Onboarding Permissions for AWS

Introduction

As part of the AWS account preparation required before onboarding cloud accounts into CoreStack, you will need to create least privilege policies— individual policies that must be attached to your cross-account role that allow CoreStack to access the AWS data it needs in order to create its reports.

Each least privilege policy provides the necessary permissions to enable core functions in the CoreStack application, and are listed below organized by product bundle:

FinOps

Capability	Description	Least Privilege Permissions
Cost Visibility and Usage	Enabling this permission helps CoreStack retrieve cost data from AWS and display it in the Cost Posture section(s), which provides visibility into costs across all your cloud accounts.	`s3:GetObject` `arn:aws:s3:::[YOUR COST AND USAGE REPORT BUCKET]/* (For Master Account)`
Support and RI	Enabling these permissions allows access to pricing model information that can help users increase cost savings for their AWS resource usage, compute Savings Plans that can provide lower prices on EC2 instance usage, and support services that help customers use AWS products and features.	`ce:DescribeNotificationSubscription,` `ce:GetReservationPurchaseRecommendation,` `ce:GetReservationUtilization,` `support:DescribeServices,` `support:DescribeSupportLevel,` `support:DescribeTrustedAdvisorCheckResult`
Cost Budget and Billing	These permissions allow cloud-native budgets for AWS to be displayed in the CoreStack portal.	`budgets:ViewBudget,` `budgets:DescribeBudgetActionHistories,` `budgets:DescribeBudgetActionsForAccount`
Cost Optimization	These permissions allow the monitoring of resource utilization data and the reclaiming of native recommendations, which in turn can help users achieve potential cost savings through FinOps policies.	`compute-optimizer:DescribeRecommendationExportJobs,` `compute-optimizer:GetAutoScalingGroupRecommendations,` `compute-optimizer:GetEBSVolumeRecommendations,` `compute-optimizer:GetEC2InstanceRecommendations,` `compute-optimizer:GetEC2RecommendationProjectedMetrics,` `compute-optimizer:GetECSServiceRecommendationProjectedMetrics,` `compute-optimizer:GetECSServiceRecommendations,` `compute-optimizer:GetEffectiveRecommendationPreferences,` `compute-optimizer:GetEnrollmentStatus,` `compute-optimizer:GetLambdaFunctionRecommendations,` `compute-optimizer:GetRecommendationPreferences,` `compute-optimizer:GetRecommendationSummaries`
Resource Inventory & Cost Optimizations ( CoreStack Policies)	These permissions allow CoreStack to pull resources from AWS in order to provide cost recommendations through FinOps policies.	`access-analyzer:List,` `acm:DescribeCertificate,` `acm:GetCertificate,` `acm:ListCertificates,` `acm:ListTagsForCertificate,` `apigateway:GET,` `application-autoscaling:DescribeScheduledActions,` `autoscaling:Describe,` `batch:Describe,` `clouddirectory:DescribeDirectories,` `clouddirectory:GetDirectory,` `clouddirectory:ListDirectories,` `cloudformation:DescribeStacks,` `cloudformation:GetStackPolicy,` `cloudformation:GetTemplate,` `cloudformation:ListStackResources,` `cloudformation:ListStacks,` `cloudfront:Get,` `cloudfront:List,` `cloudhsm:Describe,` `cloudhsm:List,` `cloudtrail:DescribeTrails,` `cloudtrail:Get,` `cloudtrail:ListTrails,` `cloudwatch:GetDashboard,` `cloudwatch:GetMetricStatistics,` `cloudwatch:ListDashboards,` `cloudwatch:ListMetrics,` `cloudwatch:GetMetricData,` `cloudwatch:Describe,` `codeartifact:DescribeDomain,` `codepipeline:List,` `cognito-identity:Describe,` `cognito-identity:Get,` `cognito-user:List,` `cognito-user:Describe,` `datapipeline:DescribePipelines,` `datapipeline:GetPipelineDefinition,` `datapipeline:ListPipelines,` `directconnect:DescribeConnections,` `directconnect:DescribeLocations,` `directconnect:DescribeVirtualGateways,` `directconnect:DescribeVirtualInterfaces,` `dms:Describe,` `dynamodb:Describe,` `dynamodb:ListTables,` `dynamodb:ListTagsOfResource,` `ec2:Describe,` `ecr:BatchGetImage,` `ecr:BatchImportUpstreamImage,` `ecr:DescribeRepositories,` `ecr:GetLifecyclePolicy,` `ecr:GetLifecyclePolicyPreview,` `ecr-public:GetRepositoryCatalogData,` `ecs:Describe,` `ecs:List,` `eks:Describe,` `eks:List,` `elasticache:Describe,` `elasticbeanstalk:Describe,` `elasticfilesystem:Describe,` `elasticloadbalancing:Describe,` `elasticmapreduce:Describe,` `elasticmapreduce:List,` `es:Describe,` `es:ListDomainNames,` `glacier:Describe,` `glacier:List,` `glue:List,` `glue:Get,` `guardduty:GetDetector,` `guardduty:ListDetectors,` `iam:GetGroup,` `iam:GetGroupPolicy,` `iam:GetPolicy,` `iam:GetRole,` `iam:GetRolePolicy,` `iam:GetUser,` `iam:GetUserPolicy,` `iam:List,` `iam:SimulatePrincipalPolicy,` `inspector:Describe,` `inspector:List,` `iot:DescribeThing,` `iot:ListThings,` `kafka:Describe,` `kafka:List,` `kinesis:DescribeStream,` `kinesis:GetShardIterator,` `kinesis:ListStreams,` `kinesis:ListTagsForStream,` `kms:Describe,` `kms:Get,` `kms:List,` `lambda:Get,` `lambda:List,` `lightsail:Get,` `logs:DescribeLogGroups,` `logs:DescribeLogStreams,` `logs:GetLogEvents,` `mgh:DescribeApplicationState,` `mgh:ListApplicationStates,` `mq:DescribeBroker,` `mq:ListBrokers,` `opsworks:DescribeStacks,` `opsworks:DescribeStackSummary,` `opsworks:DescribeUserProfiles,` `organizations:Describe,` `organizations:List,` `qldb:DescribeLedger,` `quicksight:Describe,` `quicksight:List,` `rds:Describe,` `rds:List,` `redshift:Describe,` `route53:GetTrafficPolicy,` `route53:GetTrafficPolicyInstance,` `route53:List,` `S3:GetAccountPublicAccessBlock,` `s3:GetBucketACL,` `s3:GetBucketLocation,` `s3:GetBucketPolicy,` `s3:GetBucketPublicAccessBlock,` `s3:GetBucketTagging,` `s3:GetLifecycleConfiguration,` `s3:GetNotificationConfiguration,` `s3:ListAllMyBuckets,` `s3:ListBucket,` `sdb:DomainMetadata,` `sdb:ListDomains,` `secretsmanager:List,` `secretsmanager:Describe,` `servicecatalog:Describe,` `servicecatalog:List,` `sheild:DescribeProtection,` `sheild:ListProtections,` `sns:GetSnsTopic,` `sns:GetSubscriptionAttributes,` `sns:GetTopicAttributes,` `sns:ListSubscriptionsByTopic,` `sns:ListTopics,` `sqs:GetQueueAttributes,` `sqs:ListQueues,` `ssm:Describe,` `ssm:Get,` `ssm:List,` `storagegateway:Describe,` `storagegateway:List,` `swf:List,` `waf:Get,` `waf:List,` `waf-regional:Get,` `waf-regional:List,` `wafv2:Get,` `wafv2:List,` `workmail:Describe,` `workmail:List,` `workspaces:Describe*`

