IAM permissions

Fix Security requires the below permissions to collect AWS resources.

Amazon Web Services (AWS)

Namespace	Service
acm	DescribeCertificate ListCertificates
apigateway	GET
athena	GetDataCatalog GetWorkGroup ListDataCatalogs ListTagsForResource ListWorkGroups
autoscaling	DescribeAutoScalingGroups
backup	ListBackupJobs ListBackupPlans ListBackupVaults ListCopyJobs ListFrameworks ListLegalHolds ListProtectedResources ListRecoveryPointsByBackupVault ListReportPlans ListRestoreJobs ListRestoreTestingPlans ListTags
cloudformation	DescribeStacks ListStackInstances ListStackResources ListStackSets ListStacks
cloudfront	GetDistribution ListCachePolicies ListDistributions ListFieldLevelEncryptionConfigs ListFieldLevelEncryptionProfiles ListFunctions ListOriginAccessControls ListPublicKeys ListRealtimeLogConfigs ListResponseHeadersPolicies ListStreamingDistributions TagResource UntagResource
cloudtrail	GetEventSelectors GetInsightSelectors GetTrail GetTrailStatus ListTags ListTrails
cloudwatch	DescribeAlarms GetMetricData
cognito-idp	ListGroups ListTagsForResource ListUserPools ListUsers
config	DescribeConfigurationRecorderStatus DescribeConfigurationRecorders
dynamodb	DescribeContinuousBackups DescribeGlobalTable DescribeTable ListGlobalTables ListTables ListTagsOfResource
ec2	DescribeAddresses DescribeFlowLogs DescribeHosts DescribeImages DescribeInstanceTypes DescribeInstances DescribeInternetGateways DescribeKeyPairs DescribeLaunchTemplateVersions DescribeNatGateways DescribeNetworkAcls DescribeNetworkInterfaces DescribeRegions DescribeReservedInstances DescribeRouteTables DescribeSecurityGroups DescribeSnapshots DescribeSubnets DescribeVolumes DescribeVpcEndpoints DescribeVpcPeeringConnections DescribeVpcs
ecr-public	DescribeRepositories
ecr	DescribeRepositories GetLifecyclePolicy
ecs	DescribeCapacityProviders DescribeClusters DescribeContainerInstances DescribeServices DescribeTaskDefinition DescribeTasks ListClusters ListContainerInstances ListServices ListTaskDefinitions ListTasks
eks	DescribeCluster DescribeNodegroup ListClusters ListNodegroups
elasticache	DescribeCacheClusters DescribeReplicationGroups ListTagsForResource
elasticbeanstalk	DescribeApplications DescribeEnvironmentResources DescribeEnvironments ListTagsForResource
elasticfilesystem	DescribeAccessPoints DescribeFileSystemPolicy DescribeFileSystems DescribeMountTargets
elasticloadbalancing	DescribeListeners DescribeLoadBalancerAttributes DescribeLoadBalancers DescribeTags DescribeTargetGroups DescribeTargetHealth
glacier	ListJobs ListTagsForVault ListVaults
iam	GenerateCredentialReport GetAccessKeyLastUsed GetAccountAuthorizationDetails GetAccountPasswordPolicy GetAccountSummary GetCredentialReport ListAccessKeys ListAccountAliases ListInstanceProfiles ListServerCertificates
kinesis	DescribeStream ListStreams ListTagsForStream
kms	DescribeKey GetKeyPolicy GetKeyRotationStatus ListKeys ListResourceTags
lambda	GetFunctionUrlConfig GetPolicy ListFunctions ListTags
logs	DescribeLogGroups DescribeMetricFilters
opensearch	DescribeDomainNames ListDomainNames
organizations	DescribeAccount ListAccounts
pricing	GetProducts
rds	DescribeDbClusterSnapshots DescribeDbClusters DescribeDbInstances DescribeDbSnapshots ListTagsForResource
redshift	DescribeClusters DescribeLoggingStatus
route53	ListHostedZones ListResourceRecordSets ListTagsForResource
s3	GetAccountPublicAccessBlock GetBucketAcl GetBucketLocation GetBucketLogging GetBucketPolicy GetBucketTagging GetBucketVersioning GetEncryptionConfiguration ListAllMyBuckets
sagemaker	DescribeAlgorithm DescribeApp DescribeArtifact DescribeAutoMlJob DescribeCompilationJob DescribeDomain DescribeEndpoint DescribeHyperParameterTuningJob DescribeImage DescribeInferenceRecommendationsJob DescribeLabelingJob DescribeModel DescribeNotebookInstance DescribePipeline DescribeProcessingJob DescribeTrainingJob DescribeTransformJob DescribeTrial ListAlgorithms ListApps ListArtifacts ListAutoMlJobs ListCodeRepositories ListCompilationJobs ListDomains ListEndpoints ListExperiments ListHyperParameterTuningJobs ListImages ListInferenceRecommendationsJobs ListLabelingJobs ListModels ListNotebookInstances ListPipelines ListProcessingJobs ListProjects ListTags ListTrainingJobs ListTransformJobs ListTrials ListUserProfiles ListWorkteams
secretsmanager	ListSecrets
servicequotas	ListServiceQuotas
sns	GetPlatformApplicationAttributes GetSubscriptionAttributes GetTopicAttributes ListEndpointsByPlatformApplication ListPlatformApplications ListSubscriptions ListTagsForResource ListTopics
sqs	GetQueueAttributes ListQueueTags ListQueues
ssm	DescribeDocument DescribeInstanceInformation GetDocument ListDocuments ListResourceComplianceSummaries
wafv2	GetLoggingConfiguration GetWebAcl ListResourcesForWebAcl ListWebAcls

Google Cloud

Namespace	Service
cloudsql	backupRuns.list databases.list instances.get instances.list users.list
compute	acceleratorTypes.list addresses.list autoscalers.list backendBuckets.list backendServices.list commitments.list diskTypes.list disks.list externalVpnGateways.list firewalls.list forwardingRules.list globalOperations.list healthChecks.list httpHealthChecks.list httpsHealthChecks.list images.list instanceGroupManagers.list instanceGroups.list instanceTemplates.list instances.list interconnectAttachments.list interconnectLocations.list interconnects.list licenses.list machineImages.list machineTypes.get machineTypes.list networkEdgeSecurityServices.list networkEndpointGroups.list networks.list nodeGroups.list nodeTemplates.list nodeTypes.list packetMirrorings.list publicAdvertisedPrefixes.list publicDelegatedPrefixes.list regionHealthCheckServices.list regionNotificationEndpoints.list resourcePolicies.list routers.list routes.list securityPolicies.list serviceAttachments.list snapshots.list sslCertificates.list sslPolicies.list subnetworks.list targetGrpcProxies.list targetHttpProxies.list targetHttpsProxies.list targetInstances.list targetPools.list targetSslProxies.list targetTcpProxies.list targetVpnGateways.list urlMaps.list vpnGateways.list vpnTunnels.list
container	clusters.list operations.list
storage	buckets.list