The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to AWS environments.
- For Discovery, you must have an AWS Identity and Access Management (IAM) User or Role that will be used to retrieve AWS data, with the following AWS IAM Policies attached:
  - AmazonVPCReadOnlyAccess
  - AmazonEC2ReadOnlyAccess
  - AmazonEKSWorkerNodePolicy
  - AmazonEKSClusterPolicy
  - ElasticLoadBalancingReadOnly
  - AmazonRoute53ReadOnlyAccess
  - IAMReadOnlyAccess
- An active AWS Security Token Service (STS) for Global or the region that is in use.
Standard discovery permissions: To perform standard discovery operations, the host must have the following permissions. You might require additional permissions beyond these depending on your situation, such as if you will be performing Organization-level discovery or if the hosts and resources are on different accounts.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:SimulatePrincipalPolicy",
        "sts:GetCallerIdentity",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcEndpointServices",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup",
        "route53:ListHostedZones",
        "route53:ListTrafficPolicyInstances",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:GetTrafficPolicy",
        "route53:ListTrafficPolicyInstancesByPolicy"
      ],
      "Resource": "*"
    }
  ]
}
```

If you will be performing discoveries at the Organization level, the role requires the following additional permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Action": [
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

Resources on different accounts: If discovery and visibility resources are on different AWS accounts than the host, then the host account requires additional permissions and the resource accounts require trust relationships with the host account.
- The host account must have the following additional permissions:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor4",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<Resource account>:role/<Role name>"
      }
    ]
  }
  ```

- You must create a role in the resource accounts with the appropriate Discovery permissions and a trust relationship with the host account. Trust relationship:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<Host account>:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  }
  ```
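As an added example (not part of this documentation or the CDV product), the following Python audits a candidate policy document against the standard Discovery action list above, reporting omitted actions and wildcard grants, and checks a resource-account trust policy for principals other than the host account root. The sample policy and trust document it audits are constructed, and the account IDs in them are placeholders.

```python
import fnmatch

# Required actions, copied from the standard Discovery policy above.
REQUIRED_DISCOVERY_ACTIONS = [
    "iam:SimulatePrincipalPolicy", "sts:GetCallerIdentity", "ec2:DescribeVpcs",
    "ec2:DescribeSubnets", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices", "eks:ListClusters",
    "eks:DescribeCluster", "eks:ListNodegroups", "eks:DescribeNodegroup",
    "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetGroups",
    "route53:ListHostedZones", "route53:ListTrafficPolicyInstances", "route53:GetHostedZone",
    "route53:ListResourceRecordSets", "route53:GetTrafficPolicy",
    "route53:ListTrafficPolicyInstancesByPolicy",
]

def _as_list(value):  # IAM accepts a string or a list in Action/Principal fields
    return value if isinstance(value, list) else [value]

def _allow_statements(doc):
    return [s for s in _as_list(doc["Statement"]) if s.get("Effect") == "Allow"]

def audit_policy(policy, required=REQUIRED_DISCOVERY_ACTIONS):
    """List required actions the policy omits and wildcard grants (e.g. 'ec2:*') that
    exceed least privilege; IAM action matching is case-insensitive with '*'/'?'."""
    granted = [a for s in _allow_statements(policy) for a in _as_list(s.get("Action", []))]
    missing = [a for a in required
               if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in granted)]
    return {"missing": missing, "wildcards": sorted(g for g in granted if "*" in g or "?" in g)}

def audit_trust_policy(trust, host_account):
    """Flag principals other than the host account root (as in the trust relationship
    above) and actions other than sts:AssumeRole; a bare "*" principal is caught too."""
    expected = f"arn:aws:iam::{host_account}:root"
    problems = []
    for s in _allow_statements(trust):
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        problems += [f"unexpected principal: {p}" for p in _as_list(aws) if p != expected]
        problems += [f"unexpected action: {a}" for a in _as_list(s.get("Action", []))
                     if a != "sts:AssumeRole"]
    return problems

# Constructed samples: a policy that grants ec2:* and eks:* but omits every Route 53
# action, and a trust policy that also trusts a second, unrelated (placeholder) account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["iam:SimulatePrincipalPolicy", "sts:GetCallerIdentity", "ec2:*", "eks:*",
               "elasticloadbalancing:Describe*"]}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Condition": {}, "Principal": {"AWS": [
        "arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]}}]}
```

Run `audit_policy(SAMPLE_POLICY)` and `audit_trust_policy(SAMPLE_TRUST, "111111111111")` to see the six missing Route 53 actions, the three wildcard grants, and the extra trusted account reported.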
For Visibility, you must have an AWS IAM User or Role with one of the following IAM Policies attached:
Full set of required IAM permissions (JSON format):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNatGateways",
        "events:ListRules",
        "events:PutRule",
        "events:PutTargets",
        "events:ListTargetsByRule",
        "events:RemoveTargets",
        "events:DeleteRule",
        "events:DescribeRule",
        "sns:ListTopics",
        "sns:CreateTopic",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:ListSubscriptionsByTopic",
        "sns:DeleteTopic",
        "sns:GetTopicAttributes",
        "sns:GetSubscriptionAttributes",
        "sqs:CreateQueue",
        "sqs:SetQueueAttributes",
        "sqs:ListQueues",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:PurgeQueue",
        "sqs:DeleteQueue",
        "sqs:TagQueue"
      ],
      "Resource": "*"
    }
  ]
}
```

Subset of required IAM permissions when SQS, SNS, and EventBridge rules are configured (JSON format):
The following contains a subset of permissions that are required if you have configured SQS, SNS, and EventBridge rules in your AWS environment. For more information on creating SQS, SNS, and EventBridge rules, see Manually configuring SQS, SNS, and EventBridge rules in AWS environments.
The permissions below are read-only permissions that can be used for visibility without creating resources, or for performing discovery:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "events:DescribeRule",
        "sns:ListSubscriptionsByTopic",
        "sns:GetTopicAttributes",
        "sqs:PurgeQueue",
        "sqs:ReceiveMessage",
        "sns:ListTopics",
        "events:ListRules",
        "sqs:GetQueueAttributes",
        "sns:GetSubscriptionAttributes",
        "events:ListTargetsByRule"
      ],
      "Resource": "*"
    }
  ]
}
```

For more information on setting permissions and configuring policies, see Managing IAM Policies in the AWS Identity and Access Management User Guide.

Attention: The following AWS Control Tower settings must not be enabled:
- Disallow changes to Amazon SNS set up by AWS Control Tower
- Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower
- You must configure AWS CloudTrail trails to capture API calls made by AWS on behalf of your AWS account, including visibility messages. For more information, refer to Manually configuring AWS CloudTrail.