
Identify and remediate public-cloud compliance misconfigurations, mitigate security threats, and control your expenses from one simple, easy-to-use platform.
Our default policy allows us to gather all the asset data from your account. Note that alongside the read-only Describe/Get/List actions it also grants `support:*` and several data-plane reads (for example `dax:Query`, `dax:Scan`, `dynamodb:BatchGet*`, `sqs:Receive*`, `es:ESHttpGet`, `rds:Download*`), which return record, message, index or log contents rather than just resource metadata, so review it against your own data-access requirements before attaching it.
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"amplify:GetApp",
"amplify:GetBranch",
"amplify:GetJob",
"amplify:GetDomainAssociation",
"amplify:ListApps",
"amplify:ListBranches",
"amplify:ListDomainAssociations",
"amplify:ListJobs",
"apigateway:GET",
"autoscaling:Describe*",
"autoscaling-plans:Describe*",
"autoscaling-plans:GetScalingPlanResourceForecastData",
"athena:List*",
"athena:Batch*",
"athena:Get*",
"backup:Describe*",
"backup:Get*",
"backup:List*",
"batch:List*",
"batch:Describe*",
"cassandra:Select",
"cloudformation:Describe*",
"cloudformation:Detect*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Estimate*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudsearch:Describe*",
"cloudsearch:List*",
"dax:BatchGetItem",
"dax:Describe*",
"dax:GetItem",
"dax:ListTags",
"dax:Query",
"dax:Scan",
"devicefarm:List*",
"devicefarm:Get*",
"directconnect:Describe*",
"dlm:Get*",
"dms:Describe*",
"dms:List*",
"dms:Test*",
"ds:Check*",
"ds:Describe*",
"ds:Get*",
"ds:List*",
"ds:Verify*",
"dynamodb:BatchGet*",
"dynamodb:Describe*",
"dynamodb:Get*",
"dynamodb:List*",
"ec2:Describe*",
"ec2:Get*",
"ec2:SearchTransitGatewayRoutes",
"ec2messages:Get*",
"ecr:BatchCheck*",
"ecr:BatchGet*",
"ecr:Describe*",
"ecr:Get*",
"ecr:List*",
"ecs:Describe*",
"ecs:List*",
"eks:DescribeCluster",
"eks:DescribeUpdate",
"eks:Describe*",
"eks:ListClusters",
"eks:ListUpdates",
"eks:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:Request*",
"elasticbeanstalk:Retrieve*",
"elasticbeanstalk:Validate*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"es:Describe*",
"es:List*",
"es:Get*",
"es:ESHttpGet",
"es:ESHttpHead",
"fsx:Describe*",
"fsx:List*",
"glacier:List*",
"glacier:Describe*",
"iam:Generate*",
"iam:Get*",
"iam:List*",
"iam:Simulate*",
"imagebuilder:Get*",
"imagebuilder:List*",
"importexport:Get*",
"importexport:List*",
"kafka:Describe*",
"kafka:List*",
"kafka:Get*",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:List*",
"lambda:Get*",
"machinelearning:Describe*",
"machinelearning:Get*",
"mq:Describe*",
"mq:List*",
"organizations:Describe*",
"organizations:List*",
"rds:Describe*",
"rds:List*",
"rds:Download*",
"redshift:Describe*",
"redshift:GetReservedNodeExchangeOfferings",
"redshift:View*",
"resource-groups:Get*",
"resource-groups:List*",
"resource-groups:Search*",
"route53:Get*",
"route53:List*",
"route53:Test*",
"route53domains:Check*",
"route53domains:Get*",
"route53domains:List*",
"route53domains:View*",
"route53resolver:Get*",
"route53resolver:List*",
"s3:GetAccelerateConfiguration",
"s3:GetAccessPoint*",
"s3:GetAccountPublicAccessBlock",
"s3:GetAnalyticsConfiguration",
"s3:GetBucket*",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetJobTagging",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:GetStorageLensConfiguration",
"s3:GetStorageLensConfigurationTagging",
"s3:GetStorageLensDashboard",
"s3:List*",
"sdb:Get*",
"sdb:List*",
"sdb:Select*",
"serverlessrepo:List*",
"serverlessrepo:Get*",
"serverlessrepo:SearchApplications",
"servicediscovery:Get*",
"servicediscovery:List*",
"ses:Get*",
"ses:List*",
"ses:Describe*",
"sns:Get*",
"sns:List*",
"sns:Check*",
"sqs:Get*",
"sqs:List*",
"sqs:Receive*",
"sts:GetAccessKeyInfo",
"sts:GetCallerIdentity",
"sts:GetSessionToken",
"swf:Count*",
"swf:Describe*",
"swf:Get*",
"swf:List*",
"support:*",
"tag:Get*",
"waf:Get*",
"waf:List*",
"wafv2:CheckCapacity",
"wafv2:Describe*",
"wafv2:Get*",
"wafv2:List*",
"waf-regional:List*",
"waf-regional:Get*",
"workspaces:Describe*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
This allows Tenacity to query monitoring-related resources from your AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudtrail:Describe*",
"cloudtrail:Get*",
"cloudtrail:List*",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"compute-optimizer:DescribeRecommendationExportJobs",
"compute-optimizer:GetAutoScalingGroupRecommendations",
"compute-optimizer:GetEC2InstanceRecommendations",
"compute-optimizer:GetEC2RecommendationProjectedMetrics",
"compute-optimizer:GetEnrollmentStatus",
