Create a minimal IAM policy to use with Cloudcraft

Cloudcraft uses a read-only IAM (Identity and access management) role to scan your AWS (Amazon Web Services) account and reverse-engineer the service relationships between components and autogenerate a diagram of your architecture.

The easiest way to set everything up is to follow the instructions inside the application, which creates the role and sets up the permissions for you in just a few clicks. The role is assigned the AWS-managed ReadOnlyAccess IAM policy by default.

You can also control the access granted to Cloudcraft when it scans your AWS account by creating a custom IAM policy, which you can tailor by removing access to specific AWS services and APIs. If you remove access to an AWS service from the policy, Cloudcraft won't discover resources for that service.

When using a custom IAM policy, it is your responsibility to keep it updated as new services and features are added to Cloudcraft.

Creating a custom IAM policy

Start by opening the IAM Policies Console and clicking the Create Policy button.

Switch to the JSON tab, copy the content of the policy you see below or from the minimal IAM API endpoint, and then paste it into the editor box. This policy represents the minimal set of AWS permissions required for a complete environment scan by Cloudcraft.

You may customize the policy to suit your unique requirements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "apigateway:Get",
        "autoscaling:Describe*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "directconnect:Describe*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ecr-public:Describe*",
        "ecr-public:List*",
        "ecr:Describe*",
        "ecr:List*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:List*",
        "fsx:Describe*",
        "fsx:List*",
        "glacier:Describe*",
        "glacier:Get*",
        "glacier:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:GetFunction",
        "lambda:List*",
        "neptune:Describe*",
        "neptune:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:Get*",
        "route53:List*",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:GetEncryptionConfiguration",
        "s3:List*",
        "ses:Get*",
        "ses:List*",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "tag:Get*",
        "timestream:Describe*",
        "timestream:List*",
        "wafv2:GetWebACL*",
        "wafv2:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Click the Review policy button at the bottom of the screen, and then fill in the name and description as you see fit. The following values are recommended to keep things organized and easier to audit.

  • Policy Name: Cloudcraft
  • Policy Description: Custom policy for Cloudcraft. Version 20230818.

Now, click the Create policy button to create the policy. The AWS console will redirect you back to the policies page, and you should see a green success message at the top of your screen.

Finally, attach the newly created policy to the Cloudcraft IAM role. If you didn't create the role yet, please follow the instructions inside the application.
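As an added example (not Cloudcraft's own code), here is a small Python script that applies the customization described above: it drops every action belonging to the services you do not want scanned and then checks that what remains is still read-only before you paste it into the console. The embedded policy is a subset of the one on this page so the script runs offline; the READ_ONLY pattern is my own assumption about which action prefixes count as read-only.

```python
import json
import re

# Subset of this page's minimal policy, embedded so the script runs offline.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "apigateway:Get", "autoscaling:Describe*", "cloudfront:Get*",
            "dynamodb:DescribeTable", "dynamodb:ListTables", "ec2:Describe*",
            "lambda:GetFunction", "lambda:List*", "s3:GetBucketAcl",
            "s3:List*", "sqs:GetQueueAttributes", "tag:Get*",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# Assumed allowlist: a scanner role should only need Get/List/Describe actions.
# IAM has no built-in "read-only" attribute, so this is a naming convention check.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z*]*$")

def remove_services(policy, services):
    """Return a copy of policy with every action of the given service prefixes
    removed. Cloudcraft will then not discover resources of those services."""
    drop = set(services)
    out = json.loads(json.dumps(policy))  # deep copy, leaves the input untouched
    for stmt in out["Statement"]:
        stmt["Action"] = [a for a in stmt["Action"]
                          if a.split(":", 1)[0] not in drop]
    return out

def read_only_violations(policy):
    """List anything a read-only scanner policy should not contain: actions
    outside Get/List/Describe, bare wildcards, Deny statements or NotAction."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            bad.append("non-Allow or NotAction statement")
        actions = stmt.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if not READ_ONLY.match(a):
                bad.append(a)
    return bad

if __name__ == "__main__":
    trimmed = remove_services(MINIMAL_POLICY, ["sqs", "lambda"])
    print(json.dumps(trimmed, indent=2))
    print("violations:", read_only_violations(trimmed))
```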

Strict policy

A stricter version of the minimal IAM policy is also available.

If you have any questions, reach out to the support team, and they will be happy to help.