ListTags",

RDS

"rds:DescribeReservedDBInstances",
"rds:DescribeDBInstances",
"rds:DescribeDBSubnetGroups",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshots",
"rds:DescribeEvents",
"rds:DescribeEventSubscriptions",
"rds:DescribeDBEngineVersions",
"rds:DescribeOptionGroups",
"rds:ListTagsForResource",

Redshift

"redshift:Describe*",
"redshift:ViewQueriesInConsole",

Route 53

"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",

S3

"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObject",
"s3:GetObjectMetadata",
"s3:List*",

Note: s3:GetObject grants read access to object contents, not just bucket metadata, and with Resource "*" it applies to every bucket in the account. If your least-privilege policy requires it, move that action into its own statement whose Resource lists only the buckets CloudCheckr needs to read. The IAM policy editor may also flag s3:GetObjectMetadata, which is not a documented S3 action (reading object metadata via HeadObject is authorized by s3:GetObject).

SDB

"sdb:ListDomains",
"sdb:DomainMetadata",

Simple Email Service (SES)

"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",

SNS

"sns:GetSnsTopic",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",

SQS

"sqs:ListQueues",
"sqs:GetQueueAttributes",

Storage Gateway

"storagegateway:Describe*", 
"storagegateway:List*",

AWS Support and Trusted Advisor

For CloudCheckr to access your AWS Support charges and case information as well as your Trusted Advisor data, add the following permission to your policy. Note that support:* is not read-only: it also allows creating and updating support cases (for example support:CreateCase), so keep this in mind when reviewing what the cross-account role can do.

"support:*",

Simple Workflow

"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListActivityTypes",
"swf:ListWorkflowTypes",

Workspaces

"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaces",
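As an added example (not CloudCheckr's own tooling), the following Python script does offline what the procedure above asks you to do by hand in the JSON tab: it takes action snippets pasted verbatim from the per-service lists on this page, merges them into the AdditionalPermissions statement of the 2017-09-13 policy (dropping duplicates and any action already covered by a wildcard such as ec2:Describe*), sets the CloudWatch Logs Resource for the standard, GovCloud or China partition, lists the actions that return data rather than metadata, and checks the result against the 6,144-character IAM quota for a managed policy. The account-type keys, the function names and the sample snippet are assumptions made for this example; the policy, ARNs and action names come from the page.

```python
import json
import re
from copy import deepcopy
from fnmatch import fnmatchcase

# The secondary policy shown on this page (updated 2017-09-13), as a Python dict.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy", "cloudhsm:Describe*", "cloudhsm:List*",
                "glacier:List*", "glacier:DescribeVault", "glacier:GetVaultNotifications",
                "glacier:DescribeJob", "glacier:GetJobOutput", "sdb:DomainMetadata",
                "support:*", "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaces",
            ],
            "Resource": "*",
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
            "Resource": ["arn:aws:logs:*:*:*"],
        },
    ],
}

# Partition-specific Resource for the CloudWatch Logs statement, as listed on this page.
# The keys ("standard", "govcloud", "china") are names chosen for this example.
LOGS_RESOURCE = {
    "standard": "arn:aws:logs:*:*:*",
    "govcloud": "arn:aws-us-gov:logs:*:*:*",
    "china": "arn:aws-cn:logs:*:*:*",
}

# Actions on this page that return data rather than inventory metadata; worth a second look.
DATA_READ_ACTIONS = ("glacier:GetJobOutput", "kinesis:GetRecords", "logs:GetLogEvents", "s3:GetObject")

# IAM quota for a customer-managed policy document; IAM does not count whitespace.
MANAGED_POLICY_MAX_CHARS = 6144

# One quoted "service:Action" per match; a stray comma inside the quotes is tolerated.
ACTION_RE = re.compile(r'"([a-z0-9-]+:[A-Za-z0-9*]+),?"')


def parse_snippet(text):
    """Extract action names from a snippet pasted from the per-service lists above."""
    return ACTION_RE.findall(text)


def _covered(action, actions):
    """True if a different wildcard entry already matches this action (IAM matches case-insensitively)."""
    return any("*" in other and other.lower() != action.lower()
               and fnmatchcase(action.lower(), other.lower()) for other in actions)


def merge_actions(policy, new_actions, sid="AdditionalPermissions"):
    """Return a copy of the policy with new_actions added to the statement with this Sid.

    Duplicates, and actions already covered by a wildcard in the same statement, are dropped,
    so pasting "ec2:DescribeVpcs" next to "ec2:Describe*" does not bloat the policy.
    """
    merged = deepcopy(policy)
    for stmt in merged["Statement"]:
        if stmt.get("Sid") == sid:
            actions = set(stmt["Action"]) | set(new_actions)
            stmt["Action"] = sorted(a for a in actions if not _covered(a, actions))
            return merged
    raise KeyError(f"no statement with Sid {sid!r}")


def set_logs_resource(policy, account_type):
    """Return a copy of the policy with the CloudWatch Logs Resource set for the account's partition."""
    merged = deepcopy(policy)
    for stmt in merged["Statement"]:
        if stmt.get("Sid") == "CloudWatchLogsSpecific":
            stmt["Resource"] = [LOGS_RESOURCE[account_type]]
            return merged
    raise KeyError("no CloudWatchLogsSpecific statement")


def data_read_actions(policy):
    """List the data-reading actions the policy grants, including ones reached through wildcards."""
    found = set()
    for stmt in policy["Statement"]:
        for granted in stmt["Action"]:
            found.update(a for a in DATA_READ_ACTIONS if fnmatchcase(a.lower(), granted.lower()))
    return sorted(found)


def policy_size(policy):
    """Size of the policy as IAM measures it: characters of the JSON document, whitespace excluded."""
    return sum(1 for ch in json.dumps(policy) if not ch.isspace())


def fits_managed_policy_quota(policy):
    return policy_size(policy) <= MANAGED_POLICY_MAX_CHARS


if __name__ == "__main__":
    # Constructed input: the EC2 and Glacier snippets from this page, pasted as-is.
    snippet = '"ec2:Describe*",\n"ec2:GetConsoleOutput",\n"ec2:DescribeVpcs",\n"glacier:ListTagsForVault",\n'
    updated = set_logs_resource(merge_actions(BASE_POLICY, parse_snippet(snippet)), "govcloud")
    print(json.dumps(updated, indent=4))
    print("data-reading actions:", data_read_actions(updated))
    print("size:", policy_size(updated), "of", MANAGED_POLICY_MAX_CHARS)
```

Paste the printed JSON into the policy's JSON tab (steps 7 to 11 above), or push it from the command line with aws iam create-policy-version --policy-arn <your-policy-arn> --policy-document file://policy.json --set-as-default. IAM keeps at most five versions of a managed policy, so delete an old version with aws iam delete-policy-version before that call if it fails with a limit error.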