The AWS IAM policies required to allow Cloud Accounts to connect to your AWS account, provided as JSON code blocks.
The following JSON code blocks are required when manually connecting your AWS account to the Trend Vision One Cloud Accounts app. You can find these code blocks within the stack template file if you download it from Cloud Accounts or use an API call to retrieve the template. The policies are not unique to your AWS account or Trend Vision One account; the same policy documents apply to every account you connect. For more information about using the code, see Adding an AWS Account Manually.
Use the links to jump to the policy code you require:
Policy 1:
VisionOnePolicyPart1
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "access-analyzer:ListAnalyzers", "access-analyzer:ListFindings", "acm:DescribeCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate", "apigateway:GET", "appflow:DescribeFlow", "appflow:ListFlows", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "athena:GetQueryExecution", "athena:ListQueryExecutions", "athena:ListTagsForResource", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLoadBalancerTargetGroups", "autoscaling:DescribeLoadBalancers", "autoscaling:DescribeNotificationConfigurations", "autoscaling:DescribeTags", "backup:DescribeBackupVault", "backup:GetBackupVaultAccessPolicy", "backup:ListBackupVaults", "ce:GetAnomalies", "ce:GetAnomalyMonitors", "cloudformation:DescribeAccountLimits", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:DetectStackDrift", "cloudformation:GetStackPolicy", "cloudformation:GetTemplate", "cloudformation:ListStackInstances", "cloudformation:ListStackResources", "cloudformation:ListStacks", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudfront:ListTagsForResource", "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "comprehend:ListDocumentClassificationJobs", "comprehend:ListDominantLanguageDetectionJobs", "comprehend:ListEntitiesDetectionJobs", "comprehend:ListKeyPhrasesDetectionJobs", "comprehend:ListSentimentDetectionJobs", 
"comprehend:ListTopicsDetectionJobs", "compute-optimizer:GetAutoScalingGroupRecommendations", "compute-optimizer:GetEC2InstanceRecommendations", "config:DescribeComplianceByConfigRule", "config:DescribeConfigRules", "config:DescribeConfigurationRecorderStatus", "config:DescribeConfigurationRecorders", "config:DescribeDeliveryChannelStatus", "config:DescribeDeliveryChannels", "config:GetComplianceDetailsByConfigRule", "config:GetResourceConfigHistory", "config:SelectResourceConfig", "dax:DescribeClusters", "dax:ListTags", "dms:DescribeReplicationInstances", "dms:ListTagsForResource", "ds:DescribeDirectories", "ds:ListTagsForResource", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:ListBackups", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeFlowLogs", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeReservedInstances", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupReferences", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetEbsEncryptionByDefault", "ec2:SearchTransitGatewayRoutes", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetLifecyclePolicy", "ecr:GetRepositoryPolicy", 
"ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTaskDefinitions", "ecs:ListTasks", "eks:DescribeCluster", "eks:ListClusters", "elasticache:DescribeCacheClusters", "elasticache:DescribeReplicationGroups", "elasticache:DescribeReservedCacheNodes", "elasticache:ListTagsForResource", "elasticbeanstalk:DescribeConfigurationSettings", "elasticbeanstalk:DescribeEnvironments", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeTags", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListClusters", "elasticmapreduce:ListInstances", "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomainConfig", "es:DescribeElasticsearchDomains", "es:DescribeElasticsearchInstanceTypeLimits", "es:DescribeReservedElasticsearchInstanceOfferings", "es:DescribeReservedElasticsearchInstances", "es:ListDomainNames", "es:ListElasticsearchInstanceTypes", "es:ListElasticsearchVersions", "es:ListTags", "events:DescribeEventBus", "events:ListRules", "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams", "firehose:ListTagsForDeliveryStream", "glue:GetDataCatalogEncryptionSettings", "glue:GetDatabases", "glue:GetSecurityConfiguration", "glue:GetSecurityConfigurations", "guardduty:GetDetector", "guardduty:GetFindings", "guardduty:ListDetectors", "guardduty:ListFindings", "health:DescribeAffectedEntities", "health:DescribeEventDetails", "health:DescribeEvents", "iam:GenerateCredentialReport", "iam:GetAccessKeyLastUsed", 
"iam:GetAccountAuthorizationDetails", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetLoginProfile", "iam:GetOpenIDConnectProvider" ], "Resource": [ "*" ], "Effect": "Allow" } ] }
Policy 2:
VisionOnePolicyPart2
