Boavizta / cloud-scanner

📡 Get Boavizta impact data for your aws cloud account usage.
GNU Affero General Public License v3.0

Document minimal AWS role/permissions to use cloud scanner #147

Closed demeringo closed 8 months ago

demeringo commented 1 year ago

Problem

Document minimal AWS role/permissions to use cloud scanner

Solution

Alternatives

Additional context or elements

demeringo commented 1 year ago

Todo: verify if the role set in serverless.yml https://github.com/Boavizta/cloud-scanner/blob/aacffd0314828c10483615eb0918e18848e7bd87/serverless.yml#L11 is not too permissive, not sure we need the describe alarms...

```yaml
iam:
    role:
      statements:
        - Effect: Allow
          Action: "ec2:DescribeInstances"
          Resource: "*"
        - Effect: Allow
          Action: "cloudwatch:GetMetricStatistics"
          Resource: "*"
        - Effect: Allow
          Action: "cloudwatch:DescribeAlarm"
          Resource: "*"
```

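
Added example, not part of the comment above or of the cloud-scanner project: a least-privilege check that compares the quoted statements against the set of actions the scanner is assumed to need, and reports what is granted beyond that set. `REQUIRED`, `audit` and the helper names are hypothetical, and the required set is an assumption rather than something taken from the project's documentation.

```python
from fnmatch import fnmatchcase

# Assumption for illustration: the only AWS calls the scanner needs.
REQUIRED = {"ec2:DescribeInstances", "cloudwatch:GetMetricStatistics"}

# Statements transcribed from the serverless.yml excerpt in the comment above.
STATEMENTS = [
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:GetMetricStatistics", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:DescribeAlarm", "Resource": "*"},
]

def _as_list(value):
    """IAM allows Action/NotAction to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def audit(statements, required=REQUIRED):
    """Return (excess, missing).

    excess:  granted patterns that allow something outside `required`
    missing: required actions that no Allow statement grants
    Explicit Deny overriding an Allow is not modelled here.
    """
    excess, covered = set(), set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen the role
        if "NotAction" in st:
            # Allow + NotAction grants everything except the listed actions.
            excluded = _as_list(st["NotAction"])
            excess.add("NotAction:" + ",".join(excluded))
            covered |= {r for r in required
                        if not any(_matches(p, r) for p in excluded)}
            continue
        for pattern in _as_list(st.get("Action")):
            hits = {r for r in required if _matches(pattern, r)}
            covered |= hits
            # A wildcard, or a pattern matching nothing required, is excess.
            if not hits or "*" in pattern or "?" in pattern:
                excess.add(pattern)
    return sorted(excess), sorted(required - covered)

if __name__ == "__main__":
    excess, missing = audit(STATEMENTS)
    print("beyond the assumed minimum:", excess)
    print("required but not granted:", missing)
```
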
demeringo commented 8 months ago

Closing because it is now described in

https://boavizta.github.io/cloud-scanner/how-to/passing-aws-credentials.html