
Permission Configuration

To allow the service to import your AWS data, you must provide the necessary permissions via an IAM Policy attached to your Service Account or IAM Role.

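The easiest way to get started is to attach the AWS-managed policy ReadOnlyAccess. This grants broad read-only visibility across your account and ensures all current and future resource types are supported without further configuration. Be aware that ReadOnlyAccess is not limited to resource metadata: it also permits reading data held in many services (for example, the contents of S3 objects), so where least privilege matters, use the granular policy below instead.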

Granular Permissions

If you prefer to restrict permissions to specific services, you can create a custom policy. Below is the JSON for the minimal permissions required for data import across all supported resource types.

Info:

Note: Using this custom policy means that if new resource types are added to the import process in the future, you may need to manually update this policy to include additional Describe or List actions.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"cloudfront:ListFunctions",
"cloudfront:ListDistributions",
"cloudtrail:DescribeTrails",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"eks:DescribeClusters",
"eks:ListClusters",
"ecs:DescribeClusters",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeCacheClusters",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"es:DescribeElasticsearchDomain",
"kafka:ListClusters",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"lambda:ListFunctions",
"rds:DescribeDBInstances",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket",
"secretsmanager:ListSecrets"
],
"Resource": "*"
}
]
}

Permissions listed for each asset type

If you only need a partial import, the permissions required for each asset type are listed below. Combine the statements for the asset types you want to import into a single policy.

Virtual Machine permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"cloudwatch:GetMetricStatistics"
],
"Resource": [
"*"
]
}
]
}

Image permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages"
],
"Resource": [
"*"
]
}
]
}

Volume permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"cloudwatch:GetMetricStatistics"
],
"Resource": [
"*"
]
}
]
}

Network Zone (VPC) permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs"
],
"Resource": [
"*"
]
}
]
}

Network Zone (Subnet) permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets"
],
"Resource": [
"*"
]
}
]
}

Load balancer permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "elasticloadbalancing:DescribeLoadBalancers",
"Resource": "*"
}
]
}

RDS Database permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}

Elasticsearch Domain permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "es:DescribeElasticsearchDomain",
"Resource": "*"
}
]
}

Elasticache permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeCacheClusters"
],
"Resource": "*"
}
]
}

Lambda Function permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}

Elastic File System permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
}
]
}

S3 Bucket permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}

EKS Cluster permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:ListClusters",
"eks:DescribeClusters"
],
"Resource": "*"
}
]
}

ECS Cluster permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:DescribeClusters"
],
"Resource": "*"
}
]
}

ECS Container permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances"
],
"Resource": "*"
}
]
}

CloudFront Distributions permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudfront:ListDistributions"
],
"Resource": "*"
}
]
}

CloudFront Functions permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudfront:ListFunctions",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}

CloudTrail permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails"
],
"Resource": "*"
}
]
}

CloudWatch Metrics permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
}

DynamoDB Tables permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable"
],
"Resource": "*"
}
]
}

Kafka Cluster permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kafka:ListClusters"
],
"Resource": "*"
}
]
}

Kinesis Stream permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:ListStreams",
"kinesis:DescribeStream"
],
"Resource": "*"
}
]
}

Secrets Manager Secrets permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsManager:ListSecrets"
],
"Resource": "*"
}
]
}

Network Traffic permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}

Scalable Compute Group permissions

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstanceTypes",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}