AWS IAM User and Permissions Setup
To connect to your AWS environment, we require an IAM user with read-only permissions. This guide walks you through granting those permissions: two AWS managed policies plus one inline policy for read actions the managed policies do not cover.
Go to the IAM user you plan to use for the connection

Click ‘Add permissions’, then choose ‘Add permissions’ from the dropdown

Click ‘Attach policies directly’
Change the ‘Filter by Type’ to ‘AWS managed – job function’
Search for ‘Read’ and tick ‘ReadOnlyAccess’

Search for ‘Security’ and tick ‘SecurityAudit’

Click ‘Next’

Confirm you have selected the correct permissions, then click ‘Add permissions’.
Back in the user screen, click ‘Add permissions’, then ‘Create inline policy’.

A policy editor will open; click the ‘JSON’ button
Delete the contents of the editor and paste in the policy below exactly as written (a typo in an action name will silently grant less than intended, and the connection will fail on that service). All but one of these actions are read-only; securityhub:BatchImportFindings lets the user write findings into Security Hub, so check that this is acceptable in your environment before applying it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "account:Get*",
                "appstream:Describe*",
                "appstream:List*",
                "backup:List*",
                "backup:Get*",
                "bedrock:List*",
                "bedrock:Get*",
                "cloudtrail:GetInsightSelectors",
                "codeartifact:List*",
                "codebuild:BatchGet*",
                "codebuild:ListReportGroups",
                "cognito-idp:GetUserPoolMfaConfig",
                "dlm:Get*",
                "drs:Describe*",
                "ds:Get*",
                "ds:Describe*",
                "ds:List*",
                "dynamodb:GetResourcePolicy",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetSnapshotBlockPublicAccessState",
                "ec2:GetInstanceMetadataDefaults",
                "ecr:Describe*",
                "ecr:GetRegistryScanningConfiguration",
                "elasticfilesystem:DescribeBackupPolicy",
                "glue:GetConnections",
                "glue:GetSecurityConfiguration*",
                "glue:SearchTables",
                "glue:GetMLTransforms",
                "lambda:GetFunction*",
                "logs:FilterLogEvents",
                "lightsail:GetRelationalDatabases",
                "macie2:GetMacieSession",
                "macie2:GetAutomatedDiscoveryConfiguration",
                "s3:GetAccountPublicAccessBlock",
                "shield:DescribeProtection",
                "shield:GetSubscriptionState",
                "securityhub:BatchImportFindings",
                "securityhub:GetFindings",
                "servicecatalog:Describe*",
                "servicecatalog:List*",
                "ssm:GetDocument",
                "ssm-incidents:List*",
                "states:ListTagsForResource",
                "support:Describe*",
                "tag:GetTagKeys",
                "wellarchitected:List*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowMoreReadOnly"
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET"
            ],
            "Resource": [
                "arn:*:apigateway:*::/restapis/*",
                "arn:*:apigateway:*::/apis/*"
            ],
            "Sid": "AllowAPIGatewayReadOnly"
        }
    ]
}
Click ‘Next’
Assign a name to the policy – we recommend making it recognisable for administrators so it is not accidentally deleted

Click ‘Create policy’
Your IAM user should now look like this:

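The console steps above can also be reproduced and checked from the command line. The script below is an added example, not part of this guide or of the vendor's own tooling. It embeds the inline policy exactly as given above, classifies every action by its verb so you can see what the "read-only" user can actually do (this classification is a heuristic based on AWS's action naming convention; IAM has no machine-readable read-only flag, so the verb list and the apigateway special case are assumptions), and, when given a user name, attaches the two managed policies and creates the inline policy through boto3. The user name and the default inline policy name are placeholders. Run it with no arguments to audit only; it reports securityhub:BatchImportFindings as the one action that is not read-only.

```python
"""Audit the inline policy from this guide and, optionally, apply the permissions.

Added example, not part of the original guide. audit() classifies each Allow
action by its verb; apply_permissions() performs the same steps as the console
walkthrough via the boto3 IAM client (attach_user_policy + put_user_policy).
"""
import json
import sys

# The two AWS managed job-function policies the guide attaches (real AWS ARNs).
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
]

# Verb prefixes AWS uses for List/Read access-level actions. Assumption: this
# is a naming heuristic, not an authoritative list; review anything it flags.
READ_VERBS = ("Get", "List", "Describe", "BatchGet", "Search", "Filter")

# The inline policy from the guide, condensed onto fewer lines; content unchanged.
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMoreReadOnly",
            "Effect": "Allow",
            "Action": [
                "account:Get*", "appstream:Describe*", "appstream:List*", "backup:List*",
                "backup:Get*", "bedrock:List*", "bedrock:Get*", "cloudtrail:GetInsightSelectors",
                "codeartifact:List*", "codebuild:BatchGet*", "codebuild:ListReportGroups",
                "cognito-idp:GetUserPoolMfaConfig", "dlm:Get*", "drs:Describe*", "ds:Get*",
                "ds:Describe*", "ds:List*", "dynamodb:GetResourcePolicy",
                "ec2:GetEbsEncryptionByDefault", "ec2:GetSnapshotBlockPublicAccessState",
                "ec2:GetInstanceMetadataDefaults", "ecr:Describe*",
                "ecr:GetRegistryScanningConfiguration", "elasticfilesystem:DescribeBackupPolicy",
                "glue:GetConnections", "glue:GetSecurityConfiguration*", "glue:SearchTables",
                "glue:GetMLTransforms", "lambda:GetFunction*", "logs:FilterLogEvents",
                "lightsail:GetRelationalDatabases", "macie2:GetMacieSession",
                "macie2:GetAutomatedDiscoveryConfiguration", "s3:GetAccountPublicAccessBlock",
                "shield:DescribeProtection", "shield:GetSubscriptionState",
                "securityhub:BatchImportFindings", "securityhub:GetFindings",
                "servicecatalog:Describe*", "servicecatalog:List*", "ssm:GetDocument",
                "ssm-incidents:List*", "states:ListTagsForResource", "support:Describe*",
                "tag:GetTagKeys", "wellarchitected:List*",
            ],
            "Resource": "*",
        },
        {
            "Sid": "AllowAPIGatewayReadOnly",
            "Effect": "Allow",
            "Action": ["apigateway:GET"],
            "Resource": ["arn:*:apigateway:*::/restapis/*", "arn:*:apigateway:*::/apis/*"],
        },
    ],
}


def is_read_only(action: str) -> bool:
    """True if the action's verb follows a read-only naming convention.

    apigateway names its actions after HTTP methods, so only GET counts there.
    """
    service, _, verb = action.partition(":")
    if service == "apigateway":
        return verb == "GET"
    return verb.startswith(READ_VERBS)


def audit(policy: dict) -> dict:
    """Split every Allow action into read-only and write lists (Deny is ignored)."""
    result = {"read_only": [], "write": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):  # IAM accepts a bare string as well as a list
            actions = [actions]
        for action in actions:
            result["read_only" if is_read_only(action) else "write"].append(action)
    return result


def apply_permissions(iam, user_name: str, policy_name: str) -> list:
    """Attach the managed policies and create the inline policy on the user.

    `iam` is a boto3 IAM client, or any object exposing the same two methods
    (which is how this can be exercised offline). Returns the operations done.
    """
    done = []
    for arn in MANAGED_POLICY_ARNS:
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
        done.append(("attach_user_policy", arn))
    iam.put_user_policy(
        UserName=user_name, PolicyName=policy_name, PolicyDocument=json.dumps(INLINE_POLICY)
    )
    done.append(("put_user_policy", policy_name))
    return done


if __name__ == "__main__":
    report = audit(INLINE_POLICY)
    print(f"{len(report['read_only'])} read-only actions")
    print("actions that are not read-only:", report["write"] or "none")
    # Usage: python iam_setup.py <user-name> [inline-policy-name]; needs AWS credentials.
    if len(sys.argv) > 1:
        import boto3  # imported lazily so the audit runs without boto3 installed

        name = sys.argv[2] if len(sys.argv) > 2 else "VendorAdditionalReadOnly"  # placeholder
        for op, target in apply_permissions(boto3.client("iam"), sys.argv[1], name):
            print(f"{op}: {target}")
```

Run with no arguments first and read the report; if your organisation does not want the scanner user able to create Security Hub findings, raise that with the vendor before applying. Pass the IAM user name as the first argument to apply the permissions (the identity running the script needs iam:AttachUserPolicy and iam:PutUserPolicy on that user).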
Updated on: 10/03/2025
Thank you!