Lucidity Assessment
The Assessment tool retrieves VM metadata and disk-level storage metrics, such as the number of VMs, attached managed disk details, mount point details, and disk utilization.
The following permissions are required for the Assessment tool to collect storage metrics.
| # | Service | Permission | Description |
|---|---|---|---|
| 1 | Auto Scaling | autoscaling:DescribeAutoScalingGroups | To retrieve details about one or more Auto Scaling groups. |
| 2 | CloudWatch | cloudwatch:GetMetricStatistics | To fetch historical IOPS metrics for EBS volumes. |
| 3 | Cost Explorer | ce:GetCostAndUsage | To retrieve cost and usage information from AWS Cost Explorer. |
| 4 | EC2 | ec2:DescribeInstances | To retrieve EC2 instance details such as state, tags, storage configuration, placement, etc. |
| 5 | EC2 | ec2:DescribeRegions | To retrieve the list of all AWS regions available to the account. |
| 6 | EC2 | ec2:DescribeVolumes | To retrieve detailed information about one or more EBS volumes, such as size, volume type, AZ, etc. |
| 7 | EC2 | ec2:DescribeImages | To retrieve details about AMIs in the AWS account. |
| 8 | EC2 | ec2:DescribeIamInstanceProfileAssociations | To query and list the IAM instance profile associations of an EC2 instance. |
| 9 | EC2 | ec2:AssociateIamInstanceProfile | To associate an instance profile with an EC2 instance so that its SSM agent can register with Systems Manager. |
| 10 | EC2 | ec2:DisassociateIamInstanceProfile | To detach the instance profile from the EC2 instance after the assessment. |
| 11 | EKS | eks:ListClusters | To retrieve a list of all EKS clusters in the account. |
| 12 | EKS | eks:ListNodegroups | To retrieve a list of all node groups in a specified EKS cluster. |
| 13 | EKS | eks:DescribeNodegroup | To retrieve detailed information about a specific node group. |
| 14 | IAM | iam:GetInstanceProfile | To retrieve information about an instance profile, such as profile name, ARN, associated IAM role, associated tags, etc. |
| 15 | IAM | iam:GetRole | To retrieve the IAM role already attached to an EC2 instance. If such a role exists, it is reused for the instance profile instead of creating a new role. |
| 16 | IAM | iam:ListPolicies | To list the managed policies in the AWS account. |
| 17 | IAM | iam:ListAttachedRolePolicies | To list the managed policies attached to a particular role. |
| 18 | IAM | iam:ListRoles | To list the IAM roles in the AWS account. |
| 19 | IAM | iam:PassRole | To allow the Assessment tool to pass an IAM role to the EC2 service when configuring an instance with an instance profile. |
| 20 | IAM | iam:AttachRolePolicy | To attach the temporary AWS policy to the temporary IAM role. |
| 21 | IAM | iam:AddRoleToInstanceProfile | To add the temporarily created Lucidity IAM role with SSM permissions to the instance profile. |
| 22 | IAM | iam:CreateInstanceProfile | To create an instance profile, which is used to activate each VM's SSM agent so that it can collect disk details and report them to Systems Manager. |
| 23 | IAM | iam:CreateRole | To create a temporary IAM role carrying the above-mentioned AWS policy. |
| 24 | IAM | iam:DeleteInstanceProfile | To delete the temporarily created instance profile after the assessment. |
| 25 | IAM | iam:DeleteRole | To delete the temporarily created role after the assessment. |
| 26 | IAM | iam:DetachRolePolicy | To detach the AWS policy from the role before deleting the role permanently. |
| 27 | IAM | iam:RemoveRoleFromInstanceProfile | To detach the role from the instance profile before deleting the profile permanently. |
| 28 | SSM | ssm:DescribeInstanceInformation | To list all EC2 instances managed by SSM. |
| 29 | SSM | ssm:GetCommandInvocation | To view details about commands executed through SSM, such as execution status, command output, and error messages. |
| 30 | SSM | ssm:SendCommand | To run the commands that collect disk utilization metrics on Lucidity-managed EC2 instances. |
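Taken together, rows 9-10, 19-27 and 30 let the assessment principal create a role, attach a policy to it, pass it to EC2 and run commands on instances, which on a policy written as `Resource: "*"` is effectively account-wide privilege. The script below is an added example, not Lucidity's published policy or code: it builds a policy document containing exactly the 30 actions from the table, scopes the IAM write actions and `iam:PassRole` to a hypothetical `lucidity-` role and instance-profile name prefix, restricts `iam:PassRole` with the `iam:PassedToService` condition, and then audits any policy document for escalation-prone actions granted on `*` without a condition. The account ID, the name prefix, the instance-level scoping and the `document/*` wildcard for `ssm:SendCommand` are all assumptions; in particular, if the tool reuses an instance's existing role (row 15) the `AttachRolePolicy`/`DetachRolePolicy` resource must be widened to that role's ARN.

```python
"""Build and audit an IAM policy for the permission list above (added example)."""
from __future__ import annotations
import json

ACCOUNT_ID_EXAMPLE = "123456789012"  # placeholder account id (assumption)
ROLE_PREFIX = "lucidity-"            # hypothetical naming convention (assumption)

# Rows 1-8, 11-18, 28-29: read/list/describe calls; these only accept Resource "*".
READ_ONLY_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups", "cloudwatch:GetMetricStatistics",
    "ce:GetCostAndUsage", "ec2:DescribeInstances", "ec2:DescribeRegions",
    "ec2:DescribeVolumes", "ec2:DescribeImages",
    "ec2:DescribeIamInstanceProfileAssociations", "eks:ListClusters",
    "eks:ListNodegroups", "eks:DescribeNodegroup", "iam:GetInstanceProfile",
    "iam:GetRole", "iam:ListPolicies", "iam:ListAttachedRolePolicies",
    "iam:ListRoles", "ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation",
]
# Rows 9-10: change an instance's profile; scoped to instances in the account.
EC2_WRITE_ACTIONS = ["ec2:AssociateIamInstanceProfile", "ec2:DisassociateIamInstanceProfile"]
# Rows 20-27: lifecycle of the temporary role and instance profile.
IAM_WRITE_ACTIONS = [
    "iam:AttachRolePolicy", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile",
    "iam:CreateRole", "iam:DeleteInstanceProfile", "iam:DeleteRole",
    "iam:DetachRolePolicy", "iam:RemoveRoleFromInstanceProfile",
]
# Actions that grant privilege escalation when left unscoped (rows 19-27, 30).
ESCALATION_PRONE = set(IAM_WRITE_ACTIONS) | {"iam:PassRole", "ssm:SendCommand"}


def build_policy(account_id: str, role_prefix: str = ROLE_PREFIX) -> dict:
    """Return a policy document covering the 30 table actions with scoped writes."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_prefix}*"
    profile_arn = f"arn:aws:iam::{account_id}:instance-profile/{role_prefix}*"
    instance_arn = f"arn:aws:ec2:*:{account_id}:instance/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnlyInventory", "Effect": "Allow",
             "Action": READ_ONLY_ACTIONS, "Resource": "*"},
            {"Sid": "AttachDetachProfile", "Effect": "Allow",
             "Action": EC2_WRITE_ACTIONS, "Resource": instance_arn},
            {"Sid": "TemporaryRoleLifecycle", "Effect": "Allow",
             "Action": IAM_WRITE_ACTIONS, "Resource": [role_arn, profile_arn]},
            # PassRole only for prefixed roles, and only to the EC2 service.
            {"Sid": "PassRoleToEc2Only", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": role_arn,
             "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
            # SendCommand needs both the target instances and the SSM document;
            # the document the tool runs is not named on the page (assumption: any).
            {"Sid": "RunCollectorCommands", "Effect": "Allow",
             "Action": "ssm:SendCommand",
             "Resource": [instance_arn, "arn:aws:ssm:*:*:document/*"]},
        ],
    }


def naive_policy() -> dict:
    """The shortcut many teams take: every listed action on Resource "*"."""
    all_actions = READ_ONLY_ACTIONS + EC2_WRITE_ACTIONS + IAM_WRITE_ACTIONS \
        + ["iam:PassRole", "ssm:SendCommand"]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "Everything", "Effect": "Allow",
                           "Action": all_actions, "Resource": "*"}]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def granted_actions(policy: dict) -> set[str]:
    """All actions allowed by the policy (no wildcard expansion)."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))}


def audit_policy(policy: dict) -> list[str]:
    """Report escalation-prone actions granted on "*" with no Condition block."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt
        for action in _as_list(stmt.get("Action", [])):
            if unscoped and action in ESCALATION_PRONE:
                findings.append(f"{stmt.get('Sid', '?')}: {action} allowed on any "
                                f"resource without a Condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy(ACCOUNT_ID_EXAMPLE), indent=2))
    for line in audit_policy(naive_policy()):
        print("FINDING:", line)
```

Run the script to print the scoped policy and the findings for the naive variant; `audit_policy` is deliberately shallow (it does not expand `iam:*`-style wildcards or evaluate deny statements), so treat it as a pre-commit sanity check rather than a substitute for IAM Access Analyzer.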