These docs are for v4.3. Click to read the latest docs for v4.5.

Onboarding Permissions for AWS - Read-Write

Introduction

As part of the AWS account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies— individual policies that must be attached to your cross-account role that allow the platform to access the AWS data it needs in order to create its reports.

Least Privilege Polices by Product (Read-Write)

Each least privilege policy provides the necessary permissions to enable core functions in the platform. The policies for enabling Read-Write access to the platform are listed below organized by product and platform capability:

📘

Pre-configured automation templates for allowing access

You can use the S3 URLs provided based on the type of access you wish to provide for CoreStack.


FinOps

CapabilityDescriptionLeast Privilege Permissions
Cost Visibility and Usage (Read)Enabling this permission helps CoreStack retrieve cost data from AWS and display it in the Cost Posture section(s), which provides visibility into costs across all your cloud accounts.s3:GetObject
arn:aws:s3:::[YOUR COST AND USAGE REPORT BUCKET]/* (For Master Account)
Support and RI (Read)Enabling these permissions allows access to pricing model information that can help users increase cost savings for their AWS resource usage, compute Savings Plans that can provide lower prices on EC2 instance usage, and support services that help customers use AWS products and features.ce:DescribeNotificationSubscription,
ce:GetReservationPurchaseRecommendation,
ce:GetReservationUtilization,
support:DescribeServices,
support:DescribeSupportLevel,
support:DescribeTrustedAdvisorCheckResult
Cost Budget and Billing (Read)These permissions allow cloud-native budgets for AWS to be displayed in the CoreStack portal.budgets:ViewBudget,
budgets:DescribeBudgetActionHistories,
budgets:DescribeBudgetActionsForAccount
Cost Optimization (Read)These permissions allow the monitoring of resource utilization data and the reclaiming of native recommendations, which in turn can help users achieve potential cost savings through FinOps policies.compute-optimizer:DescribeRecommendationExportJobs,
compute-optimizer:GetAutoScalingGroupRecommendations,
compute-optimizer:GetEBSVolumeRecommendations,
compute-optimizer:GetEC2InstanceRecommendations,
compute-optimizer:GetEC2RecommendationProjectedMetrics,
compute-optimizer:GetECSServiceRecommendationProjectedMetrics,
compute-optimizer:GetECSServiceRecommendations,
compute-optimizer:GetEffectiveRecommendationPreferences,
compute-optimizer:GetEnrollmentStatus,
compute-optimizer:GetLambdaFunctionRecommendations,
compute-optimizer:GetRecommendationPreferences,
compute-optimizer:GetRecommendationSummaries
Resource Inventory (Read)These permissions allow CoreStack to pull resources from AWS in order to provide cost recommendations through FinOps policies.access-analyzer:List*,
acm:DescribeCertificate,
acm:GetCertificate,
acm:ListCertificates,
acm:ListTagsForCertificate,
apigateway:GET,
application-autoscaling:DescribeScheduledActions,
autoscaling:Describe*,
batch:Describe*,
clouddirectory:DescribeDirectories,
clouddirectory:GetDirectory,
clouddirectory:ListDirectories,
cloudformation:DescribeStacks,
cloudformation:GetStackPolicy,
cloudformation:GetTemplate,
cloudformation:ListStackResources,
cloudformation:ListStacks,
cloudfront:Get*,
cloudfront:List*,
cloudhsm:Describe*,
cloudhsm:List*,
cloudtrail:DescribeTrails,
cloudtrail:Get*,
cloudtrail:ListTrails,
cloudwatch:GetDashboard,
cloudwatch:GetMetricStatistics,
cloudwatch:ListDashboards,
cloudwatch:ListMetrics,
