AWS Permissions

In this article: By creating a custom IAM Policy, you can reduce the number of permissions granted to Cloudcraft when accessing your AWS account

You have the option of connecting your AWS account(s) to Cloudcraft in order to import your existing AWS inventory and view live data from your environments.

In order to access your AWS inventory, Cloudcraft relies on the third-party cross-account role-based access capability of AWS. This is the security practice AWS recommends for delegating access, and it completely eliminates the need to share any IAM access keys with Cloudcraft. Instead, a role is created in your AWS account that authorizes Cloudcraft to assume it, with the permissions limited to those defined in an attached IAM Policy. If the role-creation instructions in the app supply an External ID, keep it: requiring that value in the role's trust policy is how AWS guards third-party roles against the confused deputy problem.

The quickest way to get started is to attach the AWS managed ReadOnlyAccess policy to your Cloudcraft IAM role. However, that policy grants read access to far more services and data than Cloudcraft needs or uses. If you want to follow least privilege, create a custom IAM Policy containing only the permissions Cloudcraft actually calls, as listed below.

Note! As AWS or Cloudcraft adds support for new services or features, you will have to update any custom IAM Policy manually, or live data for those services will not be available.

The policy can be customized further by removing the actions for specific AWS services. Cloudcraft will not discover resources for any service you remove. The ec2 actions are the only ones that must remain in a custom policy document.

Creating a custom IAM Policy

  1. Open the IAM Policies Console and click Create Policy
  2. Select Create Your Own Policy (in newer versions of the console, choose the JSON editor)
  3. Enter the following policy data:

Policy Name: Cloudcraft

Policy Description: Cloudcraft Custom Policy Version 2018-06-01

Policy Document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "apigateway:Get",
        "autoscaling:Describe*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:List*",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:GetEncryptionConfiguration",
        "s3:List*",
        "ses:Get*",
        "ses:List*",
        "sns:GetTopicAttributes",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "tag:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Finally, attach the newly created 'Cloudcraft' IAM policy to the 'cloudcraft' IAM role, or, if you have not created the role yet, follow the instructions in the app to create it first.
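The script below is an added example for the two points above, trimming services from the custom policy and creating the cross-account role; it is not Cloudcraft's own tooling. It takes the action list from this article's policy document, removes the services you choose while refusing to drop ec2, audits the result so that nothing but Describe/Get/List actions is granted, and writes the role's trust policy. The trusted account ID and External ID are placeholders (assumptions), not real Cloudcraft values; substitute whatever the app gives you.

```python
"""Build, trim and sanity-check the read-only IAM policy and the role trust policy.

Added example, not Cloudcraft's own tooling. The trusted account ID and external
ID used below are placeholders (assumptions), not real Cloudcraft values.
"""
import json

# Action list taken from the policy document in this article.
CLOUDCRAFT_ACTIONS = [
    "apigateway:Get", "autoscaling:Describe*", "cloudfront:List*",
    "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
    "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:ListTagsOfResource",
    "ec2:Describe*", "elasticache:Describe*", "elasticache:List*",
    "elasticfilesystem:Describe*", "elasticloadbalancing:Describe*",
    "es:Describe*", "es:List*", "kinesis:Describe*", "kinesis:List*",
    "lambda:List*", "rds:Describe*", "rds:ListTagsForResource",
    "redshift:Describe*", "route53:List*",
    "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketNotification",
    "s3:GetBucketTagging", "s3:GetEncryptionConfiguration", "s3:List*",
    "ses:Get*", "ses:List*", "sns:GetTopicAttributes", "sns:List*",
    "sqs:GetQueueAttributes", "sqs:ListQueues", "tag:Get*",
]

# The article states that only the EC2 actions must remain in a custom policy.
MANDATORY_SERVICES = {"ec2"}

# Verb prefixes treated as read-only by audit_read_only().
READ_ONLY_PREFIXES = ("describe", "get", "list")


def service_of(action: str) -> str:
    """'ec2:Describe*' -> 'ec2'."""
    return action.split(":", 1)[0].lower()


def build_policy(drop_services=(), actions=CLOUDCRAFT_ACTIONS) -> dict:
    """Return the policy document with every action of `drop_services` removed.

    Refuses to drop a mandatory service so the resulting policy still works.
    """
    drop = {s.lower() for s in drop_services}
    blocked = drop & MANDATORY_SERVICES
    if blocked:
        raise ValueError(f"cannot remove mandatory service(s): {sorted(blocked)}")
    kept = [a for a in actions if service_of(a) not in drop]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": kept, "Resource": "*"}],
    }


def services_in(policy: dict) -> set:
    """Set of service prefixes granted anywhere in the policy."""
    found = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        for a in [actions] if isinstance(actions, str) else actions:
            found.add(service_of(a))
    return found


def audit_read_only(policy: dict) -> list:
    """Return every Allow action that is not Describe*/Get*/List*.

    A bare '*' or 'service:*' is flagged too, since those grant write access.
    """
    suspicious = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        for a in [actions] if isinstance(actions, str) else actions:
            if ":" not in a:
                suspicious.append(a)
                continue
            verb = a.split(":", 1)[1].lower()
            if not verb.startswith(READ_ONLY_PREFIXES):
                suspicious.append(a)
    return suspicious


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role.

    Only principals in `trusted_account_id` may assume the role, and only when
    they present `external_id`, AWS's guard against the confused deputy problem
    for third-party roles. Both values are supplied by the caller (placeholders).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


if __name__ == "__main__":
    # Example: drop SES and SQS discovery, then write both documents for the CLI.
    policy = build_policy(drop_services=["ses", "sqs"])
    assert not audit_read_only(policy), "policy grants non-read actions"
    with open("cloudcraft-policy.json", "w") as f:
        json.dump(policy, f, indent=2)
    with open("cloudcraft-trust.json", "w") as f:  # placeholder account ID / External ID
        json.dump(trust_policy("123456789012", "replace-with-external-id"), f, indent=2)
    print("services granted:", sorted(services_in(policy)))
```

The two files it writes can be fed straight to the CLI instead of the console: aws iam create-policy --policy-name Cloudcraft --policy-document file://cloudcraft-policy.json, then aws iam create-role --role-name cloudcraft --assume-role-policy-document file://cloudcraft-trust.json, and finally aws iam attach-role-policy --role-name cloudcraft --policy-arn with the ARN returned by the first command. The audit is deliberately strict: a wildcard such as ec2:* fails it, because that would silently hand the role write access.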

Questions?

If you have any questions or concerns regarding the IAM Policy, AWS permissions, or Cloudcraft security in general, please contact Cloudcraft support.