# Minimum Access IAM User

### How to Create a Minimum Access IAM User

Creating the Hava read-only IAM user with the standard AWS ReadOnlyAccess policy ensures that the user does not have enough privileges to change anything in your environment.

If you feel that the default AWS policy allows too much access, you can create a custom policy that limits it to just what Hava needs.

While we recommend the default ReadOnlyAccess policy, so that future updates to our supported services are covered automatically, you can follow these steps to create a minimum-access read-only user that Hava can use to visualize your AWS infrastructure.

Before you start, make sure you are logged in to the [AWS console](https://console.aws.amazon.com/console/home).

1. From the main console screen click on **Identity & Access Management**.![iam-step1.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step1.png?width=256\&name=iam-step1.png)
2. From the IAM dashboard select the **Users** section and then click the **Create New Users** button.![iam-step2.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step2.png?width=378\&name=iam-step2.png)
3. Enter a unique username for your new user, make sure **Generate an access key** is checked, and then click the **Create** button.\
   ![iam-step3.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step3.png?width=583\&name=iam-step3.png)
4. You should be notified that your user has been created. You can copy the details from this screen or just click **Download** to save them.\
   ![iam-step4.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step4.png?width=575\&name=iam-step4.png)
5. Now that you've created your user, you need to create the custom policy that grants Hava the minimum access it requires. From the IAM dashboard select the **Policy** section and then click the **Create New Policy** button.\
   ![IAM-policy-selected.png](https://www.hava.io/hs-fs/hubfs/IAM-policy-selected.png?width=148\&name=IAM-policy-selected.png)\
   ![Screen\_Shot\_2016-04-08\_at\_3.23.48\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.23.48_PM.png?width=293\&name=Screen_Shot_2016-04-08_at_3.23.48_PM.png)
6. You will then need to select the **Create Your Own Policy** option.\
   ![Screen\_Shot\_2016-04-08\_at\_3.26.09\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.26.09_PM.png?width=1024\&name=Screen_Shot_2016-04-08_at_3.26.09_PM.png)
7. Provide a name for your policy such as **"HAVA-RO-POLICY"**, a description such as **"Just enough access to ensure Hava can work its magic"**, and then enter the custom policy seen here:\
   ![Screen\_Shot\_2016-04-08\_at\_3.30.20\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.30.20_PM.png?width=1024\&name=Screen_Shot_2016-04-08_at_3.30.20_PM.png)

   You can copy and paste the policy from here:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": [
           "acm:DescribeCertificate",
           "acm:GetCertificate",
           "acm:ListCertificates",
           "apigateway:GET",
           "appsync:GetApiCache",
           "appsync:ListApiKeys",
           "appsync:ListDataSources",
           "appsync:ListDomainNames",
           "appsync:ListFunctions",
           "appsync:ListGraphqlApis",
           "appsync:ListResolvers",
           "appsync:ListSourceApiAssociations",
           "appsync:ListTagsForResource",
           "appsync:ListTypes",
           "appstream:Get*",
           "autoscaling:Describe*",
           "cloudformation:List*",
           "cloudfront:Get*",
           "cloudfront:List*",
           "cloudhsm:DescribeBackups",
           "cloudhsm:DescribeClusters",
           "cloudhsm:GetResourcePolicy",
           "cloudhsm:ListTags",
           "cloudsearch:Describe*",
           "cloudsearch:List*",
           "cloudtrail:DescribeTrails",
           "cloudtrail:GetTrailStatus",
           "cloudwatch:Describe*",
           "cloudwatch:Get*",
           "cloudwatch:List*",
           "config:Describe*",
           "config:Get*",
           "datapipeline:DescribeObjects",
           "datapipeline:DescribePipelines",
           "datapipeline:GetPipelineDefinition",
           "datapipeline:ListPipelines",
           "datapipeline:QueryObjects",
           "directconnect:Describe*",
           "ds:Check*",
           "ds:Describe*",
           "ds:Get*",
           "ds:List*",
           "ds:Verify*",
           "dynamodb:DescribeGlobalTable",
           "dynamodb:DescribeTable",
           "dynamodb:ListGlobalTables",
           "dynamodb:ListTables",
           "dynamodb:ListTagsOfResource",
           "ec2:Describe*",
           "ecr:BatchCheckLayerAvailability",
           "ecr:BatchGetImage",
           "ecr:DescribeRepositories",
           "ecr:GetDownloadUrlForLayer",
           "ecr:ListImages",
           "ecs:Describe*",
           "ecs:List*",
           "eks:Describe*",
           "eks:List*",
           "elasticache:Describe*",
           "elasticache:List*",
           "elasticbeanstalk:Check*",
           "elasticbeanstalk:Describe*",
           "elasticbeanstalk:List*",
           "elasticfilesystem:DescribeFileSystems",
           "elasticfilesystem:DescribeMountTargetSecurityGroups",
           "elasticfilesystem:DescribeMountTargets",
           "elasticfilesystem:DescribeTags",
           "elasticloadbalancing:Describe*",
           "elasticmapreduce:Describe*",
           "elasticmapreduce:List*",
           "elastictranscoder:List*",
           "elastictranscoder:Read*",
           "es:DescribeDomain",
           "es:DescribeDomainNodes",
           "es:DescribeDomains",
           "es:DescribeElasticsearchDomain",
           "es:DescribeElasticsearchDomainConfig",
           "es:DescribeElasticsearchDomains",
           "es:DescribeReservedElasticsearchInstances",
           "es:DescribeVpcEndpoints",
           "es:ListDomainNames",
           "es:ListTags",
           "es:ListVpcEndpointAccess",
           "es:ListVpcEndpoints",
           "es:ListVpcEndpointsForDomain",
           "events:DescribeApiDestination",
           "events:DescribeArchive",
           "events:DescribeConnection",
           "events:DescribeEndpoint",
           "events:DescribeEventBus",
           "events:DescribeEventSource",
           "events:DescribePartnerEventSource",
           "events:DescribeReplay",
           "events:DescribeRule",
           "events:ListApiDestinations",
           "events:ListArchives",
           "events:ListConnections",
           "events:ListEndpoints",
           "events:ListEventBuses",
           "events:ListEventSources",
           "events:ListPartnerEventSourceAccounts",
           "events:ListPartnerEventSources",
           "events:ListReplays",
           "events:ListRuleNamesByTarget",
           "events:ListRules",
           "events:ListTagsForResource",
           "events:ListTargetsByRule",
           "events:TestEventPattern",
           "firehose:DescribeDeliveryStream",
           "firehose:ListDeliveryStreams",
           "firehose:ListTagsForDeliveryStream",
           "glacier:DescribeJob",
           "glacier:DescribeVault",
           "glacier:GetDataRetrievalPolicy",
           "glacier:GetVaultAccessPolicy",
           "glacier:GetVaultLock",
           "glacier:GetVaultNotifications",
           "glacier:ListJobs",
           "glacier:ListMultipartUploads",
           "glacier:ListParts",
           "glacier:ListTagsForVault",
           "glacier:ListVaults",
           "iam:Get*",
           "iam:List*",
           "inspector:Describe*",
           "inspector:Get*",
           "inspector:List*",
           "iot:Describe*",
           "iot:Get*",
           "iot:List*",
           "kafka:DescribeCluster",
           "kafka:DescribeClusterV2",
           "kafka:DescribeVpcConnection",
           "kafka:ListClientVpcConnections",
           "kafka:ListClusters",
           "kafka:ListClustersV2",
           "kafka:ListNodes",
           "kafka:ListTagsForResource",
           "kafka:ListVpcConnections",
           "kinesis:Describe*",
           "kinesis:DescribeStream",
           "kinesis:DescribeStreamConsumer",
           "kinesis:DescribeStreamSummary",
           "kinesis:ListShards",
           "kinesis:ListStreamConsumers",
           "kinesis:ListStreams",
           "kinesis:ListTagsForStream",
           "kms:Describe*",
           "kms:Get*",
           "kms:List*",
           "lambda:Get*",
           "lambda:List*",
           "logs:Describe*",
           "logs:Get*",
           "logs:TestMetricFilter",
           "machinelearning:Describe*",
           "machinelearning:Get*",
           "opsworks:Describe*",
           "opsworks:Get*",
           "organizations:ListAccounts",
           "rds:Describe*",
           "rds:ListTagsForResource",
           "redshift:Describe*",
           "redshift:ViewQueriesInConsole",
           "route53:Get*",
           "route53:List*",
           "route53domains:CheckDomainAvailability",
           "route53domains:GetDomainDetail",
           "route53domains:GetOperationDetail",
           "route53domains:ListDomains",
           "route53domains:ListOperations",
           "route53domains:ListTagsForDomain",
           "s3:GetAccelerateConfiguration",
           "s3:GetAnalyticsConfiguration",
           "s3:GetBucket*",
           "s3:GetInventoryConfiguration",
           "s3:GetLifecycleConfiguration",
           "s3:GetMetricsConfiguration",
           "s3:GetReplicationConfiguration",
           "s3:List*",
           "sdb:GetAttributes",
           "sdb:List*",
           "sdb:Select*",
           "ses:Get*",
           "ses:List*",
           "sns:Get*",
           "sns:List*",
           "sqs:GetQueueAttributes",
           "sqs:ListQueues",
           "storagegateway:Describe*",
           "storagegateway:List*",
           "swf:Count*",
           "swf:Describe*",
           "swf:Get*",
           "swf:List*",
           "tag:Get*",
           "trustedadvisor:Describe*",
           "waf-regional:Get*",
           "waf-regional:List*",
           "waf:Get*",
           "waf:List*",
           "wafv2:GetWebACL",
           "wafv2:ListResourcesForWebACL",
           "wafv2:ListTagsForResource",
           "wafv2:ListWebACLs",
           "workspaces:Describe*"
         ],
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
   }
   ```
8. Once you have entered all of the details and pasted the policy into the **Policy Document** section, click **Create Policy** to complete the policy creation.
9. Click your new user in the list and go to the **Managed Policies** header under **Permissions**. Click **Attach Policy**.\
   ![iam-step5.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step5.png?width=401\&name=iam-step5.png)
10. Scroll through the policy list until you find custom policy **HAVA-RO-POLICY**. Click the checkbox and then click **Attach Policy**.\
    ![Screen\_Shot\_2016-04-08\_at\_3.35.27\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.35.27_PM.png?width=1024\&name=Screen_Shot_2016-04-08_at_3.35.27_PM.png)
11. This policy will allow you to import everything needed to create diagrams and basic reports. If you would like the full data available in your reports, you can also attach these policies to your user:

    *arn:aws:iam::aws:policy/SecurityAudit*

    *arn:aws:iam::aws:policy/job-function/ViewOnlyAccess*
12. Now head back to the Hava homepage and enter the credentials you downloaded earlier to get started!
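The custom policy above is meant to grant read access only, so before attaching a policy like it (or a later edit of it) it is worth confirming that every action really is a read. The following Python script is an added example, not part of Hava's documentation or tooling: it audits a policy document and reports every Allow grant whose verb is not a read-only verb, wildcard grants, `NotAction` statements, and reads that return content rather than metadata. The embedded sample is a constructed subset of HAVA-RO-POLICY with one deliberately broad statement added; the verb list and the content-read set are this example's own assumptions, not an AWS definition.

```python
import json

# Constructed sample: a subset of the page's HAVA-RO-POLICY actions plus one
# extra statement that a reviewer should catch before attaching the policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["apigateway:GET", "ec2:Describe*", "iam:Get*", "iam:List*",
                "sdb:Select*", "swf:Count*", "ecr:BatchGetImage", "s3:GetBucket*"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["s3:PutBucketPolicy", "kms:*"]}
  ]
}
""")
# Assumed list of verb prefixes that only read state, matched case-insensitively
# so that apigateway:GET passes. Anything else is treated as a potential write.
READ_ONLY_VERBS = ("get", "list", "describe", "check", "verify", "read", "count",
                   "view", "test", "query", "select", "batchcheck", "batchget")
# Read-only by verb, but these return payload rather than configuration metadata
# (assumed set); worth a second look when the goal is only to visualize resources.
CONTENT_READS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "s3:GetObject"}

def classify_action(action):
    """Return 'read', 'content' or 'write' for one IAM action string."""
    if action in CONTENT_READS:
        return "content"
    service, _, verb = action.partition(":")
    if service == "*" or verb in ("", "*"):
        return "write"  # "*" and "service:*" grant mutations as well
    return "read" if verb.lower().startswith(READ_ONLY_VERBS) else "write"

def audit_policy(doc):
    """Return [(statement_index, action, verdict)] for every grant that is not 'read'."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "write"))  # allows everything not listed
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            verdict = classify_action(action)
            if verdict != "read":
                findings.append((i, action, verdict))
    return findings

if __name__ == "__main__":
    for idx, action, verdict in audit_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {action} -> {verdict}")
```

Load the JSON you are about to paste into the **Policy Document** field in place of `SAMPLE_POLICY`; an empty result means every grant matched a read-only verb, while any finding deserves a look before the policy is attached.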

