
Quick Reference - CFT Permissions

Service

Type (IAM service prefix)

Permissions (IAM actions)

AWS Organizations

organizations

organizations:Describe*
organizations:List*

Amazon EC2 Auto Scaling (ASG)

autoscaling

autoscaling:Describe*

Amazon Elastic Compute Cloud (EC2)

ec2

ec2:Describe*
ec2:DescribeInstanceStatus
ec2:DescribeInstances
ec2:DescribeSnapshotAttribute
ec2:DescribeSnapshots
ec2:DescribeTags
ec2:DescribeVolumeAttribute
ec2:DescribeVolumeStatus
ec2:DescribeVolumes

Elastic Load Balancing (ELB)

elasticloadbalancing

elasticloadbalancing:Describe*

Amazon CloudWatch

cloudwatch

cloudwatch:Describe*
cloudwatch:GetMetricData
cloudwatch:GetMetricStatistics
cloudwatch:ListMetrics

Amazon Elastic Container Registry (public registry)

ecr-public

ecr-public:DescribeImageTags
ecr-public:DescribeImages
ecr-public:DescribeRegistries
ecr-public:DescribeRepositories
ecr-public:GetRegistryCatalogData
ecr-public:GetRepositoryCatalogData
ecr-public:GetRepositoryPolicy
ecr-public:ListTagsForResource
ecr-public:TagResource

Amazon Elastic Container Registry (private registry)

ecr

ecr:DescribeImages
ecr:DescribeRegistry
ecr:DescribeRepositories
ecr:GetLifecyclePolicy
ecr:GetLifecyclePolicyPreview
ecr:GetRegistryPolicy
ecr:GetRepositoryPolicy
ecr:ListImages
ecr:ListTagsForResource

Elastic Container Service

ecs

ecs:Describe*
ecs:List*

Elastic Kubernetes Service

eks

eks:Describe*
eks:List*

Amazon Elastic File System (EFS)

elasticfilesystem

elasticfilesystem:ClientMount
elasticfilesystem:DescribeAccessPoints
elasticfilesystem:DescribeAccountPreferences
elasticfilesystem:DescribeBackupPolicy
elasticfilesystem:DescribeFileSystemPolicy
elasticfilesystem:DescribeFileSystems
elasticfilesystem:DescribeLifecycleConfiguration
elasticfilesystem:DescribeMountTargetSecurityGroups
elasticfilesystem:DescribeMountTargets
elasticfilesystem:DescribeTags
elasticfilesystem:ListTagsForResource

Amazon Relational Database Service (RDS) and Performance Insights

rds, pi

pi:*
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBParameters
rds:DescribeReservedDBInstances
rds:ListTagsForResource

Amazon Simple Storage Service (S3)

s3

s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetBucketPolicyStatus
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetEncryptionConfiguration
s3:GetIntelligentTieringConfiguration
s3:GetInventoryConfiguration
s3:GetLifecycleConfiguration
s3:GetMetricsConfiguration
s3:GetObject
s3:GetObjectRetention
s3:GetObjectTagging
s3:GetObjectVersion
s3:GetReplicationConfiguration
s3:ListAllMyBuckets
s3:ListBucket
s3:ListBucketVersions

AWS Config

config

config:DescribeConfigRules
config:DescribeConfigurationRecorderStatus
config:DescribeConfigurationRecorders
config:GetComplianceDetailsByConfigRule
config:ListAggregateDiscoveredResources
config:ListDiscoveredResources

config:PutConfigRule
config:PutConfigurationRecorder
config:SelectAggregateResourceConfig
config:SelectResourceConfig
config:StartConfigurationRecorder
iam:PassRole

config:DeleteConfigRule

S3 Bucket Policy Permission Details

Policy

Details

Requirement

s3:GetBucketLocation

Returns the Region in which the bucket resides

Metadata

s3:GetBucketPolicy

Retrieves the bucket policy (the resource-based access policy attached to the bucket); lifecycle rules are read with s3:GetLifecycleConfiguration, not with this action

Lifecycle

s3:GetObject

Retrieves objects from the bucket. Unlike the bucket-level Get* actions in this table, this grants read access to object data, not just metadata, so scope its Resource to the specific buckets or prefixes that must be read

Lifecycle

s3:GetBucketPolicyStatus

Retrieves the policy status for an Amazon S3 bucket, indicating whether the bucket is public

Metadata

s3:GetBucketTagging

Retrieves tags associated with Bucket

Metadata

s3:GetBucketVersioning

Retrieves the versioning state of a bucket

Metadata

s3:GetEncryptionConfiguration

Retrieves the default encryption configuration for an Amazon S3 bucket

Metadata

s3:GetIntelligentTieringConfiguration

Retrieves the S3 Intelligent-Tiering configuration of the bucket. The Intelligent-Tiering storage class reduces storage cost by automatically moving objects to the most cost-effective access tier without performance impact or operational overhead

Metadata

s3:GetInventoryConfiguration

Retrieves an inventory configuration (identified by its inventory configuration ID) from the bucket

Metadata

s3:GetLifecycleConfiguration

Retrieves the lifecycle configuration information set on the bucket. For information about lifecycle configuration

Lifecycle

s3:GetMetricsConfiguration

Retrieves the metrics configuration of the bucket, which defines the filter used for the bucket's CloudWatch request metrics

Metrics

s3:GetObjectRetention

Retrieves an object's Object Lock retention settings (retention mode and retain-until date)

Lifecycle

s3:GetObjectTagging

Retrieves the tag set of an object via its tagging subresource

Metadata

s3:GetObjectVersion

Retrieves a specific version of an object from a versioning-enabled bucket. Like s3:GetObject this is an object-data read, so scope its Resource accordingly; listing the versions themselves is done with s3:ListBucketVersions

Lifecycle

s3:GetReplicationConfiguration

Retrieves the replication configuration of the bucket

Metadata

s3:ListAllMyBuckets

Lists all buckets owned by the account, used to enumerate the buckets on which the metadata and lifecycle calls above are made

Describe

s3:ListBucket

Lists the objects in a bucket (paginated) so that the object-level metadata and lifecycle calls above can be made; also required for HeadBucket-style existence checks

 

s3:ListBucketVersions

Lists, via the versions subresource, metadata about all versions of the objects in a bucket

Lifecycle
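The two tables above list the actions the CFT grants but do not show them assembled into a policy, nor which entries are wider than the read-only inventory they suggest (pi:* is a full-service wildcard, ecr-public:TagResource and elasticfilesystem:ClientMount are writes or data-plane access, s3:GetObject and s3:GetObjectVersion read object data, and iam:PassRole is only safe when pinned to the Config role and to config.amazonaws.com). The following Python is an added example, not the page's or the product's own template: it builds a policy document from the actions listed on this page and lints it for anything that is not a plain Describe/List/Get read. The role ARN and bucket name in it are hypothetical placeholders.

```python
"""Assemble the CFT permission set above into an IAM policy document and lint it
for anything wider than a Describe/List/Get read. Added example, not the page's
own CloudFormation template."""
import json
import re

# A verb that only reads state: Describe*, List*, Get* and AWS Config's Select*.
READ_VERB = re.compile(r"^(Describe|List|Get|Select)(\*|[A-Za-z]*)$")

# Actions copied from the quick-reference table on this page, including the
# entries that are not really reads (ecr-public:TagResource,
# elasticfilesystem:ClientMount, pi:*) so the linter can surface them.
READ_ACTIONS = [
    "organizations:Describe*", "organizations:List*", "autoscaling:Describe*",
    "ec2:Describe*", "elasticloadbalancing:Describe*", "cloudwatch:Describe*",
    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
    "ecr-public:DescribeImages", "ecr-public:DescribeRepositories", "ecr-public:TagResource",
    "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:ListImages",
    "ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*",
    "elasticfilesystem:ClientMount", "elasticfilesystem:DescribeFileSystems",
    "rds:DescribeDBInstances", "rds:DescribeDBClusters", "pi:*",
    "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus",
    "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration",
    "s3:GetIntelligentTieringConfiguration", "s3:GetInventoryConfiguration",
    "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetObject",
    "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectVersion",
    "s3:GetReplicationConfiguration", "s3:ListAllMyBuckets", "s3:ListBucket",
    "s3:ListBucketVersions", "config:DescribeConfigRules",
    "config:DescribeConfigurationRecorderStatus", "config:DescribeConfigurationRecorders",
    "config:GetComplianceDetailsByConfigRule", "config:ListAggregateDiscoveredResources",
    "config:ListDiscoveredResources", "config:SelectAggregateResourceConfig",
    "config:SelectResourceConfig",
]
# The page's Config write and delete rows; these writes are intentional.
CONFIG_WRITE_ACTIONS = ["config:PutConfigRule", "config:PutConfigurationRecorder",
                        "config:StartConfigurationRecorder", "config:DeleteConfigRule"]
# Object-data reads; everything else in the S3 row is bucket or object metadata.
S3_DATA_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}


def build_policy(config_role_arn, s3_object_arns=("*",)):
    """Policy document: metadata reads on *, object reads on s3_object_arns,
    the Config writes, and a PassRole that can only hand config_role_arn to
    the AWS Config service (iam:PassedToService is a real IAM condition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnlyInventory", "Effect": "Allow",
             "Action": [a for a in READ_ACTIONS if a not in S3_DATA_ACTIONS],
             "Resource": "*"},
            {"Sid": "S3ObjectRead", "Effect": "Allow",
             "Action": sorted(S3_DATA_ACTIONS), "Resource": list(s3_object_arns)},
            {"Sid": "ConfigWrite", "Effect": "Allow",
             "Action": CONFIG_WRITE_ACTIONS, "Resource": "*"},
            {"Sid": "PassConfigRoleOnly", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": config_role_arn,
             "Condition": {"StringEquals": {"iam:PassedToService": "config.amazonaws.com"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, action, reason) for every Allow that is wider than a read."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid, resources = st.get("Sid", "<no-sid>"), _as_list(st["Resource"])
        for action in _as_list(st["Action"]):
            service, _, verb = action.partition(":")
            if verb == "*":
                findings.append((sid, action, "service-wildcard"))
            elif action == "iam:PassRole":
                cond = st.get("Condition", {}).get("StringEquals", {})
                if "*" in resources or "iam:PassedToService" not in cond:
                    findings.append((sid, action, "unscoped-passrole"))
            elif action in S3_DATA_ACTIONS and "*" in resources:
                findings.append((sid, action, "unscoped-data-read"))
            elif not READ_VERB.match(verb):
                findings.append((sid, action, "write"))
    return findings


if __name__ == "__main__":
    # Hypothetical role ARN and bucket; replace with your own values.
    doc = build_policy("arn:aws:iam::123456789012:role/ConfigRecorderRole",
                       ["arn:aws:s3:::example-bucket/*"])
    print(json.dumps(doc, indent=2))
    for sid, action, reason in lint_policy(doc):
        print(f"{reason:<20} {sid}: {action}")
```

Run as-is, the linter reports the three non-read entries the page lists in the read rows (pi:*, ecr-public:TagResource, elasticfilesystem:ClientMount) and the four intentional Config writes; the object reads are silent because they are scoped to one bucket, and the PassRole statement is silent because it names a single role and pins the service. Replace the object ARN list with "*" and the two S3 data-read findings appear, which is the check to run before deploying a template that grants s3:GetObject on every bucket.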

How to enable additional memory metrics on EC2 Instances

Collect metrics and logs from Amazon EC2 instances and on-premises servers with the CloudWatch agent