Introduction
This document lists the specific IAM permissions required for discovering AWS resources. Instead of granting unrestricted read access (for example, an AWS-managed read-only policy), a user can attach a policy containing only the set of actions below, which follows the principle of least privilege for AWS discovery. Two caveats for reviewers: nearly every action here is a read-only control-plane call (`List*`/`Describe*`/`Get*`), but `s3:GetObject` is a data-plane permission that allows reading object contents in any bucket the policy's `Resource` element covers — confirm that discovery actually needs it, and if so restrict its `Resource` to the specific buckets involved rather than `*`. Likewise `apigateway:GET` matches every GET call against the API Gateway control plane, so scope its `Resource` ARN where possible. Note that many `List*`/`Describe*` actions do not support resource-level permissions and must be granted on `Resource: "*"`; that is expected for a discovery role, but the policy should still be attached to a dedicated role or user rather than merged into a broader one.
"appmesh:DescribeMesh","appmesh:ListMeshes","appmesh:ListVirtualNodes","appmesh:ListVirtualRouters","appmesh:ListVirtualServices",
"appstream:DescribeFleets","appstream:DescribeStacks","appstream:ListAssociatedFleets","appstream:ListTagsForResource",
"appsync:GetGraphqlApi","appsync:ListGraphqlApis",
"athena:GetWorkGroup","athena:ListWorkGroups",
"apigateway:GET",
"autoscaling:DescribeAutoScalingGroups","autoscaling:DescribeLaunchConfigurations","autoscaling:DescribePolicies","autoscaling:DescribeScheduledActions",
"ce:GetCostAndUsage",
"cloudformation:DescribeStackResources","cloudformation:DescribeStacks","cloudformation:ListStacks",
"cloudfront:GetDistribution","cloudfront:ListDistributions","cloudfront:ListTagsForResource",
"cloudhsm:DescribeClusters",
"cloudsearch:DescribeDomains",
"cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics",
"codebuild:BatchGetProjects","codebuild:ListProjects",
"codecommit:BatchGetRepositories","codecommit:GetRepository","codecommit:ListRepositories",
"codedeploy:BatchGetApplications","codedeploy:BatchGetDeploymentGroups","codedeploy:GetApplication","codedeploy:ListApplications","codedeploy:ListDeploymentGroups",
"codepipeline:GetPipeline","codepipeline:ListPipelines",
"cognito-idp:DescribeUserPool","cognito-idp:DescribeUserPoolClient","cognito-idp:ListUserPoolClients","cognito-idp:ListUserPools",
"connect:DescribeContactFlow","connect:DescribeInstance","connect:ListContactFlows","connect:ListInstances",
"directconnect:DescribeConnections",
"dms:DescribeEndpoints","dms:DescribeReplicationInstances","dms:DescribeReplicationTasks",
"drs:DescribeSourceServers",
"ds:DescribeDirectories",
"dynamodb:DescribeTable","dynamodb:ListTables",
"ec2:DescribeAddresses","ec2:DescribeAvailabilityZones","ec2:DescribeCustomerGateways","ec2:DescribeHosts","ec2:DescribeImages","ec2:DescribeInstances","ec2:DescribeInstanceStatus","ec2:DescribeInternetGateways","ec2:DescribeKeyPairs","ec2:DescribeNatGateways","ec2:DescribeNetworkAcls","ec2:DescribeNetworkInterfaces","ec2:DescribePlacementGroups","ec2:DescribeRegions","ec2:DescribeRouteTables","ec2:DescribeSecurityGroups","ec2:DescribeSnapshots","ec2:DescribeSpotFleetInstances","ec2:DescribeSpotFleetRequests","ec2:DescribeSubnets","ec2:DescribeTransitGatewayAttachments","ec2:DescribeTransitGateways","ec2:DescribeVolumes","ec2:DescribeVolumeStatus","ec2:DescribeVpcs","ec2:DescribeVpnConnections","ec2:DescribeVpnGateways",
"ecs:DescribeClusters","ecs:DescribeServices","ecs:ListClusters","ecs:ListContainerInstances","ecs:ListServices","ecs:ListTagsForResource",
"elasticache:DescribeCacheClusters","elasticache:DescribeServerlessCaches","elasticache:ListTagsForResource",
"elasticbeanstalk:DescribeEnvironmentResources","elasticbeanstalk:DescribeEnvironments","elasticbeanstalk:ListTagsForResource",
"elasticfilesystem:DescribeFileSystems","elasticfilesystem:DescribeTags",
"elasticloadbalancing:DescribeInstanceHealth","elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeTags","elasticloadbalancing:DescribeTargetGroups",
"elasticmapreduce:DescribeCluster","elasticmapreduce:DescribeStep","elasticmapreduce:ListBootstrapActions","elasticmapreduce:ListClusters","elasticmapreduce:ListInstanceGroups","elasticmapreduce:ListInstances","elasticmapreduce:ListSteps",
"elastictranscoder:ListPipelines","elastictranscoder:ReadPipeline",
"es:DescribeElasticsearchDomainConfig","es:DescribeElasticsearchDomain","es:DescribeElasticsearchDomains","es:ListDomainNames","es:ListTags",
"events:DescribeEventBus","events:DescribeRule","events:ListEventBuses","events:ListRules","events:ListTagsForResource",
