pblittle/cloudcheckr-policy.json

## cloudcheckr-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullPolicy",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate",
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudfront:List*",
                "cloudfront:GetDistributionConfig",
                "cloudfront:GetStreamingDistributionConfig",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudsearch:DescribeStemmingOptions",
                "cloudsearch:DescribeStopwordOptions",
                "cloudsearch:DescribeSynonymOptions",
                "cloudsearch:DescribeDefaultSearchField",
                "cloudsearch:DescribeIndexFields",
                "cloudsearch:DescribeRankExpressions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:DescribeConfigRules",
                "config:GetComplianceDetailsByConfigRule",
                "config:DescribeDeliveryChannels",
                "config:DescribeDeliveryChannelStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "datapipeline:ListPipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:DescribePipelines",
                "directconnect:DescribeLocations",
                "directconnect:DescribeConnections",
                "directconnect:DescribeVirtualInterfaces",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeKeyPairs",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeAddresses",
                "ec2:DescribeReservedInstance*",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeInstances",
                "ec2:GetConsoleOutput",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
	        	"ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeSubnets",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeVpnGateways",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:DescribeCacheSecurityGroups",
                "elasticache:DescribeCacheParameterGroups",
                "elasticache:DescribeCacheParameters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeEvents",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeTags",
                "elasticmapreduce:DescribeJobFlows",
                "elasticmapreduce:DescribeStep",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeTags",
                "elasticmapreduce:ListSteps",
                "elasticmapreduce:ListInstanceGroups",
                "elasticmapreduce:ListBootstrapActions",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "es:ListDomainNames",
                "es:DescribeElasticsearchDomains",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "iam:Get*",
                "iam:List*",
                "iot:DescribeThing",
                "iot:ListThings",
                "iam:GenerateCredentialReport",
                "kinesis:ListStreams",
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "lambda:ListFunctions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeEvents",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeOptionGroups",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "redshift:ViewQueriesInConsole",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "s3:GetBucketACL",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetBucketNotification",
                "s3:GetLifecycleConfiguration",
                "s3:GetNotificationConfiguration",
                "s3:GetObject",
                "s3:GetObjectMetadata",
                "s3:List*",
                "ses:ListIdentities",
                "ses:GetSendStatistics",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "sdb:ListDomains",
                "sdb:DomainMetadata",
                "support:*",
                "swf:ListClosedWorkflowExecutions",
                "swf:ListDomains",
                "swf:ListActivityTypes",
                "swf:ListWorkflowTypes",
                "sns:GetSnsTopic",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "FullPolicy",
	"Action": [
	"acm:DescribeCertificate",
	"acm:ListCertificates",
	"acm:GetCertificate",
	"autoscaling:Describe*",
	"cloudformation:DescribeStacks",
	"cloudformation:GetStackPolicy",
	"cloudformation:GetTemplate",
	"cloudformation:ListStackResources",
	"cloudfront:List*",
	"cloudfront:GetDistributionConfig",
	"cloudfront:GetStreamingDistributionConfig",
	"cloudhsm:Describe*",
	"cloudhsm:List*",
	"cloudsearch:DescribeDomains",
	"cloudsearch:DescribeServiceAccessPolicies",
	"cloudsearch:DescribeStemmingOptions",
	"cloudsearch:DescribeStopwordOptions",
	"cloudsearch:DescribeSynonymOptions",
	"cloudsearch:DescribeDefaultSearchField",
	"cloudsearch:DescribeIndexFields",
	"cloudsearch:DescribeRankExpressions",
	"cloudtrail:DescribeTrails",
	"cloudtrail:GetTrailStatus",
	"cloudwatch:DescribeAlarms",
