
IAM Permissions Reference

Understand the AWS IAM permissions CloudArq uses to audit your infrastructure. We follow the principle of least privilege and never modify your infrastructure.

Overview

Read-Only Access Only

CloudArq uses read-only IAM permissions. We never create, modify, or delete any AWS resources. All API calls are read-only operations like Describe*, Get*, List*, and Check*.

No Credential Storage in Plain Text

AWS credentials are encrypted with AES-256 before storage and never transmitted unencrypted.

Temporary Credentials

When using IAM Roles with STS AssumeRole (recommended), CloudArq obtains temporary security credentials that expire after 1 hour.

Recommended: IAM Role with External ID

Why This Method?

  • Most secure approach recommended by AWS
  • External ID prevents confused deputy attacks
  • Temporary credentials expire automatically (1 hour)
  • Easy to audit with CloudTrail
  • Can be revoked instantly by deleting the role

How It Works

  1. You create an IAM role in your AWS account using the provided CloudFormation template
  2. The role is configured to trust CloudArq's AWS account
  3. The External ID is embedded in the trust relationship for added security
  4. CloudArq calls STS AssumeRole with the External ID to obtain temporary credentials
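The trust relationship is where the External ID actually does its work: the role may only be assumed when the caller presents the agreed value in the `sts:ExternalId` condition. The following is an added example, not code from CloudArq or its CloudFormation template. It builds a trust policy of the shape described above and checks an existing one for the two things a reviewer should confirm before deploying a third-party role: that every `sts:AssumeRole` grant carries an `sts:ExternalId` condition and that no wildcard principal can assume the role. The account ID and External ID are placeholders; the real values come from the CloudArq console.

```python
import json

# Placeholder values (constructed for this example): the real CloudArq account ID
# and the External ID are shown in the CloudArq console when you add a connection.
CLOUDARQ_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "replace-with-external-id-from-cloudarq"


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy that lets one external account assume the role, and only
    when the caller presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Return a list of problems with a role trust policy. Every Allow of
    sts:AssumeRole must carry an sts:ExternalId condition (the confused-deputy
    control) and must not open the role to a wildcard principal."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        ):
            findings.append(f"statement {i}: wildcard principal may assume the role")
        condition = stmt.get("Condition") or {}
        external_ids = []
        for operator in ("StringEquals", "ForAnyValue:StringEquals"):
            external_ids.extend(_as_list(condition.get(operator, {}).get("sts:ExternalId")))
        if not external_ids:
            findings.append(f"statement {i}: AssumeRole allowed without sts:ExternalId condition")
    return findings


def trust_policy_findings_from_json(text):
    """Convenience wrapper for a trust policy pasted from the console or a template."""
    return trust_policy_findings(json.loads(text))


if __name__ == "__main__":
    good = build_trust_policy(CLOUDARQ_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("findings (with External ID):", trust_policy_findings(good))
    # Constructed defective policy: same principal, but the condition was left out.
    bad = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CLOUDARQ_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
        }],
    }
    print("findings (without External ID):", trust_policy_findings(bad))
```

Run the check against the `AssumeRolePolicyDocument` of the role before you deploy it and again whenever the template changes; a trust policy that allows `sts:AssumeRole` without the condition lets anyone who can persuade CloudArq's account to assume roles reach your account, which is exactly the confused-deputy case the External ID exists to block.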

Alternative: Access Keys

When to Use Access Keys

If you can't create IAM roles or prefer not to establish a cross-account trust relationship, you can use AWS Access Keys. This is less secure than IAM Roles and is NOT recommended.

Important

Access Keys are encrypted with AES-256-GCM at rest and never transmitted in plain text, but they are long-lived credentials. If compromised, an attacker could access your AWS account until you rotate the keys.

Storage Security

  • Encrypted with AES-256-GCM
  • Unique initialization vector per operation
  • Never stored or logged in plaintext

Permission List (Read-Only)

CloudArq requires read-only permissions across 30+ AWS services. Here are common examples organized by service:

EC2 (Compute)

ec2:Describe*
ec2:GetEbsEncryptionByDefault
ec2:GetFlowLogsIntegrationOptions

S3 (Storage)

s3:ListAllMyBuckets
s3:GetBucketPolicy
s3:GetBucketEncryption
s3:GetBucketVersioning
s3:GetBucketAcl
s3:GetBucketLogging
s3:GetObjectTagging

IAM (Identity)

iam:List*
iam:Get*
iam:Simulate*

RDS (Database)

rds:Describe*
rds:ListTagsForResource

Lambda (Serverless)

lambda:List*
lambda:GetFunction*

CloudWatch, KMS, Config, GuardDuty, SecurityHub, and Others

All Describe*, Get*, List* actions for monitoring, encryption, and security services.

What We Never Do

CloudArq never performs these actions:

  • s3:PutObject (write to buckets)
  • s3:DeleteObject (delete from buckets)
  • ec2:RunInstances (create instances)
  • iam:CreateRole (create roles)
  • secretsmanager:GetSecretValue (read secrets)
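The permission list above and the "never do" list together define what a read-only audit role should look like, and they also show why a verb-prefix rule alone is not enough: `secretsmanager:GetSecretValue` starts with `Get` yet reads secret material, so it has to be excluded explicitly. The following is an added example, not CloudArq's template or code. It lints a permissions policy document against both lists: every granted action must be read-only by verb prefix, and no granted pattern (including wildcards such as `secretsmanager:Get*`) may cover one of the forbidden actions unless an explicit `Deny` covers it too. The sample policies are constructed for the example.

```python
import fnmatch

# Verb prefixes the page describes as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Check", "Simulate")

# Actions the page says CloudArq never performs. The last one begins with "Get"
# but reads secret material, so the prefix test alone would let it through.
FORBIDDEN_ACTIONS = (
    "s3:PutObject",
    "s3:DeleteObject",
    "ec2:RunInstances",
    "iam:CreateRole",
    "secretsmanager:GetSecretValue",
)


def _as_list(value):
    """IAM accepts either a string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only_action(pattern):
    """True if an action, or an action wildcard such as 'ec2:Describe*', can
    only match read-only verbs. '*' and 'service:*' are never read-only."""
    if pattern == "*" or pattern.endswith(":*"):
        return False
    _service, sep, verb = pattern.partition(":")
    return bool(sep) and verb.startswith(READ_ONLY_PREFIXES)


def _actions(policy, effect):
    """All Action entries from statements with the given Effect."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            out.extend(_as_list(stmt.get("Action")))
    return out


def lint_permissions(policy):
    """Return findings for a permissions policy: any granted action that is not
    read-only, and any granted pattern that covers a forbidden action without an
    explicit Deny for it. Action names are compared as written in the policy."""
    findings = []
    denied = _actions(policy, "Deny")
    for pattern in _actions(policy, "Allow"):
        if not is_read_only_action(pattern):
            findings.append(f"non-read-only action granted: {pattern}")
        for forbidden in FORBIDDEN_ACTIONS:
            covered = fnmatch.fnmatchcase(forbidden, pattern)
            explicitly_denied = any(fnmatch.fnmatchcase(forbidden, d) for d in denied)
            if covered and not explicitly_denied:
                findings.append(f"{pattern} covers forbidden action {forbidden}")
    return findings


# Constructed sample policies (not CloudArq's template): one that follows the
# page's lists, and one with two defects a reviewer should catch.
CLEAN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:Describe*", "ec2:GetEbsEncryptionByDefault",
                   "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
                   "iam:List*", "iam:Get*", "iam:Simulate*",
                   "rds:Describe*", "lambda:List*", "lambda:GetFunction*"],
    }],
}

OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "secretsmanager:Get*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:*"},
    ],
}


if __name__ == "__main__":
    print("clean:", lint_permissions(CLEAN_POLICY))
    for finding in lint_permissions(OVERBROAD_POLICY):
        print("overbroad:", finding)
```

Run it over the `PolicyDocument` of every policy the CloudFormation template attaches to the role. Because the findings are derived from the policy text rather than from what the vendor states, the check also doubles as the periodic permission review the best-practices section recommends.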

CloudFormation Template

CloudArq provides a CloudFormation template that creates the correct IAM role with all necessary permissions and proper security configurations.

How to Use

  1. Go to Connections in CloudArq and click "Add Connection"
  2. Click the CloudFormation template link
  3. Deploy the template in your AWS account
  4. Copy the generated Role ARN back to CloudArq

What the Template Does

  • Creates an IAM role named CloudArqAuditRole
  • Attaches read-only permissions for 30+ AWS services
  • Configures trust relationship with CloudArq's AWS account
  • Includes External ID for additional security
  • Follows AWS best practices and principle of least privilege

Principle of Least Privilege

CloudArq follows industry best practices by requesting only the minimum permissions necessary to perform audits.

Best Practices

  • Create a dedicated IAM role specifically for CloudArq (not using root or admin credentials)
  • Review the permissions periodically to ensure they're still necessary
  • Enable CloudTrail to audit CloudArq's API calls
  • Use SCPs (Service Control Policies) to further restrict access if needed
  • Rotate access keys (if using that method) quarterly

Auditing CloudArq

All CloudArq API calls are logged in CloudTrail. You can review CloudTrail logs to see exactly which API calls CloudArq made, when, and from which IP addresses.
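CloudTrail records identify calls made through an assumed role by the role name in `userIdentity.sessionContext.sessionIssuer.userName`, carry the caller's `sourceIPAddress`, and flag each event with a `readOnly` boolean. The following is an added example, not code from CloudArq. It reads a CloudTrail log file, keeps only events from `CloudArqAuditRole` sessions, and reports which API calls were made, from which IP addresses, and whether any of them were not read-only, which is the condition the page says should never occur. The log records are constructed for the example; the account ID and IP addresses are documentation placeholders.

```python
import json
from collections import Counter

ROLE_NAME = "CloudArqAuditRole"  # role name the page says the template creates

# Constructed CloudTrail log for illustration (not real data): two read-only
# calls from the role, one non-read-only call from a second IP, and one
# unrelated call by an IAM user that must be ignored.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CloudArqAuditRole/audit",
                      "sessionContext": {"sessionIssuer": {"userName": "CloudArqAuditRole"}}}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CloudArqAuditRole/audit",
                      "sessionContext": {"sessionIssuer": {"userName": "CloudArqAuditRole"}}}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CloudArqAuditRole/audit",
                      "sessionContext": {"sessionIssuer": {"userName": "CloudArqAuditRole"}}}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.44", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
]})


def load_records(text):
    """Parse the JSON document CloudTrail delivers to S3 ({"Records": [...]})."""
    return json.loads(text).get("Records", [])


def is_role_session(record, role_name):
    """True if the event was made by a session of the named role."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return identity.get("type") == "AssumedRole" and issuer.get("userName") == role_name


def summarize_role_activity(records, role_name=ROLE_NAME):
    """Count calls per API, collect source IPs, and list events CloudTrail
    did not mark read-only, restricted to sessions of the given role."""
    calls = Counter()
    source_ips = set()
    non_read_only = []
    for record in records:
        if not is_role_session(record, role_name):
            continue
        calls[f"{record.get('eventSource')}:{record.get('eventName')}"] += 1
        source_ips.add(record.get("sourceIPAddress"))
        if not record.get("readOnly", False):
            non_read_only.append(
                (record.get("eventTime"), record.get("eventName"), record.get("sourceIPAddress"))
            )
    return {
        "total": sum(calls.values()),
        "calls": calls,
        "source_ips": sorted(source_ips),
        "non_read_only": non_read_only,
    }


if __name__ == "__main__":
    summary = summarize_role_activity(load_records(SAMPLE_LOG))
    print(f"{summary['total']} calls by {ROLE_NAME} from {summary['source_ips']}")
    for api, count in sorted(summary["calls"].items()):
        print(f"  {count:>3}  {api}")
    for event_time, name, ip in summary["non_read_only"]:
        print(f"NOT READ-ONLY: {name} at {event_time} from {ip}")
```

Point `load_records` at the gzip-decompressed files CloudTrail delivers to your log bucket, or at the output of an Athena or CloudTrail Lake query restricted to the role. An empty `non_read_only` list and a stable, small set of source IPs is what a read-only audit integration should look like; a new IP or a non-read-only event is worth investigating, and revoking access is as simple as deleting the role.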