Permissions

Learn about StarOps Permission Requirements

IAM Policy Permission

For StarOps to perform its workflows across your AWS cloud infrastructure, it requires certain IAM permissions. These are granted through an automatic IAM policy setup.

Using CloudFormation, setting up these IAM policy permissions is a simple process launched from the Integrations section of StarOps.

AWS IAM Policy Permission Details

Below is a summary of the AWS service permissions that will be granted.

It is important to note that many of these permissions use a wildcard (*) action, which grants every action the service exposes, including actions not listed on this page. This provides maximum flexibility, but it also means the role should be monitored closely and access to it tightly controlled. If you need more guidance on this, please don't hesitate to contact the StarOps team via Support.

Route53

  • route53:ListHostedZones - Discovering DNS zones for certificate management
  • route53:ListHostedZonesByName - Finding specific DNS zones by name
  • route53:GetHostedZone - Retrieving DNS zone configuration details
  • route53:ListTagsForResource - Checking DNS resource tags for organization

CloudFormation

  • cloudformation:DescribeStacks - Checking stack status and outputs
  • cloudformation:DeleteStack - Cleaning up CloudFormation stacks
  • cloudformation:* - Full CloudFormation access for infrastructure management (this wildcard already covers the two actions listed above)

Lambda

  • lambda:ListFunctions - Discovering existing Lambda functions
  • lambda:InvokeFunction - Triggering webhook and notification functions
  • lambda:DeleteFunction - Cleaning up Lambda functions during deprovisioning

CloudWatch Logs

  • logs:CreateLogGroup - Setting up logging for applications and services
  • logs:CreateLogStream - Creating log streams for organized logging
  • logs:PutLogEvents - Writing log entries for monitoring and debugging
  • logs:* - Full CloudWatch Logs access for comprehensive logging management (this wildcard already covers the three actions listed above)

Other Services

RDS

  • rds:DescribeDBInstances - Discovering database instances for inventory

ECR Public

  • ecr-public:* - Full ECR Public access for container image management

KMS

  • kms:* - Full KMS access for encryption key management

EventBridge

  • events:* - Full EventBridge access for event-driven architecture

SQS

  • sqs:* - Full SQS access for message queue management

Organizations

  • organizations:* - Full Organizations access for account management and information

STS

  • sts:GetServiceBearerToken - Obtaining service tokens for authentication
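The wildcard note above is easy to underestimate when reading a list like this, so here is an added audit script (it is not StarOps code and does not come from the StarOps CloudFormation template). The POLICY document inside it is constructed from the permission list on this page, with one Allow statement per service, Resource "*" and no conditions, which is an assumption; the real policy may differ in layout, resource scoping or conditions. The script groups the granted actions by service, flags services where a wildcard is present, lists explicit actions that a wildcard in the same service already makes redundant, and answers whether an arbitrary action (for example one this page never mentions) would be allowed. Deny statements, conditions and resource ARNs are deliberately ignored, so it answers "could this policy allow X" rather than the full IAM evaluation.

```python
"""Audit an IAM policy document for wildcard actions.

Added example, not StarOps code. POLICY below is constructed from the
permission list on this page; the real CloudFormation-managed policy may
differ (resource ARNs, conditions, statement layout).
"""
import fnmatch
import json
from collections import defaultdict

# Constructed sample policy: one Allow statement per service, Resource "*", no conditions.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName",
                                   "route53:GetHostedZone", "route53:ListTagsForResource"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudformation:DescribeStacks", "cloudformation:DeleteStack",
                                   "cloudformation:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["lambda:ListFunctions", "lambda:InvokeFunction",
                                   "lambda:DeleteFunction"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                                   "logs:PutLogEvents", "logs:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecr-public:*", "kms:*", "events:*", "sqs:*",
                                   "organizations:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*"}
  ]
}
""")


def allowed_actions(policy):
    """Collect the Action strings of every Allow statement.

    Deny statements, Condition blocks and Resource ARNs are ignored: this is a
    "could the policy allow it" view, not a full IAM evaluation.
    """
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return sorted(actions)


def matches(action, pattern):
    """IAM action matching: case-insensitive, '*' matches any run of characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def wildcard_report(policy):
    """Group allowed actions by service and flag wildcards.

    Returns {service: {"wildcards": [...], "explicit": [...], "redundant": [...]}}.
    An explicit action is redundant when a wildcard on the same service already
    matches it: deleting the explicit entry changes nothing, only narrowing the
    wildcard would reduce access.
    """
    by_service = defaultdict(list)
    for action in allowed_actions(policy):
        service, _, name = action.partition(":")
        by_service[service].append(name)
    report = {}
    for service, names in by_service.items():
        wilds = sorted(n for n in names if "*" in n)
        explicit = sorted(n for n in names if "*" not in n)
        redundant = [n for n in explicit if any(matches(n, w) for w in wilds)]
        report[service] = {"wildcards": wilds, "explicit": explicit, "redundant": redundant}
    return report


def is_allowed(policy, action):
    """True if any Allow statement's action pattern matches `action`."""
    return any(matches(action, pat) for pat in allowed_actions(policy))


if __name__ == "__main__":
    report = wildcard_report(POLICY)
    for service in sorted(report):
        entry = report[service]
        tag = "WILDCARD" if entry["wildcards"] else "scoped  "
        print(f"{tag} {service:15} redundant={entry['redundant']}")
    # Probes the page never lists; a service-wide wildcard grants them regardless.
    for probe in ("kms:ScheduleKeyDeletion", "organizations:LeaveOrganization",
                  "route53:ChangeResourceRecordSets"):
        print(f"{probe}: {'allowed' if is_allowed(POLICY, probe) else 'not allowed'}")
```

Run it against the policy document your own CloudFormation stack actually created (for example the JSON returned by the IAM console or CLI for the role's policy) rather than the constructed sample, and treat every service in the WILDCARD rows as one whose CloudTrail activity for this role deserves an alert.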