IAM permission set requirements for AWS plugin asset access in CloudQuery

honest-snipe · March 8, 2024, 11:19pm

Is there a spec defining the IAM permission set required for the AWS plugin? For each asset/service type: SNS, S3, WAF, EC2, EKS, etc. Right now I am building this by searching 403s through logs.

ben · March 8, 2024, 11:25pm

There is not a permission set for the AWS plugin. We recommend using the ReadOnly managed policy and then adding in explicit denies for data plane operations like kinesis:GetRecord and s3:GetObject.

  "cloudformation:GetTemplate",
  "dynamodb:BatchGetItem",
  "dynamodb:GetItem",
  "dynamodb:Query",
  "dynamodb:Scan",
  "ec2:GetConsoleOutput",
  "ec2:GetConsoleScreenshot",
  "ecr:BatchGetImage",
  "ecr:GetAuthorizationToken",
  "ecr:GetDownloadUrlForLayer",
  "kinesis:Get*",
  "lambda:GetFunction",
  "logs:GetLogEvents",
  "s3:GetObject",
  "sdb:Select*",
  "secretsmanager:GetSecretValue",
  "sqs:ReceiveMessage",
  "ssm:GetCommandInvocation",
  "ssm:GetParameter*"

honest-snipe · March 8, 2024, 11:26pm

This does not cover all asset types, but I get the idea.

ben · March 8, 2024, 11:27pm

The above list are the explicit denies.
If you have any other suggestions about permissions that should be denied, let us know.

honest-snipe · March 9, 2024, 12:26am

You mean using this one to allow: AWS ReadOnlyAccess then provide a deny list.

Or do you recommend doing something like:

managed_policy_arns = [
    "AmazonGuardDutyReadOnlyAccess", 
    "AWSWAFReadOnlyAccess", 
    "ServiceQuotasReadOnlyAccess",
    "AWSXrayReadOnlyAccess", 
    "AmazonRedshiftReadOnlyAccess", 
    ...
]

I went through all the policies and came up with this list:

"Action": [
    "cloudformation:GetTemplate",
    "cloudwatch:GenerateQuery",
    "cognito-sync:QueryRecords",
    "datapipeline:QueryObjects",
    "dax:query",
    "dynamodb:BatchGetItem",
    "dynamodb:GetItem",
    "dynamodb:Query",
    "dynamodb:Scan",
    "ec2:GetConsoleOutput",
    "ec2:GetConsoleScreenshot",
    "ecr:BatchGetImage",
    "ecr:GetAuthorizationToken",
    "ecr:GetDownloadUrlForLayer",
    "kendra:Query",
    "kinesis:Get*",
    "lambda:GetFunction",
    "logs:GetLogEvents",
    "logs:Start*",
    "logs:Stop*",
    "mediapackagev2:GetHeadObject",
    "mediapackagev2:GetObject",
    "mediastore:GetObject",
    "s3:GetObject",
    "s3-object-lambda:GetObject",
    "sdb:Select*",
    "secretsmanager:GetSecretValue",
    "sqs:ReceiveMessage",
    "ssm:GetCommandInvocation",
    "ssm:GetParameter*"
]

sweeping-ewe · July 31, 2024, 7:56pm

This may be very useful, I’ll try this one.

Topic		Replies	Views
New Feature: Automate IAM Policies for CloudQuery AWS Syncs Announcements	0	25	February 4, 2025
CloudQuery compatibility with ViewOnlyAccess instead of ReadOnlyAccess CloudQuery Plugins	3	0	January 18, 2024
Aws source plugin for org admin_account issue after updating to v24.3.2 CloudQuery Plugins	17	22	February 22, 2024
CloudQuery AWS source plugin KMS keys sync issues with readonly role CloudQuery Plugins	3	1	January 16, 2024
GCP plugin support for IAM policy bindings in CloudQuery CloudQuery Plugins	0	2	March 19, 2024

IAM permission set requirements for AWS plugin asset access in CloudQuery

Related topics