Skip to main content

IAM Permissions

Fix requires the below permissions to collect AWS resources.

NamespaceService
acm
  • DescribeCertificate
  • ListCertificates
apigateway
  • GET
athena
  • GetDataCatalog
  • GetWorkGroup
  • ListDataCatalogs
  • ListTagsForResource
  • ListWorkGroups
autoscaling
  • DescribeAutoScalingGroups
cloudformation
  • DescribeStacks
  • ListStackInstances
  • ListStackResources
  • ListStackSets
  • ListStacks
cloudfront
  • GetDistribution
  • ListCachePolicies
  • ListDistributions
  • ListFieldLevelEncryptionConfigs
  • ListFieldLevelEncryptionProfiles
  • ListFunctions
  • ListOriginAccessControls
  • ListPublicKeys
  • ListRealtimeLogConfigs
  • ListResponseHeadersPolicies
  • ListStreamingDistributions
  • TagResource
  • UntagResource
cloudtrail
  • GetEventSelectors
  • GetInsightSelectors
  • GetTrail
  • GetTrailStatus
  • ListTags
  • ListTrails
cloudwatch
  • DescribeAlarms
  • GetMetricData
cognito-idp
  • ListGroups
  • ListTagsForResource
  • ListUserPools
  • ListUsers
config
  • DescribeConfigurationRecorderStatus
  • DescribeConfigurationRecorders
dynamodb
  • DescribeGlobalTable
  • DescribeTable
  • ListGlobalTables
  • ListTables
  • ListTagsOfResource
ec2
  • DescribeAddresses
  • DescribeFlowLogs
  • DescribeHosts
  • DescribeImages
  • DescribeInstanceTypes
  • DescribeInstances
  • DescribeInternetGateways
  • DescribeKeyPairs
  • DescribeLaunchTemplateVersions
  • DescribeNatGateways
  • DescribeNetworkAcls
  • DescribeNetworkInterfaces
  • DescribeRegions
  • DescribeReservedInstances
  • DescribeRouteTables
  • DescribeSecurityGroups
  • DescribeSnapshots
  • DescribeSubnets
  • DescribeVolumes
  • DescribeVpcEndpoints
  • DescribeVpcPeeringConnections
  • DescribeVpcs
ecr-public
  • DescribeRepositories
ecr
  • DescribeRepositories
  • GetLifecyclePolicy
ecs
  • DescribeCapacityProviders
  • DescribeClusters
  • DescribeContainerInstances
  • DescribeServices
  • DescribeTaskDefinition
  • DescribeTasks
  • ListClusters
  • ListContainerInstances
  • ListServices
  • ListTaskDefinitions
  • ListTasks
eks
  • DescribeCluster
  • DescribeNodegroup
  • ListClusters
  • ListNodegroups
elasticache
  • DescribeCacheClusters
  • DescribeReplicationGroups
  • ListTagsForResource
elasticbeanstalk
  • DescribeApplications
  • DescribeEnvironmentResources
  • DescribeEnvironments
  • ListTagsForResource
elasticfilesystem
  • DescribeAccessPoints
  • DescribeFileSystemPolicy
  • DescribeFileSystems
  • DescribeMountTargets
elasticloadbalancing
  • DescribeListeners
  • DescribeLoadBalancerAttributes
  • DescribeLoadBalancers
  • DescribeTags
  • DescribeTargetGroups
  • DescribeTargetHealth
glacier
  • ListJobs
  • ListTagsForVault
  • ListVaults
iam
  • GenerateCredentialReport
  • GetAccessKeyLastUsed
  • GetAccountAuthorizationDetails
  • GetAccountPasswordPolicy
  • GetAccountSummary
  • GetCredentialReport
  • ListAccessKeys
  • ListAccountAliases
  • ListInstanceProfiles
  • ListServerCertificates
kinesis
  • DescribeStream
  • ListStreams
  • ListTagsForStream
kms
  • DescribeKey
  • GetKeyPolicy
  • GetKeyRotationStatus
  • ListKeys
  • ListResourceTags
lambda
  • GetFunctionUrlConfig
  • GetPolicy
  • ListFunctions
  • ListTags
logs
  • DescribeLogGroups
  • DescribeMetricFilters
opensearch
  • DescribeDomainNames
  • ListDomainNames
organizations
  • DescribeAccount
  • ListAccounts
pricing
  • GetProducts
rds
  • DescribeDbClusterSnapshots
  • DescribeDbClusters
  • DescribeDbInstances
  • DescribeDbSnapshots
  • ListTagsForResource
redshift
  • DescribeClusters
  • DescribeLoggingStatus
route53
  • ListHostedZones
  • ListResourceRecordSets
  • ListTagsForResource
s3
  • GetAccountPublicAccessBlock
  • GetBucketAcl
  • GetBucketLocation
  • GetBucketLogging
  • GetBucketPolicy
  • GetBucketTagging
  • GetBucketVersioning
  • GetEncryptionConfiguration
  • ListAllMyBuckets
sagemaker
  • DescribeAlgorithm
  • DescribeApp
  • DescribeArtifact
  • DescribeAutoMlJob
  • DescribeCompilationJob
  • DescribeDomain
  • DescribeEdgePackagingJob
  • DescribeEndpoint
  • DescribeHyperParameterTuningJob
  • DescribeImage
  • DescribeInferenceRecommendationsJob
  • DescribeLabelingJob
  • DescribeModel
  • DescribeNotebookInstance
  • DescribePipeline
  • DescribeProcessingJob
  • DescribeTrainingJob
  • DescribeTransformJob
  • DescribeTrial
  • ListAlgorithms
  • ListApps
  • ListArtifacts
  • ListAutoMlJobs
  • ListCodeRepositories
  • ListCompilationJobs
  • ListDomains
  • ListEdgePackagingJobs
  • ListEndpoints
  • ListExperiments
  • ListHyperParameterTuningJobs
  • ListImages
  • ListInferenceRecommendationsJobs
  • ListLabelingJobs
  • ListModels
  • ListNotebookInstances
  • ListPipelines
  • ListProcessingJobs
  • ListProjects
  • ListTags
  • ListTrainingJobs
  • ListTransformJobs
  • ListTrials
  • ListUserProfiles
  • ListWorkteams
secretsmanager
  • ListSecrets
servicequotas
  • ListServiceQuotas
sns
  • GetPlatformApplicationAttributes
  • GetSubscriptionAttributes
  • GetTopicAttributes
  • ListEndpointsByPlatformApplication
  • ListPlatformApplications
  • ListSubscriptions
  • ListTagsForResource
  • ListTopics
sqs
  • GetQueueAttributes
  • ListQueueTags
  • ListQueues
ssm
  • DescribeDocument
  • DescribeInstanceInformation
  • GetDocument
  • ListDocuments
  • ListResourceComplianceSummaries
wafv2
  • GetLoggingConfiguration
  • GetWebAcl
  • ListResourcesForWebAcl
  • ListWebAcls