Minimum Access IAM User
How to Create a Minimum Access IAM User
Creating the Hava Read-Only IAM user, that uses the standard AWS ReadOnlyAccess Policy will ensure that your user doesn't have enough privileges to change anything in your environment.
If you feel that the default policy from AWS allows too much access you can create a custom policy to limit it to just what we need.
While we recommend the default Read-Only policy to account for future updates to our supported services you can follow these steps to create a minimum access read-only user that Hava can use to visualize your AWS infrastructure.
Before you start make sure you are logged in to the AWS console.
From the main console screen click on Identity & Access Management.
From the IAM dashboard select the Users section and then click the Create New Users button.
Enter a unique username for your new user, make sure Generate an access key is checked, and then click the Create button.
You should be notified that your user has been created. You can copy the details from this screen or just click Download to save them.
Now that you've created your user, you will need to create the customer policy that grants Hava the security it requires at a minimum.From the IAM dashboard select the Policy section and then click the Create New Policy button.
You will then need to select the Create Your Own Policy option.
You will need to provide the name of your policy such as "HAVA-RO-POLICY", a description of the policy such as "Just enough access to ensure Hava can work it's magic" and then enter in the custom policy seen here:
You can copy and paste the policy from here:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates", "apigateway:GET", "appsync:GetApiCache", "appsync:ListApiKeys", "appsync:ListDataSources", "appsync:ListDomainNames", "appsync:ListFunctions", "appsync:ListGraphqlApis", "appsync:ListResolvers", "appsync:ListSourceApiAssociations", "appsync:ListTagsForResource", "appsync:ListTypes", "appstream:Get*", "autoscaling:Describe*", "cloudformation:List*", "cloudfront:Get*", "cloudfront:List*", "cloudsearch:Describe*", "cloudsearch:List*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "codecommit:BatchGetRepositories", "codecommit:Get*", "codecommit:GitPull", "codecommit:List*", "codedeploy:Batch*", "codedeploy:Get*", "codedeploy:List*", "config:Deliver*", "config:Describe*", "config:Get*", "datapipeline:DescribeObjects", "datapipeline:DescribePipelines", "datapipeline:EvaluateExpression", "datapipeline:GetPipelineDefinition", "datapipeline:ListPipelines", "datapipeline:QueryObjects", "datapipeline:ValidatePipelineDefinition", "directconnect:Describe*", "ds:Check*", "ds:Describe*", "ds:Get*", "ds:List*", "ds:Verify*", "dynamodb:DescribeGlobalTable", "dynamodb:DescribeTable", "dynamodb:ListGlobalTables", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ec2:Describe*", "ec2:GetConsoleOutput", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer", "ecr:ListImages", "ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*", "elasticache:Describe*", "elasticache:List*", "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*", "elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:RetrieveEnvironmentInfo", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargetSecurityGroups", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeTags", "elasticloadbalancing:Describe*", "elasticmapreduce:Describe*", "elasticmapreduce:List*", "elastictranscoder:List*", "elastictranscoder:Read*", "es:DescribeDomain", "es:DescribeDomainNodes", "es:DescribeDomains", "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomainConfig", "es:DescribeElasticsearchDomains", "es:DescribeReservedElasticsearchInstances", "es:DescribeVpcEndpoints", "es:ESHttpGet", "es:ESHttpHead", "es:ListDomainNames", "es:ListTags", "es:ListVpcEndpointAccess", "es:ListVpcEndpoints", "es:ListVpcEndpointsForDomain", "events:DescribeApiDestination", "events:DescribeArchive", "events:DescribeConnection", "events:DescribeEndpoint", "events:DescribeEventBus", "events:DescribeEventSource", "events:DescribePartnerEventSource", "events:DescribeReplay", "events:DescribeRule", "events:ListApiDestinations", "events:ListArchives", "events:ListConnections", "events:ListEndpoints", "events:ListEventBuses", "events:ListEventSources", "events:ListPartnerEventSourceAccounts", "events:ListPartnerEventSources", "events:ListReplays", "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTagsForResource", "events:ListTargetsByRule", "events:TestEventPattern", "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams", "firehose:ListTagsForDeliveryStream", "glacier:DescribeJob", "glacier:DescribeVault", "glacier:GetDataRetrievalPolicy", "glacier:GetJobOutput", "glacier:GetVaultAccessPolicy", "glacier:GetVaultLock", "glacier:GetVaultNotifications", "glacier:ListJobs", "glacier:ListMultipartUploads", "glacier:ListParts", "glacier:ListTagsForVault", "glacier:ListVaults", "iam:GenerateCredentialReport", "iam:Get*", "iam:List*", "inspector:Describe*", "inspector:Get*", "inspector:List*", "iot:Describe*", "iot:Get*", "iot:List*", "kafka:DescribeCluster", "kafka:DescribeClusterV2", "kafka:DescribeVpcConnection", "kafka:ListClientVpcConnections", "kafka:ListClusters", "kafka:ListClustersV2", "kafka:ListNodes", "kafka:ListTagsForResource", "kafka:ListVpcConnections", "kinesis:Describe*", "kinesis:DescribeStream", "kinesis:DescribeStreamConsumer", "kinesis:DescribeStreamSummary", "kinesis:ListShards", "kinesis:ListStreamConsumers", "kinesis:ListStreams", "kinesis:ListTagsForStream", "kms:Describe*", "kms:Get*", "kms:List*", "lambda:Get*", "lambda:List*", "logs:Describe*", "logs:Get*", "logs:TestMetricFilter", "machinelearning:Describe*", "machinelearning:Get*", "opsworks:Describe*", "opsworks:Get*", "organizations:ListAccounts", "rds:Describe*", "rds:ListTagsForResource", "redshift:Describe*", "redshift:ViewQueriesInConsole", "route53:Get*", "route53:List*", "route53domains:CheckDomainAvailability", "route53domains:GetDomainDetail", "route53domains:GetOperationDetail", "route53domains:ListDomains", "route53domains:ListOperations", "route53domains:ListTagsForDomain", "s3:GetAccelerateConfiguration", "s3:GetAnalyticsConfiguration", "s3:GetBucket*", "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetReplicationConfiguration", "s3:List*", "sdb:GetAttributes", "sdb:List*", "sdb:Select*", "ses:Get*", "ses:List*", "sns:Get*", "sns:List*", "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage", "storagegateway:Describe*", "storagegateway:List*", "swf:Count*", "swf:Describe*", "swf:Get*", "swf:List*", "tag:Get*", "trustedadvisor:Describe*", "waf-regional:Get*", "waf-regional:List*", "waf:Get*", "waf:List*", "wafv2:GetWebACL", "wafv2:ListResourcesForWebACL", "wafv2:ListTagsForResource", "wafv2:ListWebACLs", "workspaces:Describe*" ], "Effect": "Allow", "Resource": "*" } ] }Once you have entered in all of the details and copy and pasted the policy contents into the Policy Document section, you can click Create Policy to complete the policy creation process.
Click your new user in the list and go to the Managed Policies header under Permissions. Click Attach Policy.
Scroll through the policy list until you find custom policy HAVA-RO-POLICY. Click the checkbox and then click Attach Policy.
This policy will allow you to import everything needed to create diagrams and basic reports. If you would like the full data available in your reports you can also add these policies to your user: arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
Now head back to the Hava homepage and enter the credentials you downloaded earlier to get started!
Last updated
Was this helpful?