"firehose:DescribeDeliveryStream","firehose:ListDeliveryStreams",
"fsx:DescribeFileSystems",
"gamelift:DescribeAlias","gamelift:DescribeBuild","gamelift:DescribeFleetAttributes","gamelift:DescribeGameSessionQueues","gamelift:DescribeMatchmakingConfigurations","gamelift:DescribeMatchmakingRuleSets","gamelift:DescribeScript","gamelift:ListAliases","gamelift:ListBuilds","gamelift:ListFleets","gamelift:ListScripts",
"glue:GetCrawler","glue:GetCrawlers","glue:GetDatabase","glue:GetDatabases","glue:GetDevEndpoint","glue:GetDevEndpoints","glue:GetJob","glue:GetJobRuns","glue:GetJobs","glue:GetMLTransform","glue:GetMLTransforms","glue:GetTable","glue:GetTables",
"guardduty:GetIPSet","guardduty:GetThreatIntelSet","guardduty:ListDetectors","guardduty:ListIPSets","guardduty:ListThreatIntelSets",
"inspector:DescribeAssessmentTargets","inspector:DescribeAssessmentTemplates","inspector:ListAssessmentTemplates",
"iot:DescribeJob","iot:GetTopicRule","iot:ListJobs","iot:ListTagsForResource","iot:ListTopicRules",
"kafka:DescribeCluster","kafka:ListClusters","kafka:ListNodes",
"kinesis:DescribeStream","kinesis:ListStreams","kinesis:ListTagsForStream",
"kms:DescribeCustomKeyStores","kms:DescribeKey","kms:ListKeys",
"lambda:GetFunctionConfiguration","lambda:ListEventSourceMappings","lambda:ListFunctions","lambda:ListTags",
"lex:GetBot","lex:GetBotAliases","lex:GetBotChannelAssociation","lex:GetBotChannelAssociations","lex:GetBots",
"lightsail:GetInstance","lightsail:GetInstances",
"machinelearning:DescribeBatchPredictions","machinelearning:DescribeDataSources","machinelearning:DescribeEvaluations","machinelearning:DescribeMLModels","machinelearning:DescribeTags","machinelearning:GetBatchPrediction","machinelearning:GetDataSource","machinelearning:GetEvaluation","machinelearning:GetMLModel",
"mediaconnect:DescribeFlow","mediaconnect:ListFlows",
"mediaconvert:DescribeEndpoints","mediaconvert:GetJob","mediaconvert:GetJobTemplate","mediaconvert:GetPreset","mediaconvert:GetQueue","mediaconvert:ListJobs","mediaconvert:ListJobTemplates","mediaconvert:ListPresets","mediaconvert:ListQueues",
"mediapackage:DescribeChannel","mediapackage:DescribeHarvestJob","mediapackage:DescribeOriginEndpoint","mediapackage:ListChannels","mediapackage:ListHarvestJobs","mediapackage:ListOriginEndpoints",
"mediatailor:GetPlaybackConfiguration","mediatailor:ListPlaybackConfigurations",
"mq:DescribeBroker","mq:ListBrokers",
"opsworks:DescribeInstances","opsworks:DescribeLayers","opsworks:DescribeStacks","opsworks:ListTags",
"rds:DescribeDBClusters","rds:DescribeDBInstances","rds:DescribeDBSnapshots","rds:DescribeDBSubnetGroups","rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups","redshift:DescribeClusters","redshift:DescribeClusterSubnetGroups",
"route53:GetHealthCheck","route53:GetHostedZone","route53:ListHealthChecks","route53:ListHostedZones","route53:ListTagsForResource",
"s3:GetBucketLocation","s3:GetBucketTagging","s3:GetMetricsConfiguration","s3:GetObject","s3:ListAllMyBuckets","s3:ListBucket",
"sagemaker:DescribeEndpoint","sagemaker:DescribeEndpointConfig","sagemaker:DescribeLabelingJob","sagemaker:DescribeModel","sagemaker:DescribeTrainingJob","sagemaker:DescribeTransformJob","sagemaker:ListEndpoints","sagemaker:ListLabelingJobs","sagemaker:ListTrainingJobs","sagemaker:ListTransformJobs",
"sns:ListTagsForResource","sns:ListTopics",
"sqs:ListQueues","sqs:ListQueueTags",
"states:DescribeStateMachine","states:ListStateMachines","states:ListTagsForResource",
"storagegateway:DescribeCachediSCSIVolumes","storagegateway:DescribeGatewayInformation","storagegateway:ListGateways","storagegateway:ListTagsForResource","storagegateway:ListVolumes",
"swf:DescribeDomain","swf:DescribeWorkflowExecution","swf:ListActivityTypes","swf:ListClosedWorkflowExecutions","swf:ListDomains","swf:ListWorkflowTypes",
"translate:DescribeTextTranslationJob","translate:ListTextTranslationJobs",
"waf-regional:GetRule","waf-regional:GetWebACL","waf-regional:ListWebACLs",
"waf:GetRule","waf:GetWebACL","waf:ListWebACLs",
"wafv2:GetWebACL","wafv2:ListResourcesForWebACL","wafv2:ListWebACLs",
"workspaces:DescribeTags","workspaces:DescribeWorkspaceBundles","workspaces:DescribeWorkspaceDirectories","workspaces:DescribeWorkspaces"

Note: the action names above use straight ASCII quotes and no trailing comma so that they can be pasted directly into the `Action` array of an IAM policy statement; the typographic quotes and the dangling comma in the original rendering are rejected by the IAM policy JSON parser. Action names that were split across line breaks in the original rendering (`ec2:DescribeNetworkInterfaces`, `gamelift:ListFleets`, `mq:ListBrokers`) have been rejoined.