cloudwatch:GetMetricData,
cloudwatch:Describe*,
codeartifact:DescribeDomain,
codepipeline:List,
cognito-identity:Describe*,
cognito-identity:Get*,
cognito-user:List*,
cognito-user:Describe*,
datapipeline:DescribePipelines,
datapipeline:GetPipelineDefinition,
datapipeline:ListPipelines,
directconnect:DescribeConnections,
directconnect:DescribeLocations,
directconnect:DescribeVirtualGateways,
directconnect:DescribeVirtualInterfaces,
dms:Describe*,
dynamodb:Describe*,
dynamodb:ListTables,
dynamodb:ListTagsOfResource,
ec2:Describe*,
ecr:BatchGetImage,
ecr:BatchImportUpstreamImage,
ecr:DescribeRepositories,
ecr:GetLifecyclePolicy,
ecr:GetLifecyclePolicyPreview,
ecr-public:GetRepositoryCatalogData,
ecs:Describe*,
ecs:List*,
eks:Describe*,
eks:List*,
elasticache:Describe*,
elasticbeanstalk:Describe*,
elasticfilesystem:Describe*,
elasticloadbalancing:Describe*,
elasticmapreduce:Describe*,
elasticmapreduce:List*,
es:Describe*,
es:ListDomainNames,
glacier:Describe*,
glacier:List*,
glue:List*,
glue:Get*,
guardduty:GetDetector,
guardduty:ListDetectors,
iam:GetGroup,
iam:GetGroupPolicy,
iam:GetPolicy,
iam:GetRole,
iam:GetRolePolicy,
iam:GetUser,
iam:GetUserPolicy,
iam:List*,
iam:SimulatePrincipalPolicy,
inspector:Describe*,
inspector:List*,
iot:DescribeThing,
iot:ListThings,
kafka:Describe*,
kafka:List*,
kinesis:DescribeStream,
kinesis:GetShardIterator,
kinesis:ListStreams,
kinesis:ListTagsForStream,
kms:Describe*,
kms:Get*,
kms:List*,
lambda:Get*,
lambda:List*,
lightsail:Get*,
logs:DescribeLogGroups,
logs:DescribeLogStreams,
logs:GetLogEvents,
mgh:DescribeApplicationState,
mgh:ListApplicationStates,
mq:DescribeBroker,
mq:ListBrokers,
opsworks:DescribeStacks,
opsworks:DescribeStackSummary,
opsworks:DescribeUserProfiles,
organizations:Describe*,
organizations:List*,
qldb:DescribeLedger,
quicksight:Describe*,
quicksight:List*,
rds:Describe*,
rds:List*,
redshift:Describe*,
route53:GetTrafficPolicy,
route53:GetTrafficPolicyInstance,
route53:List*,
S3:GetAccountPublicAccessBlock,
s3:GetBucketACL,
s3:GetBucketLocation,
s3:GetBucketPolicy,
s3:GetBucketPublicAccessBlock,
s3:GetBucketTagging,
s3:GetLifecycleConfiguration,
s3:GetNotificationConfiguration,
s3:ListAllMyBuckets,
s3:ListBucket,
sdb:DomainMetadata,
sdb:ListDomains,
secretsmanager:List*,
secretsmanager:Describe*,
servicecatalog:Describe*,
servicecatalog:List*,
sheild:DescribeProtection,
sheild:ListProtections,
sns:GetSnsTopic,
sns:GetSubscriptionAttributes,
sns:GetTopicAttributes,
sns:ListSubscriptionsByTopic,
sns:ListTopics,
sqs:GetQueueAttributes,
sqs:ListQueues,
ssm:Describe*,
ssm:Get*,
ssm:List*,
storagegateway:Describe*,
storagegateway:List*,
swf:List*,
waf:Get*,
waf:List*,
waf-regional:Get*,
waf-regional:List*,
wafv2:Get*,
wafv2:List*,
workmail:Describe*,
workmail:List*,
workspaces:Describe*
Resource Inventory (Write)These permissions allow CoreStack to not only pull resources from AWS in order to provide cost recommendations through FinOps policies, but also allow CoreStack to edit resources in AWS accordingly via cloud governance tools.workspaces:TerminateWorkspaces,
ec2:DeregisterImage,
ec2:DeleteSnapshot,
ec2:TerminateInstances,
elasticloadbalancing:CreateLoadBalancer,
rds:DeleteDBSnapshot,
ec2:StopInstances,
elasticloadbalancing:DeleteLoadBalancer,
ec2:DeleteVolume,
workspaces:StopWorkspaces,
rds:DeleteDBClusterSnapshot,
ec2:StartInstances,
redshift:DeleteClusterSnapshot,
workspaces:StartWorkspaces,
rds:ModifyDBInstance,
rds:ModifyDBCluster,
ec2:ModifyInstanceAttribute,
elasticloadbalancing:ModifyLoadBalancerAttributes,
s3:DeleteBucket,
rds:DeleteDBCluster,
elasticache:DeleteSnapshot,
rds:DeleteDBInstance

