AWS Resource Permissions

The AWS resources Drata can test, and the IAM permissions each one requires.

Updated over 9 months ago

Read access to the following resources is already granted by the AWS managed SecurityAudit policy; no additional permissions are needed for them.

| AWS Service | Resource Name |
| --- | --- |
| ApiGateway | ApiGatewayRestApis |
| AppSync | AppSyncGraphqlApis |
| CloudFront | CloudFrontDistributions |
| CloudTrail | LookupRootEvent |
| CloudWatch | MetricAlarms |
| DynamoDB | DynamoDBTables |
| EC2 | SecurityGroups |
| EC2 | ElasticComputeCloudInstances |
| ECS | ElasticContainerCluster |
| ECS | ECSService |
| ElastiCache | ElastiCacheClusters |
| ElastiCache | ElastiCacheReplicationGroups |
| ElasticLoadBalancing | ElasticLoadBalancing |
| ElasticLoadBalancingV2 | ElasticLoadBalancingV2 |
| Elasticsearch | ElasticsearchDomains |
| GuardDuty | GuardDuty |
| IAM | IAMUsers |
| RDS | DBClusters |
| RDS | DBInstances |
| S3 | Buckets |
| SQS | SQSQueues |


The following resources are only available if Adaptive Automation is enabled for your account. When creating a new test, you can choose any supported AWS resource.

In the following table, the columns mean:

  • Required Permissions: every IAM action Drata calls to read the resource.

  • Additional Permissions: the subset of those actions that the SecurityAudit policy does not grant. You must add them to the role or user Drata uses, or Drata cannot read the resource. "None" means SecurityAudit already covers the resource.

  • Covered in ReadOnlyAccess: whether the AWS managed ReadOnlyAccess policy grants the additional permissions, so that you can attach ReadOnlyAccess instead of adding each action individually. Where the answer is "No", the actions must be added explicitly. ReadOnlyAccess grants read access across nearly every AWS service, so if you want least privilege for the Drata principal, add the listed actions individually rather than attaching the blanket policy.

| AWS Service | Resource Name | Required Permissions | Additional Permissions | Covered in ReadOnlyAccess |
| --- | --- | --- | --- | --- |
| MemoryDB | MemoryDBCluster | memorydb:DescribeClusters, memorydb:ListAllowedNodeTypeUpdates, memorydb:ListTags | memorydb:ListAllowedNodeTypeUpdates, memorydb:ListTags | Yes |
| MemoryDB | MemoryDBACL | memorydb:DescribeAcls | memorydb:DescribeAcls | No |
| Lambda | Lambda | lambda:ListFunctions, lambda:GetPolicy | None | Yes |
| EMR | SecurityConfiguration | elasticmapreduce:DescribeSecurityConfiguration, elasticmapreduce:ListSecurityConfigurations | elasticmapreduce:DescribeSecurityConfiguration | Yes |
| EMR | EMRClusters | elasticmapreduce:DescribeCluster, elasticmapreduce:ListClusters | elasticmapreduce:DescribeCluster | Yes |
| Backup | BackupJobs | backup:ListBackupJobs | backup:ListBackupJobs | Yes |
| Backup | BackupPlans | backup:ListBackupPlans | backup:ListBackupPlans | Yes |
| Backup | BackupGlobalSettings | backup:DescribeGlobalSettings | backup:DescribeGlobalSettings | Yes |
| Backup | BackupVaults | backup:ListBackupVaults | None | Yes |
| CloudTrail | CloudTrail | cloudtrail:ListTrails, cloudtrail:DescribeTrails | cloudtrail:ListTrails | Yes |
| Cognito | IdentityPool | cognito-identity:ListIdentityPools, cognito-identity:DescribeIdentityPool | cognito-identity:DescribeIdentityPool | Yes |
| Auto Scaling | AutoScalingInstances | autoscaling:DescribeAutoScalingInstances | autoscaling:DescribeAutoScalingInstances | Yes |
| Auto Scaling | AutoScalingGroups | autoscaling:DescribeAutoScalingGroups | autoscaling:DescribeAutoScalingGroups | Yes |
| Auto Scaling | ApplicationAutoScalingScalingPolicies | autoscaling:DescribePolicies | autoscaling:DescribePolicies | Yes |
| OpenSearch Serverless | OpenSearchServerlessSecurityConfigs | aoss:ListSecurityConfigs, aoss:GetSecurityConfig | aoss:ListSecurityConfigs, aoss:GetSecurityConfig | Yes |
| OpenSearch Serverless | OpenSearchServerlessAccountSettings | aoss:GetAccountSettings | aoss:GetAccountSettings | Yes |
| OpenSearch Serverless | OpenSearchServerlessPoliciesStats | aoss:GetPoliciesStats | aoss:GetPoliciesStats | Yes |
| CodeBuild | SourceCredentials | codebuild:ListSourceCredentials | codebuild:ListSourceCredentials | Yes |
| CodeBuild | Projects | codebuild:ListProjects | None | Yes |
| CodeBuild | SharedProjects | codebuild:ListSharedProjects | codebuild:ListSharedProjects | Yes |
| Auto Scaling | AutoScalingPlans | autoscaling-plans:DescribeScalingPlans | None | Yes |
| Application Auto Scaling | ApplicationAutoScalingScalingPolicies | application-autoscaling:DescribeScalingPolicies | None | Yes |
| Kinesis | KinesisStreams | kinesis:ListStreams, kinesis:DescribeStreamSummary | None | Yes |
| Kinesis | KinesisLimits | kinesis:DescribeLimits | None | Yes |
| CloudFront | CloudFrontOriginAccessControls | cloudfront:ListOriginAccessControls | None | Yes |
| CloudFront | CloudFrontRealtimeLogConfigs | cloudfront:ListRealtimeLogConfigs | None | Yes |
| IAM | IAMUsers | iam:ListAccessKeys, iam:ListUserTags, iam:ListUsers, iam:ListMFADevices | None | Yes |
| ElasticLoadBalancingV2 | ElasticLoadBalancingV2 | elasticloadbalancing:DescribeAccountLimits, elasticloadbalancing:DescribeTags, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers | None | Yes |
| Config Service | ConfigRules | config:DescribeConfigRules | None | Yes |
| Config Service | ConformancePacks | config:DescribeConformancePacks, config:DescribeConformancePackCompliance | None | Yes |
| Config Service | ConfigurationAggregators | config:DescribeConfigurationAggregators, config:DescribeAggregateComplianceByConformancePacks | None | Yes |
| CodePipeline | Pipelines | codepipeline:ListPipelines | None | Yes |
| KMS | KMSKeys | kms:ListKeys, kms:ListResourceTags, kms:GetKeyRotationStatus | None | Yes |
| SageMaker | SageMakerNoteBookInstances | sagemaker:ListNotebookInstances, sagemaker:DescribeNotebookInstance | None | Yes |
| SageMaker | SageMakerTrainingJobs | sagemaker:ListTrainingJobs, sagemaker:DescribeTrainingJob | None | Yes |
| RDS | DBClusters | rds:DescribeDBClusterSnapshots, rds:DescribeDBClusters | None | Yes |
| RDS | DBSnapshots | rds:DescribeDBSnapshots | None | Yes |
| DynamoDB Accelerator (DAX) | DAXClusters | dax:DescribeClusters | None | Yes |
| Secrets Manager | Secrets | secretsmanager:DescribeSecret, secretsmanager:ListSecrets | None | Yes |
| VPC Lattice | VPCLatticeServices | vpc-lattice:ListServices, vpc-lattice:GetResourcePolicy, vpc-lattice:GetAuthPolicy | vpc-lattice:ListServices, vpc-lattice:GetResourcePolicy, vpc-lattice:GetAuthPolicy | Yes |
| FSx | FsxBackups | fsx:DescribeBackups, fsx:ListTagsForResource | None | Yes |
| Lightsail | LightsailBuckets | lightsail:GetBuckets | lightsail:GetBuckets | Yes |
| Lightsail | LightsailAlarms | lightsail:GetAlarms | lightsail:GetAlarms | Yes |
| Trusted Advisor | TrustedAdvisorChecks | trustedadvisor:ListChecks | trustedadvisor:ListChecks | No |
| Trusted Advisor | TrustedAdvisorRecommendations | trustedadvisor:ListRecommendations | trustedadvisor:ListRecommendations | No |
| CodeCommit | Repositories | codecommit:BatchGetRepositories, codecommit:GetBranch, codecommit:ListPullRequests, codecommit:ListBranches, codecommit:ListRepositories, codecommit:GetPullRequest* | codecommit:GetPullRequest* | Yes |
| OpenSearch | OpenSearchDomains | es:DescribeDomainConfig, es:DescribeDomainHealth, es:DescribeDomains, es:ListDomainNames, es:ListTags | None | Yes |
| OpenSearch | OpenSearchVpcEndpoints | es:ListVpcEndpoints, es:DescribeVpcEndpoints | es:ListVpcEndpoints | Yes |
| Route53 | Route53Domains | route53domains:ListDomains | None | Yes |
| Route53 | Route53Operations | route53domains:ListOperations | None | Yes |
| DocumentDB | DocDBCluster | docdb-elastic:ListClusters, docdb-elastic:ListClusterSnapshots | docdb-elastic:ListClusterSnapshots | No |
| Kafka | MSKClusters | kafka:ListClusters | None | Yes |
| Redshift | RedshiftAccountAttributes | redshift:DescribeAccountAttributes | None | Yes |
| Redshift | RedshiftClusters | redshift:DescribeClusterDbRevisions, redshift:DescribeClusterSnapshots, redshift:DescribeClusters | None | Yes |
| EC2 | Regions | ec2:DescribeRegions | None | Yes |
| HTTPS | SslCertificate | None | None | Yes |
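Before attaching a policy to the principal Drata uses, it is worth checking offline that the policy actually grants the actions in the table above and that nothing in it silently blocks them. The script below is an added example written for this page; it is not Drata's code or an AWS tool. It models the parts of IAM action evaluation that matter here (an explicit Deny beats any Allow; Action and NotAction patterns match case-insensitively with `*` and `?` wildcards), reports which required actions a policy misses, flags statements whose Resource is narrowed or that carry a Condition (most of the List/Describe actions on this page do not support resource-level permissions, so a narrowed Resource breaks them), and emits a least-privilege policy for the gaps. The sample policy is constructed for illustration; the action names are taken from the tables on this page. Resource and Condition are not evaluated, only flagged.

```python
"""Offline check of an IAM identity policy against the actions Drata needs.

Added example for this page (not Drata's or AWS's code). The policy below is
constructed for illustration; the action names come from the tables on this
page. Modelled IAM semantics: an explicit Deny beats any Allow; Action and
NotAction patterns are matched case-insensitively with '*' (any run of
characters) and '?' (one character). Resource and Condition are not
evaluated, so resource-scoped or conditional statements are only flagged.
"""
import json
import re


def _as_list(value):
    """IAM allows a string or a list in Action, NotAction, Resource, Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_regex(pattern: str) -> re.Pattern:
    """Translate an IAM action pattern into a regex (IAM wildcards only)."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def statement_covers(statement: dict, action: str) -> bool:
    """True if the statement's Action/NotAction element names this action."""
    if "Action" in statement:
        return any(_action_regex(p).match(action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_action_regex(p).match(action) for p in _as_list(statement["NotAction"]))
    return False


def is_allowed(policy: dict, action: str) -> bool:
    """Allowed only if some Allow matches and no Deny matches (Deny wins)."""
    allowed = False
    for statement in _as_list(policy.get("Statement")):
        if not statement_covers(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy: dict, required: list) -> list:
    """Required actions the policy does not grant, sorted for stable output."""
    return sorted(a for a in required if not is_allowed(policy, a))


def scoped_statements(policy: dict) -> list:
    """Sids of statements with a narrowed Resource or a Condition.

    Most List*/Describe* actions on this page do not support resource-level
    permissions, so such statements need a closer look before trusting them.
    """
    flagged = []
    for i, statement in enumerate(_as_list(policy.get("Statement"))):
        if _as_list(statement.get("Resource")) != ["*"] or "Condition" in statement:
            flagged.append(statement.get("Sid", f"statement[{i}]"))
    return flagged


def build_policy(actions: list, sid: str = "DrataAdditionalReadOnly") -> dict:
    """Least-privilege policy granting exactly the given read actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": sorted(set(actions)), "Resource": "*"}],
    }


# A subset of the actions in this page's tables. Wildcard entries such as
# codecommit:GetPullRequest* must be expanded to concrete action names from
# the IAM service reference before they can be checked this way.
REQUIRED = [
    "memorydb:DescribeClusters", "memorydb:ListAllowedNodeTypeUpdates",
    "memorydb:ListTags", "memorydb:DescribeAcls",
    "lambda:ListFunctions", "lambda:GetPolicy",
    "trustedadvisor:ListChecks", "trustedadvisor:ListRecommendations",
    "docdb-elastic:ListClusters", "docdb-elastic:ListClusterSnapshots",
]

# Constructed sample policy: wildcards, a Deny, and a resource-scoped grant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Wildcards", "Effect": "Allow",
     "Action": ["memorydb:Describe*", "lambda:List*", "lambda:GetPolicy",
                "trustedadvisor:*", "docdb-elastic:List*"],
     "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow",
     "Action": "memorydb:ListAllowedNodeTypeUpdates",
     "Resource": "arn:aws:memorydb:us-east-1:111122223333:cluster/prod"},
    {"Sid": "BlockRecs", "Effect": "Deny",
     "Action": "trustedadvisor:ListRecommendations", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    gaps = missing_actions(SAMPLE_POLICY, REQUIRED)
    print("missing:", gaps)                       # memorydb:ListTags is not
    print("scoped :", scoped_statements(SAMPLE_POLICY))  # matched by Describe*
    print(json.dumps(build_policy(gaps), indent=2))
```

On the sample, `memorydb:Describe*` does not cover `memorydb:ListTags`, and the Deny removes `trustedadvisor:ListRecommendations` even though `trustedadvisor:*` allows it, so both land in the missing list; the "Scoped" statement is reported for review because Resource is narrowed. For the live equivalent against the real principal, `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names <actions>` evaluates the full policy set, including Resource and Condition, which this offline check deliberately does not.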
