Create a minimal IAM policy to use with Cloudcraft

Cloudcraft has the ability to scan your AWS account in order to reverse-engineer the service relationships between components and auto-generate a diagram of your architecture; a read-only IAM role is used for this purpose.

The easiest way to set up the role is to follow the instructions inside the application, which creates the role and sets up its permissions for you in just a few clicks. The role is assigned the AWS managed ReadOnlyAccess IAM policy by default.

You also have the option to control the access granted to Cloudcraft when scanning your AWS account by creating a custom IAM policy, which can be fully customized by removing access to specific AWS services and APIs. If you remove access to an AWS service from the policy, Cloudcraft will not discover resources for that service.

When using a custom IAM policy, you will have to update your policy as we add new services and features to Cloudcraft. Add this page to your bookmarks and check back from time to time for updates to our default policy.

Creating a custom IAM policy

Start by opening the IAM Policies Console and clicking the Create Policy button.


Switch to the JSON tab, copy the content of the policy shown below, and paste it into the editor box. This policy represents the minimal set of AWS permissions required for a complete environment scan by Cloudcraft.

You may customize the policy to suit your unique requirements.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        ...
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

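The two properties this page relies on are that the policy grants only read access and that dropping a service's actions is what stops Cloudcraft discovering that service. The following script is an added example, not Cloudcraft's own code, that checks both before the policy is pasted into the console: it flags any Allow action that is not a read-style verb (or is a wildcard), and it produces a copy of the policy with one service removed. The `SAMPLE_POLICY` document is constructed for illustration and is not the policy from this page, and the `READ_ONLY_VERBS` list is an assumption that approximates AWS's read-only naming convention.

```python
import copy
import json

# Constructed sample policy; stands in for the Cloudcraft policy on this page,
# whose real action list should be copied from the page, not from here.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "rds:DescribeDBInstances",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "lambda:ListFunctions"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")

# Assumption: IAM action verbs beginning with these prefixes only read state.
# Anything else (Create, Put, Delete, Update, Attach, Run, ...) and any
# wildcard is treated as a finding. Note that "Get" also covers data-plane
# reads such as s3:GetObject; tighten this list if that matters to you.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Lookup")


def _as_list(value):
    """IAM accepts a bare string or object wherever a list is allowed; normalise."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def find_non_read_only(policy):
    """Return, sorted, every Allow action this check cannot classify as read-only."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing, so they are not findings
        if "NotAction" in stmt:
            # "Everything except X" cannot be shown to be read-only; flag it whole.
            findings.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            if ":" not in action:  # a bare "*" grants every action in every service
                findings.add(action)
                continue
            _, verb = action.split(":", 1)
            if not verb.startswith(READ_ONLY_VERBS):  # also catches "s3:*"
                findings.add(action)
    return sorted(findings)


def policy_services(policy):
    """Sorted list of service prefixes (e.g. "ec2") that appear in Action elements."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        for action in _as_list(stmt.get("Action")):
            if ":" in action:
                services.add(action.split(":", 1)[0].lower())
    return sorted(services)


def without_service(policy, service):
    """Deep copy of the policy with every action for `service` removed.

    Statements whose Action list becomes empty are dropped rather than left as
    an empty array. The input policy is not modified.
    """
    trimmed = copy.deepcopy(policy)
    prefix = service.lower() + ":"
    kept_statements = []
    for stmt in _as_list(trimmed.get("Statement")):
        if "Action" in stmt:
            stmt["Action"] = [a for a in _as_list(stmt["Action"])
                              if not a.lower().startswith(prefix)]
            if not stmt["Action"]:
                continue
        kept_statements.append(stmt)
    trimmed["Statement"] = kept_statements
    return trimmed


if __name__ == "__main__":
    print("services covered:", policy_services(SAMPLE_POLICY))
    print("non-read-only actions:", find_non_read_only(SAMPLE_POLICY) or "none")
    print(json.dumps(without_service(SAMPLE_POLICY, "s3"), indent=2))
```

Run the script against the policy you intend to upload (replace `SAMPLE_POLICY` with `json.load` of your saved file); an empty findings list means every granted action is read-style, and the trimmed output is what you would paste into the JSON tab after deciding not to let Cloudcraft scan a particular service.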
Click the Review policy button at the bottom of the screen, and then fill in the name and description as you see fit. To keep things organized and easier to audit later, we recommend the following.

  • Policy Name: Cloudcraft
  • Policy Description: Cloudcraft Custom Policy Version 2021-05-19.

Now, click the Create policy button to create the policy. You should be redirected back to the policies console, and see a green message at the top of your screen telling you that the policy has been created successfully.

Finally, attach the newly created policy to the Cloudcraft IAM role. You can follow the instructions inside the application to create the role if you have not already done so.