Creating the IAM Policy

When you add your AWS account to nOps manually, you must create an IAM policy for nOps in AWS and attach it to the principal that nOps uses. The policy JSON is below. It is mostly read-only (Describe, Get and List actions), but it also grants a handful of write actions (cur:PutReportDefinition, events:CreateEventBus, and the Organizations handshake, invite and move actions) and one service-wide wildcard (wellarchitected:*), all on "Resource": "*". The tables further down explain why each permission is requested; review the write actions and the wildcard against your own change-control requirements before attaching the policy.

IAM policy for nOps Last Updated: 9/10/2021

JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ce:GetCostAndUsage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetReservationCoverage",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "config:DescribeConfigurationRecorderStatus",
        "config:DescribeConfigurationRecorders",
        "config:DescribeDeliveryChannelStatus",
        "config:DescribeDeliveryChannels",
        "cur:DescribeReportDefinitions",
        "cur:PutReportDefinition",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeClientVpnConnections",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ecs:DescribeClusters",
        "ecs:ListClusters",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheSubnetGroups",
        "elasticache:DescribeReplicationGroups",
        "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "es:DescribeDomains",
        "es:DescribeElasticsearchDomains",
        "es:DescribeReservedElasticsearchInstances",
        "es:DescribeReservedInstances",
        "es:ListDomainNames",
        "events:CreateEventBus",
        "guardduty:ListDetectors",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetLoginProfile",
        "iam:GetRole",
        "iam:ListAccessKeys",
        "iam:ListAccountAliases",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListGroupsForUser",
        "iam:ListMFADevices",
        "iam:ListRoles",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "iam:ListPolicyVersions",
        "iam:ListInstanceProfiles",
        "inspector:ListAssessmentRuns",
        "kms:ListKeys",
        "lambda:GetFunction",
        "lambda:GetPolicy",
        "lambda:ListFunctions",
        "organizations:AcceptHandshake",
        "organizations:CancelHandshake",
        "organizations:DeclineHandshake",
        "organizations:Describe*",
        "organizations:List*",
        "organizations:InviteAccountToOrganization",
        "organizations:MoveAccount",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:DescribePendingMaintenanceActions",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "s3:GetBucketAcl",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:ListAllMyBuckets",
        "ssm:ListComplianceSummaries",
        "support:DescribeCases",
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorCheckResult",
        "support:DescribeTrustedAdvisorChecks",
        "tag:getResources",
        "tag:getTagKeys",
        "tag:getTagValues",
        "wellarchitected:*",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaces"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
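Before attaching a third-party policy it is worth separating the actions that only read state from those that can change it. The script below is an added example, not nOps code: it takes a policy document in the shape shown above and sorts every action into read, write or wildcard, then lists the Allow statements that pair a non-read action with "Resource": "*". The embedded POLICY is a constructed excerpt of the policy above (chosen to include all of its write actions) so the script runs offline; pass the full document to audit_policy() to audit the real thing. The classification is a verb-prefix heuristic: "read" means the call does not mutate state, not that the data it returns is harmless (lambda:GetFunction, for instance, hands back a download link for the function's code).

```python
"""Classify the actions in an IAM policy document by privilege level.

Added example (not nOps code). The verb-prefix rule (Describe/Get/List/
Lookup = read) is a heuristic, not an AWS definition, and IAM matches
action names case-insensitively, which is why "tag:getResources" is
treated the same as "tag:GetResources".
"""
import json
import re

# Constructed excerpt of the nOps policy above (not the full action list).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ce:GetCostAndUsage",
        "cur:DescribeReportDefinitions",
        "cur:PutReportDefinition",
        "events:CreateEventBus",
        "iam:ListUsers",
        "lambda:GetFunction",
        "organizations:AcceptHandshake",
        "organizations:Describe*",
        "organizations:List*",
        "organizations:InviteAccountToOrganization",
        "organizations:MoveAccount",
        "s3:ListAllMyBuckets",
        "tag:getResources",
        "wellarchitected:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")

READ_ONLY_VERBS = re.compile(r"^(Describe|Get|List|Lookup)", re.IGNORECASE)


def classify_action(action):
    """Return 'wildcard', 'read' or 'write' for one "service:Action" string."""
    if action == "*":
        return "wildcard"
    _service, _, name = action.partition(":")
    if name == "*":
        return "wildcard"                      # e.g. wellarchitected:*
    if name.endswith("*"):
        # Describe*/List* still only read; any other partial wildcard is
        # treated as a wildcard because it may cover write actions.
        return "read" if READ_ONLY_VERBS.match(name) else "wildcard"
    return "read" if READ_ONLY_VERBS.match(name) else "write"


def audit_policy(policy):
    """Summarize an IAM policy document.

    Returns sorted lists of read, write and wildcard actions plus the
    indexes of Allow statements that combine a non-read action with
    Resource "*", which is where a reviewer should look first.
    """
    result = {"read": [], "write": [], "wildcard": [], "broad_write_statements": []}
    statements = policy["Statement"]
    if isinstance(statements, dict):           # a single statement may be a bare object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        kinds = {a: classify_action(a) for a in actions}
        for action, kind in kinds.items():
            result[kind].append(action)
        if "*" in resources and any(k != "read" for k in kinds.values()):
            result["broad_write_statements"].append(idx)
    for key in ("read", "write", "wildcard"):
        result[key] = sorted(set(result[key]))
    return result


if __name__ == "__main__":
    report = audit_policy(POLICY)
    for key in ("write", "wildcard"):
        print(f"{key}: {', '.join(report[key])}")
    print("statements needing review:", report["broad_write_statements"])
```

Run against the full policy, the write list is exactly the seven actions called out in the introduction and the only wildcard is wellarchitected:*. A statement that mixes write actions with "Resource": "*" cannot be narrowed without splitting it, so if you want to scope cur:PutReportDefinition or events:CreateEventBus to named resources, move them into their own statement.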

What? Why? and How Much?

The following tables describe each permission within the IAM policy:

  • First column: Permission name.

  • Second column: What the permission does.

  • Third column: Why nOps needs the permission.

  • Fourth column: What kind of access the permission gives nOps.

Good to know:

----------

You will see that some fields in the "Why" column are empty. The developers and tech writers of nOps are working together to write comprehensive yet short descriptions of exactly why nOps requires these permissions. The fields will be updated as soon as possible.

----------

The permissions in the IAM policy are for the following AWS services:

Auto Scaling

What

Why

Access (Limited: List)

DescribeAutoScalingGroups

Gets information about the Auto Scaling groups in the account and Region.

Used for detecting EC2 network utilization in combination with Cloudwatch events.

List: All resources

Cost Explorer

What

Why

Access (Limited: Read)

GetCostAndUsage

Retrieves cost and usage metrics for your account.

nOps fetches monthly costs and usages for Credits and Taxes, looking for BlendedCost metrics.

Read: All resources

GetReservationCoverage

Retrieves the reservation coverage for your account, which you can use to see how much of your Amazon Elastic Compute Cloud, Amazon ElastiCache, Amazon Relational Database Service, or Amazon Redshift usage is covered by a reservation.

Used for RI automation in nOps.

Read: All resources

GetReservationPurchaseRecommendation

Gets recommendations for reservation purchases.

These recommendations allow nOps to help you reduce your costs. Timely reservations provide a discounted hourly rate (up to 75%) compared to On-Demand pricing.

Read: All resources

GetReservationUtilization

Retrieves the reservation utilization for your account.

Used for RI automation in nOps.

Read: All resources

GetRightsizingRecommendation

Creates recommendations that help you save cost by identifying idle and underutilized Amazon EC2 instances.

These recommendations allows nOps to offer you guidance in order to either downsize or terminate instances, along with providing savings detail and metrics.

Read: All resources

GetSavingsPlansCoverage

Retrieves the Savings Plans covered for your account.

Used for RI automation in nOps.

Read: All resources

GetSavingsPlansPurchaseRecommendation

Retrieves your request parameters, Savings Plan Recommendations Summary and Details.

In order to receive better recommendations regarding your SavingsPlans, nOps looks for other options within parameters like SavingsPlan type, period and several other filters.

Read: All resources

GetSavingsPlansUtilization

Retrieves the Savings Plans utilization for your account across date ranges with daily or monthly granularity.

Used for RI automation in nOps.

Read: All resources

GetSavingsPlansUtilizationDetails

Retrieves attribute data along with aggregate utilization and savings data for a given time period.

Used for RI automation in nOps.

Read: All resources

CloudFormation

What

Why

Access (Limited: List, Read)

DescribeStackResources

Returns AWS resource descriptions for running and deleted stacks.

Used by the health check that nOps runs on the account to report the status of deployed stacks.

List: All resources

DescribeStacks

Returns the description for the specified stack; if no stack name was specified, then it returns the description for all the stacks created.

Used by the health check that nOps runs on the account to report the status of deployed stacks.

Read: All resources

GetTemplate

Returns the template body for a specified stack. You can get the template for running or deleted stacks.

Used by the health check that nOps runs on the account to report the status of deployed stacks.

Read: All resources

CloudFront

What

Why

Access (Limited: List)

ListDistributions

List CloudFront distributions.

To be used in the near future for checking if customers are using CloudFront CDN.

List: All resources

CloudTrail

What

Why

Access (Limited: Read)

DescribeTrails

Retrieves settings for one or more trails associated with the current region for your account.

Used for detection of enabled and disabled trails in cloudtrail_enabled_check rule.

Read: All resources

GetTrailStatus

Returns a JSON-formatted list of information about the specified trail.

Used for detection of enabled and disabled trails in cloudtrail_enabled_check rule.

Read: All resources

LookupEvents

Looks up management events or CloudTrail Insights events that are captured by CloudTrail.

Used for detecting log activities via Cloudtrail.

Checks for ConsoleLogins and root account usage.

Read: All resources

CloudWatch

What

Why

Access (Limited: List, Read)

DescribeAlarms

Retrieves the specified alarms.

nOps checks if there is at least one Cloudwatch Alarm configured via nOps rules (anticipated for usage in the future).

List: All resources

GetMetricStatistics

Gets statistics for the specified metric.

Used for statistics and rules like dynamodb_limit.

Read: All resources

ListMetrics

List the specified metrics.

nOps uses the returned metrics with GetMetricData or GetMetricStatistics to obtain statistical data.

Read: All resources

Config

What

Why

Access (Limited: List, Read)

DescribeConfigurationRecorderStatus

Returns the current status of the specified configuration recorder.

Used for checking AWS Config status inside aws_config rule.

Read: All resources

DescribeConfigurationRecorders

Returns the details for the specified configuration recorders.

Used for checking AWS Config status inside aws_config rule.

List: All resources

DescribeDeliveryChannelStatus

Returns details about the specified delivery channel.

Used for checking presence of config channels inside aws_config rule.

Read: All resources

DescribeDeliveryChannels

Returns details about the specified delivery channel.

Used for checking presence of config channels inside aws_config rule.

List: All resources

CUR

What

Why

Access (Full: Read, Limited: Write)

DescribeReportDefinitions

Lists the AWS Cost and Usage Report available to this account.

Used for creating reports in billing bucket setup.

Read: All resources

PutReportDefinition

Creates a new report using the description that you provide.

Used for creating reports in billing bucket setup.

Write: All resources

DynamoDB

What

Why

Access (Limited: List, Read)

DescribeContinuousBackups

Checks the status of continuous backups and point in time recovery on the specified table.

Used by the dynamodb_continuous_backup rule, which reports tables with point-in-time recovery disabled.

Read: All resources

DescribeTable

Returns information about the table, including the current status of the table, when it was created, the primary key schema, and any indexes on the table.

Used inside dynamodb_limit rule for provisioned throughputs stats.

Read: All resources

ListTables

Returns an array of table names associated with the current account and endpoint.

Used by the dynamodb_limit rule and in health check reports.

List: All resources

EC2

What

Why

Access (Limited: List)

DescribeAddresses

Describes the specified Elastic IP addresses or all of your Elastic IP addresses.

Used in detecting unused EIP resources via nOps rules.

List: All resources

DescribeClientVpnConnections

Describes active client connections and connections that have been terminated within the last 60 minutes for the specified Client VPN endpoint.

To be used in the near future for various rules related to VPN.

List: All resources

DescribeImages

Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.

Used for detection of public and expired AMIs via nOps rules.

List: All resources

DescribeInstanceAttribute

Describes the specified attribute of the specified instance.

To be used in the near future for implementing a rule that checks if there are any EC2 instances that haven’t been restarted for more than 6 months.

List: All resources

DescribeInstanceStatus

Describes the status of the specified instances or all of your instances.

Used inside scheduled_events nOps rule.

List: All resources

DescribeInstances

Describes the specified instances or all instances.

Used for fetching data related to EC2 instances for rules like scheduled_events (in combination with the above permission)

List: All resources

DescribeFlowLogs

Describes one or more flow logs.

Used for checking VPCs with FlowLogging disabled via nOps rules.

List: All resources

DescribeNatGateways

Describes one or more of your NAT gateways.

Used for scanning unused NAT resources via nOps rules.

List: All resources

DescribeNetworkInterfaces

Describes one or more of your network interfaces.

Used for detecting Network Interfaces violations via nOps rules.

List: All resources

DescribeReservedInstances

Describes one or more of the Reserved Instances that you purchased.

Required to run the RI page and Graphql IDE page

List: All resources

DescribeReservedInstancesOfferings

Describes Reserved Instance offerings that are available for purchase.

Used for providing better offerings and pricing recommendations for RI instances.

List: All resources

DescribeRouteTables

Describes one or more of your route tables.

Used for detecting public subnets via public_subnets nOps rule.

List: All resources

DescribeSecurityGroups

Describes the specified security groups or all of your security groups.

Used by the unrestricted_ssh nOps rule, which checks for ingress rules that allow 0.0.0.0/0 to reach port 22 (SSH).

List: All resources

DescribeSnapshots

Describes the specified EBS snapshots available to you or all of the EBS snapshots available to you.

Used for detecting public snapshots via nOps public_snapshot rule.

List: All resources

DescribeSubnets

Describes one or more of your subnets.

Used for detecting public subnets via nOps rules.

List: All resources

DescribeVolumes

Describes the specified EBS volumes or all of your EBS volumes.

Used for finding EBS volumes without snapshots.

List: All resources

DescribeVpcs

Describes one or more of your VPCs.

Used for checking VPCs with FlowLogging disabled via nOps rules.

List: All resources
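The EC2 permissions above are all Describe calls, so the checks they power are pure evaluation of API responses. The script below is an added example (not nOps code) of what the unrestricted_ssh rule can do with nothing more than ec2:DescribeSecurityGroups: it walks the IpPermissions of each group and reports any rule that exposes TCP/22 to 0.0.0.0/0 or ::/0, including rules whose port range merely contains 22 and "all traffic" (-1) rules that carry no ports at all. SAMPLE_RESPONSE is constructed to look like DescribeSecurityGroups output and is not captured from a real account; the group IDs in it are made up.

```python
"""Flag security groups that allow SSH (TCP/22) from anywhere.

Added example (not nOps code). Evaluates the IpPermissions structure that
ec2:DescribeSecurityGroups returns. Only CIDR sources are considered;
UserIdGroupPairs and PrefixListIds are not "anywhere" and are ignored.
"""

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed DescribeSecurityGroups output (trimmed to the fields used).
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {   # Classic mistake: 22 from 0.0.0.0/0.
            "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # Port range that contains 22, opened to IPv6 anywhere.
            "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-range",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {   # All traffic (-1) from anywhere: the rule carries no ports at all.
            "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "wide-open",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # 22 restricted to a corporate range: compliant.
            "GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "office-only",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            ],
        },
        {   # 80 from anywhere: not SSH, so this rule does not flag it.
            "GroupId": "sg-0a1b2c3d4e5f60005", "GroupName": "web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}


def rule_opens_port(perm, port):
    """True if one IpPermissions entry covers `port` over TCP (or all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    # FromPort/ToPort may be absent; treat a missing bound as open-ended.
    low = perm.get("FromPort", 0)
    high = perm.get("ToPort", 65535)
    return low <= port <= high


def rule_sources(perm):
    """Yield every CIDR source (IPv4 and IPv6) of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_unrestricted_ssh(response, port=SSH_PORT):
    """Return [(GroupId, offending CIDR), ...] for groups exposing `port` to the world."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_opens_port(perm, port):
                continue
            for cidr in rule_sources(perm):
                if cidr in ANYWHERE:
                    findings.append((sg["GroupId"], cidr))
    return findings


if __name__ == "__main__":
    for group_id, cidr in find_unrestricted_ssh(SAMPLE_RESPONSE):
        print(f"{group_id}: port {SSH_PORT} open to {cidr}")
```

The same function generalizes to any port (pass port=3389 for RDP, for example), which is why the range and "-1" cases matter: a rule opening 0-1024 or all traffic to the world exposes SSH just as surely as an explicit port 22 rule, and a check that only matches FromPort == 22 misses both.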

ECS

What

Why

Access (Limited: List, Read)

DescribeClusters

Describes one or more of your clusters.

Used for finding underutilized ECS clusters via the ecs_underutilised nOps rule.

Read: All resources

ListClusters

Returns a list of existing clusters.

Used for finding underutilized ECS clusters via the ecs_underutilised nOps rule.

List: All resources

EKS

What

Why

Access (Limited: List)

ListClusters

Lists the Amazon EKS clusters in your AWS account in the specified Region.

Monitoring usage of EKS Clusters for reporting statuses, statistics and costs.

List: All resources

ListNodegroups

Lists the Amazon EKS managed node groups associated with the specified cluster in your Amazon Web Services account in the specified Region.

To be used in the near future for refresh search.

List: All resources

DescribeCluster

Returns descriptive information about an Amazon EKS cluster.

To be used in the near future for refresh search.

List: All resources

DescribeNodegroup

Returns descriptive information about an Amazon EKS node group.

To be used in the near future for refresh search.

List: All resources

ElastiCache

What

Why

Access (Limited: List)

DescribeCacheClusters

Returns information about all provisioned clusters if no cluster identifier is specified, or about a specific cache cluster if a cluster identifier is supplied.

Used for detecting Multi-AZ disabled cache clusters via elasticache_disabled_multizone nOps rule.

List: All resources

DescribeCacheSubnetGroups

Returns a list of cache subnet group descriptions.

Used for mapping subnet groups to running VPCs. Valuable for RI recommendations decisions and pricing management.

List: All resources

DescribeReplicationGroups

Returns information about a particular replication group.

Used for detecting Multi-AZ disabled cache clusters via elasticache_disabled_multizone nOps rule.

List: All resources

EFS

What

Why

Access (Limited: List)

DescribeFileSystems

Returns the description of a specific Amazon EFS file system if either the file system CreationToken or the FileSystemId is provided. Otherwise, it returns descriptions of all file systems owned by the caller's AWS account in the AWS Region of the endpoint that you're calling.

Used for detecting underutilized EFS file systems via nOps rules.

List: All resources

ELB

What

Why

Access (Limited: List)

DescribeLoadBalancers

Describes the specified load balancers. If no load balancers are specified, the call describes all of your load balancers.

Used for detecting unused ELBs via nOps unused_resources rule.

List: All resources

DescribeTargetGroups

Describes the specified target groups or all of your target groups.

Required for the Graphql IDE page

List: All resources

DescribeTargetHealth

Describes the health of the specified targets or all of your targets.

List: All resources

Elasticsearch

What

Why

Access (Limited: List)

DescribeElasticsearchDomains

Describes the domain configuration for up to five specified Amazon ES domains.

Used for application healthcheck status.

List: All resources

EventBridge

What

Why

Access(Limited: Write)

CreateEventBus

Creates a new event bus within your account.

Allows nOps to create EventBridge integrations for automation.

Write: All resources

GuardDuty

What

Why

Access (Limited: List)

ListDetectors

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

Checks for enablement of GuardDuty via guardduty_enabled nOps rule.

List: All resources

IAM

What

Why

Access (Limited: List, Read)

GetAccessKeyLastUsed

Retrieves information about when the specified access key was last used.

Used for detection of inactive keys via root_access_keys nOps rule.

Read: All resources

GetAccountPasswordPolicy

Retrieves the password policy for the AWS account.

Allows nOps to inform you of the complexity requirements and mandatory rotation periods for the IAM user passwords in your account.

Read: All resources

GetAccountSummary

Retrieves information about IAM entity usage and IAM quotas in the AWS account.

Used for checking the existence of access keys on the root account which is marked as a violation of root_access_keys nOps rule.

List: All resources

GetLoginProfile

Retrieves the login profile (console password record) for the specified IAM user; the call fails if the user has no console password, which is how a console user is distinguished from an API-only user.

Used to build the weekly report of console users without MFA.

List: All resources

GetRole

Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.

Used for detecting unused roles via unused_roles nOps rule.

Read: All resources

ListAccessKeys

Returns information about the access key IDs associated with the specified IAM user.

Used for detection of inactive keys via root_access_keys nOps rule.

List: All resources

ListAccountAliases

Lists the account alias associated with the AWS account.

Used for performing the healthcheck of the account.

List: All resources

ListAttachedGroupPolicies

Lists all managed policies that are attached to the specified IAM group.

Used for policy scanning inside policy_attached_users nOps rule.

List: All resources

ListAttachedRolePolicies

Lists all managed policies that are attached to the specified IAM role.

Used to test convertible RI automation and to ingest RI details.

List: All resources

ListAttachedUserPolicies

Lists all managed policies that are attached to the specified IAM user.

Used for policy scanning inside policy_attached_users nOps rule.

List: All resources

ListGroupsForUser

Lists the IAM groups that the specified IAM user belongs to.

Used for policy scanning inside policy_attached_users nOps rule.

List: All resources

ListInstanceProfiles

Lists the instance profiles that have the specified path prefix.

Required for the Graphql IDE page

List: All resources

ListMFADevices

Lists the MFA devices for an IAM user.

Creates content for /list-devices/ endpoint.

List: All resources

ListPolicyVersions

Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.

List: All resources

ListRoles

Lists the IAM roles that have the specified path prefix.

Creates content for /resources/iam_roles/ endpoint.

List: All resources

ListUserPolicies

Lists the names of the inline policies embedded in the specified IAM user.

Used for policy scanning inside policy_attached_users nOps rule.

List: All resources

ListUsers

Lists the IAM users that have the specified path prefix.

Used for policy scanning inside policy_attached_users nOps rule.

List: All resources

Inspector

What

Why

Access (Limited: List)

ListAssessmentRuns

Lists the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates.

Used for checking enablement of AWS Inspector inside aws_inspector_enabled nOps rule.

List: All resources

KMS

What

Why

Access (Limited: List)

ListKeys

Gets a list of all KMS keys in the caller's AWS account and Region.

Checks the account for KMS usage and builds reports on it.

List: All resources

Lambda

What

Why

Access (Limited: List, Read)

GetFunction

Returns information about the function or function version, with a link to download the deployment package that is valid for 10 minutes. Note that this permission therefore exposes the function's code, not just its configuration.

Used for detecting public or triggerless lambdas in the account via nOps rules.

Read: All resources

GetPolicy

Returns the resource-based IAM policy for a function, version, or alias.

Used for detecting public or triggerless lambdas in the account via nOps rules.

Read: All resources

ListFunctions

Returns a list of Lambda functions, with the version-specific configuration of each.

Used for detecting public or triggerless lambdas in the account via nOps rules.

List: All resources

Organizations

What

Why

Access (Limited: Write, Full: List, Read)

AcceptHandshake

Sends a response to the originator of a handshake agreeing to the action proposed by the handshake request.

Required for onboarding child accounts via CloudFormation stack during Automatic Setup.

Write: All resources

CancelHandshake

Cancels a handshake

Required for onboarding child accounts via CloudFormation stack during Automatic Setup.

Write: All resources

DeclineHandshake

Declines a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request.

Required for onboarding child accounts via CloudFormation stack during Automatic Setup.

Write: All resources

Describe*

Grants access to all Describe permissions.

Required for onboarding child accounts via CloudFormation stack during Automatic Setup.

Read: All resources

List*

Grants access to all List permissions.

Required for onboarding child accounts via CloudFormation stack during Automatic Setup.

List: All resources

InviteAccountToOrganization

Sends an invitation to another AWS account, asking it to join your organization as a member account.

Required for onboarding child accounts via CloudFormation stack during Automatic Setup.

Write: All resources

MoveAccount

Moves an account from its current root or OU to another parent root or OU.

Required for onboarding child accounts via CloudFormation stack during Automatic Setup.

Write: All resources

RDS

What

Why

Access (Limited: List, Read)

DescribeDBInstances

Returns information about provisioned RDS instances.

Used by various nOps rules such as rds_backup_policy, multi_az and provisioned_iops_underutilised.

List: All resources

DescribeDBSnapshots

Returns information about DB snapshots.

Used for detecting public RDS snapshots in the account via nOps rds_public_snapshot rule.

List: All resources

DescribePendingMaintenanceActions

Returns a list of resources (for example, DB instances) that have at least one pending maintenance action.

Used for detecting RDS scheduled maintenance events.

List: All resources

ListTagsForResource

Lists all tags on an Amazon RDS resource.

Read: All resources

Redshift

What

Why

Access (Limited: List)

DescribeClusters

Returns properties of provisioned clusters including general cluster properties, cluster database properties, maintenance and backup properties, and security and access properties.

Used for detecting Redshift Node utilization via redshift_low_node_utilization nOps rule.

List: All resources

S3

What

Why

Access (Limited: List, Read)

GetBucketAcl

Returns the access control list (ACL) of a bucket.

Used for detecting bucket security issues via nOps rules.

Read: All resources

GetBucketLogging

Returns the logging status of a bucket.

Used for detecting bucket security issues via nOps rules.

Read: All resources

GetBucketPolicy

Returns the policy of a specified bucket.

Used for detecting bucket security issues via nOps rules.

Read: All resources

GetBucketPolicyStatus

Retrieves the policy status for an Amazon S3 bucket, indicating whether the policy document grants public access.

Used for detecting bucket security issues via nOps rules.

Read: All resources

GetBucketPublicAccessBlock

Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket.

Used for detecting bucket security issues via nOps rules.

Read: All resources

GetBucketVersioning

Returns the versioning state of a bucket.

Used for detecting bucket security issues via nOps rules (versioning enabled check).

Read: All resources

GetEncryptionConfiguration

Returns the default encryption configuration for an Amazon S3 bucket.

Used for detecting bucket security issues via nOps rules (ServerSideEncryptionConfiguration).

Read: All resources

ListAllMyBuckets

The ListAllMyBuckets operation returns a list of all buckets owned by the sender of the request.

Fetches buckets to be scanned for compliance checks.

List: All resources

SSM

What

Why

Access (Limited: List)

ListComplianceSummaries

Returns a summary count of compliant and non-compliant resources for a compliance type.

Used for Systems Manager compliance checks via the system_manager_patch_enabled nOps rule.

List: All resources

Support

What

Why

Access (Limited: Read)

DescribeCases

Returns a list of cases that you specify by passing one or more case IDs.

Establishes AWS Enterprise Support enablement status.

Read: All resources

DescribeTrustedAdvisorCheckRefreshStatuses

Returns the refresh status of the AWS Trusted Advisor checks that have the specified check IDs.

Not used anymore (can be removed from the policy to narrow its scope).

Read: All resources

DescribeTrustedAdvisorCheckResult

Returns the results of the AWS Trusted Advisor check that has the specified check ID.

Not used anymore (can be removed from the policy to narrow its scope).

Read: All resources

DescribeTrustedAdvisorChecks

Returns information about all available AWS Trusted Advisor checks, including the name, ID, category, description, and metadata.

Not used anymore (can be removed from the policy to narrow its scope).

Read: All resources

Tag (Resource Group Tagging)

What

Why

Access (Limited: Read)

getResources

Returns all the tagged or previously tagged resources that are located in the specified AWS Region for the account.

Reads the resource tags (keys and values) already present on resources so nOps can group and monitor cloud resources by tag. This is read-only; it does not attach or modify tags.

Read: All resources

getTagKeys

Returns all tag keys currently in use in the specified AWS Region for the calling account.

Reads the tag keys in use so nOps can group and monitor cloud resources by tag. This is read-only; it does not attach or modify tags.

Read: All resources

getTagValues

Returns all tag values for the specified key that are used in the specified AWS Region for the calling account.

Reads the tag values in use so nOps can group and monitor cloud resources by tag. This is read-only; it does not attach or modify tags.

Read: All resources

Well-Architected

What

Why

Access (Full access)

wellarchitected

Gives full access to Well-Architected.

nOps provides functionality dedicated to Well-Architected reviews and requires full access to the service to manage cloud workloads and reviews. This is the only service-wide wildcard in the policy; it covers create, update and delete actions on Well-Architected workloads, not just reads.

Full access

WorkSpaces

What

Why

Access (Limited: List, Read)

DescribeWorkspaceDirectories

Describes the available directories that are registered with Amazon WorkSpaces.

Used for detecting unattached workspace directories via nOps rules.

Read: All resources

DescribeWorkspaces

Describes the specified WorkSpaces.

Used for detecting unattached workspace directories via nOps rules.

List: All resources

Go to Help Article: Adding Your AWS account with the Manual Setup

See the latest IAM Policy here: Get IAM Policy
