# Minimum Access IAM User

### How to Create a Minimum Access IAM User

Creating the Hava read-only IAM user with the AWS-managed **ReadOnlyAccess** policy ensures that the user does not have enough privileges to change anything in your environment. Be aware, though, that ReadOnlyAccess grants read access across practically every AWS service, and for some services that includes the contents of data stores (for example `s3:Get*`, which covers S3 objects), not just configuration metadata.

If you feel that the default policy from AWS allows too much access, you can create a custom policy that grants only what Hava needs.

We recommend the default read-only policy because it automatically covers services we add support for in future. If you prefer a tighter grant, follow these steps to create a minimum-access read-only user that Hava can use to visualize your AWS infrastructure; you will need to revisit the custom policy when Hava adds support for new services.

Before you start make sure you are logged in to the [AWS console](https://console.aws.amazon.com/console/home).

1. From the main console screen click on **Identity & Access Management**.![iam-step1.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step1.png?width=256\&name=iam-step1.png)
2. From the IAM dashboard select the **Users** section and then click the **Create New Users** button.![iam-step2.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step2.png?width=378\&name=iam-step2.png)
3. Enter a unique username for your new user, make sure **Generate an access key** is checked, and then click the **Create** button. Hava only needs programmatic access, so do not give this user a console password.\
   ![iam-step3.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step3.png?width=583\&name=iam-step3.png)
4. You should be notified that your user has been created. Copy the access key ID and secret access key from this screen or click **Download** to save them. This is the only time the secret access key is shown, so keep the downloaded file somewhere secure and delete it once the credentials have been entered into Hava.\
   ![iam-step4.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step4.png?width=575\&name=iam-step4.png)
5. Now that you've created your user, you will need to create the custom policy that grants Hava the permissions it requires at a minimum. From the IAM dashboard select the **Policy** section and then click the **Create New Policy** button.\
   ![IAM-policy-selected.png](https://www.hava.io/hs-fs/hubfs/IAM-policy-selected.png?width=148\&name=IAM-policy-selected.png)\
   ![Screen\_Shot\_2016-04-08\_at\_3.23.48\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.23.48_PM.png?width=293\&name=Screen_Shot_2016-04-08_at_3.23.48_PM.png)
6. You will then need to select the **Create Your Own Policy** option.\
   ![Screen\_Shot\_2016-04-08\_at\_3.26.09\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.26.09_PM.png?width=1024\&name=Screen_Shot_2016-04-08_at_3.26.09_PM.png)
7. You will need to provide the name of your policy such as "**HAVA-RO-POLICY**", a description of the policy such as **"Just enough access to ensure Hava can work its magic"**, and then enter the custom policy seen here:\
   \
   ![Screen\_Shot\_2016-04-08\_at\_3.30.20\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.30.20_PM.png?width=1024\&name=Screen_Shot_2016-04-08_at_3.30.20_PM.png)\
   \
   You can copy and paste the policy from here:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": [
           "acm:DescribeCertificate",
           "acm:GetCertificate",
           "acm:ListCertificates",
           "apigateway:GET",
           "appsync:GetApiCache",
           "appsync:ListApiKeys",
           "appsync:ListDataSources",
           "appsync:ListDomainNames",
           "appsync:ListFunctions",
           "appsync:ListGraphqlApis",
           "appsync:ListResolvers",
           "appsync:ListSourceApiAssociations",
           "appsync:ListTagsForResource",
           "appsync:ListTypes",
           "appstream:Get*",
           "autoscaling:Describe*",
           "cloudformation:List*",
           "cloudfront:Get*",
           "cloudfront:List*",
           "cloudhsm:DescribeBackups",
           "cloudhsm:DescribeClusters",
           "cloudhsm:GetResourcePolicy",
           "cloudhsm:ListTags",
           "cloudsearch:Describe*",
           "cloudsearch:List*",
           "cloudtrail:DescribeTrails",
           "cloudtrail:GetTrailStatus",
           "cloudwatch:Describe*",
           "cloudwatch:Get*",
           "cloudwatch:List*",
           "config:Describe*",
           "config:Get*",
           "datapipeline:DescribeObjects",
           "datapipeline:DescribePipelines",
           "datapipeline:GetPipelineDefinition",
           "datapipeline:ListPipelines",
           "datapipeline:QueryObjects",
           "directconnect:Describe*",
           "ds:Check*",
           "ds:Describe*",
           "ds:Get*",
           "ds:List*",
           "ds:Verify*",
           "dynamodb:DescribeGlobalTable",
           "dynamodb:DescribeTable",
           "dynamodb:ListGlobalTables",
           "dynamodb:ListTables",
           "dynamodb:ListTagsOfResource",
           "ec2:Describe*",
           "ecr:BatchCheckLayerAvailability",
           "ecr:BatchGetImage",
           "ecr:DescribeRepositories",
           "ecr:GetDownloadUrlForLayer",
           "ecr:ListImages",
           "ecs:Describe*",
           "ecs:List*",
           "eks:Describe*",
           "eks:List*",
           "elasticache:Describe*",
           "elasticache:List*",
           "elasticbeanstalk:Check*",
           "elasticbeanstalk:Describe*",
           "elasticbeanstalk:List*",
           "elasticfilesystem:DescribeFileSystems",
           "elasticfilesystem:DescribeMountTargetSecurityGroups",
           "elasticfilesystem:DescribeMountTargets",
           "elasticfilesystem:DescribeTags",
           "elasticloadbalancing:Describe*",
           "elasticmapreduce:Describe*",
           "elasticmapreduce:List*",
           "elastictranscoder:List*",
           "elastictranscoder:Read*",
           "es:DescribeDomain",
           "es:DescribeDomainNodes",
           "es:DescribeDomains",
           "es:DescribeElasticsearchDomain",
           "es:DescribeElasticsearchDomainConfig",
           "es:DescribeElasticsearchDomains",
           "es:DescribeReservedElasticsearchInstances",
           "es:DescribeVpcEndpoints",
           "es:ListDomainNames",
           "es:ListTags",
           "es:ListVpcEndpointAccess",
           "es:ListVpcEndpoints",
           "es:ListVpcEndpointsForDomain",
           "events:DescribeApiDestination",
           "events:DescribeArchive",
           "events:DescribeConnection",
           "events:DescribeEndpoint",
           "events:DescribeEventBus",
           "events:DescribeEventSource",
           "events:DescribePartnerEventSource",
           "events:DescribeReplay",
           "events:DescribeRule",
           "events:ListApiDestinations",
           "events:ListArchives",
           "events:ListConnections",
           "events:ListEndpoints",
           "events:ListEventBuses",
           "events:ListEventSources",
           "events:ListPartnerEventSourceAccounts",
           "events:ListPartnerEventSources",
           "events:ListReplays",
           "events:ListRuleNamesByTarget",
           "events:ListRules",
           "events:ListTagsForResource",
           "events:ListTargetsByRule",
           "events:TestEventPattern",
           "firehose:DescribeDeliveryStream",
           "firehose:ListDeliveryStreams",
           "firehose:ListTagsForDeliveryStream",
           "glacier:DescribeJob",
           "glacier:DescribeVault",
           "glacier:GetDataRetrievalPolicy",
           "glacier:GetVaultAccessPolicy",
           "glacier:GetVaultLock",
           "glacier:GetVaultNotifications",
           "glacier:ListJobs",
           "glacier:ListMultipartUploads",
           "glacier:ListParts",
           "glacier:ListTagsForVault",
           "glacier:ListVaults",
           "iam:Get*",
           "iam:List*",
           "inspector:Describe*",
           "inspector:Get*",
           "inspector:List*",
           "iot:Describe*",
           "iot:Get*",
           "iot:List*",
           "kafka:DescribeCluster",
           "kafka:DescribeClusterV2",
           "kafka:DescribeVpcConnection",
           "kafka:ListClientVpcConnections",
           "kafka:ListClusters",
           "kafka:ListClustersV2",
           "kafka:ListNodes",
           "kafka:ListTagsForResource",
           "kafka:ListVpcConnections",
           "kinesis:Describe*",
           "kinesis:DescribeStream",
           "kinesis:DescribeStreamConsumer",
           "kinesis:DescribeStreamSummary",
           "kinesis:ListShards",
           "kinesis:ListStreamConsumers",
           "kinesis:ListStreams",
           "kinesis:ListTagsForStream",
           "kms:Describe*",
           "kms:Get*",
           "kms:List*",
           "lambda:Get*",
           "lambda:List*",
           "logs:Describe*",
           "logs:Get*",
           "logs:TestMetricFilter",
           "machinelearning:Describe*",
           "machinelearning:Get*",
           "opsworks:Describe*",
           "opsworks:Get*",
           "organizations:ListAccounts",
           "rds:Describe*",
           "rds:ListTagsForResource",
           "redshift:Describe*",
           "redshift:ViewQueriesInConsole",
           "route53:Get*",
           "route53:List*",
           "route53domains:CheckDomainAvailability",
           "route53domains:GetDomainDetail",
           "route53domains:GetOperationDetail",
           "route53domains:ListDomains",
           "route53domains:ListOperations",
           "route53domains:ListTagsForDomain",
           "s3:GetAccelerateConfiguration",
           "s3:GetAnalyticsConfiguration",
           "s3:GetBucket*",
           "s3:GetInventoryConfiguration",
           "s3:GetLifecycleConfiguration",
           "s3:GetMetricsConfiguration",
           "s3:GetReplicationConfiguration",
           "s3:List*",
           "sdb:GetAttributes",
           "sdb:List*",
           "sdb:Select*",
           "ses:Get*",
           "ses:List*",
           "sns:Get*",
           "sns:List*",
           "sqs:GetQueueAttributes",
           "sqs:ListQueues",
           "storagegateway:Describe*",
           "storagegateway:List*",
           "swf:Count*",
           "swf:Describe*",
           "swf:Get*",
           "swf:List*",
           "tag:Get*",
           "trustedadvisor:Describe*",
           "waf-regional:Get*",
           "waf-regional:List*",
           "waf:Get*",
           "waf:List*",
           "wafv2:GetWebACL",
           "wafv2:ListResourcesForWebACL",
           "wafv2:ListTagsForResource",
           "wafv2:ListWebACLs",
           "workspaces:Describe*"
         ],
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
   }
   ```
8. Once you have entered all of the details and pasted the policy contents into the **Policy Document** section, click **Create Policy** to complete the policy creation process. The statement uses `"Resource": "*"` because the Describe and List calls of many services do not support resource-level permissions. Note that a few of the granted read actions return more than configuration metadata (for example `lambda:Get*` covers `lambda:GetFunction`, which returns a download URL for the function code, and `ecr:GetDownloadUrlForLayer` lets the holder pull image layers); remove them if you do not use those services.
9. Click your new user in the list and go to the **Managed Policies** header under **Permissions**. Click **Attach Policy**.\
   ![iam-step5.png](https://www.hava.io/hs-fs/hubfs/iam-help/iam-step5.png?width=401\&name=iam-step5.png)
10. Scroll through the policy list until you find custom policy **HAVA-RO-POLICY**. Click the checkbox and then click **Attach Policy**.\
    ![Screen\_Shot\_2016-04-08\_at\_3.35.27\_PM.png](https://www.hava.io/hs-fs/hubfs/Screen_Shot_2016-04-08_at_3.35.27_PM.png?width=1024\&name=Screen_Shot_2016-04-08_at_3.35.27_PM.png)
11. This policy will allow you to import everything needed to create diagrams and basic reports. If you would like the full data available in your reports, you can also attach these AWS-managed policies to the user:

    *arn:aws:iam::aws:policy/SecurityAudit*

    *arn:aws:iam::aws:policy/job-function/ViewOnlyAccess*
12. Now head back to the Hava homepage and enter the credentials you downloaded earlier to get started! These are long-lived access keys, so rotate them periodically and delete them from IAM if you stop using Hava.
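Whether a policy is actually read-only, and which of its "read" actions still hand over data rather than configuration, can be checked offline before the policy is attached to the user. The following Python script is an added example and is not Hava's code or tooling. Its watchlist of data-returning actions is a hand-maintained assumption (not a list AWS publishes), and the two policy documents embedded in it are constructed: one is an excerpt of the custom policy above, the other deliberately mixes in a write action and the broad `s3:Get*` grant that the managed ReadOnlyAccess policy also carries.

```python
"""Offline lint for an IAM policy that is supposed to be read-only.

Added example for this page; it is not Hava's code or tooling. It answers
the two questions a practitioner has before attaching a "read-only" policy:

  1. Does every allowed action use a read-style verb (Describe/Get/List/...),
     so the principal cannot change anything?
  2. Which granted actions return data or secrets (instance user data,
     Lambda code and environment variables, log events, ECR layers, ...)
     rather than configuration metadata? That watchlist is hand-maintained
     here and is an assumption, not a list AWS publishes.
"""
import fnmatch
import json

# Verb prefixes that only read state. "apigateway:GET" uses the literal
# HTTP verb as its action name, so "GET" is listed as well.
READ_VERBS = ("Describe", "Get", "List", "Check", "Verify", "Count", "Read",
              "Query", "Select", "Test", "View", "BatchCheck", "BatchGet", "GET")

# Read-only actions that reveal more than configuration (assumed watchlist).
DATA_ACTIONS = {
    "ec2:DescribeInstanceAttribute": "returns instance userData, which often embeds secrets",
    "lambda:GetFunction": "returns a pre-signed URL for the deployment package",
    "lambda:GetFunctionConfiguration": "returns Lambda environment variables",
    "logs:GetLogEvents": "returns CloudWatch log contents",
    "ecr:GetDownloadUrlForLayer": "returns a download URL for image layer contents",
    "ecr:BatchGetImage": "returns image manifests, i.e. pull access",
    "appsync:ListApiKeys": "returns AppSync API key values",
    "sdb:Select": "reads SimpleDB item data",
    "s3:GetObject": "reads S3 object contents",
}


def _verb(action):
    """'ec2:Describe*' -> 'Describe*', 'apigateway:GET' -> 'GET'."""
    return action.split(":", 1)[1] if ":" in action else action


def is_read_only_action(action):
    """True when the action (possibly a wildcard pattern) starts with a read verb."""
    verb = _verb(action)
    return bool(verb) and not verb.startswith("*") and any(verb.startswith(p) for p in READ_VERBS)


def _matches(pattern, action):
    """IAM-style action matching: '*' wildcard, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Audit every Allow statement. Returns the actions that are not read-style,
    the watchlisted data-exposing actions the policy reaches (with the reason),
    and whether any statement uses Resource "*"."""
    if policy.get("Version") != "2012-10-17":
        raise ValueError("expected policy language version 2012-10-17")
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    non_read, data, resource_wildcard = [], {}, False
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            # Negated lists grant everything *except* what is named: never least privilege.
            non_read.append("<NotAction/NotResource statement>")
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        resource_wildcard = resource_wildcard or "*" in resources
        for pattern in actions:
            if not is_read_only_action(pattern):
                non_read.append(pattern)
            for real, why in DATA_ACTIONS.items():
                if _matches(pattern, real):
                    data[real] = why
    return {"non_read_actions": non_read, "data_actions": data,
            "resource_wildcard": resource_wildcard}


# Constructed excerpt of the custom policy above (same shape, fewer actions).
HAVA_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "apigateway:GET", "ec2:Describe*", "ecr:GetDownloadUrlForLayer",
        "lambda:Get*", "lambda:List*", "logs:Describe*", "logs:Get*",
        "s3:GetBucket*", "s3:List*", "sdb:Select*", "appsync:ListApiKeys",
    ]}],
}

# Constructed policy with a write action and the broad "s3:Get*" grant that
# the AWS-managed ReadOnlyAccess policy also carries.
SNEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "s3:Get*", "ec2:RunInstances"]}],
}

if __name__ == "__main__":
    for name, pol in (("hava-excerpt", HAVA_POLICY_EXCERPT), ("sneaky", SNEAKY_POLICY)):
        print(name, json.dumps(audit_policy(pol), indent=2))
```

Run it against the full policy JSON from step 7 by loading the file with `json.load` and passing the result to `audit_policy`. An empty `non_read_actions` list confirms the policy cannot modify anything; the `data_actions` entries are the ones to weigh against the services you actually run in the account before attaching the policy.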
