Faddom Help Center

Permissions required to map an AWS environment

Collecting data on AWS entities

To collect details on the entities in your AWS environment, we require the following permissions:

AWS API permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VntAWSDiscoveryPermissions",
            "Effect": "Allow",
            "Action": [
                "ce:GetDimensionValues",
                "ce:GetCostAndUsage",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:DescribeClusters",
                "ecs:DescribeServices",
                "ecs:ListClusters",
                "ecs:ListServices",
                "ecs:ListTasks",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "pricing:GetProducts",
                "rds:DescribeDBInstances"
            ],
            "Resource": "*"
        }
    ]
}


VPC Flow Logs Permissions

If you enabled VPC Flow Logs to allow Faddom to map the dependencies between the entities in your account, we need the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VntS3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[FLOW_LOGS_BUCKET]/*",
                "arn:aws:s3:::[FLOW_LOGS_BUCKET]"
            ]
        }
    ]
}

* Note: replace [FLOW_LOGS_BUCKET] in both Resource entries with the name of the S3 bucket in which your VPC flow logs are stored.
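As an added example (not Faddom's own code), the following script embeds the two policies above and checks what a reviewer would want to confirm before attaching them: that every discovery action is a read-only Describe/List/Get call with no wildcards, that the placeholder bucket name has actually been substituted, and that the S3 grant stays scoped to one bucket rather than "*". The bucket-name rule is a simplified version of the S3 naming rules, assumed here for illustration.

```python
import json
import re

# Both policy documents from this article, embedded as constructed sample input.
DISCOVERY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VntAWSDiscoveryPermissions", "Effect": "Allow", "Resource": "*",
    "Action": ["ce:GetDimensionValues", "ce:GetCostAndUsage", "ec2:DescribeInstances",
               "ec2:DescribeVpcs", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeFlowLogs",
               "ec2:DescribeNatGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets",
               "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:DescribeClusters",
               "ecs:DescribeServices", "ecs:ListClusters", "ecs:ListServices", "ecs:ListTasks",
               "elasticloadbalancing:DescribeLoadBalancers",
               "elasticloadbalancing:DescribeTargetGroups", "pricing:GetProducts",
               "rds:DescribeDBInstances"]}]}
FLOW_LOGS_TEMPLATE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VntS3Permissions", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::[FLOW_LOGS_BUCKET]/*", "arn:aws:s3:::[FLOW_LOGS_BUCKET]"]}]}

PLACEHOLDER = "[FLOW_LOGS_BUCKET]"
# Simplified S3 bucket-name rule (assumption): 3-63 lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def non_read_only_actions(policy):
    """Return actions that carry a wildcard or are not a Describe/List/Get call."""
    return [a for s in policy["Statement"] for a in _as_list(s["Action"])
            if "*" in a or not a.partition(":")[2].startswith(READ_ONLY_PREFIXES)]

def is_valid_bucket_name(bucket):
    """Reject names that could never be a real bucket (including any '*')."""
    return BUCKET_RE.match(bucket) is not None

def render_flow_logs_policy(bucket):
    """Substitute the real bucket name into the flow-logs policy template."""
    if not is_valid_bucket_name(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    return json.loads(json.dumps(FLOW_LOGS_TEMPLATE).replace(PLACEHOLDER, bucket))

def unresolved_placeholders(policy):
    """Resources still carrying the placeholder; such ARNs never match a bucket."""
    return [r for s in policy["Statement"] for r in _as_list(s["Resource"]) if PLACEHOLDER in r]

def s3_resources_scoped(policy):
    """True when no statement grants access to every bucket via '*' or 'arn:aws:s3:::*'."""
    return not any(r == "*" or r.startswith("arn:aws:s3:::*")
                   for s in policy["Statement"] for r in _as_list(s["Resource"]))
```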
