Permissions

Vantage requests certain permissions to interact with your AWS account. All permissions are ReadOnly by default, and the list was generated by starting from the AWS-managed ReadOnlyAccess IAM policy and removing a number of permissions from it. The list of permissions can be viewed in our provided CloudFormation Stack file.

Permission Descriptions

Below is a line-by-line description of each permission requested and what it is used for. In many cases, we have preemptively requested permissions that are not currently used but are reserved for future feature support, so that you do not need to update the permission list for each subsequent feature.

Permission Description
"a4b:List*" Not used
"a4b:Search*" Not used
"access-analyzer:ListAnalyzedResources" Not used
"access-analyzer:ListAnalyzers" Not used
"access-analyzer:ListArchiveRules" Not used
"access-analyzer:ListFindings" Not used
"access-analyzer:ListTagsForResource" Not used
"acm:Describe*" Not used
"acm:List*" Not used
"acm-pca:Describe*" Not used
"acm-pca:List*" Not used
"amplify:ListApps" Not used
"amplify:ListBranches" Not used
"amplify:ListDomainAssociations" Not used
"amplify:ListJobs" Not used
"application-autoscaling:Describe*" Not used
"applicationinsights:Describe*" Not used
"applicationinsights:List*" Not used
"appmesh:Describe*" Not used
"appmesh:List*" Not used
"appstream:Describe*" Not used
"appstream:List*" Not used
"appsync:List*" Not used
"autoscaling:Describe*" Not used
"autoscaling-plans:Describe*" Not used
"athena:List*" Not used
"athena:Batch*" Not used
"aws-portal:View*" Not used
"backup:Describe*" Not used
"backup:List*" Not used
"batch:List*" Not used
"batch:Describe*" Not used
"budgets:Describe*" Not used
"budgets:View*" Not used
"cassandra:Select" Not used
"ce:Get*" Used for Vantage Cost Center functionality to display historical price data and trends. This permission was added by default on February 7th, 2021.
"chatbot:Describe*" Not used
"chime:List*" Not used
"chime:Retrieve*" Not used
"chime:Search*" Not used
"chime:Validate*" Not used
"cloud9:Describe*" Not used
"cloud9:List*" Not used
"clouddirectory:List*" Not used
"clouddirectory:BatchRead" Not used
"clouddirectory:LookupPolicy" Not used
"cloudformation:Describe*" Not used
"cloudformation:Detect*" Not used
"cloudformation:List*" Not used
"cloudformation:Estimate*" Not used
"cloudfront:List*" Not used
"cloudhsm:List*" Not used
"cloudhsm:Describe*" Not used
"cloudsearch:Describe*" Not used
"cloudsearch:List*" Not used
"cloudtrail:Describe*" Used for Vantage Audit Logs features
"cloudtrail:Get*" Used for Vantage Audit Logs features
"cloudtrail:List*" Used for Vantage Audit Logs features
"cloudtrail:LookupEvents" Used for Vantage Audit Logs features
"cloudwatch:Describe*" Used for getting CloudWatch metrics for resources
"cloudwatch:Get*" Used for getting CloudWatch metrics for resources
"cloudwatch:List*" Used for getting CloudWatch metrics for resources
"codeartifact:DescribeDomain" Not used
"codeartifact:DescribePackageVersion" Not used
"codeartifact:DescribeRepository" Not used
"codeartifact:ListDomains" Not used
"codeartifact:ListPackages" Not used
"codeartifact:ListPackageVersionAssets" Not used
"codeartifact:ListPackageVersionDependencies" Not used
"codeartifact:ListPackageVersions" Not used
"codeartifact:ListRepositories" Not used
"codeartifact:ListRepositoriesInDomain" Not used
"codebuild:DescribeCodeCoverages" Not used
"codebuild:DescribeTestCases" Not used
"codebuild:Get*" Used for Vantage CodeBuild support
"codebuild:List*" Used for Vantage CodeBuild support
"codebuild:BatchGetBuilds" Used for Vantage CodeBuild support
"codecommit:Describe*" Not used
"codecommit:GitPull" Not used
"codecommit:List*" Not used
"codedeploy:List*" Used for Vantage CodeDeploy support
"codeguru-profiler:Describe*" Not used
"codeguru-profiler:List*" Not used
"codeguru-reviewer:Describe*" Not used
"codeguru-reviewer:List*" Not used
"codepipeline:List*" Used for Vantage CodePipeline support
"codepipeline:Get*" Used for Vantage CodePipeline support
"codestar:List*" Not used
"codestar:Describe*" Not used
"codestar-notifications:describeNotificationRule" Not used
"codestar-notifications:listEventTypes" Not used
"codestar-notifications:listNotificationRules" Not used
"codestar-notifications:listTagsForResource" Not used
"codestar-notifications:ListTargets" Not used
"compute-optimizer:DescribeRecommendationExportJobs" Not used
"compute-optimizer:GetAutoScalingGroupRecommendations" Not used
"compute-optimizer:GetEC2InstanceRecommendations" Not used
"compute-optimizer:GetEC2RecommendationProjectedMetrics" Not used
"compute-optimizer:GetEnrollmentStatus" Not used
"compute-optimizer:GetRecommendationSummaries" Not used
"cognito-identity:Describe*" Not used
"cognito-identity:List*" Not used
"cognito-identity:Lookup*" Not used
"cognito-sync:List*" Not used
"cognito-sync:Describe*" Not used
"cognito-sync:QueryRecords" Not used
"cognito-idp:AdminList*" Not used
"cognito-idp:List*" Not used
"cognito-idp:Describe*" Not used
"config:Deliver*" Not used
"config:Describe*" Not used
"config:List*" Not used
"config:SelectResourceConfig" Not used
"connect:List*" Not used
"connect:Describe*" Not used
"dataexchange:List*" Not used
"datasync:Describe*" Not used
"datasync:List*" Not used
"datapipeline:Describe*" Not used
"datapipeline:EvaluateExpression" Not used
"datapipeline:List*" Not used
"datapipeline:Validate*" Not used
"dax:Describe*" Not used
"dax:ListTags" Not used
"dax:Query" Not used
"dax:Scan" Not used
"detective:List*" Not used
"devicefarm:List*" Not used
"directconnect:Describe*" Not used
"discovery:Describe*" Not used
"discovery:List*" Not used
"dms:Describe*" Not used
"dms:List*" Not used
"dms:Test*" Not used
"ds:Check*" Not used
"ds:Describe*" Not used
"ds:List*" Not used
"ds:Verify*" Not used
"dynamodb:Describe*" Used for Vantage DynamoDB support
"dynamodb:List*" Used for Vantage DynamoDB support
"dynamodb:Query" Not used
"dynamodb:Scan" Not used
"ec2:Describe*" Used for Vantage EC2 support
"ec2:GetCapacityReservationUsage" Used for Vantage EC2 support
"ec2:GetEbsEncryptionByDefault" Not used
"ec2:SearchTransitGatewayRoutes" Not used
"ecr:BatchCheck*" Not used
"ecr:Describe*" Used for Vantage ECR support
"ecr:List*" Used for Vantage ECR support
"ecs:Describe*" Used for Vantage ECS support
"ecs:List*" Used for Vantage ECS support
"eks:DescribeCluster" Used for Vantage EKS support
"eks:DescribeUpdate" Used for Vantage EKS support
"eks:Describe*" Used for Vantage EKS support
"eks:ListClusters" Used for Vantage EKS support
"eks:ListUpdates" Used for Vantage EKS support
"eks:List*" Used for Vantage EKS support
"elasticache:Describe*" Used for Vantage ElastiCache support
"elasticache:List*" Used for Vantage ElastiCache support
"elasticbeanstalk:Check*" Not used
"elasticbeanstalk:Describe*" Not used
"elasticbeanstalk:List*" Not used
"elasticbeanstalk:Request*" Not used
"elasticbeanstalk:Retrieve*" Not used
"elasticbeanstalk:Validate*" Not used
"elasticfilesystem:Describe*" Not used
"elasticloadbalancing:Describe*" Not used
"elasticmapreduce:Describe*" Not used
"elasticmapreduce:List*" Not used
"elasticmapreduce:View*" Not used
"elastictranscoder:List*" Not used
"elastictranscoder:Read*" Not used
"elemental-appliances-software:List*" Not used
"es:Describe*" Not used
"es:List*" Not used
"es:ESHttpHead" Not used
"events:Describe*" Not used
"events:List*" Not used
"events:Test*" Not used
"firehose:Describe*" Not used
"firehose:List*" Not used
"fsx:Describe*" Not used
"fsx:List*" Not used
"freertos:Describe*" Not used
"freertos:List*" Not used
"gamelift:List*" Not used
"gamelift:Describe*" Not used
"gamelift:RequestUploadCredentials" Not used
"gamelift:ResolveAlias" Not used
"gamelift:Search*" Not used
"glacier:List*" Not used
"glacier:Describe*" Not used
"globalaccelerator:Describe*" Not used
"globalaccelerator:List*" Not used
"glue:ListCrawlers" Not used
"glue:ListDevEndpoints" Not used
"glue:ListJobs" Not used
"glue:ListMLTransforms" Not used
"glue:ListTriggers" Not used
"glue:ListWorkflows" Not used
"greengrass:List*" Not used
"guardduty:List*" Not used
"health:Describe*" Not used
"health:List*" Not used
"iam:Generate*" Not used
"iam:Get*" Used for Vantage IAM support
"iam:List*" Used for Vantage IAM support
"iam:Simulate*" Not used
"imagebuilder:List*" Not used
"importexport:List*" Not used
"inspector:Describe*" Not used
"inspector:List*" Not used
"inspector:Preview*" Not used
"iot:Describe*" Not used
"iot:List*" Not used
"iotanalytics:Describe*" Not used
"iotanalytics:List*" Not used
"iotanalytics:SampleChannelData" Not used
"iotsitewise:Describe*" Not used
"iotsitewise:List*" Not used
"kafka:Describe*" Not used
"kafka:List*" Not used
"kinesisanalytics:Describe*" Not used
"kinesisanalytics:Discover*" Not used
"kinesisanalytics:List*" Not used
"kinesisvideo:Describe*" Not used
"kinesisvideo:List*" Not used
"kinesis:Describe*" Not used
"kinesis:List*" Not used
"kms:Describe*" Not used
"kms:List*" Not used
"lambda:List*" Used for Vantage Lambda support
"license-manager:List*" Not used
"logs:Describe*" Used for Vantage CloudWatch Logs support
"logs:Get*" Used for Vantage CloudWatch Logs support
"logs:FilterLogEvents" Used for Vantage CloudWatch Logs support
"logs:ListTagsLogGroup" Used for Vantage CloudWatch Logs support
"logs:StartQuery" Used for Vantage CloudWatch Logs support
"logs:StopQuery" Used for Vantage CloudWatch Logs support
"logs:TestMetricFilter" Used for Vantage CloudWatch Logs support
"machinelearning:Describe*" Not used
"mediaconvert:DescribeEndpoints" Not used
"mediaconvert:List*" Not used
"mediapackage:List*" Not used
"mediapackage:Describe*" Not used
"mgh:Describe*" Not used
"mgh:List*" Not used
"mobilehub:Describe*" Not used
"mobilehub:List*" Not used
"mobilehub:Verify*" Not used
"mobiletargeting:List*" Not used
"mq:Describe*" Not used
"mq:List*" Not used
"opsworks:Describe*" Not used
"opsworks-cm:List*" Not used
"opsworks-cm:Describe*" Not used
"organizations:Describe*" Not used
"organizations:List*" Not used
"outposts:List*" Not used
"personalize:Describe*" Not used
"personalize:List*" Not used
"pi:DescribeDimensionKeys" Not used
"polly:Describe*" Not used
"polly:List*" Not used
"polly:SynthesizeSpeech" Not used
"qldb:ListLedgers" Not used
"qldb:DescribeLedger" Not used
"qldb:ListTagsForResource" Not used
"ram:List*" Not used
"rekognition:List*" Not used
"rekognition:Search*" Not used
"rds:Describe*" Used for Vantage RDS support
"rds:List*" Used for Vantage RDS support
"redshift:Describe*" Not used
"redshift:View*" Not used
"resource-groups:Get*" Not used
"resource-groups:List*" Not used
"resource-groups:Search*" Not used
"robomaker:BatchDescribe*" Not used
"robomaker:Describe*" Not used
"robomaker:List*" Not used
"route53:Get*" Used for Vantage Route53 Support
"route53:List*" Used for Vantage Route53 Support
"route53:Test*" Not used
"route53domains:Check*" Not used
"route53domains:Get*" Used for Vantage Route53 support
"route53domains:List*" Used for Vantage Route53 support
"route53domains:View*" Used for Vantage Route53 support
"route53resolver:Get*" Not used
"route53resolver:List*" Not used
"s3:List*" Used for Vantage S3 support
"s3:GetBucketLocation" Used for Vantage S3 support
"s3:GetBucketTagging" Used for Vantage S3 support
"sagemaker:Describe*" Not used
"sagemaker:List*" Not used
"sagemaker:Search" Not used
"schemas:Describe*" Not used
"schemas:List*" Not used
"schemas:Search*" Not used
"sdb:List*" Not used
"sdb:Select*" Not used
"secretsmanager:List*" Used for Vantage Secrets Manager Support
"secretsmanager:Describe*" Used for Vantage Secrets Manager Support
"securityhub:Describe*" Not used
"securityhub:List*" Not used
"serverlessrepo:List*" Not used
"serverlessrepo:SearchApplications" Not used
"servicecatalog:List*" Not used
"servicecatalog:Scan*" Not used
"servicecatalog:Search*" Not used
"servicecatalog:Describe*" Not used
"servicediscovery:Get*" Not used
"servicediscovery:List*" Not used
"servicequotas:GetAssociationForServiceQuotaTemplate" Not used
"servicequotas:GetAWSDefaultServiceQuota" Not used
"servicequotas:GetRequestedServiceQuotaChange" Not used
"servicequotas:GetServiceQuota" Not used
"servicequotas:GetServiceQuotaIncreaseRequestFromTemplate" Not used
"servicequotas:ListAWSDefaultServiceQuotas" Not used
"servicequotas:ListRequestedServiceQuotaChangeHistory" Not used
"servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota" Not used
"servicequotas:ListServices" Not used
"servicequotas:ListServiceQuotas" Not used
"servicequotas:ListServiceQuotaIncreaseRequestsInTemplate" Not used
"ses:List*" Not used
"ses:Describe*" Not used
"shield:Describe*" Not used
"shield:List*" Not used
"signer:DescribeSigningJob" Not used
"signer:ListSigningJobs" Not used
"signer:ListSigningPlatforms" Not used
"signer:ListSigningProfiles" Not used
"signer:ListTagsForResource" Not used
"snowball:Describe*" Not used
"snowball:List*" Not used
"sns:List*" Not used
"sns:Check*" Not used
"sqs:List*" Not used
"sqs:Receive*" Not used
"ssm:Describe*" Not used
"ssm:List*" Not used
"sso:Describe*" Not used
"sso:List*" Not used
"sso:Search*" Not used
"sso-directory:Describe*" Not used
"sso-directory:List*" Not used
"sso-directory:Search*" Not used
"states:List*" Not used
"states:Describe*" Not used
"storagegateway:Describe*" Not used
"storagegateway:List*" Not used
"sts:GetCallerIdentity" Used for Cross Account role interactions
"sts:GetSessionToken" Used for Cross Account role interactions
"swf:Count*" Not used
"swf:Describe*" Not used
"swf:List*" Not used
"synthetics:Describe*" Not used
"synthetics:List*" Not used
"tag:Get*" Used for AWS Tag support
"transfer:Describe*" Not used
"transfer:List*" Not used
"transfer:TestIdentityProvider" Not used
"transcribe:List*" Not used
"trustedadvisor:Describe*" Not used
"waf:List*" Not used
"wafv2:CheckCapacity" Not used
"wafv2:Describe*" Not used
"wafv2:List*" Not used
"waf-regional:List*" Not used
"worklink:Describe*" Not used
"worklink:List*" Not used
"workmail:Describe*" Not used
"workmail:List*" Not used
"workmail:Search*" Not used
"workspaces:Describe*" Not used
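
For reviewing this list before granting the role, the following added example (not Vantage's own code or policy) parses rows in the table's `"service:Action" description` format, separates used from reserved permissions, and builds an IAM policy document containing only the used actions. The function names, the `"Resource": "*"` scope and the sample rows are assumptions of this example; a role trimmed this way will not cover the features the reserved permissions are held for.

```python
import json
import re

# Constructed sample in the table's row format; paste the full table to audit it.
SAMPLE_ROWS = '''\
Permission Description
"ce:Get*" Used for Vantage Cost Center functionality to display historical price data and trends.
"dynamodb:Describe*" Used for Vantage DynamoDB support
"dynamodb:List*" Used for Vantage DynamoDB support
"dynamodb:Query" Not used
"dynamodb:Scan" Not used
"kms:List*" Not used
"route53resolver:Get*" Not Used
"sqs:Receive*" Not used
"sts:GetCallerIdentity" Used for Cross Account role interactions
'''

ROW = re.compile(r'^"(?P<action>[a-z0-9-]+:[A-Za-z]+\*?)"\s+(?P<desc>.+)$')

def parse_rows(text):
    """Return (used, unused) lists of IAM actions, in table order."""
    used, unused = [], []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header row, blank line, or anything not in row format
        # Compare case-insensitively so capitalisation variants are caught.
        reserved = m["desc"].strip().lower() == "not used"
        (unused if reserved else used).append(m["action"])
    return used, unused

def trimmed_policy(used):
    """IAM policy allowing only actions the table marks as used (assumed scope: *)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}],
    }

def beyond_list_describe(unused):
    """Reserved actions whose verb is not List/Describe, to review first."""
    def verb(action):
        return action.split(":", 1)[1].lower()
    return [a for a in unused if not verb(a).startswith(("list", "describe"))]

if __name__ == "__main__":
    used, unused = parse_rows(SAMPLE_ROWS)
    print(json.dumps(trimmed_policy(used), indent=2))
    print("Reserved, not List/Describe:", beyond_list_describe(unused))
```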