IAM permissions

Fix Security requires the following permissions to collect AWS resources.

Amazon Web Services (AWS)

Namespace / Service
acm
  • DescribeCertificate
  • ListCertificates
apigateway
  • GET
athena
  • GetDataCatalog
  • GetWorkGroup
  • ListDataCatalogs
  • ListTagsForResource
  • ListWorkGroups
autoscaling
  • DescribeAutoScalingGroups
backup
  • ListBackupJobs
  • ListBackupPlans
  • ListBackupVaults
  • ListCopyJobs
  • ListFrameworks
  • ListLegalHolds
  • ListProtectedResources
  • ListRecoveryPointsByBackupVault
  • ListReportPlans
  • ListRestoreJobs
  • ListRestoreTestingPlans
  • ListTags
cloudformation
  • DescribeStacks
  • ListStackInstances
  • ListStackResources
  • ListStackSets
  • ListStacks
cloudfront
  • GetDistribution
  • ListCachePolicies
  • ListDistributions
  • ListFieldLevelEncryptionConfigs
  • ListFieldLevelEncryptionProfiles
  • ListFunctions
  • ListOriginAccessControls
  • ListPublicKeys
  • ListRealtimeLogConfigs
  • ListResponseHeadersPolicies
  • ListStreamingDistributions
  • TagResource
  • UntagResource
cloudtrail
  • GetEventSelectors
  • GetInsightSelectors
  • GetTrail
  • GetTrailStatus
  • ListTags
  • ListTrails
cloudwatch
  • DescribeAlarms
  • GetMetricData
cognito-idp
  • ListGroups
  • ListTagsForResource
  • ListUserPools
  • ListUsers
config
  • DescribeConfigurationRecorderStatus
  • DescribeConfigurationRecorders
dynamodb
  • DescribeContinuousBackups
  • DescribeGlobalTable
  • DescribeTable
  • ListGlobalTables
  • ListTables
  • ListTagsOfResource
ec2
  • DescribeAddresses
  • DescribeFlowLogs
  • DescribeHosts
  • DescribeImages
  • DescribeInstanceTypes
  • DescribeInstances
  • DescribeInternetGateways
  • DescribeKeyPairs
  • DescribeLaunchTemplateVersions
  • DescribeNatGateways
  • DescribeNetworkAcls
  • DescribeNetworkInterfaces
  • DescribeRegions
  • DescribeReservedInstances
  • DescribeRouteTables
  • DescribeSecurityGroups
  • DescribeSnapshots
  • DescribeSubnets
  • DescribeVolumes
  • DescribeVpcEndpoints
  • DescribeVpcPeeringConnections
  • DescribeVpcs
ecr-public
  • DescribeRepositories
ecr
  • DescribeRepositories
  • GetLifecyclePolicy
ecs
  • DescribeCapacityProviders
  • DescribeClusters
  • DescribeContainerInstances
  • DescribeServices
  • DescribeTaskDefinition
  • DescribeTasks
  • ListClusters
  • ListContainerInstances
  • ListServices
  • ListTaskDefinitions
  • ListTasks
eks
  • DescribeCluster
  • DescribeNodegroup
  • ListClusters
  • ListNodegroups
elasticache
  • DescribeCacheClusters
  • DescribeReplicationGroups
  • ListTagsForResource
elasticbeanstalk
  • DescribeApplications
  • DescribeEnvironmentResources
  • DescribeEnvironments
  • ListTagsForResource
elasticfilesystem
  • DescribeAccessPoints
  • DescribeFileSystemPolicy
  • DescribeFileSystems
  • DescribeMountTargets
elasticloadbalancing
  • DescribeListeners
  • DescribeLoadBalancerAttributes
  • DescribeLoadBalancers
  • DescribeTags
  • DescribeTargetGroups
  • DescribeTargetHealth
glacier
  • ListJobs
  • ListTagsForVault
  • ListVaults
iam
  • GenerateCredentialReport
  • GetAccessKeyLastUsed
  • GetAccountAuthorizationDetails
  • GetAccountPasswordPolicy
  • GetAccountSummary
  • GetCredentialReport
  • ListAccessKeys
  • ListAccountAliases
  • ListInstanceProfiles
  • ListServerCertificates
kinesis
  • DescribeStream
  • ListStreams
  • ListTagsForStream
kms
  • DescribeKey
  • GetKeyPolicy
  • GetKeyRotationStatus
  • ListKeys
  • ListResourceTags
lambda
  • GetFunctionUrlConfig
  • GetPolicy
  • ListFunctions
  • ListTags
logs
  • DescribeLogGroups
  • DescribeMetricFilters
opensearch
  • DescribeDomainNames
  • ListDomainNames
organizations
  • DescribeAccount
  • ListAccounts
pricing
  • GetProducts
rds
  • DescribeDbClusterSnapshots
  • DescribeDbClusters
  • DescribeDbInstances
  • DescribeDbSnapshots
  • ListTagsForResource
redshift
  • DescribeClusters
  • DescribeLoggingStatus
route53
  • ListHostedZones
  • ListResourceRecordSets
  • ListTagsForResource
s3
  • GetAccountPublicAccessBlock
  • GetBucketAcl
  • GetBucketLocation
  • GetBucketLogging
  • GetBucketPolicy
  • GetBucketTagging
  • GetBucketVersioning
  • GetEncryptionConfiguration
  • ListAllMyBuckets
sagemaker
  • DescribeAlgorithm
  • DescribeApp
  • DescribeArtifact
  • DescribeAutoMlJob
  • DescribeCompilationJob
  • DescribeDomain
  • DescribeEndpoint
  • DescribeHyperParameterTuningJob
  • DescribeImage
  • DescribeInferenceRecommendationsJob
  • DescribeLabelingJob
  • DescribeModel
  • DescribeNotebookInstance
  • DescribePipeline
  • DescribeProcessingJob
  • DescribeTrainingJob
  • DescribeTransformJob
  • DescribeTrial
  • ListAlgorithms
  • ListApps
  • ListArtifacts
  • ListAutoMlJobs
  • ListCodeRepositories
  • ListCompilationJobs
  • ListDomains
  • ListEndpoints
  • ListExperiments
  • ListHyperParameterTuningJobs
  • ListImages
  • ListInferenceRecommendationsJobs
  • ListLabelingJobs
  • ListModels
  • ListNotebookInstances
  • ListPipelines
  • ListProcessingJobs
  • ListProjects
  • ListTags
  • ListTrainingJobs
  • ListTransformJobs
  • ListTrials
  • ListUserProfiles
  • ListWorkteams
secretsmanager
  • ListSecrets
servicequotas
  • ListServiceQuotas
sns
  • GetPlatformApplicationAttributes
  • GetSubscriptionAttributes
  • GetTopicAttributes
  • ListEndpointsByPlatformApplication
  • ListPlatformApplications
  • ListSubscriptions
  • ListTagsForResource
  • ListTopics
sqs
  • GetQueueAttributes
  • ListQueueTags
  • ListQueues
ssm
  • DescribeDocument
  • DescribeInstanceInformation
  • GetDocument
  • ListDocuments
  • ListResourceComplianceSummaries
wafv2
  • GetLoggingConfiguration
  • GetWebAcl
  • ListResourcesForWebAcl
  • ListWebAcls

