CloudQuery compatibility with ViewOnlyAccess instead of ReadOnlyAccess

CloudQuery using ViewOnlyAccess?

Hey there! I’d like to know if we could use ViewOnlyAccess instead of ReadOnlyAccess in CloudQuery.

So my question is if you explored whether ViewOnlyAccess would be enough for CloudQuery to do its job, or if we will face many permission errors.

A quick glance at the two policies indicates that ViewOnlyAccess provides basic access to 93 unique services, while ReadOnlyAccess provides 273.

It’s going to depend on the tables you’re syncing, but that’s quite a difference, so I’d be surprised if ViewOnlyAccess didn’t run into more permission errors.

If you’re interested, here are the services not mentioned in ViewOnlyAccess but mentioned in ReadOnlyAccess. Some of these have corresponding CQ tables, some don’t: Gist Link

In any case, we’d always recommend reviewing the tables you need and tailoring your policy to only allow access to the services/resources you’re syncing.

While ViewOnlyAccess supports some services like iam, it only provides access to the list* actions and not any of the Get*. This is common across many of the other services as well. ViewOnlyAccess is intended to only give a very limited view of the AWS account.

If you really want to generate a narrowly permissive policy for your IAM access, I would suggest investigating the IAM Access Analyzer policy generation functionality: IAM Access Analyzer policy generation

This enables AWS to analyze your CloudTrail events and generate a policy based on that activity.
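As an added example (not code from this thread or from the CloudQuery project), the script below does mechanically what the replies above describe by hand: it parses two IAM policy documents, counts the service prefixes each one grants, reports which services appear only in the broader policy, lists which action verbs (List, Get, Describe, ...) the narrower policy grants per service, and checks a list of actions a sync would need against each policy. The two policy documents and the list of required actions are constructed excerpts for illustration, not the real `ViewOnlyAccess` / `ReadOnlyAccess` managed policies (which are far larger) and not a real CloudQuery table's permission list; to run it against the real policies you would fetch them with `aws iam get-policy-version` and feed the JSON in.

```python
"""Compare two IAM policy documents by service coverage and action verbs,
and check a set of required actions against each.

Everything below is a constructed sample for illustration; the real
ViewOnlyAccess and ReadOnlyAccess policies are much larger.
"""
import json
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed excerpt modelled on the shape of ViewOnlyAccess: concrete
# List*/Describe* actions only, no Get* for iam.
VIEW_ONLY_SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListUsers", "iam:ListRoles",
                   "ec2:DescribeInstances", "s3:ListAllMyBuckets"],
        "Resource": "*",
    }],
})

# Constructed excerpt modelled on the shape of ReadOnlyAccess: wildcard
# verbs and an extra service (kms) the narrow policy does not mention.
READ_ONLY_SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:List*", "iam:Get*", "ec2:Describe*",
                   "s3:List*", "s3:Get*", "kms:Describe*", "kms:List*"],
        "Resource": "*",
    }],
})

# Hypothetical list of actions a sync might need (constructed, not CQ's).
REQUIRED_ACTIONS = ["iam:ListUsers", "iam:GetUser",
                    "ec2:DescribeInstances", "kms:ListKeys"]


def allowed_actions(policy_json):
    """Return the set of Action strings from every Allow statement."""
    doc = json.loads(policy_json)
    stmts = doc["Statement"]
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    actions = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        acts = s.get("Action", [])
        if isinstance(acts, str):        # "Action" may be a string or a list
            acts = [acts]
        actions.update(acts)
    return actions


def services(actions):
    """Service prefixes (the part before ':') granted by a set of actions."""
    return {a.split(":", 1)[0] for a in actions if ":" in a}


def verb_of(action_name):
    """Leading verb of an action name: 'ListUsers' -> 'List', 'Get*' -> 'Get'."""
    name = action_name.rstrip("*")
    if not name:                         # bare '*' means every action
        return "*"
    for i, ch in enumerate(name[1:], 1):
        if ch.isupper():
            return name[:i]
    return name


def verbs_by_service(actions):
    """Map each service prefix to the set of verbs the actions grant for it."""
    out = defaultdict(set)
    for a in actions:
        if ":" in a:
            svc, name = a.split(":", 1)
            out[svc].add(verb_of(name))
    return out


def action_allowed(actions, needed):
    """True if any granted action pattern matches the needed action.
    IAM matches action names case-insensitively, so compare lower-cased."""
    return any(fnmatchcase(needed.lower(), pat.lower()) for pat in actions)


def unmet_actions(policy_json, needed):
    """Required actions the policy does not grant (sorted for stable output)."""
    granted = allowed_actions(policy_json)
    return sorted(n for n in needed if not action_allowed(granted, n))


def report(narrow_json, broad_json):
    """Summarise how a narrow policy compares with a broader one."""
    narrow, broad = allowed_actions(narrow_json), allowed_actions(broad_json)
    return {
        "narrow_service_count": len(services(narrow)),
        "broad_service_count": len(services(broad)),
        "services_only_in_broad": sorted(services(broad) - services(narrow)),
        "narrow_verbs": {svc: sorted(v) for svc, v in verbs_by_service(narrow).items()},
    }


if __name__ == "__main__":
    print(json.dumps(report(VIEW_ONLY_SAMPLE, READ_ONLY_SAMPLE), indent=2))
    print("unmet with narrow policy:", unmet_actions(VIEW_ONLY_SAMPLE, REQUIRED_ACTIONS))
    print("unmet with broad policy:", unmet_actions(READ_ONLY_SAMPLE, REQUIRED_ACTIONS))
```

The `unmet_actions` check is the part worth keeping around: once you have the action list for the tables you actually sync, running it against a candidate policy tells you up front which calls will fail with AccessDenied, rather than discovering them from sync errors. Note the `Resource` and `Condition` elements are ignored here; a real least-privilege review has to consider those too.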

Using IAM Access Analyzer for that sounds like a great recommendation indeed, but we would need to repeat that exercise every time we add a new table. The main reason I asked this question is that we would like to prevent any kind of data-related access for compliance reasons.