Create a minimal IAM policy to use with Cloudcraft

Cloudcraft can scan your AWS account to reverse-engineer the relationships between components and autogenerate your architecture diagrams. A read-only IAM role is used for this purpose. The easiest way to set up the role is to follow the instructions in the application, which both creates the role and sets up its permissions for you in just a few clicks. By default, that role is assigned the AWS managed ReadOnlyAccess IAM policy.
You can restrict the access granted to Cloudcraft when scanning your AWS account by creating a custom IAM policy instead. The policy can be fully customized by removing access to specific AWS services and APIs. If you remove access to an AWS service from the policy, Cloudcraft will not discover the resources of that service.

Note: When using a custom IAM policy, you will have to update your policy as we add new services and features to Cloudcraft. Bookmark this page and check back from time to time for updates to our default policy. The Live tab of the Cloudcraft application also lists the services that were excluded from the scan because of your custom policy.

Creating a custom IAM policy

Start by opening the IAM Policies Console and clicking the Create Policy button.

Switch to the JSON tab, copy the policy below and paste it into the editor box. This policy is the minimal set of AWS permissions required for a complete environment scan: it grants only Describe, Get and List style actions, with "Resource": "*" because discovery has to enumerate every resource in the account. You may customize it to suit your requirements, for example by removing individual actions or whole services, but keep it read-only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "apigateway:Get",
        "autoscaling:Describe*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ecr:Describe*",
        "ecr:List*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:List*",
        "fsx:Describe*",
        "fsx:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:List*",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:GetEncryptionConfiguration",
        "s3:List*",
        "ses:Get*",
        "ses:List*",
        "sns:GetTopicAttributes",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "tag:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Click the Review policy button at the bottom of the screen and then fill in the name and description as you see fit. To keep things organized and easier to audit later, we recommend the following.

  • Policy Name: Cloudcraft
  • Policy Description: Cloudcraft Custom Policy Version 2020-29-01.

Now, click the Create policy button. You should be redirected back to the policies console and see a green message at the top of the screen confirming that the policy was created successfully.

Finally, attach the newly created policy to the Cloudcraft IAM role. If the role still has the AWS managed ReadOnlyAccess policy attached, detach it as well; otherwise the role keeps the broader permissions and your custom policy restricts nothing. You can follow the instructions in the application to create the role if you have not already done so.
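The procedure above pastes the policy by hand and the note earlier asks you to re-check it as the default policy changes. The following added example (not Cloudcraft's code) does the two checks a practitioner wants before pasting: it verifies that every allowed action is still read-only after you customize the document, removes a whole service from the policy, and diffs two versions of the policy to list actions you would need to add back. The policy embedded here is a constructed, shortened copy of the one on this page; the function names are this example's own.

```python
import copy
import json
import re

# Constructed, shortened copy of the page's policy. A handful of services is
# enough to exercise the helpers; the real policy lists many more actions.
CLOUDCRAFT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "apigateway:Get",
                "ec2:Describe*",
                "lambda:List*",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:List*",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "tag:Get*",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

# IAM matches action names case-insensitively, so the check ignores case.
READ_ONLY_VERB = re.compile(r"^(describe|get|list)", re.IGNORECASE)


def _as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def actions_of(policy):
    """All actions granted by Allow statements, sorted, case preserved."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            found.update(_as_list(stmt.get("Action", [])))
    return sorted(found)


def read_only_violations(policy):
    """Allowed actions whose verb is not Describe*/Get*/List*.

    A bare '*' or 'service:*' is reported too: either would grant writes.
    """
    bad = []
    for action in actions_of(policy):
        _service, _, verb = action.partition(":")
        if action == "*" or verb == "*" or not READ_ONLY_VERB.match(verb):
            bad.append(action)
    return bad


def remove_service(policy, service):
    """Copy of the policy with every action of `service` removed.

    Statements left with no actions are dropped, because IAM rejects an
    Allow statement with an empty Action list.
    """
    prefix = service.lower() + ":"
    new_policy = copy.deepcopy(policy)
    kept = []
    for stmt in new_policy["Statement"]:
        stmt["Action"] = [
            a for a in _as_list(stmt.get("Action", []))
            if not a.lower().startswith(prefix)
        ]
        if stmt["Action"]:
            kept.append(stmt)
    new_policy["Statement"] = kept
    return new_policy


def added_actions(old_policy, new_policy):
    """Actions in new_policy that old_policy lacks: what to add when the
    published default policy gains services and your custom copy is stale."""
    return sorted(set(actions_of(new_policy)) - set(actions_of(old_policy)))


def policy_document(policy):
    """JSON text to paste into the console editor or save to a file."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    assert read_only_violations(CLOUDCRAFT_POLICY) == []
    trimmed = remove_service(CLOUDCRAFT_POLICY, "s3")   # drop S3 discovery
    print(policy_document(trimmed))
    print("actions the default policy has that this one lacks:",
          added_actions(trimmed, CLOUDCRAFT_POLICY))
```

Run `read_only_violations` on your edited document before creating the policy; anything it reports is a write permission that a scan does not need. The text returned by `policy_document` can be saved and passed to the AWS CLI instead of the console, for example `aws iam create-policy --policy-name Cloudcraft --policy-document file://cloudcraft-policy.json`, followed by `aws iam attach-role-policy` with the returned policy ARN and the Cloudcraft role name.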