SecOps

CapabilityDescriptionLeast Privilege Permissions
Governance Configuration > Threat Management (Read)These permissions allow CoreStack to display the threats detected through Amazon GuardDuty.guardduty:DescribePublishingDestination,
guardduty:GetDetector,
guardduty:GetFindings,
guardduty:ListDetectors,
guardduty:ListFindings,
guardduty:ListPublishingDestinations,
iam:GetRole,
kms:Describe*,
kms:Get*,
kms:List*,
s3:GetBucketNotification,
s3:GetBucketPolicy,
s3:GetBucketTagging,
s3:HeadBucket,
s3:ListBucket
Governance Configuration > Vulnerability Assessments (Read)Enabling these permissions helps CoreStack to continuously scan the findings from the inspector in your AWS cloud account(s).inspector:DescribeAssessmentRuns,
inspector:DescribeFindings,
inspector:DescribeRulesPackages,
inspector:ListAssessmentRuns,
inspector:ListAssessmentTargets,
inspector:ListAssessmentTemplates,
inspector:ListFindings,
inspector:ListRulesPackages
Resource Inventory (Read)These permissions allow CoreStack to pull resources from AWS in order to provide security recommendations through SecOps standards and policies.access-analyzer:List*,
acm:DescribeCertificate,
acm:GetCertificate,
acm:ListCertificates,
acm:ListTagsForCertificate,
apigateway:GET,
application-autoscaling:DescribeScheduledActions,
autoscaling:Describe*,
batch:Describe*,
clouddirectory:DescribeDirectories,
clouddirectory:GetDirectory,
clouddirectory:ListDirectories,
cloudformation:DescribeStacks,
cloudformation:GetStackPolicy,
cloudformation:GetTemplate,
cloudformation:ListStackResources,
cloudformation:ListStacks,
cloudfront:Get*,
cloudfront:List*,
cloudhsm:Describe*,
cloudhsm:List*,
cloudtrail:Get*,
cloudtrail:ListTrails,
cloudwatch:GetDashboard,
cloudwatch:GetMetricStatistics,
cloudwatch:ListDashboards,
cloudwatch:ListMetrics,
cloudwatch:Describe,
codeartifact:DescribeDomain,
codepipeline:List,
cognito-identity:Describe*,
cognito-identity:Get*,
cognito-user:List*,
cognito-user:Describe*,
datapipeline:DescribePipelines,
datapipeline:GetPipelineDefinition,
datapipeline:ListPipelines,
directconnect:DescribeConnections,
directconnect:DescribeLocations,
directconnect:DescribeVirtualGateways,
directconnect:DescribeVirtualInterfaces,
dms:Describe*,
