AWS Permissions
Vantage requests certain IAM permissions to interact with your AWS account. All permissions are ReadOnly by default. The list of permissions was generated based on the ReadOnlyAccess AWS-managed IAM policy, with a number of permissions then removed that were on the original policy list. The list of permissions can be viewed on our provided CloudFormation Stack file.
Permission Descriptions
Below is a line-by-line description of each permission requested and what it is used for. In many cases, we have preemptively requested permissions that are not used but are reserved for future feature support, so that we do not need you to update the permission list for each subsequent feature.
You can modify these permissions as desired, and Vantage will work only with the data to which it has access.
| Permission | Description |
|---|---|
| "a4b:List*" | Not used |
| "a4b:Search*" | Not used |
| "access-analyzer:ListAnalyzedResources" | Not used |
| "access-analyzer:ListAnalyzers" | Not used |
| "access-analyzer:ListArchiveRules" | Not used |
| "access-analyzer:ListFindings" | Not used |
| "access-analyzer:ListTagsForResource" | Not used |
| "acm:Describe*" | Not used |
| "acm:List*" | Not used |
| "acm-pca:Describe*" | Not used |
| "acm-pca:List*" | Not used |
| "amplify:ListApps" | Not used |
| "amplify:ListBranches" | Not used |
| "amplify:ListDomainAssociations" | Not used |
| "amplify:ListJobs" | Not used |
| "application-autoscaling:Describe*" | Not used |
| "applicationinsights:Describe*" | Not used |
| "applicationinsights:List*" | Not used |
| "appmesh:Describe*" | Not used |
| "appmesh:List*" | Not used |
| "appstream:Describe*" | Not used |
| "appstream:List*" | Not used |
| "appsync:List*" | Not used |
| "autoscaling:Describe*" | Not used |
| "autoscaling-plans:Describe*" | Not used |
| "athena:List*" | Not used |
| "athena:Batch*" | Not used |
| "aws-portal:View*" | Not used |
| "backup:Describe*" | Not used |
| "backup:List*" | Not used |
| "batch:List*" | Not used |
| "batch:Describe*" | Not used |
| "budgets:Describe*" | Not used |
| "budgets:View*" | Not used |
| "cassandra:Select" | Not used |
| "ce:Get*" | Used for Vantage Cost Center functionality to display historical price data and trends. This permission was added by default on February 7th, 2021. |
| "chatbot:Describe*" | Not used |
| "chime:List*" | Not used |
| "chime:Retrieve*" | Not used |
| "chime:Search*" | Not used |
| "chime:Validate*" | Not used |
| "cloud9:Describe*" | Not used |
| "cloud9:List*" | Not used |
| "clouddirectory:List*" | Not used |
| "clouddirectory:BatchRead" | Not used |
| "clouddirectory:LookupPolicy" | Not used |
| "cloudformation:Describe*" | Not used |
| "cloudformation:Detect*" | Not used |
| "cloudformation:List*" | Not used |
| "cloudformation:Estimate*" | Not used |
| "cloudfront:List*" | Used for getting CloudFront distributions and showing accompanying costs |
| "cloudhsm:List*" | Not used |
| "cloudhsm:Describe*" | Not used |
| "cloudsearch:Describe*" | Not used |
| "cloudsearch:List*" | Not used |
| "cloudtrail:Describe*" | Used for Vantage Audit Logs features |
| "cloudtrail:Get*" | Used for Vantage Audit Logs features |
| "cloudtrail:List*" | Used for Vantage Audit Logs features |
| "cloudtrail:LookupEvents" | Used for Vantage Audit Logs features |