"compute-optimizer:GetRecommendationSummaries",
"events:Describe*",
"events:List*",
"events:Test*",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
This allows Tenacity to query security-related resources from your AWS account. Be aware that this policy goes beyond configuration reads in a few places: `cognito-identity:GetCredentialsForIdentity`, `cognito-identity:GetOpenIdToken` and `cognito-identity:GetOpenIdTokenForDeveloperIdentity` issue credentials or tokens, `config:Deliver*` triggers delivery actions, and `logs:Get*`/`logs:FilterLogEvents` return log contents.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"access-analyzer:ListAnalyzer",
"access-analyzer:GetAnalyzer",
"acm:Describe*",
"acm:Get*",
"acm:List*",
"acm-pca:Describe*",
"acm-pca:Get*",
"acm-pca:List*",
"clouddirectory:List*",
"clouddirectory:BatchRead",
"clouddirectory:Get*",
"clouddirectory:LookupPolicy",
"cognito-identity:Describe*",
"cognito-identity:GetCredentialsForIdentity",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:GetOpenIdToken",
"cognito-identity:GetOpenIdTokenForDeveloperIdentity",
"cognito-identity:List*",
"cognito-identity:Lookup*",
"cognito-sync:List*",
"cognito-sync:Describe*",
"cognito-sync:Get*",
"cognito-sync:QueryRecords",
"cognito-idp:AdminGet*",
"cognito-idp:AdminList*",
"cognito-idp:List*",
"cognito-idp:Describe*",
"cognito-idp:Get*",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"config:List*",
"config:SelectResourceConfig",
"cloudhsm:List*",
"cloudhsm:Describe*",
"cloudhsm:Get*",
"detective:Get*",
"detective:List*",
"guardduty:Get*",
"guardduty:List*",
"inspector:Describe*",
"inspector:Get*",
"inspector:List*",
"inspector:Preview*",
"logs:Describe*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:ListTagsLogGroup",
"logs:StartQuery",
"logs:TestMetricFilter",
"secretsmanager:List*",
"secretsmanager:Describe*",
"secretsmanager:GetResourcePolicy",
"securityhub:Describe*",
"securityhub:Get*",
"securityhub:List*",
"servicecatalog:List*",
"servicecatalog:Scan*",
"servicecatalog:Search*",
"servicecatalog:Describe*",
"shield:Describe*",
"shield:Get*",
"shield:List*",
"sso:Get*",
"sso:Describe*",
"sso:List*",
"sso:Search*",
"sso-directory:Describe*",
"sso-directory:List*",
"sso-directory:Search*",
"trustedadvisor:Describe*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
This allows Tenacity to query billing information from your AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ce:DescribeCostCategoryDefinition",
"ce:GetRightsizingRecommendation",
"ce:GetCostAndUsage",
"ce:GetSavingsPlansUtilization",
"ce:GetAnomalies",
"ce:GetReservationPurchaseRecommendation",
"ce:GetCostForecast",
"ce:GetReservationUtilization",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetDimensionValues",
"ce:GetSavingsPlansUtilizationDetails",
"ce:GetAnomalySubscriptions",
"ce:GetCostAndUsageWithResources",
"ce:GetReservationCoverage",
"ce:GetSavingsPlansCoverage",
"ce:GetAnomalyMonitors",
"ce:GetTags",
"ce:GetUsageForecast",
"cur:DescribeReportDefinitions"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
This is the bucket Tenacity creates during the integration process, which is where detailed billing information is delivered from AWS. This policy allows us to copy data from the bucket to the platform; `{UUID}` is replaced with the identifier generated for your integration. Note that `s3:*` grants every S3 action on the bucket (including deleting objects and changing the bucket policy or ACL), which is broader than copying data requires — `s3:GetObject` and `s3:ListBucket` on the same two ARNs are sufficient for read access.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::tenacity-{UUID}",
"arn:aws:s3:::tenacity-{UUID}/*"
],
"Effect": "Allow"
}
]
}
This allows Tenacity to query data from sub-accounts within your AWS account. This is only applicable if you're using AWS Organizations and have more than one account; `{subaccountid1}` through `{subaccountid6}` are replaced with your member account IDs. The `Condition` block in this policy is empty, so the trust policy on each sub-account's `TenacityIntegrationRole` is what controls who is allowed to assume it.
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {},
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::{subaccountid1}:role/TenacityIntegrationRole",
"arn:aws:iam::{subaccountid2}:role/TenacityIntegrationRole",
"arn:aws:iam::{subaccountid3}:role/TenacityIntegrationRole",
"arn:aws:iam::{subaccountid4}:role/TenacityIntegrationRole",
"arn:aws:iam::{subaccountid5}:role/TenacityIntegrationRole",
"arn:aws:iam::{subaccountid6}:role/TenacityIntegrationRole"
],
"Effect": "Allow"
}
]
}