dynamodb:Describe*,
dynamodb:ListTables,
dynamodb:ListTagsOfResource,
ec2:Describe*,
ecr:BatchGetImage,
ecr:BatchImportUpstreamImage,
ecr:DescribeRepositories,
ecr:GetLifecyclePolicy,
ecr:GetLifecyclePolicyPreview,
ecr-public:GetRepositoryCatalogData,
ecs:Describe*,
ecs:List*,
eks:Describe*,
eks:List*,
elasticache:Describe*,
elasticbeanstalk:Describe*,
elasticfilesystem:Describe*,
elasticloadbalancing:Describe*,
elasticmapreduce:Describe*,
elasticmapreduce:List*,
es:Describe*,
es:ListDomainNames,
glacier:Describe*,
glacier:List*,
glue:List*,
glue:Get*,
iam:Get*,
iam:List*,
iam:SimulatePrincipalPolicy,
iot:DescribeThing,
iot:ListThings,
kafka:Describe*,
kafka:List*,
kinesis:DescribeStream,
kinesis:GetShardIterator,
kinesis:ListStreams,
kinesis:ListTagsForStream,
kms:Get*,
kms:List*,
lambda:GetFunction,
lambda:ListFunctions,
lambda:ListTags,
lightsail:Get*,
logs:DescribeLogGroups,
logs:DescribeLogStreams,
logs:GetLogEvents,
mgh:DescribeApplicationState,
mgh:ListApplicationStates,
mq:DescribeBroker,
mq:ListBrokers,
opsworks:DescribeStacks,
opsworks:DescribeStackSummary,
opsworks:DescribeUserProfiles,
organizations:Describe*,
organizations:List*,
qldb:DescribeLedger,
quicksight:Describe*,
quicksight:List*,
rds:Describe*,
rds:List*,
redshift:Describe*,
route53:GetTrafficPolicy,
route53:GetTrafficPolicyInstance,
route53:List*,
S3:GetAccountPublicAccessBlock,
s3:GetBucketACL,
s3:GetBucketPublicAccessBlock,
s3:GetLifecycleConfiguration,
s3:GetNotificationConfiguration,
s3:ListAllMyBuckets,
s3:ListBucket,
sdb:DomainMetadata,
sdb:ListDomains,
secretsmanager:List*,
secretsmanager:Describe*,
servicecatalog:Describe*,
servicecatalog:List*,
ses:ListIdentities,
ses:GetSendStatistics,
ses:GetIdentityDkimAttributes,
ses:GetIdentityVerificationAttributes,
ses:GetSendQuota,
sheild:DescribeProtection,
sheild:ListProtections,
sns:GetSnsTopic,
sns:GetSubscriptionAttributes,
sns:GetTopicAttributes,
sns:ListSubscriptionsByTopic,
sns:ListTopics,
sqs:GetQueueAttributes,
sqs:ListQueues,
ssm:Describe*,
ssm:Get*,
ssm:List*,
storagegateway:Describe*,
storagegateway:List*,
swf:List*,
waf:Get*,
waf:List*,
waf-regional:Get*,
waf-regional:List*,
wafv2:Get*,
wafv2:List*,
workmail:Describe*,
workmail:List*,
workspaces:Describe*