SecOps

Capability	Description	Least Privilege Permissions
Governance Configuration > Threat Management	These permissions allow CoreStack to display the threats detected through Amazon GuardDuty.	`guardduty:DescribePublishingDestination,` `guardduty:GetDetector,` `guardduty:GetFindings,` `guardduty:ListDetectors,` `guardduty:ListFindings,` `guardduty:ListPublishingDestinations,` `iam:GetRole,` `kms:Describe,` `kms:Get,` `kms:List*,` `s3:GetBucketNotification,` `s3:GetBucketPolicy,` `s3:GetBucketTagging,` `s3:HeadBucket,` `s3:ListBucket`
Governance Configuration > Vulnerability Assessments	Enabling these permissions helps CoreStack to continuously scan the findings from the inspector in your AWS cloud account(s).	`inspector:DescribeAssessmentRuns,` `inspector:DescribeFindings,` `inspector:DescribeRulesPackages,` `inspector:ListAssessmentRuns,` `inspector:ListAssessmentTargets,` `inspector:ListAssessmentTemplates,` `inspector:ListFindings,` `inspector:ListRulesPackages`
Resource Inventory & SecOps Policies	These permissions allow CoreStack to pull resources from AWS in order to provide security recommendations through SecOps standards and policies.	`access-analyzer:List,` `acm:DescribeCertificate,` `acm:GetCertificate,` `acm:ListCertificates,` `acm:ListTagsForCertificate,` `apigateway:GET,` `application-autoscaling:DescribeScheduledActions,` `autoscaling:Describe,` `batch:Describe,` `clouddirectory:DescribeDirectories,` `clouddirectory:GetDirectory,` `clouddirectory:ListDirectories,` `cloudformation:DescribeStacks,` `cloudformation:GetStackPolicy,` `cloudformation:GetTemplate,` `cloudformation:ListStackResources,` `cloudformation:ListStacks,` `cloudfront:Get,` `cloudfront:List,` `cloudhsm:Describe,` `cloudhsm:List,` `cloudtrail:Get,` `cloudtrail:ListTrails,` `cloudwatch:GetDashboard,` `cloudwatch:GetMetricStatistics,` `cloudwatch:ListDashboards,` `cloudwatch:ListMetrics,` `cloudwatch:Describe,` `codeartifact:DescribeDomain,` `codepipeline:List,` `cognito-identity:Describe,` `cognito-identity:Get,` `cognito-user:List,` `cognito-user:Describe,` `datapipeline:DescribePipelines,` `datapipeline:GetPipelineDefinition,` `datapipeline:ListPipelines,` `directconnect:DescribeConnections,` `directconnect:DescribeLocations,` `directconnect:DescribeVirtualGateways,` `directconnect:DescribeVirtualInterfaces,` `dms:Describe,` `dynamodb:Describe,` `dynamodb:ListTables,` `dynamodb:ListTagsOfResource,` `ec2:Describe,` `ecr:BatchGetImage,` `ecr:BatchImportUpstreamImage,` `ecr:DescribeRepositories,` `ecr:GetLifecyclePolicy,` `ecr:GetLifecyclePolicyPreview,` `ecr-public:GetRepositoryCatalogData,` `ecs:Describe,` `ecs:List,` `eks:Describe,` `eks:List,` `elasticache:Describe,` `elasticbeanstalk:Describe,` `elasticfilesystem:Describe,` `elasticloadbalancing:Describe,` `elasticmapreduce:Describe,` `elasticmapreduce:List,` `es:Describe,` `es:ListDomainNames,` `glacier:Describe,` `glacier:List,` `glue:List,` `glue:Get,` `iam:Get,` `iam:List,` `iam:SimulatePrincipalPolicy,` `iot:DescribeThing,` `iot:ListThings,` `kafka:Describe,` `kafka:List,` `kinesis:DescribeStream,` `kinesis:GetShardIterator,` `kinesis:ListStreams,` `kinesis:ListTagsForStream,` `kms:Get,` `kms:List,` `lambda:GetFunction,` `lambda:ListFunctions,` `lambda:ListTags,` `lightsail:Get,` `logs:DescribeLogGroups,` `logs:DescribeLogStreams,` `logs:GetLogEvents,` `mgh:DescribeApplicationState,` `mgh:ListApplicationStates,` `mq:DescribeBroker,` `mq:ListBrokers,` `opsworks:DescribeStacks,` `opsworks:DescribeStackSummary,` `opsworks:DescribeUserProfiles,` `organizations:Describe,` `organizations:List,` `qldb:DescribeLedger,` `quicksight:Describe,` `quicksight:List,` `rds:Describe,` `rds:List,` `redshift:Describe,` `route53:GetTrafficPolicy,` `route53:GetTrafficPolicyInstance,` `route53:List,` `S3:GetAccountPublicAccessBlock,` `s3:GetBucketACL,` `s3:GetBucketPublicAccessBlock,` `s3:GetLifecycleConfiguration,` `s3:GetNotificationConfiguration,` `s3:ListAllMyBuckets,` `s3:ListBucket,` `sdb:DomainMetadata,` `sdb:ListDomains,` `secretsmanager:List,` `secretsmanager:Describe,` `servicecatalog:Describe,` `servicecatalog:List,` `ses:ListIdentities,` `ses:GetSendStatistics,` `ses:GetIdentityDkimAttributes,` `ses:GetIdentityVerificationAttributes,` `ses:GetSendQuota,` `sheild:DescribeProtection,` `sheild:ListProtections,` `sns:GetSnsTopic,` `sns:GetSubscriptionAttributes,` `sns:GetTopicAttributes,` `sns:ListSubscriptionsByTopic,` `sns:ListTopics,` `sqs:GetQueueAttributes,` `sqs:ListQueues,` `ssm:Describe,` `ssm:Get,` `ssm:List,` `storagegateway:Describe,` `storagegateway:List,` `swf:List,` `waf:Get,` `waf:List,` `waf-regional:Get,` `waf-regional:List,` `wafv2:Get,` `wafv2:List,` `workmail:Describe,` `workmail:List,` `workspaces:Describe`

You can use the S3 URLs provided based on the type of access you wish to provide for CoreStack.

S3 URL with Template for Assessment Only (Read-Only Access):