| "cloudwatch:Describe*" | Used for getting CloudWatch metrics for resources and CloudWatch Log Groups |
| "cloudwatch:GetMetricData" | Used for getting CloudWatch metrics for resources |
| "cloudwatch:GetDashboard" | Not used |
| "cloudwatch:GetMetricStatistics" | Not used |
| "cloudwatch:GetMetricStream" | Not used |
| "cloudwatch:List*" | Used for getting CloudWatch metrics for resources |
| "codeartifact:DescribeDomain" | Not used |
| "codeartifact:DescribePackageVersion" | Not used |
| "codeartifact:DescribeRepository" | Not used |
| "codeartifact:ListDomains" | Not used |
| "codeartifact:ListPackages" | Not used |
| "codeartifact:ListPackageVersionAssets" | Not used |
| "codeartifact:ListPackageVersionDependencies" | Not used |
| "codeartifact:ListPackageVersions" | Not used |
| "codeartifact:ListRepositories" | Not used |
| "codeartifact:ListRepositoriesInDomain" | Not used |
| "codebuild:DescribeCodeCoverages" | Not used |
| "codebuild:DescribeTestCases" | Not used |
| "codebuild:Get*" | Used for Vantage CodeBuild support |
| "codebuild:List*" | Used for Vantage CodeBuild support |
| "codebuild:BatchGetBuilds" | Used for Vantage CodeBuild support |
| "codecommit:Describe*" | Not used |
| "codecommit:List*" | Not used |
| "codedeploy:List*" | Used for Vantage CodeDeploy support |
| "codeguru-profiler:Describe*" | Not used |
| "codeguru-profiler:List*" | Not used |
| "codeguru-reviewer:Describe*" | Not used |
| "codeguru-reviewer:List*" | Not used |
| "codepipeline:List*" | Used for Vantage CodePipeline support |
| "codepipeline:Get*" | Used for Vantage CodePipeline support |
| "codestar:List*" | Not used |
| "codestar:Describe*" | Not used |
| "codestar-notifications:describeNotificationRule" | Not used |
| "codestar-notifications:listEventTypes" | Not used |
| "codestar-notifications:listNotificationRules" | Not used |
| "codestar-notifications:listTagsForResource" | Not used |
| "codestar-notifications:ListTargets" | Not used |
| "compute-optimizer:DescribeRecommendationExportJobs" | Not used |
| "compute-optimizer:GetAutoScalingGroupRecommendations" | Not used |
| "compute-optimizer:GetEC2InstanceRecommendations" | Not used |
| "compute-optimizer:GetEC2RecommendationProjectedMetrics" | Not used |
| "compute-optimizer:GetEnrollmentStatus" | Not used |
| "compute-optimizer:GetRecommendationSummaries" | Not used |
| "cognito-identity:Describe*" | Not used |
| "cognito-identity:List*" | Not used |
| "cognito-identity:Lookup*" | Not used |
| "cognito-sync:List*" | Not used |
| "cognito-sync:Describe*" | Not used |
| "cognito-sync:QueryRecords" | Not used |
| "cognito-idp:AdminList*" | Not used |
| "cognito-idp:List*" | Not used |
| "cognito-idp:Describe*" | Not used |
| "config:Deliver*" | Not used |
| "config:Describe*" | Not used |
| "config:List*" | Not used |
| "config:SelectResourceConfig" | Not used |
| "connect:List*" | Not used |
| "connect:Describe*" | Not used |
| "dataexchange:List*" | Not used |
| "datasync:Describe*" | Not used |
| "datasync:List*" | Not used |
| "datapipeline:Describe*" | Not used |
| "datapipeline:List*" | Not used |
| "datapipeline:Validate*" | Not used |
| "dax:Describe*" | Not used |
| "dax:ListTags" | Not used |
| "dax:Query" | Not used |
| "dax:Scan" | Not used |
| "detective:List*" | Not used |
| "devicefarm:List*" | Not used |
| "directconnect:Describe*" | Not used |
