AWS IAM Policy Permissions

Tip

Looking for instructions on creating or updating an AWS Identity & Access Management (IAM) role for Fugue? See our tutorials Create a Fugue IAM Role and Update the Fugue IAM Role.

Note

The following policies are for reference only. We recommend using the tailored policy Fugue generates for you.

Fugue requires certain permissions to scan and enforce the infrastructure configuration in your AWS account. When you create an AWS Identity & Access Management (IAM) role for Fugue, the following policies are attached:

  1. The AWS-managed read-only SecurityAudit policy

  2. If needed, a supplemental inline policy granting any read permissions not covered by SecurityAudit, tailored to the resource types you select

Note that the role also has a trust policy that requires an external ID. Fugue generates this unique ID for your tenant; the trust policy only lets Fugue's principal assume the role when the sts:AssumeRole request supplies the matching sts:ExternalId value, so other parties cannot assume the role even if they know your role ARN.

SecurityAudit read-only (scan) permissions

For reference, all SecurityAudit read-only (scan) permissions (AWS policy version 35):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "access-analyzer:GetAnalyzedResource",
                "access-analyzer:GetAnalyzer",
                "access-analyzer:GetArchiveRule",
                "access-analyzer:GetFinding",
                "access-analyzer:ListAnalyzedResources",
                "access-analyzer:ListAnalyzers",
                "access-analyzer:ListArchiveRules",
                "access-analyzer:ListFindings",
                "access-analyzer:ListTagsForResource",
                "acm-pca:ListPermissions",
                "acm:Describe*",
                "acm:List*",
                "application-autoscaling:Describe*",
                "appmesh:Describe*",
                "appmesh:List*",
                "appsync:List*",
                "athena:GetWorkGroup",
                "athena:List*",
                "autoscaling-plans:DescribeScalingPlans",
                "autoscaling:Describe*",
                "batch:DescribeComputeEnvironments",
                "batch:DescribeJobDefinitions",
                "chime:List*",
                "cloud9:Describe*",
                "cloud9:ListEnvironments",
                "clouddirectory:ListDirectories",
                "cloudformation:DescribeStack*",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate",
                "cloudformation:ListStack*",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudhsm:ListHapgs",
                "cloudhsm:ListHsms",
                "cloudhsm:ListLunaClients",
                "cloudsearch:DescribeDomainEndpointOptions",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "cloudwatch:Describe*",
                "cloudwatch:ListTagsForResource",
                "codebuild:ListProjects",
                "codecommit:BatchGetRepositories",
                "codecommit:GetBranch",
                "codecommit:GetObjectIdentifier",
                "codecommit:GetRepository",
                "codecommit:GetRepositoryTriggers",
                "codecommit:List*",
                "codedeploy:Batch*",
                "codedeploy:Get*",
                "codedeploy:List*",
                "codepipeline:GetJobDetails",
                "codepipeline:GetPipeline",
                "codepipeline:GetPipelineExecution",
                "codepipeline:GetPipelineState",
                "codepipeline:ListPipelines",
                "codestar:Describe*",
                "codestar:List*",
                "cognito-identity:ListIdentityPools",
                "cognito-idp:DescribeIdentityProvider",
                "cognito-idp:DescribeResourceServer",
                "cognito-idp:DescribeRiskConfiguration",
                "cognito-idp:DescribeUserImportJob",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:DescribeUserPoolDomain",
                "cognito-idp:ListDevices",
                "cognito-idp:ListGroups",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:ListResourceServers",
                "cognito-idp:ListTagsForResource",
                "cognito-idp:ListUserImportJobs",
                "cognito-idp:ListUserPoolClients",
                "cognito-idp:ListUserPools",
                "cognito-idp:ListUsers",
                "cognito-idp:ListUsersInGroup",
                "cognito-sync:Describe*",
                "cognito-sync:List*",
                "comprehend:Describe*",
                "comprehend:List*",
                "config:BatchGetAggregateResourceConfig",
                "config:BatchGetResourceConfig",
                "config:Deliver*",
                "config:Describe*",
                "config:Get*",
                "config:List*",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:EvaluateExpression",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:QueryObjects",
                "datapipeline:ValidatePipelineDefinition",
                "datasync:Describe*",
                "datasync:List*",
                "dax:Describe*",
                "dax:ListTags",
                "detective:GetGraphIngestState",
                "detective:ListGraphs",
                "detective:ListMembers",
                "directconnect:Describe*",
                "dms:Describe*",
                "dms:ListTagsForResource",
                "ds:DescribeDirectories",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeTimeToLive",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListStreams",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:Describe*",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayMulticastDomains",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:GetManagedPrefixListAssociations",
                "ec2:GetManagedPrefixListEntries",
                "ec2:GetTransitGatewayAttachmentPropagations",
                "ec2:GetTransitGatewayMulticastDomainAssociations",
                "ec2:GetTransitGatewayPrefixListReferences",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ecr-public:DescribeImageTags",
                "ecr-public:DescribeImages",
                "ecr-public:DescribeRegistries",
                "ecr-public:DescribeRepositories",
                "ecr-public:GetRegistryCatalogData",
                "ecr-public:GetRepositoryCatalogData",
                "ecr-public:GetRepositoryPolicy",
                "ecr:DescribeImageScanFindings",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetLifecyclePolicy",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:ListTagsForResource",
                "ecs:Describe*",
                "ecs:List*",
                "eks:DescribeCluster",
                "eks:DescribeNodeGroup",
                "eks:ListClusters",
                "eks:ListNodeGroups",
                "elasticache:Describe*",
                "elasticache:ListTagsForResource",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:ListTagsForResource",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:GetBlockPublicAccessConfiguration",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "elasticmapreduce:ListSecurityConfigurations",
                "es:Describe*",
                "es:ListDomainNames",
                "es:ListElasticsearchInstanceTypeDetails",
                "es:ListElasticsearchVersions",
                "es:ListTags",
                "events:Describe*",
                "events:List*",
                "events:TestEventPattern",
                "firehose:Describe*",
                "firehose:List*",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "fsx:Describe*",
                "fsx:List*",
                "gamelift:ListBuilds",
                "gamelift:ListFleets",
                "glacier:DescribeVault",
                "glacier:GetVaultAccessPolicy",
                "glacier:ListVaults",
                "globalaccelerator:Describe*",
                "globalaccelerator:List*",
                "glue:GetCrawlers",
                "glue:GetDataCatalogEncryptionSettings",
                "glue:GetDatabases",
                "glue:GetDevEndpoints",
                "glue:GetJobs",
                "greengrass:List*",
                "guardduty:DescribePublishingDestination",
                "guardduty:Get*",
                "guardduty:List*",
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "inspector:Describe*",
                "inspector:Get*",
                "inspector:List*",
                "inspector:Preview*",
                "iot:Describe*",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "iot:List*",
                "kinesis:DescribeLimits",
                "kinesis:DescribeStream",
                "kinesis:DescribeStreamConsumer",
                "kinesis:DescribeStreamSummary",
                "kinesis:ListStreamConsumers",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kinesisanalytics:ListApplications",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "lambda:GetAccountSettings",
                "lambda:GetFunctionConfiguration",
                "lambda:GetFunctionEventInvokeConfig",
                "lambda:GetLayerVersionPolicy",
                "lambda:GetPolicy",
                "lambda:List*",
                "license-manager:List*",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "logs:Describe*",
                "logs:ListTagsLogGroup",
                "machinelearning:DescribeMLModels",
                "mediaconnect:Describe*",
                "mediaconnect:List*",
                "mediastore:GetContainerPolicy",
                "mediastore:ListContainers",
                "mq:DescribeBroker",
                "mq:DescribeBrokerEngineTypes",
                "mq:DescribeBrokerInstanceOptions",
                "mq:DescribeConfiguration",
                "mq:DescribeConfigurationRevision",
                "mq:DescribeUser",
                "mq:ListBrokers",
                "mq:ListConfigurationRevisions",
                "mq:ListConfigurations",
                "mq:ListTags",
                "mq:ListUsers",
                "network-firewall:ListFirewalls",
                "opsworks-cm:DescribeServers",
                "opsworks:DescribeStacks",
                "organizations:Describe*",
                "organizations:List*",
                "quicksight:Describe*",
                "quicksight:List*",
                "ram:List*",
                "rds:Describe*",
                "rds:DownloadDBLogFilePortion",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "rekognition:Describe*",
                "rekognition:List*",
                "robomaker:Describe*",
                "robomaker:List*",
                "route53:Get*",
                "route53:List*",
                "route53domains:GetDomainDetail",
                "route53domains:GetOperationDetail",
                "route53domains:ListDomains",
                "route53domains:ListOperations",
                "route53domains:ListTagsForDomain",
                "route53resolver:Get*",
                "route53resolver:List*",
                "s3:GetAccelerateConfiguration",
                "s3:GetAccessPoint",
                "s3:GetAccessPointPolicy",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetAnalyticsConfiguration",
                "s3:GetBucket*",
                "s3:GetEncryptionConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetMetricsConfiguration",
                "s3:GetObjectAcl",
                "s3:GetObjectVersionAcl",
                "s3:GetReplicationConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "sagemaker:Describe*",
                "sagemaker:List*",
                "schemas:DescribeCodeBinding",
                "schemas:DescribeDiscoverer",
                "schemas:DescribeRegistry",
                "schemas:DescribeSchema",
                "schemas:ListDiscoverers",
                "schemas:ListRegistries",
                "schemas:ListSchemaVersions",
                "schemas:ListSchemas",
                "schemas:ListTagsForResource",
                "sdb:DomainMetadata",
                "sdb:ListDomains",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:ListSecrets",
                "securityhub:Describe*",
                "securityhub:Get*",
                "securityhub:List*",
                "serverlessrepo:GetApplicationPolicy",
                "serverlessrepo:List*",
                "servicequotas:GetAWSDefaultServiceQuota",
                "servicequotas:GetAssociationForServiceQuotaTemplate",
                "servicequotas:GetRequestedServiceQuotaChange",
                "servicequotas:GetServiceQuota",
                "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
                "servicequotas:ListAWSDefaultServiceQuotas",
                "servicequotas:ListRequestedServiceQuotaChangeHistory",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
                "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
                "servicequotas:ListServiceQuotas",
                "servicequotas:ListServices",
                "servicequotas:ListTagsForResource",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityPolicies",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "ses:ListVerifiedEmailAddresses",
                "shield:Describe*",
                "shield:List*",
                "snowball:ListClusters",
                "snowball:ListJobs",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTagsForResource",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "ssm:Describe*",
                "ssm:GetAutomationExecution",
                "ssm:ListAssociationVersions",
                "ssm:ListAssociations",
                "ssm:ListCommands",
                "ssm:ListComplianceItems",
                "ssm:ListComplianceSummaries",
                "ssm:ListDocumentMetadataHistory",
                "ssm:ListDocumentVersions",
                "ssm:ListDocuments",
                "ssm:ListInventoryEntries",
                "ssm:ListOpsMetadata",
                "ssm:ListResourceComplianceSummaries",
                "ssm:ListResourceDataSync",
                "ssm:ListTagsForResource",
                "sso:DescribePermissionsPolicies",
                "sso:List*",
                "states:ListStateMachines",
                "storagegateway:DescribeBandwidthRateLimit",
                "storagegateway:DescribeCache",
                "storagegateway:DescribeCachediSCSIVolumes",
                "storagegateway:DescribeGatewayInformation",
                "storagegateway:DescribeMaintenanceStartTime",
                "storagegateway:DescribeNFSFileShares",
                "storagegateway:DescribeSnapshotSchedule",
                "storagegateway:DescribeStorediSCSIVolumes",
                "storagegateway:DescribeTapeArchives",
                "storagegateway:DescribeTapeRecoveryPoints",
                "storagegateway:DescribeTapes",
                "storagegateway:DescribeUploadBuffer",
                "storagegateway:DescribeVTLDevices",
                "storagegateway:DescribeWorkingStorage",
                "storagegateway:List*",
                "support:DescribeTrustedAdvisorCheckRefreshStatuses",
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorCheckSummaries",
                "support:DescribeTrustedAdvisorChecks",
                "tag:GetResources",
                "tag:GetTagKeys",
                "transfer:Describe*",
                "transfer:List*",
                "translate:List*",
                "trustedadvisor:Describe*",
                "waf-regional:GetWebACL",
                "waf-regional:ListResourcesForWebACL",
                "waf-regional:ListTagsForResource",
                "waf-regional:ListWebACLs",
                "waf:GetWebACL",
                "waf:ListTagsForResource",
                "waf:ListWebACLs",
                "wafv2:GetWebACL",
                "wafv2:ListAvailableManagedRuleGroups",
                "wafv2:ListIPSets",
                "wafv2:ListLoggingConfigurations",
                "wafv2:ListRegexPatternSets",
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListRuleGroups",
                "wafv2:ListTagsForResource",
                "wafv2:ListWebACLs",
                "workdocs:DescribeResourcePermissions",
                "workspaces:Describe*",
                "xray:GetEncryptionConfig",
                "xray:GetGroup",
                "xray:GetGroups",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets",
                "xray:ListTagsForResource"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET"
            ],
            "Resource": [
                "arn:aws:apigateway:*::/apis",
                "arn:aws:apigateway:*::/apis/*/routes",
                "arn:aws:apigateway:*::/apis/*/stages",
                "arn:aws:apigateway:*::/apis/*/stages/*",
                "arn:aws:apigateway:*::/clientcertificates/*",
                "arn:aws:apigateway:*::/restapis",
                "arn:aws:apigateway:*::/restapis/*/authorizers",
                "arn:aws:apigateway:*::/restapis/*/authorizers/*",
                "arn:aws:apigateway:*::/restapis/*/documentation/versions",
                "arn:aws:apigateway:*::/restapis/*/resources",
                "arn:aws:apigateway:*::/restapis/*/resources/*",
                "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
                "arn:aws:apigateway:*::/restapis/*/stages",
                "arn:aws:apigateway:*::/restapis/*/stages/*",
                "arn:aws:apigateway:*::/tags/*",
                "arn:aws:apigateway:*::/vpclinks"
            ]
        }
    ]
}

Supplemental read-only (scan) permissions

For reference, all possible read-only (scan) permissions supplemental to SecurityAudit (assuming all resource types, including beta types, are selected):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "access-analyzer:GetAnalyzer",
        "access-analyzer:ListAnalyzers",
        "account:GetAlternateContact",
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:GetCertificateAuthorityCsr",
        "acm-pca:ListCertificateAuthorities",
        "acm-pca:ListTags",
        "apigateway:GET",
        "athena:GetWorkGroup",
        "cloudwatch:GetDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:ListTagsForResource",
        "cognito-idp:DescribeIdentityProvider",
        "cognito-idp:DescribeResourceServer",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:DescribeUserPoolDomain",
        "cognito-idp:GetGroup",
        "cognito-idp:GetUserPoolMfaConfig",
        "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders",
        "cognito-idp:ListResourceServers",
        "cognito-idp:ListUserPoolClients",
        "ds:DescribeConditionalForwarders",
        "ds:ListTagsForResource",
        "dynamodb:ListTagsOfResource",
        "ecr:GetLifecyclePolicy",
        "ecr:ListTagsForResource",
        "elasticache:ListTagsForResource",
        "elasticfilesystem:DescribeLifecycleConfiguration",
        "elasticfilesystem:DescribeTags",
        "es:GetCompatibleElasticsearchVersions",
        "es:GetUpgradeStatus",
        "glacier:GetVaultNotifications",
        "glacier:ListTagsForVault",
        "glue:GetConnection",
        "glue:GetConnections",
        "glue:GetCrawler",
        "glue:GetDatabase",
        "glue:GetJob",
        "glue:GetSecurityConfiguration",
        "glue:GetSecurityConfigurations",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTags",
        "glue:GetTrigger",
        "glue:GetWorkflow",
        "glue:ListCrawlers",
        "glue:ListJobs",
        "glue:ListTriggers",
        "glue:ListWorkflows",
        "kinesis:DescribeStreamSummary",
        "lambda:GetAlias",
        "lambda:GetEventSourceMapping",
        "lambda:GetFunction",
        "mediastore:DescribeContainer",
        "mediastore:ListTagsForResource",
        "ram:GetResourceShareAssociations",
        "ram:GetResourceShares",
        "secretsmanager:DescribeSecret",
        "sns:GetSubscriptionAttributes",
        "sns:ListSubscriptions",
        "sns:ListTagsForResource",
        "ssm:GetDocument",
        "ssm:GetMaintenanceWindow",
        "ssm:GetMaintenanceWindowTask",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetPatchBaseline",
        "ssm:ListAssociations",
        "ssm:ListResourceDataSync",
        "ssm:ListTagsForResource",
        "states:DescribeStateMachine",
        "states:ListTagsForResource",
        "waf-regional:Get*",
        "waf-regional:List*",
        "waf:Get*",
        "waf:List*",
        "wafv2:Get*",
        "wafv2:List*"
      ]
    }
  ]
}
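Both policy documents above are long enough that an action which is not a plain Get/List/Describe is easy to miss. The script below is an added example, not Fugue's own tooling: it walks an IAM policy document and reports every Allow action whose name does not start with a read-only verb, so a reviewer can confirm a scan role stays read-only. The sample policy is a constructed subset of the actions listed on this page, and the verb allowlist is an assumption you should tune to your own definition of read-only.

```python
"""Added example (not Fugue's code): report the Allow actions in an IAM policy
document whose names do not start with a read-only verb, so a reviewer can
confirm a scan role stays read-only."""
import json
import re
import sys

# Verbs accepted as read-only (an assumption; extend as needed). Matching is on
# the literal prefix, so a wildcard like "Describe*" passes while "Batch*" does
# not: where Batch* could cover more than BatchGet operations it needs a human look.
READ_ONLY_VERB = re.compile(
    r"^(BatchGet|Get|List|Describe|Lookup|Preview|Query|Search|Validate|View)"
)
READ_ONLY_HTTP = {"GET", "HEAD", "OPTIONS"}  # apigateway-style action names


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """True when the action name after "service:" starts with an accepted verb."""
    if ":" not in action:
        return False  # a bare "*" grants everything
    _, name = action.split(":", 1)
    if name.isupper():
        return name in READ_ONLY_HTTP
    return READ_ONLY_VERB.match(name) is not None


def non_read_actions(policy):
    """Allow actions that fail the read-verb test, in policy order.
    A hit is not automatically a problem (sdb:DomainMetadata is read-only but
    does not follow the naming convention); it is a prompt to review."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only_action(action):
                flagged.append(action)
    return flagged


# Constructed sample: a subset of the actions from the two policies above.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ec2:Describe*",
                "s3:GetBucket*",
                "iam:List*",
                "config:BatchGetResourceConfig",
                "cloudtrail:LookupEvents",
                "config:Deliver*",
                "datapipeline:EvaluateExpression",
                "events:TestEventPattern",
                "iam:GenerateCredentialReport",
                "iam:SimulatePrincipalPolicy",
                "rds:DownloadDBLogFilePortion",
                "sdb:DomainMetadata",
                "codedeploy:Batch*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["apigateway:GET"],
            "Resource": ["arn:aws:apigateway:*::/restapis"],
        },
    ],
}


if __name__ == "__main__":
    # Pass a policy JSON file (e.g. the SecurityAudit document above saved to
    # disk) as the first argument; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    for action in non_read_actions(policy):
        print("review:", action)
```

Save either policy document above to a file and pass its path to the script; every reported action is one to justify explicitly (for example, config:Deliver* and iam:GenerateCredentialReport are in SecurityAudit but are not named with a read verb), and the verb allowlist is where you encode your own judgement.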

Fugue IAM role CloudFormation template

Below is a CloudFormation template you can use to manually create an IAM role for Fugue, for use with AWS standard regions (i.e., not GovCloud). The template includes permissions for all scannable AWS resource types, including beta types.

You must replace YOUR_EXTERNAL_ID_HERE (line 17 of the template) with your own external ID:

AWSTemplateFormatVersion: "2010-09-09"
Description: Fugue IAM Role
Resources:
  FugueRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: FugueIAMRoleAllResourcesWithBeta
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: arn:aws:iam::370134896156:role/generate-credentials
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": YOUR_EXTERNAL_ID_HERE
      Policies:
        - PolicyName: Fugue
          PolicyDocument: {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "0",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                  "access-analyzer:GetAnalyzer",
                  "access-analyzer:ListAnalyzers",
                  "account:GetAlternateContact",
                  "acm-pca:DescribeCertificateAuthority",
                  "acm-pca:GetCertificateAuthorityCertificate",
                  "acm-pca:GetCertificateAuthorityCsr",
                  "acm-pca:ListCertificateAuthorities",
                  "acm-pca:ListTags",
                  "apigateway:GET",
                  "athena:GetWorkGroup",
                  "cloudwatch:GetDashboard",
                  "cloudwatch:ListDashboards",
                  "cloudwatch:ListTagsForResource",
                  "cognito-idp:DescribeIdentityProvider",
                  "cognito-idp:DescribeResourceServer",
                  "cognito-idp:DescribeUserPool",
                  "cognito-idp:DescribeUserPoolClient",
                  "cognito-idp:DescribeUserPoolDomain",
                  "cognito-idp:GetGroup",
                  "cognito-idp:GetUserPoolMfaConfig",
                  "cognito-idp:ListGroups",
                  "cognito-idp:ListIdentityProviders",
                  "cognito-idp:ListResourceServers",
                  "cognito-idp:ListUserPoolClients",
                  "ds:DescribeConditionalForwarders",
                  "ds:ListTagsForResource",
                  "dynamodb:ListTagsOfResource",
                  "ecr:GetLifecyclePolicy",
                  "ecr:ListTagsForResource",
                  "elasticache:ListTagsForResource",
                  "elasticfilesystem:DescribeLifecycleConfiguration",
                  "elasticfilesystem:DescribeTags",
                  "es:GetCompatibleElasticsearchVersions",
                  "es:GetUpgradeStatus",
                  "glacier:GetVaultNotifications",
                  "glacier:ListTagsForVault",
                  "glue:GetConnection",
                  "glue:GetConnections",
                  "glue:GetCrawler",
                  "glue:GetDatabase",
                  "glue:GetJob",
                  "glue:GetSecurityConfiguration",
                  "glue:GetSecurityConfigurations",
                  "glue:GetTable",
                  "glue:GetTables",
                  "glue:GetTags",
                  "glue:GetTrigger",
                  "glue:GetWorkflow",
                  "glue:ListCrawlers",
                  "glue:ListJobs",
                  "glue:ListTriggers",
                  "glue:ListWorkflows",
                  "kinesis:DescribeStreamSummary",
                  "lambda:GetAlias",
                  "lambda:GetEventSourceMapping",
                  "lambda:GetFunction",
                  "mediastore:DescribeContainer",
                  "mediastore:ListTagsForResource",
                  "ram:GetResourceShareAssociations",
                  "ram:GetResourceShares",
                  "secretsmanager:DescribeSecret",
                  "sns:GetSubscriptionAttributes",
                  "sns:ListSubscriptions",
                  "sns:ListTagsForResource",
                  "ssm:GetDocument",
                  "ssm:GetMaintenanceWindow",
                  "ssm:GetMaintenanceWindowTask",
                  "ssm:GetParameter",
                  "ssm:GetParameters",
                  "ssm:GetPatchBaseline",
                  "ssm:ListAssociations",
                  "ssm:ListResourceDataSync",
                  "ssm:ListTagsForResource",
                  "states:DescribeStateMachine",
                  "states:ListTagsForResource",
                  "waf-regional:Get*",
                  "waf-regional:List*",
                  "waf:Get*",
                  "waf:List*",
                  "wafv2:Get*",
                  "wafv2:List*"
                ]
              }
            ]
          }
      ManagedPolicyArns: ["arn:aws:iam::aws:policy/SecurityAudit"]

Outputs:
  FugueRoleArn:
    Description: IAM Role for Fugue
    Value: !GetAtt FugueRole.Arn
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", FugueRoleArn ] ]

Finding your tenant’s external ID

To find the external ID for your tenant, send an API request to the /metadata/{provider}/permissions endpoint and look for sts:ExternalId in the output (the generated IAM policy). You can find an example request in API Request Examples, or if you have jq installed and your FUGUE_API_ID and FUGUE_API_SECRET set, just run the following command to return your external ID:

curl -X POST \
  "https://api.riskmanager.fugue.co/v0/metadata/aws/permissions" \
  -u "$FUGUE_API_ID:$FUGUE_API_SECRET" \
  -H "Content-Type: application/json" \
  -d "{\"survey_resource_types\": [\"AWS.EC2.Vpc\"]}" \
  | jq -r '.aws.trust_relationship.Statement[].Condition.StringEquals."sts:ExternalId"'
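The paragraph at the top of this page explains why the trust policy carries an external ID, and the command above shows how to fetch it. The script below is an added example, not Fugue's code: it extracts the ID from a /metadata/aws/permissions response the way the jq filter does, and then checks that a trust policy (the AssumeRolePolicyDocument from the template above, converted to JSON) actually enforces that ID before you deploy the stack. The response body is constructed from only the fields the jq path walks, and the ID value in it is made up.

```python
"""Added example (not Fugue's code): read the tenant external ID out of a
/metadata/aws/permissions response and check that a role trust policy
enforces it before the role is deployed."""
import json

PLACEHOLDER = "YOUR_EXTERNAL_ID_HERE"

# Constructed sample response. Only the path the page's jq filter walks
# (.aws.trust_relationship.Statement[]) is modelled; the ID value is made up.
SAMPLE_RESPONSE = json.dumps({
    "aws": {
        "trust_relationship": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::370134896156:role/generate-credentials"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0000"}},
            }],
        }
    }
})

# The AssumeRolePolicyDocument from the CloudFormation template above, as JSON,
# still carrying the placeholder the template asks you to replace.
TEMPLATE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::370134896156:role/generate-credentials"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def external_ids_from_response(body):
    """Python equivalent of the jq filter on this page: collect every
    sts:ExternalId value the API's trust relationship requires."""
    trust = json.loads(body)["aws"]["trust_relationship"]
    ids = []
    for stmt in trust.get("Statement", []):
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is not None:
            ids.extend(_as_list(ext))
    return ids


def with_external_id(policy, external_id):
    """Return a copy of a trust policy with the placeholder replaced."""
    return json.loads(json.dumps(policy).replace(PLACEHOLDER, external_id))


def trust_policy_findings(policy, expected_id):
    """Problems with a trust policy; an empty list means it passes.
    Every Allow statement granting sts:AssumeRole to an AWS principal must
    name a specific principal and require the tenant's external ID."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = _as_list(principal)  # a bare "*" principal
        if not aws_principals:
            continue  # service principals (e.g. ec2.amazonaws.com) are out of scope here
        if "*" in aws_principals:
            findings.append(f"statement {i}: AWS principal is the wildcard '*'")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif PLACEHOLDER in _as_list(ext):
            findings.append(f"statement {i}: placeholder {PLACEHOLDER} was not replaced")
        elif expected_id not in _as_list(ext):
            findings.append(f"statement {i}: sts:ExternalId does not match the tenant's ID")
    return findings


if __name__ == "__main__":
    tenant_id = external_ids_from_response(SAMPLE_RESPONSE)[0]
    print("external ID from API:", tenant_id)
    print("template as shipped:", trust_policy_findings(TEMPLATE_TRUST_POLICY, tenant_id))
    fixed = with_external_id(TEMPLATE_TRUST_POLICY, tenant_id)
    print("after replacing placeholder:", trust_policy_findings(fixed, tenant_id))
```

To use it against a real account, feed the body returned by the curl command above to external_ids_from_response and the AssumeRolePolicyDocument of the role you are about to create (or the one already attached, from iam:GetRole) to trust_policy_findings; a non-empty list means the role can be assumed without the tenant-specific ID and should not be deployed as is.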