Introduction

This document lists the specific IAM permissions required for discovering AWS resources. Instead of granting unrestricted read permissions in the AWS policy, a user can grant only the following set of actions for AWS discovery. Note that `s3:GetObject` is the one action in this list that reads object contents rather than resource metadata; if it is required, scope it to the specific buckets and key prefixes the discovery process reads rather than granting it on all resources.

"appmesh:DescribeMesh",
"appmesh:ListMeshes",
"appmesh:ListVirtualNodes",
"appmesh:ListVirtualRouters",
"appmesh:ListVirtualServices",
"appstream:DescribeFleets",
"appstream:DescribeStacks",
"appstream:ListAssociatedFleets",
"appstream:ListTagsForResource",
"appsync:GetGraphqlApi",
"appsync:ListGraphqlApis",
"athena:GetWorkGroup",
"athena:ListWorkGroups",
"apigateway:GET",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScheduledActions",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudfront:GetDistribution",
"cloudfront:ListDistributions",
"cloudfront:ListTagsForResource",
"cloudhsm:DescribeClusters",
"cloudsearch:DescribeDomains",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"codebuild:BatchGetProjects",
"codebuild:ListProjects",
"codecommit:BatchGetRepositories",
"codecommit:GetRepository",
"codecommit:ListRepositories",
"codedeploy:BatchGetApplications",
"codedeploy:BatchGetDeploymentGroups",
"codedeploy:GetApplication",
"codedeploy:ListApplications",
"codedeploy:ListDeploymentGroups",
"codepipeline:GetPipeline",
"codepipeline:ListPipelines",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:ListUserPoolClients",
"cognito-idp:ListUserPools",
"connect:DescribeContactFlow",
"connect:DescribeInstance",
"connect:ListContactFlows",
"connect:ListInstances",
"directconnect:DescribeConnections",
"dms:DescribeEndpoints",
"dms:DescribeReplicationInstances",
"dms:DescribeReplicationTasks",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeCustomerGateways",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSubnets",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumes",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTagsForResource",
"elasticache:DescribeCacheClusters",
"elasticache:ListTagsForResource",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:ListTagsForResource",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListInstances",
"elasticmapreduce:ListSteps",
"elastictranscoder:ListPipelines",
"elastictranscoder:ReadPipeline",
"es:DescribeElasticsearchDomainConfig",
"es:DescribeElasticsearchDomains",
"es:ListDomainNames",
"es:ListTags",
"events:DescribeEventBus",
"events:DescribeRule",
"events:ListEventBuses",
"events:ListRules",
"events:ListTagsForResource",
"firehose:DescribeDeliveryStream",
"firehose:ListDeliveryStreams",
"gamelift:DescribeAlias",
"gamelift:DescribeBuild",
"gamelift:DescribeFleetAttributes",
"gamelift:DescribeGameSessionQueues",
"gamelift:DescribeMatchmakingConfigurations",
"gamelift:DescribeMatchmakingRuleSets",
"gamelift:DescribeScript",
"gamelift:ListAliases",
"gamelift:ListBuilds",
"gamelift:ListFleets",
"gamelift:ListScripts",
"glue:GetCrawler",
"glue:GetCrawlers",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetDevEndpoint",
"glue:GetDevEndpoints",
"glue:GetJob",
"glue:GetJobRuns",
"glue:GetJobs",
"glue:GetMLTransform",
"glue:GetMLTransforms",
"glue:GetTable",
"glue:GetTables",
"guardduty:GetIPSet",
"guardduty:GetThreatIntelSet",
"guardduty:ListDetectors",
"guardduty:ListIPSets",
"guardduty:ListThreatIntelSets",
"inspector:DescribeAssessmentTargets",
"inspector:DescribeAssessmentTemplates",
"inspector:ListAssessmentTemplates",
"iot:DescribeJob",
"iot:GetTopicRule",
"iot:ListJobs",
"iot:ListTagsForResource",
"iot:ListTopicRules",
"kafka:DescribeCluster",
"kafka:ListClusters",
"kafka:ListNodes",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kms:DescribeCustomKeyStores",
"kms:DescribeKey",
"kms:ListKeys",
"lambda:GetFunctionConfiguration",
"lambda:ListEventSourceMappings",
"lambda:ListFunctions",
"lambda:ListTags",
"lex:GetBot",
"lex:GetBotAliases",
"lex:GetBotChannelAssociation",
"lex:GetBotChannelAssociations",
"lex:GetBots",
"lightsail:GetInstance",
"lightsail:GetInstances",
"machinelearning:DescribeBatchPredictions",
"machinelearning:DescribeDataSources",
"machinelearning:DescribeEvaluations",
"machinelearning:DescribeMLModels",
"machinelearning:DescribeTags",
"machinelearning:GetBatchPrediction",
"machinelearning:GetDataSource",
"machinelearning:GetEvaluation",
"machinelearning:GetMLModel",
"mediaconnect:DescribeFlow",
"mediaconnect:ListFlows",
"mediaconvert:DescribeEndpoints",
"mediaconvert:GetJob",
"mediaconvert:GetJobTemplate",
"mediaconvert:GetPreset",
"mediaconvert:GetQueue",
"mediaconvert:ListJobs",
"mediaconvert:ListJobTemplates",
"mediaconvert:ListPresets",
"mediaconvert:ListQueues",
"mediapackage:DescribeChannel",
"mediapackage:DescribeHarvestJob",
"mediapackage:DescribeOriginEndpoint",
"mediapackage:ListChannels",
"mediapackage:ListHarvestJobs",
"mediapackage:ListOriginEndpoints",
"mediatailor:GetPlaybackConfiguration",
"mediatailor:ListPlaybackConfigurations",
"mq:DescribeBroker",
"mq:ListBrokers",
"opsworks:DescribeInstances",
"opsworks:DescribeLayers",
"opsworks:DescribeStacks",
"opsworks:ListTags",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusters",
"redshift:DescribeClusterSubnetGroups",
"route53:GetHealthCheck",
"route53:GetHostedZone",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListTagsForResource",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:GetMetricsConfiguration",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeModel",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:ListEndpoints",
"sagemaker:ListLabelingJobs",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTransformJobs",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:ListQueues",
"sqs:ListQueueTags",
"states:DescribeStateMachine",
"states:ListStateMachines",
"states:ListTagsForResource",
"storagegateway:DescribeCachediSCSIVolumes",
"storagegateway:DescribeGatewayInformation",
"storagegateway:ListGateways",
"storagegateway:ListTagsForResource",
"storagegateway:ListVolumes",
"swf:DescribeDomain",
"swf:DescribeWorkflowExecution",
"swf:ListActivityTypes",
"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListWorkflowTypes",
"translate:DescribeTextTranslationJob",
"translate:ListTextTranslationJobs",
"waf-regional:GetRule",
"waf-regional:GetWebACL",
"waf-regional:ListWebACLs",
"waf:GetRule",
"waf:GetWebACL",
"waf:ListWebACLs",
"wafv2:GetWebACL",
"wafv2:ListResourcesForWebACL",
"wafv2:ListWebACLs",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",