IAM Policy to Allow AWS Compliance Scanning
The AWS Compliance Auditing plugin requires access to AWS infrastructure. The permissions it needs are all read-only, and AWS lets you restrict them further to only the services the plugin supports. The following is an example IAM policy that covers the services and actions the plugin performs with the supplied credentials:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:List*",
        "iam:Get*",
        "iam:GetCredentialReport",
        "ec2:Describe*",
        "autoscaling:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "cloudwatch:Describe*",
        "rds:List*",
        "rds:Describe*",
        "sns:List*",
        "sns:Get*",
        "support:Describe*",
        "cloudtrail:List*",
        "cloudtrail:Get*",
        "cloudtrail:Describe*",
        "logs:Describe*",
        "logs:Get*",
        "kms:List*",
        "kms:Get*",
        "kms:Describe*",
        "config:List*",
        "config:Get*",
        "config:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
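A pre-deployment check for the scanning role's policy, added here as an example and not part of the plugin or the original page: it parses a policy document and reports every Allow action that is not a Describe/Get/List operation, so a copy of the policy that was edited to include write permissions is caught before it is attached. The embedded SCANNER_POLICY is the policy above, constructed inline so the script runs offline; the function names are this example's own.

```python
import json

# IAM action-name prefixes used for read-only operations. This is a prefix
# heuristic: it does not judge data sensitivity (e.g. s3:GetObject is "read").
READ_ONLY_PREFIXES = ("describe", "get", "list")

# The read-only policy from this page, embedded so the check runs offline.
SCANNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["iam:List*", "iam:Get*", "iam:GetCredentialReport",
                   "ec2:Describe*", "autoscaling:Describe*",
                   "elasticloadbalancing:Describe*", "cloudwatch:List*",
                   "cloudwatch:Get*", "cloudwatch:Describe*", "rds:List*",
                   "rds:Describe*", "sns:List*", "sns:Get*", "support:Describe*",
                   "cloudtrail:List*", "cloudtrail:Get*", "cloudtrail:Describe*",
                   "logs:Describe*", "logs:Get*", "kms:List*", "kms:Get*",
                   "kms:Describe*", "config:List*", "config:Get*",
                   "config:Describe*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

def _as_list(value):
    """IAM accepts either a bare string or a list for Statement/Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_read_only_action(action):
    """True only if the pattern can match nothing but Describe/Get/List calls.

    'ec2:Describe*' passes; '*', 'ec2:*' and 'iam:CreateUser' do not.
    Action matching in IAM is case-insensitive, so compare lower-cased.
    """
    if ":" not in action:
        return False          # a bare "*" covers every service and action
    _service, name = action.split(":", 1)
    return name.lower().startswith(READ_ONLY_PREFIXES)

def non_read_only_grants(policy):
    """Return the Allow actions that are not read-only (empty list = clean).

    Deny statements are skipped (they only narrow access); an Allow with
    NotAction is reported whole, because it grants everything not listed.
    """
    offenders = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            offenders.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        offenders += [a for a in _as_list(stmt.get("Action"))
                      if not is_read_only_action(a)]
    return offenders

def check_policy_json(text):
    """Parse a policy document; return (is_read_only, offending_actions)."""
    offenders = non_read_only_grants(json.loads(text))
    return (not offenders, offenders)
```

Run `check_policy_json` over the policy file you intend to attach; any non-empty offender list means the role would hold more than the read-only access the plugin needs.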