Complete IAM Policy

CloudCheckr has updated its least privilege policies to offer a more controlled method for managing permissions in your AWS account.

To ensure that users only have access to a discrete set of permissions, you can now enable permissions by category, where each category corresponds to one of the core areas of functionality within our application:

  • Cost
  • Billing
  • Security/Compliance
  • Inventory
  • CloudWatch Flow Logs
  • CloudTrail

Using the New Policies

Recommended Method: CloudCheckr CloudFormation Stack

The recommended method to use the CloudCheckr policies is via our CloudFormation stack. You can see full documentation on this process here.

  • With this CloudFormation stack, you automatically create a cross-account role that provides least privilege access to CloudCheckr.
  • You will have the option to choose all policy categories or just the specific categories you want.

You can also download a JSON file containing the CloudFormation stack here, or copy the template below:

{
"AWSTemplateFormatVersion": "2010-09-09",
"Metadata":{
"AWS::CloudFormation::Interface":{
"ParameterGroups":[
{
"Label":{"default":"IAM Role"},
"Parameters":["ExternalAccount","ExternalId"]
},
{
"Label":{"default":"Inventory"},
"Parameters":["InventoryAndUtilzation"]
},
{
"Label":{"default":"Billing"},
"Parameters":["CostPermissions","BillingBucket"]
},
{
"Label":{"default":"Security"},
"Parameters":["Security","CloudTrailBucket"]
},
{
"Label":{"default":"CloudWatch Flow Logs"},
"Parameters":["CloudWatchFlowLogs"]
}
]
}
},
"Parameters": {
"ExternalId":{
"Type":"String",
"Description":"CloudCheckr External ID"
},
"ExternalAccount":{
"Type":"String",
"Default":"352813966189",
"Description":"CloudCheckr Account"
},
"Security":{
"Type": "String",
"Default": "True",
"Description": "Use CloudCheckr to process security data?",
"AllowedValues": ["True", "False"]
},
"InventoryAndUtilzation":{
"Type": "String",
"Default": "True",
"Description": "Use CloudCheckr to process inventory and utilization data?",
"AllowedValues": ["True", "False"]
},
"CostPermissions": {
"Type": "String",
"Default": "True",
"Description": "Use CloudCheckr to process billing data?",
"AllowedValues": ["True", "False"]
},
"BillingBucket":{
"Type":"String",
"Description":"AWS Detailed Billing Report Bucket"
},
"CloudTrailBucket":{
"Type":"String",
"Description":"AWS CloudTrail Bucket"
},
"CloudWatchFlowLogs":{
"Type": "String",
"Default": "True",
"Description": "Use CloudCheckr to process CloudWatch Flow Logs data?",
"AllowedValues": ["True", "False"]
}
},
"Conditions": {
"IncludeCost": {"Fn::Equals": [{"Ref": "CostPermissions"}, "True"]},
"IncludeInventory": {"Fn::Equals": [{"Ref": "InventoryAndUtilzation"}, "True"]},
"IncludeSecurity": {"Fn::Equals": [{"Ref": "Security"}, "True"]},
"IncludeFlowLogs": {"Fn::Equals": [{"Ref": "CloudWatchFlowLogs"}, "True"]},
"IncludeCloudTrailBucket": {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "CloudTrailBucket"}]}]},
"IncludeBillingBucket": {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "BillingBucket"}]}]}
},
"Resources": {
"IamRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${ExternalAccount}:root"}},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
}
}
}]
}
}
},
"CloudWatchFlowLogsPolicy":{
"Type":"AWS::IAM::Policy",
"Condition":"IncludeFlowLogs",
"DependsOn":"IamRole",
"Properties":{
"Roles":[{"Ref":"IamRole"}],
"PolicyName":"CloudCheckr-CloudWatchFlowLogs-Policy",
"PolicyDocument":{
"Version":"2012-10-17",
"Statement":[{
"Sid":"CloudWatchLogsSpecific",
"Effect":"Allow",
"Action":[
"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource":[
"arn:aws:logs:*:*:*"
]
}]
}
}
},
"CloudTrailPolicy":{
"Type":"AWS::IAM::Policy",
"Condition":"IncludeCloudTrailBucket",
"DependsOn":"IamRole",
"Properties":{
"Roles":[{"Ref":"IamRole"}],
"PolicyName":"CloudCheckr-CloudTrail-Policy",
"PolicyDocument":{
"Version":"2012-10-17",
"Statement":[{
"Sid": "CloudTrailPermissions",
"Effect": "Allow",
"Action": [
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObject",
"s3:GetObjectMetadata",
"s3:List*"
],
"Resource": [
{"Fn::Sub":"arn:aws:s3:::${CloudTrailBucket}"},
{"Fn::Sub":"arn:aws:s3:::${CloudTrailBucket}/*"}
]
}]
}
}
},
"SecurityPolicy":{
"Type":"AWS::IAM::Policy",
"Condition":"IncludeSecurity",
"DependsOn":"IamRole",
"Properties":{
"Roles":[{"Ref":"IamRole"}],
"PolicyName":"CloudCheckr-Security-Policy",
"PolicyDocument":{
"Version":"2012-10-17",
"Statement":[{
"Sid": "SecurityPermissons",
"Effect":"Allow",
"Action":[
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeDeliveryChannels",
"config:DescribeDeliveryChannelStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",
"ec2:Describe*",
"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListResourceTags",
"rds:Describe*",
"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",
"sns:GetSnsTopic",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sqs:ListQueues",
"sqs:GetQueueAttributes"
],
"Resource": "*"
}]
}
}
},
"InventoryPolicy":{
"Type":"AWS::IAM::Policy",
"Condition":"IncludeInventory",
"DependsOn":"IamRole",
"Properties":{
"Roles":[{"Ref":"IamRole"}],
"PolicyName":"CloudCheckr-Inventory-Policy",
"PolicyDocument":{
"Version":"2012-10-17",
"Statement":[{
"Sid":"InventoryAndUtilization",
"Effect":"Allow",
"Action":[
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",
"ec2:Describe*",
"ec2:GetConsoleOutput",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudhsm:Describe*",
"cloudhsm:List*",
"cloudsearch:Describe*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:Describe*",
"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:DescribePipelines",
"directconnect:DescribeLocations",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListTasks",
"ecs:DescribeTasks",
"ssm:ListResourceDataSync",
"ssm:ListAssociations",
"ssm:ListDocumentVersions",
"ssm:ListDocuments",
"ssm:ListInstanceAssociations",
"ssm:ListInventoryEntries",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Describe*",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"glacier:ListTagsForVault",
"glacier:DescribeVault",
"glacier:GetVaultNotifications",
"glacier:DescribeJob",
"glacier:GetJobOutput",
"glacier:ListJobs",
"glacier:ListVaults",
"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",
"iot:DescribeThing",
"iot:ListThings",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListResourceTags",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"lambda:ListFunctions",
"lambda:ListTags",
"Organizations:List*",
"Organizations:Describe*",
"rds:Describe*",
"rds:List*",
"redshift:Describe*",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObjectMetadata",
"s3:List*",
"sdb:ListDomains",
"sdb:DomainMetadata",
"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",
"sns:GetSnsTopic",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"storagegateway:Describe*",
"storagegateway:List*",
"support:*",
"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListActivityTypes",
"swf:ListWorkflowTypes",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaces"
],
"Resource":"*"
}]
}
}
},
"DbrPolicy":{
"Type":"AWS::IAM::Policy",
"Condition":"IncludeBillingBucket",
"DependsOn":"IamRole",
"Properties":{
"Roles":[{"Ref":"IamRole"}],
"PolicyName":"CloudCheckr-DBR-Policy",
"PolicyDocument":{
"Version":"2012-10-17",
"Statement":[{
"Sid":"CostReadDBR",
"Effect":"Allow",
"Action":[
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObject",
"s3:GetObjectMetadata"
],
"Resource":[
{"Fn::Sub":"arn:aws:s3:::${BillingBucket}"},
{"Fn::Sub":"arn:aws:s3:::${BillingBucket}/*"}
]
}]
}
}
},
"CostPolicy": {
"Type": "AWS::IAM::Policy",
"Condition": "IncludeCost",
"DependsOn":"IamRole",
"Properties": {
"PolicyName": "CloudCheckr-Cost-Policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Sid": "CloudCheckrCostPermissions",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesListings",
"ec2:DescribeHostReservationOfferings",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeHostReservations",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeRegions",
"ec2:DescribeKeyPairs",
"ec2:DescribePlacementGroups",
"ec2:DescribeAddresses",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeVolumeStatus",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeReservedCacheNodesOfferings",
"rds:DescribeReservedDBInstances",
"rds:DescribeReservedDBInstancesOfferings",
"rds:DescribeDBInstances",
"redshift:DescribeReservedNodes",
"redshift:DescribeReservedNodeOfferings",
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObjectMetadata",
"s3:List*",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"iam:GetAccountAuthorizationDetails",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies"
],
"Effect": "Allow",
"Resource": "*"
}]
},
"Roles":[{"Ref":"IamRole"}]
}
}
},
"Outputs": {
"RoleArn":{
"Description":"ARN of the IAM Role",
"Value":{"Fn::GetAtt":["IamRole","Arn"]}
}
}
}

Optional Method: Manual Role Creation

Besides the CloudFormation stack method, you can create a cross-account role manually and attach any of the least privilege policy categories to the role.

{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"CloudCheckrCostPermissions",
"Effect":"Allow",
"Action":[
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesListings",
"ec2:DescribeHostReservationOfferings",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeHostReservations",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeRegions",
"ec2:DescribeKeyPairs",
"ec2:DescribePlacementGroups",
"ec2:DescribeAddresses",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeVolumeStatus",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeReservedCacheNodesOfferings",
"rds:DescribeReservedDBInstances",
"rds:DescribeReservedDBInstancesOfferings",
"rds:DescribeDBInstances",
"redshift:DescribeReservedNodes",
"redshift:DescribeReservedNodeOfferings",
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:List*",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"iam:GetAccountAuthorizationDetails",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies"
],
"Resource":"*"
}
]
}

{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"CostReadDBR",
"Effect":"Allow",
"Action":[
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObject"
],
"Resource":[
"arn:aws:s3:::[YOUR DETAILED BILLING REPORT BUCKET]",
"arn:aws:s3:::[YOUR DETAILED BILLING REPORT BUCKET]/*",
"arn:aws:s3:::[YOUR COST AND USAGE REPORT BUCKET]",
"arn:aws:s3:::[YOUR COST AND USAGE REPORT BUCKET]/*"
]
}
]
}

The two Cost and Usage Report bucket entries are optional; remove them if you do not use a Cost and Usage Report bucket.

{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"SecurityPermissons",
"Effect":"Allow",
"Action":[
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeDeliveryChannels",
"config:DescribeDeliveryChannelStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",
"ec2:Describe*",
"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListResourceTags",
"rds:Describe*",
"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",
"sns:GetSnsTopic",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sqs:ListQueues",
"sqs:GetQueueAttributes"
],
"Resource":"*"
}
]
}

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "InventoryAndUtilization",
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",
"ec2:Describe*",
"ec2:GetConsoleOutput",
"autoscaling:Describe*",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudhsm:Describe*",
"cloudhsm:List*",
"cloudsearch:Describe*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cognito-identity:ListIdentities",
"cognito-identity:ListIdentityPools",
"cognito-idp:ListGroups",
"cognito-idp:ListIdentityProviders",
"cognito-idp:ListUserPools",
"cognito-idp:ListUsers",
"cognito-idp:ListUsersInGroup",
"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:Describe*",
"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:DescribePipelines",
"directconnect:DescribeLocations",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListTasks",
"ecs:DescribeTasks",
"ssm:ListResourceDataSync",
"ssm:ListAssociations",
"ssm:ListDocumentVersions",
"ssm:ListDocuments",
"ssm:ListInstanceAssociations",
"ssm:ListInventoryEntries",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Describe*",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"glacier:ListTagsForVault",
"glacier:DescribeVault",
"glacier:GetVaultNotifications",
"glacier:DescribeJob",
"glacier:GetJobOutput",
"glacier:ListJobs",
"glacier:ListVaults",
"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",
"iot:DescribeThing",
"iot:ListThings",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListResourceTags",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"lambda:ListFunctions",
"lambda:ListTags",
"Organizations:List*",
"Organizations:Describe*",
"rds:Describe*",
"rds:List*",
"redshift:Describe*",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:List*",
"sdb:ListDomains",
"sdb:DomainMetadata",
"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",
"sns:GetSnsTopic",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"storagegateway:Describe*",
"storagegateway:List*",
"support:*",
"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListActivityTypes",
"swf:ListWorkflowTypes",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaces"
],
"Resource": "*"
}
]
}

{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"CloudWatchLogsSpecific",
"Effect":"Allow",
"Action":[
"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource":[
"arn:aws:logs:*:*:*"
]
}
]
}

{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"CloudTrailPermissions",
"Effect":"Allow",
"Action":[
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:GetNotificationConfiguration",
"s3:GetObject",
"s3:List*"
],
"Resource":[
"arn:aws:s3:::[YOUR CLOUDTRAIL BUCKET]",
"arn:aws:s3:::[YOUR CLOUDTRAIL BUCKET]/*"
]
}
]
}

AWS policies have a 6,144 character limit, so if you create the role manually you will also need to create an individual policy for each of the categories above rather than one combined policy.

See the article on Create a Cross-Account Role Manually.


A Note on the New Policy Structure

CloudCheckr will attempt to ingest data from all of the categories to populate the Cost, Billing, Security, Inventory, and CloudWatch Flow Log reports.

Since CloudCheckr must make calls even to those categories where you have not enabled permissions, you will see Unauthorized Access attempts in your CloudTrail logs. Please be assured that these logs are only an indication of the CloudCheckr workflow and in no way reflect an attempt on the part of CloudCheckr to collect unauthorized information from our customers.
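The denied calls described above are expected only for categories you did not enable. The following added example (not CloudCheckr's tooling) triages CloudTrail denial records from the cross-account role: a denial for an action that belongs only to disabled categories is workflow noise, while a denial for an action in an enabled category (policy misconfiguration) or for an action outside every category is raised as an alert. The category action lists are abbreviated from the policies on this page, the role name and the records are constructed.

```python
from fnmatch import fnmatchcase

# A few action patterns per category, copied from the policies on this page (abbreviated).
CATEGORY_ACTIONS = {
    "Security": ["cloudtrail:DescribeTrails", "ec2:Describe*", "iam:Get*", "iam:List*", "kms:DescribeKey"],
    "Inventory": ["ec2:Describe*", "cloudformation:DescribeStacks", "support:*", "lambda:ListFunctions"],
    "Cost": ["ec2:DescribeReservedInstances", "rds:DescribeReservedDBInstances", "s3:List*"],
    "CloudWatchFlowLogs": ["logs:GetLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
}
# CloudTrail error codes that mean the call was denied (EC2 uses its own spelling).
DENIAL_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

def record_action(record):
    """ec2.amazonaws.com + DescribeInstances -> ec2:DescribeInstances (the IAM action form)."""
    return f"{record['eventSource'].split('.', 1)[0]}:{record['eventName']}"

def categories_for(action):
    """Categories whose policies contain a pattern covering this action."""
    return [cat for cat, patterns in CATEGORY_ACTIONS.items()
            if any(fnmatchcase(action.lower(), p.lower()) for p in patterns)]

def classify_denials(records, role_name, enabled):
    """Sort denied calls made by the CloudCheckr role into expected noise and alerts.

    expected: the action belongs only to categories you did not enable (the workflow noise described above)
    alerts:   denied although its category is enabled (misconfiguration), or not a CloudCheckr action at all
    """
    expected, alerts = [], []
    for rec in records:
        if rec.get("errorCode") not in DENIAL_CODES:
            continue
        if f":assumed-role/{role_name}/" not in rec.get("userIdentity", {}).get("arn", ""):
            continue
        action = record_action(rec)
        cats = categories_for(action)
        if any(cat in enabled for cat in cats):
            alerts.append((action, "denied although its category is enabled; check the attached policy"))
        elif cats:
            expected.append(action)
        else:
            alerts.append((action, "not in any CloudCheckr policy category; investigate the caller"))
    return expected, alerts

# Constructed sample records carrying only the CloudTrail fields the triage uses.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/CloudCheckr-Role/CloudCheckr"
SAMPLE_RECORDS = [
    {"eventSource": "logs.amazonaws.com", "eventName": "GetLogEvents", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},  # succeeded: no errorCode
    {"eventSource": "iam.amazonaws.com", "eventName": "ListRoles", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Other-Role/x"}},
]

if __name__ == "__main__":
    noise, alerts = classify_denials(SAMPLE_RECORDS, "CloudCheckr-Role", {"Security", "Inventory", "Cost"})
    print("expected noise:", noise)
    print("alerts:", alerts)
```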


Notes on s3:GetObject Permissions

In order to help you maintain a secure, least privilege configuration, CloudCheckr's Security/Compliance policy does not include any s3:GetObject permissions. However, there are a couple of reports that can use this data if you choose. If you want these select reports to be fully populated with data you can add permissions in the following ways:

For the S3 Encryption Details Report: If you want CloudCheckr to scan your encrypted S3 buckets, you can add the s3:GetObject permission, but we recommend restricting it to only the specific S3 bucket(s) that you choose.

For the List of VPCs Report: When using the default Security/Compliance policy, the Number of Elastic Beanstalk Applications within a VPC will always display 0. If you want to ingest data on the Elastic Beanstalk applications for this report, you will need to add the s3:GetObject* permission to your policy.
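Before attaching hand-built policies, it is worth checking three things this topic calls out: that the role's trust policy keeps the sts:ExternalId condition from the template, that each category policy stays under the 6,144 character limit noted in the Optional Method section, and that any s3:GetObject you add is scoped to named buckets rather than "*". The following added example (not CloudCheckr's code) does that over constructed sample policies; the policy names, the example ExternalId, the bucket name and the hypothetical action names used to build an oversized policy are assumptions.

```python
import json
import re
from fnmatch import fnmatchcase
POLICY_CHAR_LIMIT = 6144  # limit quoted on this page; IAM measures it with whitespace removed

def as_list(value):
    """Action/Resource/Principal may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def policy_size(policy):
    """Character count the way IAM counts it: serialised JSON with all whitespace removed."""
    return len(re.sub(r"\s", "", json.dumps(policy, separators=(",", ":"))))

def trust_findings(trust_policy, expected_account):
    """Flag an sts:AssumeRole grant that trusts another account or lacks the sts:ExternalId guard."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        for principal in as_list(stmt.get("Principal", {}).get("AWS")):
            if principal != f"arn:aws:iam::{expected_account}:root":
                findings.append(f"trusts unexpected principal {principal}")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("sts:AssumeRole allowed without sts:ExternalId condition")
    return findings

def getobject_findings(policy):
    """Flag s3:GetObject (or a wildcard that covers it) granted on an unscoped resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        covers = any(fnmatchcase("s3:getobject", a) for a in actions)
        unscoped = [r for r in as_list(stmt.get("Resource")) if r == "*" or r.startswith("arn:aws:s3:::*")]
        if stmt.get("Effect") == "Allow" and covers and unscoped:
            findings.append(f"s3:GetObject granted on {unscoped[0]}; scope it to the bucket(s) you choose")
    return findings

def lint(trust_policy, category_policies, expected_account):
    """Return {policy name: [findings]} for the trust policy and each category policy."""
    report = {"trust": trust_findings(trust_policy, expected_account)}
    for name, policy in category_policies.items():
        findings = getobject_findings(policy)
        if (size := policy_size(policy)) > POLICY_CHAR_LIMIT:
            findings.append(f"{size} characters exceeds the {POLICY_CHAR_LIMIT} limit; split into per-category policies")
        report[name] = findings
    return report

# Constructed sample input: the trust policy shape from the template above plus three category policies.
CLOUDCHECKR_ACCOUNT = "352813966189"  # ExternalAccount default from the template
ASSUME = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": f"arn:aws:iam::{CLOUDCHECKR_ACCOUNT}:root"}}
TRUST = {"Version": "2012-10-17", "Statement": [dict(ASSUME, Condition={"StringEquals": {"sts:ExternalId": "EXAMPLE-ID"}})]}
TRUST_NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [ASSUME]}
POLICIES = {
    "dbr": {"Version": "2012-10-17", "Statement": [{"Sid": "CostReadDBR", "Effect": "Allow",
            "Action": ["s3:GetBucketLocation", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-billing-bucket", "arn:aws:s3:::my-billing-bucket/*"]}]},
    "security-plus-getobject": {"Version": "2012-10-17", "Statement": [{"Sid": "SecurityPermissons",
            "Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "s3:GetObject"], "Resource": "*"}]},
    "oversized": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": [f"ec2:DescribeConstructed{i}" for i in range(400)]}]},  # hypothetical action names
}

if __name__ == "__main__":
    for name, findings in lint(TRUST, POLICIES, CLOUDCHECKR_ACCOUNT).items():
        print(f"{name}: {findings or 'ok'}")
```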

Notes on s3:GetEncryptionConfiguration Permission

This permission is now required to allow the application to determine an S3 bucket's default encryption status. For your convenience, we have already added this permission to the Inventory module of the CloudFormation Stack policy in the Recommended Method section and to the separate Inventory category in the Optional Method section in this topic.
