AWS IAM Permissions
Each version of Fix Inventory programmatically generates the specific IAM permissions it requires to collect (and optionally, manipulate) AWS resources.
| Service Namespace | FixOrgList | FixCollect | FixMutate |
|---|---|---|---|
acm |
| ||
apigateway |
|
| |
athena |
|
| |
autoscaling |
|
| |
backup |
|
| |
cloudformation |
|
| |
cloudfront |
|
| |
cloudtrail |
|
| |
cloudwatch |
|
| |
cognito-idp |
|
| |
config |
|
| |
dynamodb |
|
| |
ec2 |
|
|
|
ecr |
| ||
ecr-public |
| ||
ecs |
|
| |
eks |
|
| |
elasticache |
|
| |
elasticbeanstalk |
|
| |
elasticfilesystem |
|
| |
elasticloadbalancing |
|
| |
glacier |
|
| |
iam |
|
|
|
kinesis |
|
| |
kms |
|
| |
lambda |
|
| |
logs |
|
| |
opensearch |
| ||
organizations |
|
| |
pricing |
| ||
rds |
|
| |
redshift |
|
| |
route53 |
|
| |
s3 |
|
| |
sagemaker |
|
| |
secretsmanager |
| ||
servicequotas |
|
| |
sns |
|
| |
sqs |
|
| |
ssm |
| ||
wafv2 |
|
FixOrgList​
https://cdn.some.engineering/fix/aws/4.1.0/FixOrgList.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"organizations:ListAccounts",
"organizations:DescribeAccount",
"ec2:DescribeRegions",
"iam:ListAccountAliases"
]
}
]
}
FixCollect​
https://cdn.some.engineering/fix/aws/4.1.0/FixCollect.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"apigateway:GET",
"athena:GetDataCatalog",
"athena:GetWorkGroup",
"athena:ListDataCatalogs",
"athena:ListTagsForResource",
"athena:ListWorkGroups",
"autoscaling:DescribeAutoScalingGroups",
"backup:ListBackupJobs",
"backup:ListBackupPlans",
"backup:ListBackupVaults",
"backup:ListCopyJobs",
"backup:ListFrameworks",
"backup:ListLegalHolds",
"backup:ListProtectedResources",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListReportPlans",
"backup:ListRestoreJobs",
"backup:ListRestoreTestingPlans",
"backup:ListTags",
"cloudformation:DescribeStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackResources",
"cloudformation:ListStackSets",
"cloudformation:ListStacks",
"cloudfront:GetDistribution",
"cloudfront:ListCachePolicies",
"cloudfront:ListDistributions",
"cloudfront:ListFieldLevelEncryptionConfigs",
"cloudfront:ListFieldLevelEncryptionProfiles",
"cloudfront:ListFunctions",
"cloudfront:ListOriginAccessControls",
"cloudfront:ListPublicKeys",
"cloudfront:ListRealtimeLogConfigs",
"cloudfront:ListResponseHeadersPolicies",
"cloudfront:ListStreamingDistributions",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetInsightSelectors",
"cloudtrail:GetTrail",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudtrail:ListTrails",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"cognito-idp:ListGroups",
"cognito-idp:ListTagsForResource",
"cognito-idp:ListUserPools",
"cognito-idp:ListUsers",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeTable",
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAddresses",
"ec2:DescribeFlowLogs",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ecr-public:DescribeRepositories",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecs:DescribeCapacityProviders",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListNodegroups",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeReplicationGroups",
"elasticache:ListTagsForResource",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:ListTagsForResource",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"glacier:ListJobs",
"glacier:ListTagsForVault",
"glacier:ListVaults",
"iam:GenerateCredentialReport",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListInstanceProfiles",
"iam:ListServerCertificates",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListKeys",
"kms:ListResourceTags",
"lambda:GetFunctionUrlConfig",
"lambda:GetPolicy",
"lambda:ListFunctions",
"lambda:ListTags",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"opensearch:DescribeDomainNames",
"opensearch:ListDomainNames",
"organizations:ListAccounts",
"pricing:GetProducts",
"rds:DescribeDbClusterSnapshots",
"rds:DescribeDbClusters",
"rds:DescribeDbInstances",
"rds:DescribeDbSnapshots",
"rds:ListTagsForResource",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetEncryptionConfiguration",
"s3:ListAllMyBuckets",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMlJob",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeModel",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribePipeline",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:ListAlgorithms",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAutoMlJobs",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListDomains",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListModels",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkteams",
"secretsmanager:ListSecrets",