CloudOps

CapabilityDescriptionLeast Privilege Permissions
Activity and Alerts - Governance Configuration > Operations > Activity Log (Read)These permissions (read and write) are required for CoreStack to configure activity logs and alerts.cloudtrail:DescribeTrails,
cloudtrail:GetTrailStatus,
cloudtrail:ListTags,
iam:GetPolicy,
iam:GetPolicyVersion,
iam:GetRole,
iam:ListAttachedRolePolicies,
iam:ListPolicyVersions,
iam:ListRolePolicies,
iam:ListRoles,
s3:GetBucketLocation,
s3:GetBucketTagging,
s3:HeadBucket,
s3:ListObjects
Activity and Alerts -
Governance Configuration > Operations > Alerts (Read)
These permissions must be allowed to enable the full range of monitoring from CoreStack, as alerts need to be configured with a specific template.cloudwatch:DescribeAlarms,
cloudwatch:GetMetricStatistics,
cloudwatch:ListMetrics
Resource Inventory (Read)These permissions allow CoreStack to pull resources from AWS in order to provide usage recommendations through CloudOps policies.access-analyzer:List*,
acm:DescribeCertificate,
acm:GetCertificate,
acm:ListCertificates,
acm:ListTagsForCertificate,
apigateway:GET,
application-autoscaling:DescribeScheduledActions,
autoscaling:Describe*,
batch:Describe*,
clouddirectory:DescribeDirectories,
clouddirectory:GetDirectory,
clouddirectory:ListDirectories,
cloudformation:DescribeStacks,
cloudformation:GetStackPolicy,
cloudformation:GetTemplate,
cloudformation:ListStackResources,
cloudformation:ListStacks,
cloudfront:Get*,
cloudfront:List*,
cloudhsm:Describe*,
cloudhsm:List*,
cloudtrail:DescribeTrails,
cloudtrail:Get*,
cloudtrail:ListTrails,
cloudwatch:GetDashboard,
cloudwatch:ListDashboards,
cloudwatch:GetMetricData,
cloudwatch:Describe*,
codeartifact:DescribeDomain,
codepipeline:List,
cognito-identity:Describe*,
cognito-identity:Get*,
cognito-user:List*,
cognito-user:Describe*,
datapipeline:DescribePipelines,
datapipeline:GetPipelineDefinition,
datapipeline:ListPipelines,
directconnect:DescribeConnections,
directconnect:DescribeLocations,
directconnect:DescribeVirtualGateways,
directconnect:DescribeVirtualInterfaces,
dms:Describe*,
dynamodb:Describe*,
dynamodb:ListTables,
dynamodb:ListTagsOfResource,
ec2:Describe*,
ecr:BatchGetImage,
ecr:BatchImportUpstreamImage,
ecr:DescribeRepositories,
ecr:GetLifecyclePolicy,
ecr:GetLifecyclePolicyPreview,
ecr-public:GetRepositoryCatalogData,
ecs:Describe*,
ecs:List*,
eks:Describe*,
eks:List*,
elasticache:Describe*,
elasticbeanstalk:Describe*,
elasticfilesystem:Describe*,
elasticloadbalancing:Describe*,
elasticmapreduce:Describe*,
elasticmapreduce:List*,
es:Describe*,
es:ListDomainNames,
glacier:Describe*,
glacier:List*,
iam:GetGroup,
iam:GetGroupPolicy,
iam:GetPolicy,
iam:GetRole,
iam:GetRolePolicy,
iam:GetUser,
iam:GetUserPolicy,
iam:List*,
iam:SimulatePrincipalPolicy,
iot:DescribeThing,
iot:ListThings,
kafka:Describe*,
kafka:List*,
kinesis:DescribeStream,
kinesis:GetShardIterator,
kinesis:ListStreams,
kinesis:ListTagsForStream,
kms:Get*,
kms:List*,
lambda:Get*,
lambda:List*,
lightsail:Get*,
logs:DescribeLogGroups,
logs:DescribeLogStreams,
logs:GetLogEvents,
mgh:DescribeApplicationState,
mgh:ListApplicationStates,
mq:DescribeBroker,
mq:ListBrokers,
opsworks:DescribeStacks,
opsworks:DescribeStackSummary,
opsworks:DescribeUserProfiles,
organizations:Describe,
organizations:List,
