IAM & SCP requirements
IAM & SCP requirements for AUTOMATE & AUTOMATE+ SaaS
Ensure deployments go smoothly by providing the correct level of deployment access, including when Control Tower Service Control Policies are in place.
IAM Requirements
(for both AUTOMATE Read Only & AUTOMATE+ SaaS options)
IAM Admin access can be used
OR
An IAM user with the IAM policy shown below (the IAM User Policy):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"iam:ListRoles",
"iam:GetRole",
"iam:CreateRole",
"iam:PutRolePolicy",
"sns:ListTopics",
"cloudformation:*",
"wellarchitected:*",
"securityhub:*",
"config:*"
],
"Resource": [
"*"
]
},
{
"Sid": "Statement2",
"Effect": "Allow",
"Action": [
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRolePolicy",
"iam:ListRolePolicies"
],
"Resource": [
"arn:aws:iam::*:role/SO0111*",
"arn:aws:iam::*:role/six-pillars*"
]
}
]
}
Service Control Policies
(only required when the account sits in an AWS Organizational Unit (OU) governed by SCPs)
AUTOMATE Read Only – see the AUTOMATE Read Only ('RO') SCP policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannels",
"config:GetResourceConfigHistory",
"config:ListDiscoveredResources",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:StartConfigurationRecorder",
"events:DeleteRule",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:PutKeyPolicy",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:InvokeFunction",
"s3:CreateBucket",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"securityhub:BatchEnableStandards",
"securityhub:BatchDisableStandards",
"securityhub:BatchUpdateFindings",
"securityhub:CreateActionTarget",
"securityhub:DeleteActionTarget",
"securityhub:DescribeActionTargets",
"securityhub:DescribeStandards",
"securityhub:EnableSecurityHub",
"securityhub:UpdateSecurityHubConfiguration",
"sns:AddPermission",
"sns:ConfirmSubscription",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:List*",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:TagResource",
"sts:AssumeRole",
"events:ListRules",
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*",
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"
],
"Resource": [
"*"
]
}
]
}
AUTOMATE+ (with the ability to fix and self-heal) – see the AUTOMATE PLUS SCP policy below (note that, unlike the two policies above, its statement as shown here does not include a Resource element):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"securityhub:CreateActionTarget",
"securityhub:DeleteActionTarget",
"securityhub:DescribeActionTargets",
"securityhub:BatchUpdateFindings",
"securityhub:EnableSecurityHub",
"securityhub:DescribeStandards",
"securityhub:BatchEnableStandards",
"securityhub:BatchDisableStandards",
"securityhub:UpdateSecurityHubConfiguration",
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutMetricFilter",
"logs:PutRetentionPolicy",
"logs:GetLogEvents",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"states:StartExecution",
"states:CreateStateMachine",
"states:DescribeStateMachine",
"states:TagResource",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeDocument",
"ssm:StartAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationStepExecutions",
"ssm:DeleteParameter",
"ssm:CreateActivation",
"ssm:CreateAssociation",
"ssm:CreateDocument",
"ssm:DeleteActivation",
"ssm:DeleteAssociation",
"ssm:DeleteDocument",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"cloudwatch:PutMetricData",
"cloudwatch:PutMetricAlarm",
"iam:GetPolicy",
"iam:ListEntitiesForPolicy",
"iam:DetachUserPolicy",
"iam:DetachGroupPolicy",
"iam:AttachGroupPolicy",
"iam:GetGroup",
"iam:CreateGroup",
"iam:AddUserToGroup",
"iam:GetRole",
"iam:PassRole",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:TagRole",
"iam:UpdateAccessKey",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:GetUser",
"iam:GetLoginProfile",
"iam:DeleteLoginProfile",
"iam:UpdateAccountPasswordPolicy",