Google Cloud

Namespace / Service
cloudsql
  • backupRuns.list
  • databases.list
  • instances.get
  • instances.list
  • users.list
compute
  • acceleratorTypes.list
  • addresses.list
  • autoscalers.list
  • backendBuckets.list
  • backendServices.list
  • commitments.list
  • diskTypes.list
  • disks.list
  • externalVpnGateways.list
  • firewalls.list
  • forwardingRules.list
  • globalOperations.list
  • healthChecks.list
  • httpHealthChecks.list
  • httpsHealthChecks.list
  • images.list
  • instanceGroupManagers.list
  • instanceGroups.list
  • instanceTemplates.list
  • instances.list
  • interconnectAttachments.list
  • interconnectLocations.list
  • interconnects.list
  • licenses.list
  • machineImages.list
  • machineTypes.get
  • machineTypes.list
  • networkEdgeSecurityServices.list
  • networkEndpointGroups.list
  • networks.list
  • nodeGroups.list
  • nodeTemplates.list
  • nodeTypes.list
  • packetMirrorings.list
  • publicAdvertisedPrefixes.list
  • publicDelegatedPrefixes.list
  • regionHealthCheckServices.list
  • regionNotificationEndpoints.list
  • resourcePolicies.list
  • routers.list
  • routes.list
  • securityPolicies.list
  • serviceAttachments.list
  • snapshots.list
  • sslCertificates.list
  • sslPolicies.list
  • subnetworks.list
  • targetGrpcProxies.list
  • targetHttpProxies.list
  • targetHttpsProxies.list
  • targetInstances.list
  • targetPools.list
  • targetSslProxies.list
  • targetTcpProxies.list
  • targetVpnGateways.list
  • urlMaps.list
  • vpnGateways.list
  • vpnTunnels.list
container
  • clusters.list
  • operations.list
storage
  • buckets.list