The permissions Drata needs to read the following resources are included in the AWS managed SecurityAudit policy.

| AWS Service | Resource Name |
|---|---|
| ApiGateway | ApiGatewayRestApis |
| AppSync | AppSyncGraphqlApis |
| CloudFront | CloudFrontDistributions |
| CloudTrail | LookupRootEvent |
| CloudWatch | MetricAlarms |
| DynamoDB | DynamoDBTables |
| EC2 | SecurityGroups |
| EC2 | ElasticComputeCloudInstances |
| ECS | ElasticContainerCluster |
| ECS | ECSService |
| ElastiCache | ElastiCacheClusters |
| ElastiCache | ElastiCacheReplicationGroups |
| ElasticLoadBalancing | ElasticLoadBalancing |
| ElasticLoadBalancingV2 | ElasticLoadBalancingV2 |
| Elasticsearch | ElasticsearchDomains |
| GuardDuty | GuardDuty |
| IAM | IAMUsers |
| RDS | DBClusters |
| RDS | DBInstances |
| S3 | Buckets |
| SQS | SQSQueues |
The following resources are available only if Adaptive Automation is enabled for your account. When creating a new test, you can choose any supported AWS resource.

In the following table, the columns mean:

- Additional Permissions: permissions that are not included in the SecurityAudit policy and must be added for Drata to access the resource from your AWS account. "None" means SecurityAudit already grants everything the resource needs.
- Covered in ReadOnlyAccess: "Yes" means the AWS managed ReadOnlyAccess policy grants the required permissions, so you can attach that blanket policy instead of adding the resource's specific permissions. "No" means the permissions must be added explicitly even if ReadOnlyAccess is attached. Note that ReadOnlyAccess is far broader than SecurityAudit (it includes data-plane reads such as s3:Get*), so where least privilege matters, prefer adding the specific permissions.
| AWS Service | Resource Name | Required Permissions | Additional Permissions | Covered in ReadOnlyAccess |
|---|---|---|---|---|
| MemoryDB | MemoryDBCluster | | | Yes |
| MemoryDB | MemoryDBACL | | | No |
| Lambda | Lambda | | None | Yes |
| EMR | SecurityConfiguration | | | Yes |
| EMR | EMRClusters | | | Yes |
| Backup | BackupJobs | | | Yes |
| Backup | BackupPlans | | | Yes |
| Backup | BackupGlobalSettings | | | Yes |
| Backup | BackupVaults | | None | Yes |
| CloudTrail | CloudTrail | | | Yes |
| Cognito | IdentityPool | | | Yes |
| Auto Scaling | AutoScalingInstances | | | Yes |
| Auto Scaling | AutoScalingGroups | | | Yes |
| Auto Scaling | ApplicationAutoScalingScalingPolicies | | | Yes |
| OpenSearch Serverless | OpenSearchServerlessSecurityConfigs | | | Yes |
| OpenSearch Serverless | OpenSearchServerlessAccountSettings | | | Yes |
| OpenSearch Serverless | OpenSearchServerlessPoliciesStats | | | Yes |
| CodeBuild | SourceCredentials | | | Yes |
| CodeBuild | Projects | | None | Yes |
| CodeBuild | SharedProjects | | | Yes |
| Auto Scaling | AutoScalingPlans | | None | Yes |
| Application Auto Scaling | ApplicationAutoScalingScalingPolicies | | None | Yes |
| Kinesis | KinesisStreams | | None | Yes |
| Kinesis | KinesisLimits | | None | Yes |
| CloudFront | CloudFrontOriginAccessControls | | None | Yes |
| CloudFront | CloudFrontRealtimeLogConfigs | | None | Yes |
| IAM | IAMUsers | | None | Yes |
| ElasticLoadBalancingV2 | ElasticLoadBalancingV2 | | None | Yes |
| Config Service | ConfigRules | | None | Yes |
| Config Service | ConformancePacks | | None | Yes |
| Config Service | ConfigurationAggregators | | None | Yes |
| CodePipeline | Pipelines | | None | Yes |
| KMS | KMSKeys | | None | Yes |
| SageMaker | SageMakerNoteBookInstances | | None | Yes |
| SageMaker | SageMakerTrainingJobs | | None | Yes |
| RDS | DBClusters | | None | Yes |
| RDS | DBSnapshots | | None | Yes |
| DynamoDB Accelerator (DAX) | DAXClusters | | None | Yes |
| Secrets Manager | Secrets | | None | Yes |
| VPC Lattice | VPCLatticeServices | | | Yes |
| FSx | FsxBackups | | None | Yes |
| Lightsail | LightsailBuckets | | | Yes |
| Lightsail | LightsailAlarms | | | Yes |
| Trusted Advisor | TrustedAdvisorChecks | | | No |
| Trusted Advisor | TrustedAdvisorRecommendations | | | No |
| CodeCommit | Repositories | | | Yes |
| OpenSearch | OpenSearchDomains | | None | Yes |
| OpenSearch | OpenSearchVpcEndpoints | | | Yes |
| Route53 | Route53Domains | | None | Yes |
| Route53 | Route53Operations | | None | Yes |
| DocumentDB | DocDBCluster | | | No |
| Kafka | MSKClusters | | None | Yes |
| Redshift | RedshiftAccountAttributes | | None | Yes |
| Redshift | RedshiftClusters | | None | Yes |
| EC2 | Regions | | None | Yes |
| HTTPS | SslCertificate | None | None | Yes |
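To verify in your own account which required actions SecurityAudit leaves out, and whether attaching ReadOnlyAccess or an explicit additional-permissions policy fills the gap, you can evaluate the policy documents offline instead of trusting a table. The script below is an added example, not Drata's code: it takes IAM policy documents (the `Document` object returned by `aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/SecurityAudit --version-id <DefaultVersionId>`) and a list of required actions, and reports each action as allowed, missing, or explicitly denied, honouring IAM's wildcard and case rules and the precedence of Deny over Allow. The policy fragments and the `REQUIRED_ACTIONS` list are constructed stand-ins for illustration; they are not the real SecurityAudit or ReadOnlyAccess documents and not Drata's actual permission list.

```python
"""Added example (not Drata's code): which of a set of IAM actions does a
bundle of policy documents actually grant?  All policy documents below are
CONSTRUCTED fragments shaped like AWS managed policies, not the real ones."""
import fnmatch
from typing import Iterable

# Constructed stand-in for SecurityAudit: a few read actions, nothing for
# MemoryDB ACLs or EMR security configurations.
SAMPLE_SECURITY_AUDIT_LIKE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["lambda:List*", "lambda:GetPolicy", "memorydb:DescribeClusters",
                       "iam:Get*", "iam:List*", "s3:ListAllMyBuckets"],
            "Resource": "*",
        }
    ],
}

# Constructed stand-in for ReadOnlyAccess: broad Describe*/List* grants.
SAMPLE_READONLY_LIKE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["memorydb:Describe*", "emr:Describe*", "emr:List*"],
         "Resource": "*"}
    ],
}

# Constructed guardrail of the kind an SCP or permissions boundary might carry.
SAMPLE_DENY_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:GetCredentialReport", "Resource": "*"}],
}

# Hypothetical list of actions an integration is assumed to need (constructed).
REQUIRED_ACTIONS = [
    "lambda:ListFunctions",
    "memorydb:DescribeClusters",
    "memorydb:DescribeACLs",
    "emr:DescribeSecurityConfiguration",
    "iam:GetCredentialReport",
]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action: str, patterns: Iterable[str]) -> bool:
    # IAM matches action names case-insensitively; '*' and '?' are the only wildcards.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def evaluate(action: str, policies: Iterable[dict]) -> str:
    """Classify one action as 'allowed', 'denied' or 'missing' across all policies.

    Deliberately conservative: only unconditional statements with Resource "*"
    are considered and NotAction statements are ignored, so a resource-scoped
    or conditional grant is reported as 'missing' rather than assumed to work.
    Among the statements considered, an explicit Deny wins over any Allow.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if "Condition" in stmt or "NotAction" in stmt:
                continue
            if "*" not in _as_list(stmt.get("Resource")):
                continue
            if not _matches(action, _as_list(stmt.get("Action"))):
                continue
            if stmt.get("Effect") == "Deny":
                return "denied"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allowed" if allowed else "missing"


def coverage_report(required: Iterable[str], policies: Iterable[dict]) -> dict:
    policies = list(policies)
    return {action: evaluate(action, policies) for action in required}


def missing_actions(required: Iterable[str], policies: Iterable[dict]) -> list:
    """Actions you would still have to add (or un-deny) for the integration to work."""
    report = coverage_report(required, policies)
    return sorted(a for a, verdict in report.items() if verdict != "allowed")


if __name__ == "__main__":
    bundles = [
        ("SecurityAudit-like only", [SAMPLE_SECURITY_AUDIT_LIKE]),
        ("plus ReadOnlyAccess-like", [SAMPLE_SECURITY_AUDIT_LIKE, SAMPLE_READONLY_LIKE]),
        ("plus deny guardrail", [SAMPLE_SECURITY_AUDIT_LIKE, SAMPLE_READONLY_LIKE, SAMPLE_DENY_GUARDRAIL]),
    ]
    for label, bundle in bundles:
        print(f"{label}: missing/denied = {missing_actions(REQUIRED_ACTIONS, bundle)}")
```

The checker errs on the side of reporting a gap: a grant that depends on a Condition or on a specific Resource ARN is not counted, because whether it works for Drata's role depends on context the policy document alone cannot tell you. For a real role, pass every attached and inline policy, plus any permissions boundary or SCP you can retrieve, and treat anything that comes back as denied as the first thing to investigate.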