	"cloudwatch:GetMetricStatistics",
	"cloudwatch:ListMetrics",
	"config:DescribeConfigRules",
	"config:GetComplianceDetailsByConfigRule",
	"config:DescribeDeliveryChannels",
	"config:DescribeDeliveryChannelStatus",
	"config:DescribeConfigurationRecorders",
	"config:DescribeConfigurationRecorderStatus",
	"datapipeline:ListPipelines",
	"datapipeline:GetPipelineDefinition",
	"datapipeline:DescribePipelines",
	"directconnect:DescribeLocations",
	"directconnect:DescribeConnections",
	"directconnect:DescribeVirtualInterfaces",
	"dynamodb:ListTables",
	"dynamodb:DescribeTable",
	"ec2:DescribeAccountAttributes",
	"ec2:DescribeAvailabilityZones",
	"ec2:DescribeKeyPairs",
	"ec2:DescribePlacementGroups",
	"ec2:DescribeAddresses",
	"ec2:DescribeReservedInstance*",
	"ec2:DescribeSpotInstanceRequests",
	"ec2:DescribeImages",
	"ec2:DescribeImageAttribute",
	"ec2:DescribeSnapshots",
	"ec2:DescribeVolumes",
	"ec2:DescribeTags",
	"ec2:DescribeNetworkInterfaces",
	"ec2:DescribeSecurityGroups",
	"ec2:DescribeInstanceStatus",
	"ec2:DescribeInstanceAttribute",
	"ec2:DescribeVolumeStatus",
	"ec2:DescribeInstances",
	"ec2:GetConsoleOutput",
	"ec2:DescribeDhcpOptions",
	"ec2:DescribeCustomerGateways",
	"ec2:DescribeVpcs",
	"ec2:DescribeVpcAttribute",
	"ec2:DescribeVpcPeeringConnections",
	"ec2:DescribeSubnets",
	"ec2:DescribeRouteTables",
	"ec2:DescribeVpnConnections",
	"ec2:DescribeNetworkAcls",
	"ec2:DescribeInternetGateways",
	"ec2:DescribeVpnGateways",
	"ecs:ListClusters",
	"ecs:DescribeClusters",
	"ecs:ListContainerInstances",
	"ecs:DescribeContainerInstances",
	"ecs:ListServices",
	"ecs:DescribeServices",
	"ecs:ListTaskDefinitions",
	"ecs:DescribeTaskDefinition",
	"ecs:ListTasks",
	"ecs:DescribeTasks",
	"elasticache:DescribeCacheClusters",
	"elasticache:DescribeReservedCacheNodes",
	"elasticache:DescribeCacheSecurityGroups",
	"elasticache:DescribeCacheParameterGroups",
	"elasticache:DescribeCacheParameters",
	"elasticache:DescribeCacheSubnetGroups",
	"elasticbeanstalk:DescribeApplications",
	"elasticbeanstalk:DescribeConfigurationSettings",
	"elasticbeanstalk:DescribeEnvironments",
	"elasticbeanstalk:DescribeEvents",
	"elasticloadbalancing:DescribeLoadBalancers",
	"elasticloadbalancing:DescribeInstanceHealth",
	"elasticloadbalancing:DescribeLoadBalancerAttributes",
	"elasticloadbalancing:DescribeTags",
	"elasticmapreduce:DescribeJobFlows",
	"elasticmapreduce:DescribeStep",
	"elasticmapreduce:DescribeCluster",
	"elasticmapreduce:DescribeTags",
	"elasticmapreduce:ListSteps",
	"elasticmapreduce:ListInstanceGroups",
	"elasticmapreduce:ListBootstrapActions",
	"elasticmapreduce:ListClusters",
	"elasticmapreduce:ListInstances",
	"es:ListDomainNames",
	"es:DescribeElasticsearchDomains",
	"glacier:List*",
	"glacier:DescribeVault",
	"glacier:GetVaultNotifications",
	"glacier:DescribeJob",
	"glacier:GetJobOutput",
	"iam:Get*",
	"iam:List*",
	"iot:DescribeThing",
	"iot:ListThings",
	"iam:GenerateCredentialReport",
	"kinesis:ListStreams",
	"kinesis:DescribeStream",
	"kinesis:GetShardIterator",
	"kinesis:GetRecords",
	"lambda:ListFunctions",
	"rds:DescribeReservedDBInstances",
	"rds:DescribeDBInstances",
	"rds:DescribeDBSubnetGroups",
	"rds:DescribeDBSecurityGroups",
	"rds:DescribeDBParameterGroups",
	"rds:DescribeDBSnapshots",
	"rds:DescribeEvents",
	"rds:DescribeEventSubscriptions",
	"rds:DescribeDBEngineVersions",
	"rds:DescribeOptionGroups",
	"rds:ListTagsForResource",
	"redshift:Describe*",
	"redshift:ViewQueriesInConsole",
	"route53:ListHealthChecks",
	"route53:ListHostedZones",
	"route53:ListResourceRecordSets",
	"s3:GetBucketACL",
	"s3:GetBucketLocation",
	"s3:GetBucketLogging",
	"s3:GetBucketPolicy",
	"s3:GetBucketTagging",
	"s3:GetBucketWebsite",
	"s3:GetBucketNotification",
	"s3:GetLifecycleConfiguration",
	"s3:GetNotificationConfiguration",
	"s3:GetObject",
	"s3:GetObjectMetadata",
	"s3:List*",
	"ses:ListIdentities",
	"ses:GetSendStatistics",
	"ses:GetIdentityDkimAttributes",
	"ses:GetIdentityVerificationAttributes",
	"ses:GetSendQuota",
	"sdb:ListDomains",
	"sdb:DomainMetadata",
	"support:*",
	"swf:ListClosedWorkflowExecutions",
	"swf:ListDomains",
	"swf:ListActivityTypes",
	"swf:ListWorkflowTypes",
	"sns:GetSnsTopic",
	"sns:GetTopicAttributes",
	"sns:GetSubscriptionAttributes",
	"sns:ListTopics",
	"sns:ListSubscriptionsByTopic",
	"sqs:ListQueues",
	"sqs:GetQueueAttributes",
	"workspaces:DescribeWorkspaceDirectories",
	"workspaces:DescribeWorkspaceBundles",
	"workspaces:DescribeWorkspaces"
	],
	"Effect": "Allow",
	"Resource": "*"
	},
	{
	"Sid": "CloudWatchLogsSpecific",
	"Effect": "Allow",
	"Action": [
	"logs:GetLogEvents",
	"logs:DescribeLogGroups",
	"logs:DescribeLogStreams"
	],
	"Resource": [
	"arn:aws:logs:::*"
	]
	}
	]
	}