"iam:GetAccountPasswordPolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRole",
"iam:CreateServiceLinkedRole",
"iam:CreatePolicy",
"iam:ListRolePolicies",
"cloudtrail:CreateTrail",
"cloudtrail:UpdateTrail",
"cloudtrail:GetTrail",
"cloudtrail:StartLogging",
"s3:GetBucketPolicy",
"s3:CreateBucket",
"s3:PutEncryptionConfiguration",
"s3:PutBucketLogging",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:DeleteBucketPolicy",
"sns:CreateTopic",
"sns:SetTopicAttributes",
"sns:GetTopicAttributes",
"sns:AddPermission",
"sns:DeleteTopic",
"sns:ConfirmSubscription",
"sns:GetSubscriptionAttributes",
"sns:List*",
"sns:SetSubscriptionAttributes",
"sns:Subscribe",
"sns:TagResource",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:DescribeConfigurationRecorders",
"config:StartConfigurationRecorder",
"config:ListDiscoveredResources",
"config:GetResourceConfigHistory",
"config:DeleteDeliveryChannel",
"config:DeleteConfigurationRecorder",
"config:DescribeDeliveryChannels",
"ec2:CreateFlowLogs",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroups",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:EnableEBSEncryptionByDefault",
"ec2:GetEbsEncryptionByDefault",
"rds:ModifyDBSnapshotAttribute",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:DescribeDBClusters",
"rds:ModifyDBCluster",
"rds:ModifyDBInstance",
"rds:DescribeDBInstances",
"rds:CopyDBSnapshot",
"rds:CopyDBClusterSnapshot",
"rds:DescribeDBSnapshots",
"rds:DescribeDBClusterSnapshots",
"rds:DeleteDBSnapshot",
"rds:DeleteDBClusterSnapshot",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"lambda:GetFunction",
"lambda:GetFunctionCodeSigningConfig",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:PublishLayerVersion",
"lambda:DeleteLayerVersion",
"lambda:GetLayerVersion",
"kms:EnableKeyRotation",
"kms:GetKeyRotationStatus",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:CreateKey",
"kms:PutKeyPolicy",
"kms:DescribeKey",
"kms:CreateAlias",
"kms:DeleteAlias",
"kms:ListKeys",
"kms:ListAliases",
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"events:PutRule",
"events:RemoveTargets",
"events:DescribeRule",
"events:PutTargets",
"events:DeleteRule",
"servicecatalog:SearchProducts",
"servicecatalog:ListLaunchPaths",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:ProvisionProduct",
"servicecatalog:DescribeProvisionedProduct",
"sqs:GetQueueAttributes",
"sqs:List*",
"codeBuild:BatchGetProjects",
"codeBuild:UpdateProject",
"redshift:ModifyCluster",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"redshift:EnableLogging",
"lambda:PutFunctionConcurrency",
"servicecatalog:CreateApplication",
"servicecatalog:CreateAttributeGroup",
"servicecatalog:DeleteAttributeGroup",
"servicecatalog:TagResource",
"servicecatalog:DeleteApplication",
"servicecatalog:GetApplication",
"servicecatalog:GetAttributeGroup",
"servicecatalog:AssociateAttributeGroup",
"servicecatalog:DisassociateAttributeGroup",
"servicecatalog:AssociateResource",
"servicecatalog:DisassociateResource",
"ssm:AddTagsToResource",
"securityhub:UpdateStandardsControl",
"securityhub:DescribeStandardsControls",
"securityhub:GetEnabledStandards",
"securityhub:GetFindings",
"securityhub:ListSecurityControlDefinitions",
"securityhub:ListStandardsControlAssociations",
"securityhub:BatchUpdateStandardsControlAssociations",
"wellarchitected:CreateWorkload",
"wellarchitected:UpdateAnswer",
"wellarchitected:CreateMilestone",
"wellarchitected:DeleteWorkload",
"wellarchitected:List*",
"wellarchitected:Get*",
"support:DescribeSeverityLevels",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRules",
"states:StartExecution",
"securityhub:EnableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:GetInsights",
"securityhub:ListMembers"
]
}
]
}
*If you have an AWS Audit account set up, we recommend deploying to it: it provides wider visibility in a shorter space of time.