| "discovery:Describe*" | Not used |
| "discovery:List*" | Not used |
| "dms:Describe*" | Not used |
| "dms:List*" | Not used |
| "dms:Test*" | Not used |
| "ds:Check*" | Not used |
| "ds:Describe*" | Not used |
| "ds:List*" | Not used |
| "ds:Verify*" | Not used |
| "dynamodb:Describe*" | Used for Vantage DynamoDB support |
| "dynamodb:List*" | Used for Vantage DynamoDB support |
| "dynamodb:Query" | Not used |
| "dynamodb:Scan" | Not used |
| "ec2:Describe*" | Used for Vantage EC2 support |
| "ec2:GetCapacityReservationUsage" | Used for Vantage EC2 support |
| "ec2:GetEbsEncryptionByDefault" | Not used |
| "ec2:SearchTransitGatewayRoutes" | Not used |
| "ecr:BatchCheck*" | Not used |
| "ecr:Describe*" | Used for Vantage ECR support |
| "ecr:List*" | Used for Vantage ECR support |
| "ecs:Describe*" | Used for Vantage ECS support |
| "ecs:List*" | Used for Vantage ECS support |
| "eks:DescribeCluster" | Used for Vantage EKS support |
| "eks:DescribeUpdate" | Used for Vantage EKS support |
| "eks:Describe*" | Used for Vantage EKS support |
| "eks:ListClusters" | Used for Vantage EKS support |
| "eks:ListUpdates" | Used for Vantage EKS support |
| "eks:List*" | Used for Vantage EKS support |
| "elasticache:Describe*" | Used for Vantage ElastiCache support |
| "elasticache:List*" | Used for Vantage ElastiCache support |
| "elasticbeanstalk:Check*" | Not used |
| "elasticbeanstalk:Describe*" | Not used |
| "elasticbeanstalk:List*" | Not used |
| "elasticbeanstalk:Request*" | Not used |
| "elasticbeanstalk:Retrieve*" | Not used |
| "elasticbeanstalk:Validate*" | Not used |
| "elasticfilesystem:Describe*" | Used for Vantage EFS support |
| "elasticloadbalancing:Describe*" | Not used |
| "elasticmapreduce:Describe*" | Not used |
| "elasticmapreduce:List*" | Not used |
| "elasticmapreduce:View*" | Not used |
| "elastictranscoder:List*" | Not used |
| "elastictranscoder:Read*" | Not used |
| "elemental-appliances-software:List*" | Not used |
| "es:Describe*" | Not used |
| "es:List*" | Not used |
| "es:ESHttpHead" | Not used |
| "events:Describe*" | Not used |
| "events:List*" | Not used |
| "events:Test*" | Not used |
| "firehose:Describe*" | Not used |
| "firehose:List*" | Not used |
| "fsx:Describe*" | Not used |
| "fsx:List*" | Not used |
| "freertos:Describe*" | Not used |
| "freertos:List*" | Not used |
| "gamelift:List*" | Not used |
| "gamelift:Describe*" | Not used |
| "gamelift:RequestUploadCredentials" | Not used |
| "gamelift:ResolveAlias" | Not used |
| "gamelift:Search*" | Not used |
| "glacier:List*" | Used for Vantage Glacier support |
| "glacier:Describe*" | Used for Vantage Glacier support |
| "globalaccelerator:Describe*" | Not used |
| "globalaccelerator:List*" | Not used |
| "glue:ListCrawlers" | Not used |
| "glue:ListDevEndpoints" | Not used |
| "glue:ListJobs" | Not used |
| "glue:ListMLTransforms" | Not used |
| "glue:ListTriggers" | Not used |
| "glue:ListWorkflows" | Not used |
| "greengrass:List*" | Not used |
| "guardduty:List*" | Not used |
| "health:Describe*" | Not used |
| "health:List*" | Not used |
| "iam:Generate*" | Not used |
| "iam:Get*" | Used for Vantage IAM support |
| "iam:List*" | Used for Vantage IAM support |
| "iam:Simulate*" | Not used |
| "imagebuilder:List*" | Not used |
| "importexport:List*" | Not used |
| "inspector:Describe*" | Not used |
