...
Quick Reference - CFT Permissions
Service | Type | Permissions |
---|---|---|
AWS Organizations | organizations | organizations:Describe* |
Amazon Elastic Compute Cloud (ASG) | autoscaling | autoscaling:Describe* |
Amazon Elastic Compute Cloud (EC2) | ec2 | ec2:Describe* |
Amazon Elastic Compute Cloud (elb) | elasticloadbalancing | elasticloadbalancing:Describe* |
Cloudwatch | cloudwatch | cloudwatch:Describe* |
Elastic Container Registry | ecr-public | ecr-public:DescribeImageTags |
Elastic Container Registry | ecr-private | ecr:DescribeImages |
Elastic Container Service | ecs | ecs:Describe |
Elastic Kubernetes Service | eks | eks:Describe* |
Elastic Filesystem | elasticfilesystem | elasticfilesystem:ClientMount |
Relational Database Service | rds pi | pi:* |
s3 | s3 | s3:GetBucketLocation |
AWS Config | config | config:DescribeConfigRules config:PutConfigRule config:DeleteConfigRule |
Policy | Details | Requirement |
---|---|---|
s3:GetBucketLocation | Returns Bucket Location | Metadata |
s3:GetBucketPolicy | Retrieves the existing bucket lifecycle policy | Lifecycle |
s3:GetObject | Used alongside GetBucketPolicy; restricted to the bucket policy retrieval scope | Lifecycle |
s3:GetBucketPolicyStatus | Retrieves the policy status for an Amazon S3 bucket, indicating whether the bucket is public | Metadata |
s3:GetBucketTagging | Retrieves tags associated with Bucket | Metadata |
s3:GetBucketVersioning | Retrieves the versioning state of a bucket | Metadata |
s3:GetEncryptionConfiguration | Retrieves the default encryption configuration for an Amazon S3 bucket | Metadata |
s3:GetIntelligentTieringConfiguration | Gets the S3 Intelligent-Tiering configuration from the specified bucket. The S3 Intelligent-Tiering storage class is designed to optimize storage costs by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead | Metadata |
s3:GetInventoryConfiguration | Retrieves the inventory configuration (identified by the inventory configuration ID) from the bucket. Parent permission for bucket lifecycle configurations | Metadata |
s3:GetLifecycleConfiguration | Retrieves the lifecycle configuration information set on the bucket. For information about lifecycle configuration | Lifecycle |
s3:GetMetricsConfiguration | Retrieves the metrics configuration of the bucket and its CloudWatch metrics | Metrics |
s3:GetObjectRetention | Retrieves an object's retention settings, based on the lifecycle/eviction policy | Lifecycle |
s3:GetObjectTagging | Retrieves the tag-set of an object via the tagging subresource associated with it; part of the lifecycle retention policy | Metadata |
s3:GetObjectVersion | Retrieves metadata about all versions of the objects in a bucket, based on lifecycle | Lifecycle |
s3:GetReplicationConfiguration | Retrieves the replication configuration of a bucket; part of the replication policy settings | Metadata |
s3:ListAllMyBuckets | Permission to list all the buckets, needed to go over the metadata and lifecycle calls above | Describe |
s3:ListBucket | Permission to list the buckets in paginated order, needed to go over the metadata and lifecycle calls above | |
s3:ListBucketVersions | Lists metadata about all of the versions of objects in a bucket via the versions subresource | Lifecycle |
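As an added example (not part of this reference), the following Python script checks a CloudFormation role's PolicyDocument against the permissions listed in the tables above and reports any Allow action that goes beyond them. The allowlist is transcribed from the tables; `SAMPLE_POLICY`, `action_allowed` and `audit_policy` are constructed for illustration, and a wildcard on the policy side is treated as excess unless the same pattern appears in the reference.

```python
import fnmatch

# Allowlist transcribed from the quick-reference tables above. Entries are IAM action
# patterns; a trailing "*" is a wildcard, as IAM reads it. "ecs:Describe" is kept as listed.
ALLOWED_ACTIONS = [
    "organizations:Describe*", "autoscaling:Describe*", "ec2:Describe*",
    "elasticloadbalancing:Describe*", "cloudwatch:Describe*",
    "ecr-public:DescribeImageTags", "ecr:DescribeImages", "ecs:Describe",
    "eks:Describe*", "elasticfilesystem:ClientMount", "pi:*",
    "config:DescribeConfigRules", "config:PutConfigRule", "config:DeleteConfigRule",
    "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetObject",
    "s3:GetBucketPolicyStatus", "s3:GetBucketTagging", "s3:GetBucketVersioning",
    "s3:GetEncryptionConfiguration", "s3:GetIntelligentTieringConfiguration",
    "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration",
    "s3:GetMetricsConfiguration", "s3:GetObjectRetention", "s3:GetObjectTagging",
    "s3:GetObjectVersion", "s3:GetReplicationConfiguration", "s3:ListAllMyBuckets",
    "s3:ListBucket", "s3:ListBucketVersions",
]

def action_allowed(action, allowed=ALLOWED_ACTIONS):
    """True if a concrete action matches some allowlist pattern (case-insensitive, like IAM)."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in allowed)

def audit_policy(policy_document, allowed=ALLOWED_ACTIONS):
    """Return Allow actions outside the allowlist; a policy wildcard is excess unless listed verbatim."""
    allowed_lower = {p.lower() for p in allowed}
    excess = []
    for stmt in policy_document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen the grant
        actions = stmt.get("Action", [])
        for act in [actions] if isinstance(actions, str) else actions:
            if "*" in act:
                if act.lower() not in allowed_lower:
                    excess.append(act)  # e.g. "s3:Get*" would cover more than the reference
            elif not action_allowed(act, allowed):
                excess.append(act)
    return excess

# Constructed sample: the kind of PolicyDocument a CFT would attach to its role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "s3:ListBucket", "pi:GetResourceMetrics"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:Get*", "s3:PutObject", "ec2:TerminateInstances"]},
        {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"},
    ],
}
```

Running `audit_policy(SAMPLE_POLICY)` flags `s3:Get*`, `s3:PutObject` and `ec2:TerminateInstances`; the first statement is fully covered by the reference.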
How to enable additional memory metrics on EC2 Instances
Collect metrics and logs from Amazon EC2 instances and on-premises servers with the CloudWatch agent