What permissions/roles does cloud-custodian require for each cloud type?

[ckuethe]

Ask your question

I'm starting to experiment with cloud custodian and would like to know what permissions I should grant for each of my cloud providers in order to simply audit my clouds.

I did look at all the documentation, especially the getting started sections (eg. https://cloudcustodian.io/docs/gcp/gettingstarted.html and https://cloudcustodian.io/docs/aws/gettingstarted.html), for a list of permissions and roles that each provider requires. Logging in as me and using my session isn't really a great option.

In contrast, other tools such as ScoutSuite and CloudSploit do list the permissions required.

Policy

No response

Relevant log/traceback output

No response

[ajkerrigan]

Hi @ckuethe - good question! A good "getting started" answer is that a read-only/security audit role is enough to experiment with policies - assuming that you're running policies with no actions and/or using the -d / --dry-run option. We do provide some IAM information here, but providing some clearer guidance in the getting started section seems helpful 👍 .

[syedaffanhamdani]

Hi @ajkerrigan,
I would like to contribute here create a step by step the documentation:

1. Creating IAM Policy
2. Creating an IAM Role
3. Setting up Cloud Custodian to use it