Enabling Permissions for CloudCheckr

CloudCheckr will notify you when it adds support for inventory and utilization reporting on new AWS services. Because AWS-managed policies such as ReadOnlyAccess cannot be edited, you must keep any extra permissions that ReadOnlyAccess does not cover in a secondary, customer-managed policy.

This procedure shows you how to enable new services for use with CloudCheckr by modifying your secondary policy. You can find the needed permissions, per service, at the bottom of this page.

Note: These modifications do not impact billing reporting—only inventory and utilization.

  1. Log in to your Amazon Web Services (AWS) Management Console.
  2. Under the Security, Identity & Compliance section, click IAM to load the IAM dashboard.
  3. From the left navigation pane, click Policies. A list of policies displays.

    Note: If you have not yet created a secondary policy, see the CloudCheckr article on creating one.

  4. Click the secondary policy. A summary of the policy displays.
  5. Click Edit Policy.
  6. Modify the contents of the policy to add any permissions that the AWS ReadOnlyAccess policy does not include.
  7. Click Validate Policy when you are done modifying the policy. A message indicates that the policy is valid.
  8. Click Save.
  9. From the left navigation pane, click Roles.
  10. Click the role that CloudCheckr uses.

    The role summary displays. Notice that the ReadOnlyAccess policy is already attached to this role.

  11. Click Attach Policy.
  12. From the list of policies, select the secondary policy and click Attach policy.
  13. The next time your reports are updated, CloudCheckr will have access to the new service.
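The procedure above has you paste action lists into the secondary policy by hand. The following script is an added example, not CloudCheckr's own tooling: it assembles that customer-managed policy document from per-service action lists (a constructed subset of the lists on this page) and checks it before you save it, verifying that each action string is well formed, that no verb looks write-capable, and that the document stays under the IAM managed-policy size limit of 6,144 non-whitespace characters. The read-only verb pattern is an assumption of this example, a heuristic to catch accidental write grants, not an AWS rule.

```python
"""Assemble and sanity-check a CloudCheckr secondary IAM policy (added example)."""
from __future__ import annotations

import json
import re

# Constructed sample: a subset of the per-service lists on this page.
# Extend it with the sections you actually need.
SECONDARY_ACTIONS = {
    "AWS Certificate Manager": [
        "acm:DescribeCertificate", "acm:ListCertificates", "acm:GetCertificate",
    ],
    "EC2 Container Service (ECS)": ["ecs:ListClusters", "ecs:DescribeClusters"],
    "Key Management Service": [
        "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
    ],
    "Lambda": ["lambda:ListFunctions", "lambda:ListTags"],
}

# CloudWatch Logs is the one section on the page that names a Resource ARN.
LOGS_ACTIONS = ["logs:GetLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"]
LOGS_RESOURCE = "arn:aws:logs:*:*:*"

# IAM quota for a managed policy document: 6,144 characters, whitespace not counted.
MANAGED_POLICY_MAX_CHARS = 6144

# Heuristic (assumption of this example): verbs an inventory collector should need.
READ_ONLY_VERB = re.compile(r"^(Describe|List|Get|Generate|View)[A-Za-z]*\*?$")
ACTION_FORMAT = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def check_action(action: str) -> list[str]:
    """Return findings for one action string; an empty list means it looks fine."""
    findings: list[str] = []
    if not ACTION_FORMAT.match(action):
        findings.append(f"malformed action string: {action!r}")
        return findings
    _service, verb = action.split(":", 1)
    if verb == "*":
        findings.append(f"{action}: service-wide wildcard also grants write actions")
    elif not READ_ONLY_VERB.match(verb):
        findings.append(f"{action}: verb does not look read-only; confirm before saving")
    return findings


def build_policy(service_actions: dict[str, list[str]],
                 logs_actions: list[str] = LOGS_ACTIONS,
                 logs_resource: str = LOGS_RESOURCE) -> dict:
    """One Allow statement per service on Resource "*", plus a Logs statement scoped to its ARN."""
    statements = []
    for service, actions in sorted(service_actions.items()):
        statements.append({
            "Sid": re.sub(r"[^A-Za-z0-9]", "", service),  # IAM Sids must be alphanumeric
            "Effect": "Allow",
            "Action": sorted(set(actions)),
            "Resource": "*",
        })
    if logs_actions:
        statements.append({
            "Sid": "CloudWatchLogs",
            "Effect": "Allow",
            "Action": sorted(set(logs_actions)),
            "Resource": logs_resource,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_size(policy: dict) -> int:
    """Characters IAM counts toward the managed-policy quota (whitespace excluded)."""
    compact = json.dumps(policy, separators=(",", ":"))
    return len(re.sub(r"\s", "", compact))


def validate_policy(policy: dict) -> list[str]:
    """Collect findings: malformed or write-capable actions, and size over the IAM quota."""
    findings: list[str] = []
    for stmt in policy["Statement"]:
        for action in stmt["Action"]:
            findings.extend(check_action(action))
    size = policy_size(policy)
    if size > MANAGED_POLICY_MAX_CHARS:
        findings.append(f"policy is {size} chars; IAM managed-policy quota is {MANAGED_POLICY_MAX_CHARS}")
    return findings


if __name__ == "__main__":
    doc = build_policy(SECONDARY_ACTIONS)
    print(json.dumps(doc, indent=2))   # paste this into the secondary policy editor
    print("findings:", validate_policy(doc) or "none")
```

Run it, review any findings, and paste the printed JSON into the policy editor in step 6. If the document grows past the quota, split it into a second customer-managed policy and attach both; a role can carry several.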

    Here is the complete list of permissions, separated by AWS service. To add permissions for a service, copy its actions into your secondary policy using the procedure above. Most of these actions return only configuration and metadata, but a few read data itself (for example s3:GetObject, logs:GetLogEvents, kinesis:GetRecords and glacier:GetJobOutput); where you can, scope those with a Resource element rather than granting them on every resource.


    AWS Certificate Manager

    "acm:DescribeCertificate",
    "acm:ListCertificates",
    "acm:GetCertificate",

    Autoscaling

    "autoscaling:Describe*",

    CloudFormation

    "cloudformation:DescribeStacks",
    "cloudformation:GetStackPolicy",
    "cloudformation:GetTemplate",
    "cloudformation:ListStackResources",

    CloudFront

    "cloudfront:List*",
    "cloudfront:GetDistributionConfig",
    "cloudfront:GetStreamingDistributionConfig",

    CloudHSM

    "cloudhsm:Describe*",
    "cloudhsm:List*",

    CloudSearch

    "cloudsearch:DescribeDomains",
    "cloudsearch:DescribeServiceAccessPolicies",
    "cloudsearch:DescribeStemmingOptions",
    "cloudsearch:DescribeStopwordOptions",
    "cloudsearch:DescribeSynonymOptions",
    "cloudsearch:DescribeDefaultSearchField",
    "cloudsearch:DescribeIndexFields",
    "cloudsearch:DescribeRankExpressions",

    CloudTrail

    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",

    CloudWatch

    "cloudwatch:DescribeAlarms",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics",

    CloudWatch Logs

    "logs:GetLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",

    For Resource, use the following:

    "arn:aws:logs:*:*:*",

    AWS Config

    "config:DescribeConfigRules",
    "config:GetComplianceDetailsByConfigRule",
    "config:DescribeDeliveryChannels",
    "config:DescribeDeliveryChannelStatus",
    "config:DescribeConfigurationRecorders",
    "config:DescribeConfigurationRecorderStatus",

    Data Pipeline

    "datapipeline:ListPipelines",
    "datapipeline:GetPipelineDefinition",
    "datapipeline:DescribePipelines",

    DirectConnect

    "directconnect:DescribeLocations",
    "directconnect:DescribeConnections",
    "directconnect:DescribeVirtualInterfaces",

    Dynamo DB

    "dynamodb:ListTables",
    "dynamodb:DescribeTable",
    "dynamodb:ListTagsOfResource",

    EC2

    For CloudCheckr to work correctly, the identity whose credentials you used to configure the application (the IAM role, or the group that holds the IAM user) MUST have the following EC2 permissions. Without them, your billing collectors will not run and you will not receive accurate data. The required permissions are:

    "ec2:Describe*",
    "ec2:GetConsoleOutput",
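Because a missing EC2 permission silently stops the billing collectors, it is worth checking the role's effective permissions before the next report run. The script below is an added example, not CloudCheckr code: given the policy documents attached to the role (constructed stand-ins here for a trimmed ReadOnlyAccess and a secondary policy, plus a Deny statement added only to show precedence), it reports for each required action whether IAM would allow it. It applies the IAM rules that matter for this check, an explicit Deny beats any Allow, wildcards such as ec2:Describe* match with shell-style globbing, and action names compare case-insensitively, and it deliberately ignores Condition and Resource elements, so it is a pre-flight check, not a policy simulator.

```python
"""Check that a role's attached policies cover the actions CloudCheckr requires (added example)."""
from __future__ import annotations

from fnmatch import fnmatchcase

# Constructed stand-ins for the documents attached to the CloudCheckr role.
READ_ONLY_LIKE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}
SECONDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:GetConsoleOutput", "ecs:List*"], "Resource": "*"},
        # Constructed Deny, as an SCP or boundary might impose, to show that it wins over the Allow above.
        {"Effect": "Deny", "Action": "ec2:GetConsoleOutput", "Resource": "*"},
    ],
}

# The EC2 permissions the page says the billing collectors cannot run without,
# plus two more (one from the EC2/VPC list, one ECS action) to show a covered and a missing case.
REQUIRED = ["ec2:Describe*", "ec2:GetConsoleOutput", "ec2:DescribeFlowLogs", "ecs:DescribeClusters"]


def _as_list(value) -> list[str]:
    """IAM allows Action to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _covers(allow_pattern: str, required: str) -> bool:
    """True if allow_pattern is at least as broad as the required action or pattern (case-insensitive)."""
    return fnmatchcase(required.lower(), allow_pattern.lower())


def _overlaps(a: str, b: str) -> bool:
    """True if two action patterns could match a common action, in either direction."""
    return _covers(a, b) or _covers(b, a)


def verdict(required: str, policies: list[dict]) -> str:
    """'denied' if any Deny touches it, 'allowed' if some Allow fully covers it, else 'missing'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = _as_list(stmt.get("Action", []))
            if stmt["Effect"] == "Deny" and any(_overlaps(p, required) for p in patterns):
                return "denied"          # explicit Deny always wins
            if stmt["Effect"] == "Allow" and any(_covers(p, required) for p in patterns):
                allowed = True
    return "allowed" if allowed else "missing"


def check_required(required: list[str], policies: list[dict]) -> dict[str, str]:
    """Map each required action to its verdict, preserving the order given."""
    return {action: verdict(action, policies) for action in required}


def gaps(required: list[str], policies: list[dict]) -> list[str]:
    """Required actions that are not cleanly allowed; an empty list means the role is ready."""
    return [a for a, v in check_required(required, policies).items() if v != "allowed"]


if __name__ == "__main__":
    for action, result in check_required(REQUIRED, [READ_ONLY_LIKE, SECONDARY]).items():
        print(f"{action:28} {result}")
    print("gaps:", gaps(REQUIRED, [READ_ONLY_LIKE, SECONDARY]) or "none")
```

To run it against a real role, replace the two constructed documents with the output of `aws iam get-policy-version` for each attached policy (and the inline policies from `aws iam get-role-policy`), then feed every list from this page into `REQUIRED`. For an authoritative answer that also honours conditions and resource ARNs, use the IAM policy simulator (`aws iam simulate-principal-policy`) with the same action list.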

    EC2/VPC

    "ec2:DescribeVpcs",
    "ec2:DescribeVpcAttribute",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeFlowLogs",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeNatGateways",

    EC2 Container Service (ECS)

    "ecs:ListClusters",
    "ecs:DescribeClusters",
    "ecs:ListContainerInstances",
    "ecs:DescribeContainerInstances",
    "ecs:ListServices",
    "ecs:DescribeServices",
    "ecs:ListTaskDefinitions",
    "ecs:DescribeTaskDefinition",
    "ecs:ListTasks",
    "ecs:DescribeTasks",

    EC2 Systems Manager

    "ssm:ListResourceDataSync",
    "ssm:ListAssociations",
    "ssm:ListDocumentVersions",
    "ssm:ListDocuments",
    "ssm:ListInstanceAssociations",
    "ssm:ListInventoryEntries",

    Elasticache

    "elasticache:DescribeCacheClusters",
    "elasticache:DescribeReservedCacheNodes",
    "elasticache:DescribeCacheSecurityGroups",
    "elasticache:DescribeCacheParameterGroups",
    "elasticache:DescribeCacheParameters",
    "elasticache:DescribeCacheSubnetGroups",
    "elasticache:DescribeTags",
    "elasticache:ListTagsForResource",

    Elastic Beanstalk

    "elasticbeanstalk:DescribeApplications",
    "elasticbeanstalk:DescribeConfigurationSettings",
    "elasticbeanstalk:DescribeEnvironments",
    "elasticbeanstalk:DescribeEvents",

    Elastic File System

    "elasticfilesystem:DescribeTags",

    Elastic Load Balancing

    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",

    Elastic MapReduce

    "elasticmapreduce:DescribeJobFlows",
    "elasticmapreduce:DescribeStep",
    "elasticmapreduce:DescribeCluster",
    "elasticmapreduce:DescribeTags",
    "elasticmapreduce:ListSteps",
    "elasticmapreduce:ListInstanceGroups",
    "elasticmapreduce:ListBootstrapActions",
    "elasticmapreduce:ListClusters",
    "elasticmapreduce:ListInstances",

    Elasticsearch

    "es:ListDomainNames",
    "es:DescribeElasticsearchDomains",

    Glacier

    "glacier:ListTagsForVault",
    "glacier:DescribeVault",
    "glacier:GetVaultNotifications",
    "glacier:DescribeJob",
    "glacier:GetJobOutput",

    Identity Access Management (IAM)

    "iam:Get*",
    "iam:List*",
    "iam:GenerateCredentialReport",

    Internet of Things (IoT)

    "iot:DescribeThing",
    "iot:ListThings",

    Key Management Service

    "kms:DescribeKey",
    "kms:GetKeyPolicy",
    "kms:GetKeyRotationStatus",
    "kms:ListAliases",
    "kms:ListKeys",
    "kms:ListKeyPolicies",
    "kms:ListResourceTags",

    Kinesis

    "kinesis:ListStreams",
    "kinesis:DescribeStream",
    "kinesis:GetShardIterator",
    "kinesis:GetRecords",

    Lambda

    "lambda:ListFunctions",
    "lambda:ListTags",

    RDS

    "rds:DescribeReservedDBInstances",
    "rds:DescribeDBInstances",
    "rds:DescribeDBSubnetGroups",
    "rds:DescribeDBSecurityGroups",
    "rds:DescribeDBParameterGroups",
    "rds:DescribeDBParameters",
    "rds:DescribeDBSnapshots",
    "rds:DescribeEvents",
    "rds:DescribeEventSubscriptions",
    "rds:DescribeDBEngineVersions",
    "rds:DescribeOptionGroups",
    "rds:ListTagsForResource",

    Red Shift

    "redshift:Describe*",
    "redshift:ViewQueriesInConsole",

    Route 53

    "route53:ListHealthChecks",
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",

    S3

    "s3:GetBucketACL",
    "s3:GetBucketLocation",
    "s3:GetBucketLogging",
    "s3:GetBucketPolicy",
    "s3:GetBucketTagging",
    "s3:GetBucketWebsite",
    "s3:GetBucketNotification",
    "s3:GetLifecycleConfiguration",
    "s3:GetNotificationConfiguration",
    "s3:GetObject",
    "s3:GetObjectMetadata",
    "s3:List*",

    SDB

    "sdb:ListDomains",
    "sdb:DomainMetadata",

    Simple Email Service (SES)

    "ses:ListIdentities",
    "ses:GetSendStatistics",
    "ses:GetIdentityDkimAttributes",
    "ses:GetIdentityVerificationAttributes",
    "ses:GetSendQuota",

    SNS

    "sns:GetSnsTopic",
    "sns:GetTopicAttributes",
    "sns:GetSubscriptionAttributes",
    "sns:ListTopics",
    "sns:ListSubscriptionsByTopic",

    SQS

    "sqs:ListQueues",
    "sqs:GetQueueAttributes",

    Storage Gateway

    "storagegateway:Describe*",
    "storagegateway:List*",

    AWS Support and Trusted Advisor

    For CloudCheckr to access your AWS support charges and information, as well as your Trusted Advisor information, add the following permission to your policy. Note that support:* is a service-wide wildcard that also covers write actions such as creating and updating support cases; if your policy standards require least privilege, narrow it to the support:Describe* actions and confirm that the support and Trusted Advisor reports still populate.

    "support:*",

    Simple Workflow

    "swf:ListClosedWorkflowExecutions",
    "swf:ListDomains",
    "swf:ListActivityTypes",
    "swf:ListWorkflowTypes",

    Workspaces

    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspaceBundles",
    "workspaces:DescribeWorkspaces",