Permissions

Learn about StarOps Permission Requirements

IAM Policy Permission

For StarOps to perform its workflows across your AWS cloud infrastructure, it requires certain permissions. These are granted through an automatic IAM policy setup.

Because the setup uses CloudFormation, creating these IAM policy permissions is a simple process from the Integrations section of StarOps.

IAM Permissions (as on 09/12/25)

  • iam:CreateRole - Creating new IAM roles for service accounts and applications
  • iam:GetRole - Checking existing role configuration before modifications
  • iam:DeleteRole - Cleaning up unused roles during resource deprovisioning
  • iam:ListRoles - Discovering existing roles for inventory and management
  • iam:UpdateAssumeRolePolicy - Modifying trust relationships for role access
  • iam:PutRolePolicy - Attaching inline policies to roles for specific permissions
  • iam:GetRolePolicy - Reading current role policies before modifications
  • iam:DeleteRolePolicy - Removing unnecessary policies during cleanup
  • iam:ListRolePolicies - Listing all policies attached to a role
  • iam:CreatePolicy - Creating custom policies for specific use cases
  • iam:GetPolicy - Checking policy details before attachment
  • iam:GetPolicyVersion - Reviewing specific policy versions
  • iam:ListPolicyVersions - Managing policy version history
  • iam:DeletePolicy - Removing obsolete policies
  • iam:CreateUser - Creating IAM users for service integrations
  • iam:GetUser - Retrieving user information for access management
  • iam:DeleteUser - Removing users during deprovisioning
  • iam:ListUsers - Inventorying existing users
  • iam:CreateAccessKey - Generating access keys for programmatic access
  • iam:ListAccessKeys - Managing user access keys
  • iam:DeleteAccessKey - Rotating or removing access keys
  • iam:AttachUserPolicy - Granting permissions to users
  • iam:DetachUserPolicy - Removing permissions from users
  • iam:DeleteUserPolicy - Cleaning up user-specific policies
  • iam:ListAttachedRolePolicies - Auditing role permissions
  • iam:ListAttachedUserPolicies - Auditing user permissions
  • iam:ListGroupsForUser - Checking user group memberships
  • iam:ListInstanceProfilesForRole - Managing EC2 instance profiles
  • iam:ListAccountAliases - Retrieving account information for identification
  • iam:* - Full IAM access for comprehensive identity management

S3

  • s3:ListAllMyBuckets - Discovering existing S3 buckets for inventory
  • s3:CreateBucket - Creating new buckets for data storage and model artifacts
  • s3:DeleteBucket - Cleaning up unused buckets during resource deprovisioning
  • s3:ListBucket - Listing objects within buckets for content management
  • s3:GetBucketLocation - Determining bucket regions for compliance and optimization
  • s3:PutBucketPolicy - Configuring bucket access policies for security
  • s3:GetObject - Retrieving files, models, and configurations from buckets
  • s3:PutObject - Uploading models, data, and configuration files
  • s3:DeleteObject - Removing obsolete files and cleaning up storage
  • s3:HeadObject - Checking object metadata without downloading content
  • s3:* - Full S3 access for comprehensive storage management

EKS

  • eks:ListClusters - Discovering existing Kubernetes clusters
  • eks:DescribeCluster - Retrieving cluster configuration and status
  • eks:CreateCluster - Provisioning new Kubernetes clusters
  • eks:DeleteCluster - Decommissioning clusters during cleanup
  • eks:UpdateClusterConfig - Modifying cluster settings and configurations
  • eks:UpdateClusterVersion - Upgrading Kubernetes versions
  • eks:AccessKubernetesApi - Interacting with Kubernetes API for workload management
  • eks:CreateAccessEntry - Managing cluster access for users and services
  • eks:DeleteAccessEntry - Removing cluster access during deprovisioning
  • eks:AssociateAccessPolicy - Granting specific permissions within clusters
  • eks:DisassociateAccessPolicy - Removing permissions from cluster access
  • eks:ListAccessEntries - Auditing cluster access permissions
  • eks:ListAccessPolicies - Reviewing available cluster policies
  • eks:* - Full EKS access for comprehensive cluster management

EC2

  • ec2:DescribeInstances - Inventorying EC2 instances for resource management
  • ec2:DescribeVpcs - Discovering network configurations for deployment planning
  • ec2:* - Full EC2 access for comprehensive compute and networking management

Route53

  • route53:ListHostedZones - Discovering DNS zones for certificate management
  • route53:ListHostedZonesByName - Finding specific DNS zones by name
  • route53:GetHostedZone - Retrieving DNS zone configuration details
  • route53:ListTagsForResource - Checking DNS resource tags for organization
  • route53:CreateHostedZone - Creating new DNS hosted zones for domain management
  • route53:DeleteHostedZone - Removing DNS hosted zones during cleanup
  • route53:GetChange - Checking the status of Route 53 change requests
  • route53:ChangeResourceRecordSets - Modifying DNS records within a hosted zone
  • route53:ChangeTagsForResource - Managing tags on Route 53 resources
  • route53:* - Full Route53 access for comprehensive DNS management

CloudFormation

  • cloudformation:DescribeStacks - Checking stack status and outputs
  • cloudformation:DeleteStack - Cleaning up CloudFormation stacks
  • cloudformation:* - Full CloudFormation access for infrastructure management

Lambda

  • lambda:ListFunctions - Discovering existing Lambda functions
  • lambda:InvokeFunction - Triggering webhook and notification functions
  • lambda:DeleteFunction - Cleaning up Lambda functions during deprovisioning

CloudWatch Logs

  • logs:CreateLogGroup - Setting up logging for applications and services
  • logs:CreateLogStream - Creating log streams for organized logging
  • logs:PutLogEvents - Writing log entries for monitoring and debugging
  • logs:* - Full CloudWatch Logs access for comprehensive logging management

CloudFront

  • cloudfront:Get* - Retrieving CloudFront distribution configurations, cache behaviors, and settings
  • cloudfront:List* - Listing CloudFront distributions, invalidations, and origin access controls

DynamoDB

  • dynamodb:List* - Listing DynamoDB tables, backups, and global tables for inventory
  • dynamodb:Describe* - Retrieving table metadata, configurations, and status information
  • dynamodb:GetItem - Reading individual items from DynamoDB tables
  • dynamodb:BatchGetItem - Reading multiple items efficiently from tables
  • dynamodb:Query - Querying tables using partition and sort keys
  • dynamodb:Scan - Scanning entire tables for data analysis
  • dynamodb:ConditionCheckItem - Checking item conditions without modifying data
  • dynamodb:ListTagsOfResource - Retrieving tags associated with DynamoDB resources

Service Quotas

  • servicequotas:GetServiceQuota - Checking current service quota limits
  • servicequotas:ListServiceQuotas - Listing all service quotas for planning
  • servicequotas:RequestServiceQuotaIncrease - Requesting quota increases for scaling

Other Services

RDS

  • rds:DescribeDBInstances - Discovering database instances for inventory
  • rds:Describe* - Full read-only access to RDS metadata, snapshots, and parameters
  • rds:ListTagsForResource - Retrieving tags associated with RDS resources

ECR Public

  • ecr-public:* - Full ECR Public access for container image management

KMS

  • kms:* - Full KMS access for encryption key management

EventBridge

  • events:* - Full EventBridge access for event-driven architecture

SQS

  • sqs:* - Full SQS access for message queue management

Organizations

  • organizations:* - Full Organizations access for account management and information

STS

  • sts:GetServiceBearerToken - Obtaining service tokens for authentication

Comprehensive Read-Only Access

Security Services

  • guardduty:Get*, guardduty:List* - GuardDuty threat detection data
  • inspector:Describe*, inspector:Get*, inspector:List* - Amazon Inspector vulnerability assessments
  • macie:Get*, macie:List* - Amazon Macie data security and privacy findings
  • detective:Get*, detective:List* - Amazon Detective security investigation data
  • securityhub:Get*, securityhub:List* - AWS Security Hub consolidated security findings
  • accessanalyzer:Get*, accessanalyzer:List* - IAM Access Analyzer findings
  • config:Describe*, config:Get*, config:List* - AWS Config compliance and configuration data
  • cloudtrail:Describe*, cloudtrail:Get*, cloudtrail:List* - CloudTrail audit logs and events

Web Application Firewall

  • waf:Get*, waf:List* - Classic WAF rules and configurations
  • wafv2:Get*, wafv2:List*, wafv2:Describe* - WAFv2 web ACLs and rules
  • waf-regional:Get*, waf-regional:List*, waf-regional:Describe* - Regional WAF configurations
  • shield:Describe*, shield:Get*, shield:List* - AWS Shield DDoS protection status

Analytics and Machine Learning

  • glue:Get*, glue:List* - AWS Glue ETL job and catalog metadata
  • athena:Get*, athena:List* - Amazon Athena query execution and results
  • kinesis:Describe*, kinesis:Get*, kinesis:List* - Kinesis data streaming services
  • firehose:Describe*, firehose:List* - Kinesis Data Firehose delivery streams
  • sagemaker:Describe*, sagemaker:Get*, sagemaker:List* - SageMaker ML model and endpoint data
  • comprehend:Describe*, comprehend:Get*, comprehend:List* - Amazon Comprehend NLP analysis
  • translate:Describe*, translate:Get*, translate:List* - Amazon Translate language translation
  • polly:Describe*, polly:Get*, polly:List* - Amazon Polly text-to-speech synthesis
  • rekognition:Describe*, rekognition:Get*, rekognition:List* - Amazon Rekognition image analysis
  • textract:Get* - Amazon Textract document analysis
  • transcribe:Get*, transcribe:List* - Amazon Transcribe speech-to-text

Application and Workflow Services

  • states:Describe*, states:Get*, states:List* - AWS Step Functions workflow data
  • apigateway:GET - API Gateway REST API configurations (read-only HTTP GET)
  • application-insights:Describe*, application-insights:Get*, application-insights:List* - Application performance monitoring
  • xray:Get*, xray:BatchGet* - AWS X-Ray distributed tracing data

Storage and Backup

  • backup:Describe*, backup:Get*, backup:List* - AWS Backup job status and recovery points
  • glacier:Describe*, glacier:Get*, glacier:List* - Amazon Glacier archive storage
  • storagegateway:Describe*, storagegateway:List* - AWS Storage Gateway hybrid storage
  • datasync:Describe*, datasync:List* - AWS DataSync data transfer tasks
  • transfer:Describe*, transfer:List* - AWS Transfer Family file transfer protocols

Enterprise and Productivity

  • workspaces:Describe*, workspaces:List* - Amazon WorkSpaces virtual desktops
  • appstream:Describe*, appstream:List* - Amazon AppStream 2.0 application streaming
  • workdocs:Describe*, workdocs:Get* - Amazon WorkDocs document collaboration
  • workmail:Describe*, workmail:Get*, workmail:List* - Amazon WorkMail email service
  • connect:Describe*, connect:Get*, connect:List* - Amazon Connect contact center
  • chime:Get*, chime:List* - Amazon Chime communications service

Communication and Messaging

  • pinpoint:Get*, pinpoint:List* - Amazon Pinpoint customer engagement
  • ses:Describe*, ses:Get*, ses:List* - Amazon SES email service configuration
  • sns:Get*, sns:List* - Amazon SNS notification topics and subscriptions

Identity and Cognitive Services

  • cognito-idp:Describe*, cognito-idp:Get*, cognito-idp:List* - Amazon Cognito user pools
  • cognito-identity:Describe*, cognito-identity:Get*, cognito-identity:List* - Cognito identity pools

IoT and Edge Computing

  • iot:Describe*, iot:Get*, iot:List* - AWS IoT device and rule configurations
  • greengrass:Get*, greengrass:List* - AWS IoT Greengrass edge computing

Media Services

  • mediaconvert:Describe*, mediaconvert:Get*, mediaconvert:List* - AWS Elemental MediaConvert
  • mediastore:Describe*, mediastore:Get*, mediastore:List* - AWS Elemental MediaStore
  • mediatailor:Describe*, mediatailor:Get*, mediatailor:List* - AWS Elemental MediaTailor

Developer Tools and Code Services

  • codecommit:BatchDescribe*, codecommit:BatchGet*, codecommit:Describe*, codecommit:Get*, codecommit:GitPull, codecommit:List* - AWS CodeCommit repository access

Cost and Resource Management

  • pricing:Describe*, pricing:Get*, pricing:List* - AWS Pricing API for cost information
  • budgets:Describe*, budgets:View* - AWS Budgets cost and usage tracking
  • ce:Describe*, ce:Get*, ce:List* - AWS Cost Explorer cost analysis
  • cur:Describe*, cur:Get* - AWS Cost and Usage Reports
  • tag:Get* - Resource tagging information
  • resource-groups:Get*, resource-groups:List*, resource-groups:Search* - AWS Resource Groups

Support and Management

  • support:Describe*, support:Get*, support:List* - AWS Support case and service information
  • trustedadvisor:Describe*, trustedadvisor:Get*, trustedadvisor:List* - AWS Trusted Advisor recommendations
  • health:Describe*, health:Get*, health:List* - AWS Health Dashboard service status
  • wellarchitected:Get*, wellarchitected:List* - AWS Well-Architected Tool reviews
  • servicecatalog:Describe*, servicecatalog:Get*, servicecatalog:List* - AWS Service Catalog products

AI and ML Services

  • bedrock:Get*, bedrock:List*, bedrock:Describe* - Amazon Bedrock foundation models

CloudFormation

  • cloudformation:EstimateTemplateCost - Estimating CloudFormation template costs
  • cloudformation:ValidateTemplate - Validating CloudFormation template syntax

Security Considerations

⚠️ High-Risk Permissions: Many of the permissions above use wildcard (*) actions, which grant full control over the service. This provides maximum flexibility but requires careful monitoring and access control.
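One way to audit a policy document for the wildcard risk described above, as an added example that is not StarOps code: it flags `<service>:*` and other write-capable wildcard actions, and lists granular actions that a broader wildcard in the same policy already covers (those entries add nothing, so the wildcard is the real grant). The sample policy is constructed from actions listed on this page; its shape is an assumption.

```python
import fnmatch

# Constructed sample policy built from actions on this page (not the real StarOps policy).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:CreateRole", "iam:GetRole", "iam:*",
                    "s3:GetObject", "s3:PutObject", "s3:*",
                    "kms:*", "organizations:*",
                    "lambda:ListFunctions", "lambda:InvokeFunction",
                    "dynamodb:Describe*", "dynamodb:GetItem",
                    "cloudtrail:Get*", "apigateway:GET"]},
    ],
}

READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet", "BatchDescribe", "View", "Search")


def _allowed_actions(policy):
    """Flatten every Action in Allow statements (IAM accepts a string or a list)."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        out.extend([action] if isinstance(action, str) else action)
    return out


def risky_wildcards(policy):
    """Wildcard actions whose verb part is not limited to read-only prefixes.

    '<service>:*' always qualifies; 'svc:Describe*' does not, since it can only
    match Describe* calls. Returns a sorted list of the offending patterns."""
    risky = set()
    for action in _allowed_actions(policy):
        _service, _, verb = action.partition(":")
        if "*" not in verb:
            continue
        stem = verb.rstrip("*")
        if stem == "" or not stem.startswith(READ_ONLY_PREFIXES):
            risky.add(action)
    return sorted(risky)


def shadowed_actions(policy):
    """Map each granular action to the first wildcard in the same policy that already covers it.

    IAM action matching is case-insensitive, so compare lowercased strings."""
    allowed = _allowed_actions(policy)
    wildcards = [a for a in allowed if "*" in a]
    shadowed = {}
    for action in allowed:
        for pattern in wildcards:
            if pattern != action and fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                shadowed[action] = pattern
                break
    return shadowed
```

Run against the real policy exported from the account (for example the JSON from `aws iam get-policy-version`) to see which service-wide grants the granular entries are hiding.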