Amazon Web Services (AWS) environments - Adaptive Applications - BlueCat Gateway - 22.2.2

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 22.2.2

The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to AWS environments.

Before you begin

Make sure that the following requirements are met:
  • You must be running Address Manager v9.2.0 or greater

  • For Discovery, you must have an AWS account that will be used to retrieve AWS data, with the following permissions:
    • AmazonVPCReadOnlyAccess
    • AmazonEC2ReadOnlyAccess
    • AmazonEKSWorkerNodePolicy
    • AmazonEKSClusterPolicy
    • ElasticLoadBalancingReadOnly
    • AmazonRoute53ReadOnlyAccess
    • IAMReadOnlyAccess
    • AWS Security Token Service (STS) must be active for the Global endpoint or for the region that is in use.
  • For Visibility, you must have an AWS account with one of the following sets of Identity and Access Management (IAM) role permissions:

    Full set of required IAM permissions (JSON format)

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sqs:DeleteMessage",
                    "sqs:TagQueue",
                    "sqs:PurgeQueue",
                    "sqs:DeleteQueue",
                    "sqs:CreateQueue",
                    "sqs:GetQueueAttributes",
                    "sqs:ReceiveMessage",
                    "sqs:SetQueueAttributes",
                    "sqs:GetQueueUrl",
                    "sns:DeleteTopic",
                    "sns:ListTopics",
                    "sns:Unsubscribe",
                    "sns:SetTopicAttributes",
                    "sns:Subscribe",
                    "sns:ListSubscriptionsByTopic",
                    "sns:GetTopicAttributes",
                    "sns:CreateTopic",
                    "sns:GetSubscriptionAttributes",
                    "events:TagResource",
                    "events:PutTargets",
                    "events:DeleteRule",
                    "events:DescribeRule",
                    "events:PutRule",
                    "events:ListRules",
                    "events:RemoveTargets",
                    "events:ListTargetsByRule"
                ],
                "Resource": "*"
            }
        ]
    }

    Subset of required IAM permissions when manually configuring SQS, SNS, and EventBridge rules (JSON format)

    To use only this subset of permissions, you must have manually configured the SQS queue, SNS topic, and EventBridge rules in your AWS environments. For more details, see Manually configuring SQS, SNS, and EventBridge rules in AWS environments.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sqs:DeleteMessage",
                    "sqs:GetQueueUrl",
                    "events:DescribeRule",
                    "sns:ListSubscriptionsByTopic",
                    "sns:GetTopicAttributes",
                    "sqs:PurgeQueue",
                    "sqs:ReceiveMessage",
                    "sns:ListTopics",
                    "events:ListRules",
                    "sqs:GetQueueAttributes",
                    "sns:GetSubscriptionAttributes",
                    "events:ListTargetsByRule"
                ],
                "Resource": "*"
            }
        ]
    }

For more information on setting permissions and configuring policies, see Managing IAM Policies in the AWS Identity and Access Management User Guide.

Attention: The following AWS Control Tower settings must not be enabled:
  • Disallow changes to Amazon SNS set up by AWS Control Tower
  • Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower