Audit Trail needs a number of permissions. Previously we used a number of standard AWS policies. However, as the application has grown, we have adapted the permissions to only use what is required. Consequently we have created our own policy that covers the required permissions.
From the Identity and Access Management area, select the policies menu item (under the main Access management branch).
This shows you the list of all the policies that you have available to you in your system. The vast majority of them will be AWS created and managed.
Press the Create policy button.
Change to the JSON tab and paste in the following text overwriting the existing content.
{
"Version": "2012-10-17",
"Statement":
[{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"apigateway:*",
"cloudformation:*",
"dynamodb:*",
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateRouteTable",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpcEndpoint",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpcEndpoints",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcs",
"ec2:DescribeVpcEndpoints",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:ReleaseAddress",
"ec2:ReplaceNetworkAclAssociation",
"ec2:RevokeSecurityGroupIngress",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:ListRoles",
"iam:PassRole",
"iam:UpdateAssumeRolePolicy",
"lambda:*",
"logs:*",
"rds:CreateDBCluster",
"rds:CreateDBInstance",
"rds:CreateDBSubnetGroup",
"rds:DeleteDBCluster",
"rds:DeleteDBInstance",
"rds:DeleteDBSubnetGroup",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBLogFiles",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSubnetGroups",
"rds:ModifyDBInstance",
"rds:ModifyDBCluster",
"rds:ModifyDBSubnetGroup",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketWebsite",
"s3:GetDataAccess",
"s3:GetMultiRegionAccessPoint",
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus",
"s3:GetMultiRegionAccessPointRoutes",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectAttributes",
"s3:GetObjectTagging",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultiRegionAccessPoints",
"scheduler:*",
"secretsmanager:*",
"sns:ListSubscriptions",
"sns:ListTopics",
"sns:Publish",
"sqs:*"
],
"Resource": "*"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "rds.amazonaws.com"
}
}
}
]
}
Press the Review policy button
Give the policy a name e.g. AuditTrailRole and a description to say why this was created i.e. for use with Audit Trail.
Press the Create Policy button.