
Permissions Needed

Audit Trail needs a number of permissions. Previously we used several standard AWS-managed policies. However, as the application has grown, we have narrowed the permissions to only what is required. Consequently we have created our own policy that covers exactly those permissions.

From the Identity and Access Management area, select the policies menu item (under the main Access management branch).

This shows you the list of all the policies available in your account. The vast majority of them will be created and managed by AWS.

Press the Create policy button.

Change to the JSON tab and paste in the following text, overwriting the existing content.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreflightCheck",
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy",
"sts:GetCallerIdentity"
],
"Resource": "*"
},
{
"Sid": "CloudFormation",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:GetTemplate",
"cloudformation:ValidateTemplate",
"cloudformation:ContinueUpdateRollback",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DeleteChangeSet"
],
"Resource": "*"
},
{
"Sid": "Lambda",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:ListFunctions",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:GetPolicy",
"lambda:PublishVersion",
"lambda:TagResource",
"lambda:UntagResource",
"lambda:ListTags",
"lambda:CreateEventSourceMapping",
"lambda:DeleteEventSourceMapping",
"lambda:GetEventSourceMapping",
"lambda:ListEventSourceMappings"
],
"Resource": "*"
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:GetBucketLocation",
"s3:ListBucketVersions",
"s3:DeleteObjectVersion",
"s3:PutLifecycleConfiguration",
"s3:GetLifecycleConfiguration",
"s3:PutBucketPublicAccessBlock",
"s3:GetBucketPublicAccessBlock"
],
"Resource": "*"
},
{
"Sid": "IAMRoles",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:ListRoles",
"iam:UpdateAssumeRolePolicy",
"iam:TagRole",
"iam:UntagRole"
],
"Resource": "*"
},
{
"Sid": "PassAuditTrailRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/AuditTrailRole-*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"scheduler.amazonaws.com",
"events.amazonaws.com"
]
}
}
},
{
"Sid": "SQS",
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:SetQueueAttributes",
"sqs:SendMessage",
"sqs:TagQueue",
"sqs:UntagQueue"
],
"Resource": "*"
},
{
"Sid": "DocumentDB",
"Effect": "Allow",
"Action": [
"rds:CreateDBCluster",
"rds:DeleteDBCluster",
"rds:ModifyDBCluster",
"rds:DescribeDBClusters",
"rds:CreateDBInstance",
"rds:DeleteDBInstance",
"rds:ModifyDBInstance",
"rds:DescribeDBInstances",
"rds:CreateDBSubnetGroup",
"rds:DeleteDBSubnetGroup",
"rds:ModifyDBSubnetGroup",
"rds:DescribeDBSubnetGroups",
"rds:AddTagsToResource",
"rds:RemoveTagsFromResource",
"rds:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "SecretsManager",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:GetSecretValue",
"secretsmanager:TagResource",
"secretsmanager:UntagResource"
],
"Resource": "*"
},
{
"Sid": "EC2VPC",
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeInternetGateways",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkAcls",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNatGateways",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeAddresses",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateSubnet",
"ec2:DeleteSubnet",
"ec2:ModifySubnetAttribute",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AllocateAddress",
"ec2:ReleaseAddress",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:CreateNatGateway",
"ec2:DeleteNatGateway",
"ec2:CreateRouteTable",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DisassociateRouteTable",
"ec2:ReplaceRouteTableAssociation",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:CreateNetworkAcl",
"ec2:DeleteNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:DeleteNetworkAclEntry",
"ec2:ReplaceNetworkAclAssociation",
"ec2:CreateVpcEndpoint",
"ec2:DeleteVpcEndpoints",
"ec2:ModifyVpcEndpoint",
"ec2:DeleteNetworkInterface",
"ec2:DetachNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute"
],
"Resource": "*"
},
{
"Sid": "DynamoDB",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:UpdateTable",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"dynamodb:DescribeTimeToLive",
"dynamodb:UpdateTimeToLive",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"dynamodb:ListTagsOfResource"
],
"Resource": "*"
},
{
"Sid": "ApiGateway",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:POST",
"apigateway:PUT",
"apigateway:PATCH",
"apigateway:DELETE"
],
"Resource": "*"
},
{
"Sid": "CloudWatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:PutRetentionPolicy",
"logs:TagResource",
"logs:UntagResource",
"logs:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "EventBridgeScheduler",
"Effect": "Allow",
"Action": [
"scheduler:CreateSchedule",
"scheduler:DeleteSchedule",
"scheduler:GetSchedule",
"scheduler:UpdateSchedule",
"scheduler:ListSchedules",
"scheduler:CreateScheduleGroup",
"scheduler:DeleteScheduleGroup",
"scheduler:GetScheduleGroup",
"scheduler:ListScheduleGroups",
"scheduler:TagResource",
"scheduler:UntagResource",
"scheduler:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "CloudWatchSNS",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:ListSubscriptionsByTopic"
],
"Resource": "*"
}
]
}

Note that all of the permissions are required but, laid out as above, the policy may exceed the character limit for a single AWS policy. The fix is to open the actions dropdown on the right-hand side and select “optimize for size”. This strips the extra whitespace that makes the policy easy to read. While editing you can always switch back to “optimize for readability”, but the policy won’t save if it is over the character limit.

Press the Review policy button.

Give the policy a name, e.g. AuditTrailRole, and a description stating why it was created, i.e. for use with Audit Trail.

Press the Create Policy button.