qldb:DescribeLedger,
quicksight:Describe,
quicksight:List,
rds:Describe,
rds:List,
redshift:Describe*,
route53:GetTrafficPolicy,
route53:GetTrafficPolicyInstance,
route53:List*,
S3:GetAccountPublicAccessBlock,
s3:GetBucketACL,
s3:GetBucketLocation,
s3:GetBucketPublicAccessBlock,
s3:GetLifecycleConfiguration,
s3:GetNotificationConfiguration,
s3:ListAllMyBuckets,
s3:ListBucket,
sdb:DomainMetadata,
sdb:ListDomains,
servicecatalog:Describe*,
servicecatalog:List*,
secretsmanager:List*,
secretsmanager:Describe*,
sheild:DescribeProtection,
sheild:ListProtections,
sns:GetSnsTopic,
sns:GetSubscriptionAttributes,
sns:GetTopicAttributes,
sns:ListSubscriptionsByTopic,
sns:ListTopics,
sqs:GetQueueAttributes,
sqs:ListQueues,
ssm:Describe*,
ssm:Get*,
ssm:List*,
storagegateway:Describe*,
storagegateway:List*,
swf:List*,
waf:Get*,
waf:List*,
waf-regional:Get*,
waf-regional:List*,
wafv2:Get*,
wafv2:List*,
workmail:Describe*,
workmail:List*,
workspaces:Describe*
Resource Inventory (Write)These permissions allow CoreStack to pull resources from AWS in order to provide usage recommendations through CloudOps policies.cloudformation:CreateStack,
cloudformation:DeleteStack,
cloudformation:TagResource,
cloudformation:UpdateStack,
cloudtrail:CreateTrail,
cloudtrail:DeleteTrail,
cloudtrail:PutEventSelectors,
cloudtrail:UpdateTrail,
cloudwatch:DeleteAlarms,
cloudwatch:PutMetricAlarm,
cloudwatch:TagResource,
dynamodb:CreateTable,
dynamodb:DeleteTable,
dynamodb:UpdateTable,
ec2:AttachVolume,
ec2:CreateImage,
ec2:CreateKeyPair,
ec2:CreateRoute,
ec2:CreateRouteTable,
ec2:CreateSecurityGroup,
ec2:CreateSnapshots,
ec2:CreateSubnet,
ec2:CreateTags,
ec2:CreateVolume,
ec2:CreateVpc,
ec2:DeleteInternetGateway,
ec2:DeleteKeyPair,
ec2:DeleteRouteTable,
ec2:DeleteSecurityGroup,
ec2:DeleteSnapshot,
ec2:DeleteSubnet,
ec2:DeleteVolume,
ec2:DeleteVpc,
ec2:DeregisterImage,
ec2:DetachVolume,
ec2:ModifyInstanceAttribute,
ec2:ModifyVolume,
ec2:ModifyVolumeAttribute,
ec2:RegisterImage,
ec2:ReleaseAddress,
ec2:RunInstances,
ec2:StartInstances,
ec2:StopInstances,
ec2:TerminateInstances,
ecr:BatchDeleteImage,
ecs:CreateCluster,
ecs:DeleteCluster,
ecs:UpdateCluster,
elasticloadbalancing:CreateLoadBalancer,
elasticloadbalancing:DeleteLoadBalancer,
guardduty:CreateDetector,
guardduty:CreatePublishingDestination,
guardduty:DeleteDetector,
guardduty:DeletePublishingDestination,
guardduty:UpdateDetector,
iam:CreateRole,
iam:CreateServiceLinkedRole,
iam:DeleteRole,
iam:DeleteRolePolicy,
iam:PutRolePolicy,
iam:TagRole,
kms:CreateAlias,
kms:CreateKey,
kms:DisableKey,
kms:ReplicateKey,
kms:ScheduleKeyDeletion,
kms:TagResource,
kms:UntagResource,
lambda:AddTagsToResource,
lambda:TagResource,
rds:CreateDBCluster,
rds:CreateDBInstance,
rds:DeleteDBCluster,
rds:DeleteDBClusterSnapshot,
rds:DeleteDBInstance,
rds:DeleteDBSnapshot,
rds:ModifyDBCluster,
rds:ModifyDBInstance,
rds:StartDBCluster,
rds:StartDBInstance,
rds:StopDBCluster,
rds:StopDBInstance,
s3:CreateBucket,
s3:DeleteBucket,
s3:DeleteObject,
sns:CreateTopic,
sns:DeleteEndpoint,
sns:DeleteTopic,
sns:TagResource,
workspaces:CreateTags,
workspaces:StartWorkspaces,
workspaces:StopWorkspaces,
workspaces:TerminateWorkspaces

Pre-configured automation templates for allowing access

You can use the S3 URLs provided based on the type of access you wish to provide for CoreStack.