| "inspector:List*" | Not used |
| "inspector:Preview*" | Not used |
| "iot:Describe*" | Not used |
| "iot:List*" | Not used |
| "iotanalytics:Describe*" | Not used |
| "iotanalytics:List*" | Not used |
| "iotanalytics:SampleChannelData" | Not used |
| "iotsitewise:Describe*" | Not used |
| "iotsitewise:List*" | Not used |
| "kafka:Describe*" | Used for Vantage MSK support |
| "kafka:List*" | Used for Vantage MSK support |
| "kinesisanalytics:Describe*" | Not used |
| "kinesisanalytics:Discover*" | Not used |
| "kinesisanalytics:List*" | Not used |
| "kinesisvideo:Describe*" | Not used |
| "kinesisvideo:List*" | Not used |
| "kinesis:Describe*" | Not used |
| "kinesis:List*" | Not used |
| "kms:Describe*" | Not used |
| "kms:List*" | Used to show active KMS key costs |
| "lambda:List*" | Used for Vantage Lambda support |
| "license-manager:List*" | Not used |
| "logs:Describe*" | Used for Vantage CloudWatch logs support |
| "logs:ListTagsLogGroup" | Used for Vantage CloudWatch logs support |
| "logs:TestMetricFilter" | Used for Vantage CloudWatch logs support |
| "machinelearning:Describe*" | Not used |
| "mediaconvert:DescribeEndpoints" | Not used |
| "mediaconvert:List*" | Not used |
| "mediapackage:List*" | Not used |
| "mediapackage:Describe*" | Not used |
| "mgh:Describe*" | Not used |
| "mgh:List*" | Not used |
| "mobilehub:Describe*" | Not used |
| "mobilehub:List*" | Not used |
| "mobilehub:Verify*" | Not used |
| "mobiletargeting:List*" | Not used |
| "mq:Describe*" | Not used |
| "mq:List*" | Not used |
| "opsworks:Describe*" | Not used |
| "opsworks-cm:List*" | Not used |
| "opsworks-cm:Describe*" | Not used |
| "organizations:Describe*" | Not used |
| "organizations:List*" | Used for getting information about AWS member accounts for various cost reporting functionality |
| "outposts:List*" | Not used |
| "personalize:Describe*" | Not used |
| "personalize:List*" | Not used |
| "pi:DescribeDimensionKeys" | Not used |
| "polly:Describe*" | Not used |
| "polly:List*" | Not used |
| "polly:SynthesizeSpeech" | Not used |
| "qldb:ListLedgers" | Not used |
| "qldb:DescribeLedger" | Not used |
| "qldb:ListTagsForResource" | Not used |
| "ram:List*" | Not used |
| "rekognition:List*" | Not used |
| "rekognition:Search*" | Not used |
| "rds:Describe*" | Used for Vantage RDS support |
| "rds:List*" | Used for Vantage RDS support |
| "redshift:Describe*" | Used for Vantage Redshift support |
| "redshift:View*" | Not used |
| "resource-groups:Get*" | Not used |
| "resource-groups:List*" | Not used |
| "resource-groups:Search*" | Not used |
| "robomaker:BatchDescribe*" | Not used |
| "robomaker:Describe*" | Not used |
| "robomaker:List*" | Not used |
| "route53:Get*" | Used for Vantage Route53 support |
| "route53:List*" | Used for Vantage Route53 support |
| "route53:Test*" | Not used |
| "route53domains:Check*" | Not used |
| "route53domains:Get*" | Used for Vantage Route 53 support |
| "route53domains:List*" | Used for Vantage Route 53 support |
| "route53domains:View*" | Used for Vantage Route 53 support |
| "route53resolver:Get*" | Not Used |
| "route53resolver:List*" | Not used |
| "s3:List*" | Used for Vantage S3 support |
| "s3:GetBucketLocation" | Used for Vantage S3 support |
| "s3:GetBucketTagging" | Used for Vantage S3 support |
| "sagemaker:Describe*" | Not used |