"servicequotas:ListServiceQuotas",
"sns:GetPlatformApplicationAttributes",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListEndpointsByPlatformApplication",
"sns:ListPlatformApplications",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetDocument",
"ssm:ListDocuments",
"ssm:ListResourceComplianceSummaries",
"wafv2:GetLoggingConfiguration",
"wafv2:GetWebAcl",
"wafv2:ListResourcesForWebAcl",
"wafv2:ListWebAcls"
]
}
]
}
FixMutate​
https://cdn.some.engineering/fix/aws/4.1.0/FixMutate.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"apigateway:DELETE",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:PUT",
"athena:DeleteDataCatalog",
"athena:DeleteWorkGroup",
"athena:TagResource",
"athena:UntagResource",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteTags",
"backup:DeleteBackupPlan",
"backup:DeleteBackupVault",
"backup:DeleteFramework",
"backup:DeleteRecoveryPoint",
"backup:DeleteReportPlan",
"backup:DeleteRestoreTestingPlan",
"backup:TagResource",
"backup:UntagResource",
"cloudformation:DeleteStack",
"cloudformation:DeleteStackSet",
"cloudformation:UpdateStack",
"cloudformation:UpdateStackSet",
"cloudfront:DeleteCachePolicy",
"cloudfront:DeleteDistribution",
"cloudfront:DeleteFieldLevelEncryptionConfig",
"cloudfront:DeleteFieldLevelEncryptionProfile",
"cloudfront:DeleteFunction",
"cloudfront:DeleteOriginAccessControl",
"cloudfront:DeletePublicKey",
"cloudfront:DeleteRealtimeLogConfig",
"cloudfront:DeleteResponseHeadersPolicy",
"cloudfront:DescribeFunction",
"cloudfront:GetCachePolicy",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:GetFieldLevelEncryptionConfig",
"cloudfront:GetFieldLevelEncryptionProfile",
"cloudfront:GetOriginAccessControl",
"cloudfront:GetPublicKey",
"cloudfront:GetResponseHeadersPolicy",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudfront:UpdateDistribution",
"cloudtrail:AddTags",
"cloudtrail:DeleteTrail",
"cloudtrail:RemoveTags",
"cloudwatch:DeleteAlarms",
"cloudwatch:DeleteMetricFilter",
"cloudwatch:TagResource",
"cloudwatch:UntagResource",
"cognito-idp:DeleteGroup",
"cognito-idp:DeleteUserPool",
"cognito-idp:TagResource",
"cognito-idp:UntagResource",
"config:DeleteConfigurationRecorder",
"dynamodb:DeleteTable",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"ec2:CreateTags",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpcPeeringConnection",
"ec2:DescribeInstanceAttribute",
"ec2:DetachInternetGateway",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ReleaseAddress",
"ec2:ReleaseHosts",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ecs:DeleteCapacityProvider",
"ecs:DeleteCluster",
"ecs:DeleteService",
"ecs:DeregisterContainerInstance",
"ecs:DeregisterTaskDefinition",
"ecs:PutClusterCapacityProviders",
"ecs:StopTask",
"ecs:TagResource",
"ecs:UntagResource",
"ecs:UpdateService",
"eks:DeleteCluster",
"eks:DeleteNodegroup",
"eks:TagResource",
"eks:UntagResource",
"elasticache:AddTagsToResource",
"elasticache:DeleteCacheCluster",
"elasticache:DeleteReplicationGroup",
"elasticache:RemoveTagsFromResource",
"elasticbeanstalk:DeleteApplication",
"elasticbeanstalk:TerminateEnvironment",
"elasticbeanstalk:UpdateTagsForResource",
"elasticfilesystem:DeleteFileSystem",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:RemoveTags",
"glacier:AddTagsToVault",
"glacier:DeleteVault",
"glacier:RemoveTagsFromVault",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteServerCertificate",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagInstanceProfile",
"iam:TagPolicy",
"iam:TagRole",
"iam:TagServerCertificate",
"iam:TagUser",
"iam:UntagInstanceProfile",
"iam:UntagPolicy",
"iam:UntagRole",
"iam:UntagServerCertificate",
"iam:UntagUser",
"kinesis:AddTagsToStream",
"kinesis:DeleteStream",
"kinesis:RemoveTagsFromStream",
"kms:DisableKey",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UntagResource",
"lambda:DeleteFunction",
"lambda:TagResource",
"lambda:UntagResource",
"logs:DeleteLogGroup",
"logs:TagResource",
"logs:UntagResource",
"rds:AddTagsToResource",
"rds:DeleteDbCluster",
"rds:DeleteDbInstance",
"rds:RemoveTagsFromResource",
"redshift:CreateTags",
"redshift:DeleteCluster",
"redshift:DeleteTags",
"route53:ChangeTagsForResource",
"route53:DeleteHostedZone",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:PutBucketTagging",
"sagemaker:AddTags",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteImage",
"sagemaker:DeleteModel",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkteam",
"servicequotas:TagResource",
"servicequotas:UntagResource",
"sns:DeleteEndpoint",
"sns:DeletePlatformApplication",
"sns:DeleteTopic",
"sns:TagResource",
"sns:Unsubscribe",
"sns:UntagResource",
"sqs:DeleteQueue",
"sqs:TagQueue",
"sqs:UntagQueue"
]
}
]
}