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetSAMLProvider", "iam:GetServerCertificate", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAccessKeys", "iam:ListAccountAliases", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListMFADevices", "iam:ListOpenIDConnectProviders", "iam:ListPolicies", "iam:ListPolicyTags", "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListRoleTags", "iam:ListRoles", "iam:ListSAMLProviders", "iam:ListSSHPublicKeys", "iam:ListServerCertificates", "iam:ListUserPolicies", "iam:ListUserTags", "iam:ListUsers", "iam:ListVirtualMFADevices", "inspector:DescribeAssessmentRuns", "inspector:DescribeAssessmentTargets", "inspector:DescribeAssessmentTemplates", "inspector:DescribeExclusions", "inspector:DescribeFindings", "inspector:DescribeResourceGroups", "inspector:ListAssessmentRuns", "inspector:ListAssessmentTargets", "inspector:ListAssessmentTemplates", "inspector:ListExclusions", "inspector:ListFindings", "inspector:PreviewAgents", "kafka:DescribeCluster", "kafka:ListClusters", "kafka:ListNodes", "kinesis:DescribeStream", "kinesis:ListStreams", "kinesis:ListTagsForStream", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListGrants", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListResourceTags", "lambda:GetAccountSettings", "lambda:GetFunctionConfiguration", "lambda:GetPolicy", "lambda:ListEventSourceMappings", "lambda:ListFunctionUrlConfigs", "lambda:ListFunctions", "lambda:ListLayers", "lambda:ListTags", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "macie2:GetClassificationExportConfiguration", "macie2:GetFindingStatistics", "macie2:ListClassificationJobs", "mq:DescribeBroker", 
"mq:ListBrokers", "organizations:DescribeAccount", "organizations:DescribeCreateAccountStatus", "organizations:DescribeHandshake", "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribePolicy", "organizations:ListAWSServiceAccessForOrganization", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListChildren", "organizations:ListCreateAccountStatus", "organizations:ListHandshakesForAccount", "organizations:ListHandshakesForOrganization", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "organizations:ListRoots", "organizations:ListTargetsForPolicy", "rds:DescribeAccountAttributes", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "rds:DescribeEventSubscriptions", "rds:DescribeEvents", "rds:DescribeReservedDBInstances", "rds:ListTagsForResource", "redshift:DescribeClusterParameterGroups", "redshift:DescribeClusterParameters", "redshift:DescribeClusters", "redshift:DescribeLoggingStatus", "redshift:DescribeReservedNodes", "redshift:DescribeTags", "route53:GetDNSSEC", "route53:GetGeoLocation", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource", "route53domains:GetDomainDetail", "route53domains:ListDomains", "route53domains:ListTagsForDomain", "s3:GetAccelerateConfiguration", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:ListAllMyBuckets", "s3:ListBucket", 
"sagemaker:DescribeNotebookInstance", "sagemaker:ListNotebookInstances", "sagemaker:ListTags", "secretsmanager:DescribeSecret", "secretsmanager:ListSecrets", "securityhub:DescribeHub", "securityhub:GetEnabledStandards", "securityhub:GetFindings", "securityhub:GetInsightResults", "securityhub:GetInsights", "securityhub:GetMasterAccount", "securityhub:GetMembers", "securityhub:ListEnabledProductsForImport", "securityhub:ListInvitations", "securityhub:ListMembers", "servicequotas:ListServiceQuotas", "ses:GetIdentityDkimAttributes", "ses:GetIdentityPolicies", "ses:GetIdentityVerificationAttributes", "ses:ListIdentities", "ses:ListIdentityPolicies", "shield:DescribeSubscription", "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:ListTagsForResource", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueueTags", "sqs:ListQueues", "ssm:AddTagsToResource", "ssm:DeleteParameter", "ssm:DescribeInstanceInformation", "ssm:DescribeParameters", "ssm:DescribeSessions", "ssm:GetParameters", "ssm:PutParameter", "ssm:RemoveTagsFromResource", "storagegateway:DescribeNFSFileShares", "storagegateway:DescribeSMBFileShares", "storagegateway:DescribeTapes", "storagegateway:ListFileShares", "storagegateway:ListTagsForResource", "storagegateway:ListTapes", "support:DescribeSeverityLevels", "support:DescribeTrustedAdvisorCheckRefreshStatuses", "support:DescribeTrustedAdvisorCheckResult", "support:DescribeTrustedAdvisorChecks", "support:RefreshTrustedAdvisorCheck", "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues", "transfer:DescribeServer", "transfer:ListServers", "waf:GetWebACL", "waf:ListWebACLs", "wafv2:ListWebACLs", "wellarchitected:GetWorkload", "wellarchitected:ListWorkloads", "workspaces:DescribeTags", "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaceDirectories", "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesConnectionStatus", "xray:GetEncryptionConfig" ], "Effect": "Allow", "Resource": [ "*" ] } ] }