The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to AWS environments.
Before you begin
- For Discovery, you must have an AWS Identity and Access Management (IAM) User or Role that will be used to retrieve AWS data, with the following AWS managed IAM policies attached:
  - AmazonVPCReadOnlyAccess
  - AmazonEC2ReadOnlyAccess
  - AmazonEKSWorkerNodePolicy
  - AmazonEKSClusterPolicy
  - ElasticLoadBalancingReadOnly
  - AmazonRoute53ReadOnlyAccess
  - IAMReadOnlyAccess
- AWS Security Token Service (STS) must be active for the global endpoint or for the region that is in use.
Resources on the same account: If discovery and visibility resources are on the same AWS account as the host, the role must also have the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcEndpointServiceConfigurations",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcEndpointServices",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups",
        "eks:ListClusters",
        "eks:ListNodegroups",
        "eks:DescribeCluster",
        "eks:DescribeNodegroup",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "sts:GetCallerIdentity",
        "sts:GetSessionToken"
      ],
      "Resource": "*"
    }
  ]
}
Resources on different accounts: If discovery and visibility resources are in different AWS accounts than the host, both the host account and the resource accounts require additional permissions.
- The host account must have the following permissions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "sts:AssumeRole",
          "sts:GetSessionToken",
          "sts:GetCallerIdentity"
        ],
        "Resource": "*"
      }
    ]
  }
- Each resource account must have a role with the following permissions. Because the host account reaches the resource account through sts:AssumeRole, that role's trust policy must also allow the host account's User or Role to assume it:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeVpcs",
          "ec2:DescribeSubnets",
          "ec2:DescribeInstances",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeVpcEndpointServiceConfigurations",
          "ec2:DescribeVpcEndpoints",
          "ec2:DescribeVpcEndpointServices",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:DescribeTargetGroups",
          "eks:ListClusters",
          "eks:ListNodegroups",
          "eks:DescribeCluster",
          "eks:DescribeNodegroup",
          "route53:ListHostedZones",
          "route53:GetHostedZone",
          "route53:ListResourceRecordSets"
        ],
        "Resource": "*"
      }
    ]
  }
- For Visibility, you must have an AWS IAM User or Role with one of the following IAM policies attached:
Full set of required IAM permissions (JSON format)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:TagQueue",
        "sqs:PurgeQueue",
        "sqs:DeleteQueue",
        "sqs:CreateQueue",
        "sqs:GetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueUrl",
        "sns:DeleteTopic",
        "sns:ListTopics",
        "sns:Unsubscribe",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:ListSubscriptionsByTopic",
        "sns:GetTopicAttributes",
        "sns:CreateTopic",
        "sns:GetSubscriptionAttributes",
        "events:TagResource",
        "events:PutTargets",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:PutRule",
        "events:ListRules",
        "events:RemoveTargets",
        "events:ListTargetsByRule"
      ],
      "Resource": "*"
    }
  ]
}
Subset of required IAM permissions when SQS, SNS, and EventBridge rules are configured (JSON format)
The following is the subset of permissions that is sufficient if you have already configured the SQS queue, SNS topic, and EventBridge rules in your AWS environment. For more information on creating SQS, SNS, and EventBridge rules, see Manually configuring SQS, SNS, and EventBridge rules in AWS environments.
The permissions below allow visibility without creating, tagging, or deleting any AWS resources, or can be used for performing discovery. Note that the set is not strictly read-only: sqs:DeleteMessage and sqs:PurgeQueue modify the queue contents, and are included because a consumer must remove visibility messages it has processed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "events:DescribeRule",
        "sns:ListSubscriptionsByTopic",
        "sns:GetTopicAttributes",
        "sqs:PurgeQueue",
        "sqs:ReceiveMessage",
        "sns:ListTopics",
        "events:ListRules",
        "sqs:GetQueueAttributes",
        "sns:GetSubscriptionAttributes",
        "events:ListTargetsByRule"
      ],
      "Resource": "*"
    }
  ]
}
For more information on setting permissions and configuring policies, see Managing IAM Policies in the AWS Identity and Access Management User Guide.
Attention: The following AWS Control Tower settings must not be enabled:
- Disallow changes to Amazon SNS set up by AWS Control Tower
- Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower
- You must configure AWS CloudTrail trails to capture API calls made by AWS on behalf of your AWS account, including visibility messages. For more information, refer to Manually configuring AWS CloudTrail.
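Before attaching a policy for the discovery or visibility principal, it is worth checking that it actually grants every action listed above and nothing broader than intended. The following added example (not part of the original page or of the product's own tooling) does that check offline: it expands IAM Action wildcards, lets an explicit Deny override a matching Allow, reports which required actions are missing, and separates read actions from those that create, delete, or modify resources. The action lists are copied from the policies above; the wildcard policy with an explicit Deny is constructed for illustration and is not a recommended policy. Resource and Condition elements are ignored (they are "*" or absent in the policies on this page), so for an authoritative answer run aws iam simulate-principal-policy against the real principal.

```python
"""Offline check of an IAM policy document against the CDV action lists.

Added example, not part of the original page or the product's tooling.
It approximates `aws iam simulate-principal-policy` for Action matching
only: Resource and Condition elements are ignored, and IAM's
case-insensitive glob matching of Action strings plus explicit-Deny-wins
are reproduced with fnmatch.
"""
import fnmatch
import json

# Action lists copied from the same-account discovery policy and the
# full visibility policy on this page.
DISCOVERY_ACTIONS = [
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcEndpointServiceConfigurations",
    "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroups",
    "eks:ListClusters", "eks:ListNodegroups", "eks:DescribeCluster",
    "eks:DescribeNodegroup", "route53:ListHostedZones", "route53:GetHostedZone",
    "route53:ListResourceRecordSets", "sts:GetCallerIdentity", "sts:GetSessionToken",
]
VISIBILITY_ACTIONS = [
    "sqs:DeleteMessage", "sqs:TagQueue", "sqs:PurgeQueue", "sqs:DeleteQueue",
    "sqs:CreateQueue", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
    "sqs:SetQueueAttributes", "sqs:GetQueueUrl", "sns:DeleteTopic", "sns:ListTopics",
    "sns:Unsubscribe", "sns:SetTopicAttributes", "sns:Subscribe",
    "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes", "sns:CreateTopic",
    "sns:GetSubscriptionAttributes", "events:TagResource", "events:PutTargets",
    "events:DeleteRule", "events:DescribeRule", "events:PutRule", "events:ListRules",
    "events:RemoveTargets", "events:ListTargetsByRule",
]

# The "subset" visibility policy from this page, pasted as a JSON document.
SUBSET_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0",
  "Effect": "Allow", "Action": [ "sqs:DeleteMessage", "sqs:GetQueueUrl", "events:DescribeRule",
  "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes", "sqs:PurgeQueue", "sqs:ReceiveMessage",
  "sns:ListTopics", "events:ListRules", "sqs:GetQueueAttributes", "sns:GetSubscriptionAttributes",
  "events:ListTargetsByRule" ], "Resource": "*" } ] }""")

# Constructed for illustration (not a recommended policy): wildcard Allows
# plus an explicit Deny, to show that Deny overrides a matching Allow.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                                       "eks:*", "route53:List*", "route53:GetHostedZone",
                                       "sts:Get*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "eks:DescribeNodegroup", "Resource": "*"},
    ],
}

# API verbs that change state; every other verb in these lists is a read.
MUTATING_PREFIXES = ("Create", "Delete", "Purge", "Put", "Set", "Tag", "Remove",
                     "Subscribe", "Unsubscribe")


def _as_list(value):
    """IAM accepts either a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, required):
    """Return the subset of `required` that the policy allows (Deny wins over Allow)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied


def missing_actions(policy, required):
    """Required actions the policy does not grant, sorted for stable output."""
    return sorted(set(required) - allowed_actions(policy, required))


def mutating_actions(actions):
    """Actions whose API verb creates, deletes, or modifies a resource."""
    return sorted(a for a in actions if a.split(":", 1)[1].startswith(MUTATING_PREFIXES))


if __name__ == "__main__":
    print("Discovery actions missing from WILDCARD_POLICY:",
          missing_actions(WILDCARD_POLICY, DISCOVERY_ACTIONS))
    print("Visibility actions missing from SUBSET_POLICY:",
          missing_actions(SUBSET_POLICY, VISIBILITY_ACTIONS))
    print("Mutating actions granted by SUBSET_POLICY:",
          mutating_actions(allowed_actions(SUBSET_POLICY, VISIBILITY_ACTIONS)))
```

Run against the subset policy, the script reports the fourteen create/delete/modify actions that only the full visibility policy grants, and shows that the subset still carries two write actions on the queue (sqs:DeleteMessage and sqs:PurgeQueue). Run against the constructed wildcard policy, it shows that eks:DescribeNodegroup is denied even though eks:* allows it, which is the behaviour to expect if an organisation-level SCP or a Deny statement in another attached policy blocks one of the required actions.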