Cloud Access and Permissions - SethBodine/audit-tools GitHub Wiki

Cloud Access and Permissions

This page covers the minimum permissions required to run security assessments against each supported cloud provider. Follow least-privilege principles — create a dedicated audit account and disable or delete it when the review is complete.


AWS

  1. Create an IAM group named IAM-Audit-Group
  2. Assign the following managed policies to IAM-Audit-Group:
     arn:aws:iam::aws:policy/ReadOnlyAccess
     arn:aws:iam::aws:policy/SecurityAudit
  3. Create an IAM user and assign it to IAM-Audit-Group
  4. Create an access key for the user for use with the CLI

Optional - MFA Self-Registration Policy

Create a custom policy named IAM-Audit-MFASelfManage to allow the audit user to register their own MFA device. See the AWS documentation for the full policy JSON.

  1. Enable MFA on the account

Optional - Self-Managed Access Keys Policy

Create a custom policy named IAM-Audit-ManageOwnAccessKeys to allow the audit user to manage their own access keys. See the AWS documentation for additional information and for the full policy JSON.


Azure

Identity

Request an account against the default tenant domain (e.g. [email protected]). This limits the account's blast radius and avoids confusion with existing users in the customer's domain.

Entra ID (M365)

Assign the following roles. Known limitations as of August 2024 are noted below.

Security Reader
Global Reader

Azure Subscriptions

Reader
Security Reader

Built-in Role Limitations

The limitations below reflect the current state as documented by Microsoft. This list changes as Microsoft updates role support — always check the official permissions reference for the latest.

Global Reader

Reader

The Reader role grants read access to resources of all types, except secrets.

Power Portal/Apps

Note: It is not recommended that this be included unless extreme care is taken

  • Power Platform Administrator

Dynamics 365

Note: It is not recommended that this be included unless extreme care is taken

  • Dynamics 365 Administrator

SharePoint

Note: It is not recommended that this be included unless extreme care is taken

  • SharePoint Administrator

Device Codes

As of February 2024, Microsoft recommends disabling Device Code flows via Conditional Access Policies. See the Microsoft documentation for details.


Google Cloud

  1. Create a new account in Google Workspace
  2. Assign the Super Admin role to the account
  3. Ensure 2FA is configured at first login - this may require a screen share session to scan a QR code

Oracle Cloud

  1. Create a new Group named Audit-Group
  2. Create a Policy statement and assign it to Audit-Group:
     allow group 'Audit-Group' to read all-resources in tenancy
     allow group 'Audit-Group' to manage api-keys in tenancy where target.resource.id = request.user.id
  3. Create an identity (local auth domain or remote SSO) and assign it to Audit-Group
  4. Log in as the new account, create an API key pair, and store the private key securely

Alibaba Cloud

Policy-Based Configuration

  1. Create a new Group named Audit-Group
  2. Create a Policy with the following JSON and assign it to Audit-Group:
     {
         "Version": "1",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "*:Get*",
                     "*:Audit*",
                     "*:Describe*",
                     "*:Query*",
                     "*:List*"
                 ],
                 "Resource": "*"
             }
         ]
     }
  3. Create an identity and assign it to Audit-Group
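A small check for the policy above, added here as an example and not part of the audit-tools project: it parses a RAM policy document and reports any Allow action that is not one of the read-only verb prefixes the policy relies on, so an edited copy with a mutating action or a bare "*" is caught before it is attached to Audit-Group. The read-only verb list, the over-broad sample policy and the action names in it are constructed for the example.

```python
import json

# Verb prefixes the Alibaba RAM audit policy above relies on; any other verb is
# treated as potentially mutating and out of scope for a read-only auditor.
READ_ONLY_VERBS = ("Get", "Audit", "Describe", "Query", "List")


def _as_list(value):
    # RAM allows Action (and Resource) to be a single string or a list.
    return [value] if isinstance(value, str) else list(value)


def read_only_violations(policy_json):
    """Return the Allow actions in a RAM policy that are not read-only.

    An action passes only if it has the form "<service>:<Verb>..." and the
    verb starts with one of READ_ONLY_VERBS; a bare "*" or a mutating verb
    (Create, Put, Delete, ...) is reported so it can be removed before the
    policy is attached to Audit-Group. Deny statements never widen access.
    """
    violations = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, sep, verb = action.partition(":")
            if not sep or not verb.startswith(READ_ONLY_VERBS):
                violations.append(action)
    return violations


# Constructed copy of the policy from the steps above.
AUDIT_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["*:Get*", "*:Audit*", "*:Describe*", "*:Query*", "*:List*"],
    "Resource": "*",
}]})

# Constructed over-broad variant: a mutating action and a bare "*" slipped in.
OVERBROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["*:List*", "ecs:DeleteInstance"], "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ram:CreateUser", "Resource": "*"},
]})

if __name__ == "__main__":
    print("audit policy:", read_only_violations(AUDIT_POLICY))  # []
    print("over-broad policy:", read_only_violations(OVERBROAD_POLICY))  # ['ecs:DeleteInstance', '*']
```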

Role-Based Configuration

TBC - may not be supported by all tools.

Note: Disable this account immediately when the review is complete. Proceed with caution as there is a risk of unintended changes.