| "sagemaker:List*" | Not used |
| "sagemaker:Search" | Not used |
| "schemas:Describe*" | Not used |
| "schemas:List*" | Not used |
| "schemas:Search*" | Not used |
| "sdb:List*" | Not used |
| "sdb:Select*" | Not used |
| "secretsmanager:List*" | Used for Vantage Secrets Manager support |
| "secretsmanager:Describe*" | Used for Vantage Secrets Manager support |
| "securityhub:Describe*" | Not used |
| "securityhub:List*" | Not used |
| "serverlessrepo:List*" | Not used |
| "serverlessrepo:SearchApplications" | Not used |
| "servicecatalog:List*" | Not used |
| "servicecatalog:Scan*" | Not used |
| "servicecatalog:Search*" | Not used |
| "servicecatalog:Describe*" | Not used |
| "servicediscovery:Get*" | Not used |
| "servicediscovery:List*" | Not used |
| "servicequotas:GetAssociationForServiceQuotaTemplate" | Not used |
| "servicequotas:GetAWSDefaultServiceQuota" | Not used |
| "servicequotas:GetRequestedServiceQuotaChange" | Not used |
| "servicequotas:GetServiceQuota" | Not used |
| "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate" | Not used |
| "servicequotas:ListAWSDefaultServiceQuotas" | Not used |
| "servicequotas:ListRequestedServiceQuotaChangeHistory" | Not used |
| "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota" | Not used |
| "servicequotas:ListServices" | Not used |
| "servicequotas:ListServiceQuotas" | Not used |
| "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate" | Not used |
| "ses:List*" | Not used |
| "ses:Describe*" | Not used |
| "shield:Describe*" | Not used |
| "shield:List*" | Not used |
| "signer:DescribeSigningJob" | Not used |
| "signer:ListSigningJobs" | Not used |
| "signer:ListSigningPlatforms" | Not used |
| "signer:ListSigningProfiles" | Not used |
| "signer:ListTagsForResource" | Not used |
| "snowball:Describe*" | Not used |
| "snowball:List*" | Not used |
| "sns:List*" | Used for Vantage SNS topic active resource cost support |
| "sns:Check*" | Not used |
| "sqs:List*" | Used for Vantage SQS queue active resource cost support |
| "ssm:Describe*" | Not used |
| "ssm:List*" | Not used |
| "sso:Describe*" | Not used |
| "sso:List*" | Not used |
| "sso:Search*" | Not used |
| "sso-directory:Describe*" | Not used |
| "sso-directory:List*" | Not used |
| "sso-directory:Search*" | Not used |
| "states:List*" | Not used |
| "states:Describe*" | Not used |
| "storagegateway:Describe*" | Not used |
| "storagegateway:List*" | Not used |
| "sts:GetCallerIdentity" | Used for cross-account role interactions |
| "sts:GetSessionToken" | Used for cross-account role interactions |
| "swf:Count*" | Not used |
| "swf:Describe*" | Not used |
| "swf:List*" | Not used |
| "synthetics:Describe*" | Not used |
| "synthetics:List*" | Not used |
| "tag:Get*" | Used for AWS tag support |
| "transfer:Describe*" | Not used |
| "transfer:List*" | Not used |
| "transfer:TestIdentityProvider" | Not used |
| "transcribe:List*" | Not used |
| "trustedadvisor:Describe*" | Not used |
| "waf:List*" | Not used |
| "wafv2:CheckCapacity" | Not used |
| "wafv2:Describe*" | Not used |
| "wafv2:List*" | Not used |
| "waf-regional:List*" | Not used |
| "worklink:Describe*" | Not used |
| "worklink:List*" | Not used |
| "workmail:Describe*" | Not used |
| "workmail:List*" | Not used |
| "workmail:Search*" | Not used |
| "workspaces:Describe*" | Used for Vantage Workspaces support |