IAM Policy to Allow AWS Compliance Scanning

The AWS Compliance Auditing plugin requires access to your AWS infrastructure. The permissions it needs are all read-only, and AWS lets you restrict them further to just the services the plugin queries. The following is an example IAM policy that covers the services and actions the plugin performs with the credentials you give it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:List*",
        "iam:Get*",
        "ec2:Describe*",
        "autoscaling:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "cloudwatch:Describe*",
        "rds:List*",
        "rds:Describe*",
        "sns:List*",
        "sns:Get*",
        "support:Describe*",
        "cloudtrail:List*",
        "cloudtrail:Get*",
        "cloudtrail:Describe*",
        "logs:Describe*",
        "logs:Get*",
        "kms:List*",
        "kms:Get*",
        "kms:Describe*",
        "config:List*",
        "config:Get*",
        "config:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
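Before attaching a policy like the one above, it is worth confirming that every allowed action really is read-only, particularly after the policy has been edited. The following Python check is an added example, not part of Tenable's documentation: it walks the Allow statements of a policy document and reports any action whose verb is not List, Get, or Describe, a bare wildcard, or a NotAction. The read-only verb list and the sample policies are assumptions constructed for the example.

```python
import json

# Verbs that only read state or metadata. Treating these three as "read-only"
# is an assumption of this check; AWS defines no such category. Note that Get
# verbs can read data, not just configuration (e.g. s3:GetObject), so this
# check guards against mutation, not against data exposure.
READ_ONLY_VERBS = ("List", "Get", "Describe")


def _as_list(value):
    # IAM accepts either a string or a list for Statement, Action and NotAction.
    return value if isinstance(value, list) else [value]


def find_non_readonly_actions(policy):
    """Return the actions in Allow statements that are not read-only.

    Flagged: verbs outside READ_ONLY_VERBS, a bare "*" or "service:*", and any
    NotAction (which allows everything except the listed actions). Accepts the
    policy as a JSON string or an already-parsed dict.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            flagged.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or ":" not in action:
                flagged.append(action)
                continue
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


# Constructed sample: a subset of the scanner policy shown on this page.
SCANNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:List*", "iam:Get*", "ec2:Describe*", "cloudtrail:Get*"],
        "Resource": "*",
    }],
}

# Constructed sample: the same policy after an over-broad edit.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(find_non_readonly_actions(SCANNER_POLICY))    # []
    print(find_non_readonly_actions(OVERBROAD_POLICY))  # ['ec2:*', 's3:PutObject']
```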

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.