Create a minimal IAM policy to use with Cloudcraft

Cloudcraft can scan your AWS account to reverse-engineer the service relationships between components and auto-generate a diagram of your architecture; we use a read-only IAM role for this purpose.

The easiest way to set everything up is to follow the instructions inside the application, which creates the role and sets up the permissions for you in just a few clicks. The role is assigned the AWS-managed ReadOnlyAccess IAM policy by default.

You also have the option to control the access granted to Cloudcraft when scanning your AWS account by creating a custom IAM policy, which you can tailor by removing access to specific AWS services and APIs. If you remove access to an AWS service from the policy, Cloudcraft will not discover resources for that service.

When using a custom IAM policy, it will be your responsibility to keep it updated as we add new services and features to Cloudcraft. We recommend adding this page to your bookmarks and checking back from time to time for updates.

Creating a custom IAM policy

Start by opening the IAM Policies Console and clicking the Create Policy button.

Switch to the JSON tab, copy the content of the policy you see below, and then paste it into the editor box. This policy represents the minimal set of AWS permissions required for a complete environment scan by Cloudcraft.

You may customize the policy to suit your unique requirements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "apigateway:Get",
        "autoscaling:Describe*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ecr-public:Describe*",
        "ecr-public:List*",
        "ecr:Describe*",
        "ecr:List*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:List*",
        "fsx:Describe*",
        "fsx:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:GetFunction",
        "lambda:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:Get*",
        "route53:List*",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:GetEncryptionConfiguration",
        "s3:List*",
        "ses:Get*",
        "ses:List*",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "tag:Get*",
        "wafv2:GetWebACL*",
        "wafv2:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Click the Review policy button at the bottom of the screen, and then fill in the name and description as you see fit. We recommend the following to keep things organized and easier to audit.

  • Policy Name: Cloudcraft
  • Policy Description: Cloudcraft Custom Policy Version 2021-05-19.

Now, click the Create policy button to create the policy. The AWS console will redirect you back to the policies page, and you should see a green success message at the top of your screen.

Finally, attach the newly created policy to the Cloudcraft IAM role. If you did not create the role yet, please follow the instructions inside the application.
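
As an added check, not part of Cloudcraft's documentation or tooling, the Python below verifies that a policy document grants only Describe/Get/List actions before you paste it into the console, and strips the services you decide not to scan. SAMPLE_POLICY is a constructed excerpt of the policy above; pass the full JSON in practice.

```python
import json
import re

# IAM verbs that only read state; anything else is flagged so a pasted policy
# cannot silently gain write access. IAM matches action names case-insensitively.
READ_ONLY_VERBS = re.compile(r"^(Describe|Get|List)", re.IGNORECASE)

# Constructed excerpt of the policy above; pass the full JSON in practice.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "lambda:GetFunction", "lambda:List*",
                   "s3:GetBucketAcl", "s3:List*", "sqs:GetQueueAttributes"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}


def allow_actions(policy):
    """Yield every action granted by an Allow statement."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            yield action


def non_read_only_actions(policy):
    """Return granted actions whose verb is not Describe*/Get*/List*.
    A NotAction statement is reported whole: it allows all it does not name."""
    offenders = [json.dumps(s) for s in policy["Statement"]
                 if s.get("Effect") == "Allow" and "NotAction" in s]
    for action in allow_actions(policy):
        _, _, verb = action.partition(":")
        if not READ_ONLY_VERBS.match(verb):
            offenders.append(action)
    return offenders


def prune_services(policy, services):
    """Return a copy of the policy with every action for the named services
    removed, so Cloudcraft stops discovering resources of those services."""
    drop = {s.lower() for s in services}
    pruned = json.loads(json.dumps(policy))  # deep copy, original untouched
    for stmt in pruned["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        stmt["Action"] = [a for a in actions
                          if a.split(":", 1)[0].lower() not in drop]
    return pruned
```

Run non_read_only_actions on the document you intend to attach; an empty list means every granted action is a read-only verb.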

Strict policy

A stricter version of our minimal IAM policy is also available.

If you have any questions, reach out to our support team, and they will be happy to help.