Access Required by StackZone on AWS
AWS IAM Role required by StackZone
Fernando Honig
Last Update 2 years ago
In order to push configurations and build your StackZone in your AWS Organization, StackZone needs to create an initial AWS IAM Role. This guide describes the permissions/policies needed by the StackZoneLimitedRole and how this role is used.
Role Assumption
Who can assume this role?
- This role can only be assumed by the StackZone Production Account, and only with an ExternalId that belongs to you alone as a StackZone Customer Account.
- AWS services such as AWS CloudFormation, AWS Lambda, AWS Systems Manager and Amazon EventBridge.
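The trust relationship described above (an account principal that must present your ExternalId, plus the listed AWS service principals) can be checked offline before the role is created. The following is an added example, not StackZone's own code: it embeds a constructed trust policy with placeholder account ID and ExternalId values and flags statements that would let an account assume the role without the ExternalId condition, or that name principals outside the expected set.

```python
import json

# Constructed example trust policy for StackZoneLimitedRole.
# Account ID and ExternalId are placeholders, not StackZone's real values.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # the StackZone Production Account, gated on the customer's ExternalId
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        },
        {   # AWS services that run StackZone's automation inside your account
            "Effect": "Allow",
            "Principal": {"Service": ["cloudformation.amazonaws.com", "lambda.amazonaws.com",
                                      "ssm.amazonaws.com", "events.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        },
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_trust_issues(policy_json, allowed_accounts, allowed_services):
    """Return a list of findings; an empty list means the trust policy matches expectations."""
    issues = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            issues.append(f"statement {i}: wildcard principal")
            continue
        # Condition keys are case-insensitive; accept any operator (StringEquals, StringLike, ...)
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:externalid" in {k.lower() for k in c} for c in conditions.values())
        for arn in _as_list(principal.get("AWS", [])):
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account not in allowed_accounts:
                issues.append(f"statement {i}: unexpected account {account}")
            if not has_external_id:
                issues.append(f"statement {i}: account {account} may assume without sts:ExternalId")
        for service in _as_list(principal.get("Service", [])):
            if service not in allowed_services:
                issues.append(f"statement {i}: unexpected service principal {service}")
    return issues

if __name__ == "__main__":
    print(find_trust_issues(TRUST_POLICY, {"111111111111"},
                            {"cloudformation.amazonaws.com", "lambda.amazonaws.com",
                             "ssm.amazonaws.com", "events.amazonaws.com"}))
```

Run it against the trust policy you actually attach (for example the output of `aws iam get-role`) with your own account and service allow lists substituted.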
Role Policies
What policies does this role have?
We make a great effort to reduce the permissions needed by StackZoneLimitedRole in each release. At this point in time, this is the list of permissions required:
- autoscaling:Describe*
- aws-portal:ViewBilling
- aws-portal:ViewUsage
- cloudformation:ListStacks
- cloudformation:ListStackResources
- cloudformation:DescribeStacks
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResources
- cloudformation:GetTemplate
- cloudfront:Get*
- cloudfront:List*
- cloudtrail:DescribeTrails
- cloudtrail:GetEventSelectors
- cloudtrail:ListTags
- cloudwatch:Describe*
- cloudwatch:Get*
- cloudwatch:List*
- config:Get*
- config:Describe*
- config:Deliver*
- config:List*
- config:Select*
- cur:Describe*
- dms:Describe*
- dms:List*
- dynamodb:DescribeTable
- dynamodb:List*
- ec2:Describe*
- ec2:GetReservedInstancesExchangeQuote
- ecs:List*
- ecs:Describe*
- elasticache:Describe*
- elasticache:ListTagsForResource
- elasticbeanstalk:Check*
- elasticbeanstalk:Describe*
- elasticbeanstalk:List*
- elasticbeanstalk:RequestEnvironmentInfo
- elasticbeanstalk:RetrieveEnvironmentInfo
- elasticfilesystem:Describe*
- elasticloadbalancing:Describe*
- elasticmapreduce:Describe*
- elasticmapreduce:List*
- es:List*
- es:Describe*
- firehose:ListDeliveryStreams
- firehose:DescribeDeliveryStream
- iam:List*
- iam:Get*
- iam:GenerateCredentialReport
- kinesis:Describe*
- kinesis:List*
- kms:DescribeKey
- kms:GetKeyRotationStatus
- kms:ListKeys
- lambda:List*
- logs:Describe*
- organizations:List*
- redshift:Describe*
- route53:Get*
- route53:List*
- rds:Describe*
- rds:ListTagsForResource
- savingsplans:DescribeSavingsPlans
- savingsplans:CreateSavingsPlan
- s3:GetAccountPublicAccessBlock
- s3:GetBucketAcl
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketPolicy
- s3:GetBucketPolicyStatus
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetBucketPublicAccessBlock
- s3:List*
- sagemaker:Describe*
- sagemaker:List*
- sdb:GetAttributes
- sdb:List*
- ses:Get*
- ses:List*
- sns:Get*
- sns:List*
- sqs:GetQueueAttributes
- sqs:ListQueues
- storagegateway:List*
- storagegateway:Describe*
- workspaces:Describe*
- ec2:CreateTags
- ec2:ModifyReservedInstances
- ec2:DescribeReservedInstancesOfferings
- ec2:PurchaseReservedInstancesOffering
- sts:GetFederationToken
- rds:PurchaseReservedDBInstancesOffering
- lambda:InvokeFunction
- codepipeline:Get*
- codepipeline:List*
- codepipeline:RetryStageExecution
- ec2:ModifyReservedInstances
- ec2:GetReservedInstancesExchangeQuote
- ec2:AcceptReservedInstancesExchangeQuote
- s3:Get* (On limited resources)
- s3:List* (On limited resources)
- s3:Put* (On limited resources)
- ce:Get*
- ce:Describe*
- ce:List*
- servicecatalog:ProvisionProduct
- servicecatalog:DescribeProduct
- servicecatalog:SearchProducts
- ssm:PutParameter (On limited resources)
- ssm:GetParameter* (On limited resources)
- ssm:DeleteParameter (On limited resources)
- ssm:UpdateServiceSetting (On limited resources)
- organizations:ListAccountsForParent
- organizations:ListOrganizationalUnitsForParent
- resource-groups:*
- tag:TagResources
- ssm:GetServiceSetting
How do you protect your StackZone Production Account?
- We eat our own dog food, which means we are protected by more than 100 Config Rules and GuardRails; in short, we have StackZone enabled in our own cloud accounts.
- Our team requires MFA to log in to our production accounts.
If you have any questions or concerns regarding this, please feel free to contact us via our Live Chat Support or by email at [email protected]