Handy policies for assessment of AWS resources in a read-only approach, useful when you're doing some audit.
Request/add the policies below.
Managed policies:
AWSResourceExplorerReadOnlyAccess- Or
AWSResourceExplorerFullAccessif the service has not yet been enabled
- Or
IAMUserChangePasswordReadOnlyAccessSecurityAudit
Request these permissions for MFA. Replace <account>, <user>, and <device> accordingly:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:CreateVirtualMFADevice",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::<account>:user/<user>",
"arn:aws:iam::<account>:mfa/<device>"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:ListAccountAliases",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:GetAccountSummary"
],
"Resource": "*"
}
]
}Trusted Advisor:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"trustedadvisor:Describe*",
"trustedadvisor:RefreshCheck"
],
"Resource": "*"
}
]
}