Read only permission required for Aurva Controller is mentioned below
These permission set will be used as part of datasource scanning
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:GetPublicKey",
"kms:List*",
"kms:Decrypt",
"kms:Describe*",
"rds:Describe*",
"redshift:Describe*",
"s3:Get*",
"s3:List*",
"dynamodb:Describe*",
"dynamodb:List*",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:ListStreams",
"dynamodb:Get*",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:ListSecrets",
"docdb-elastic:Get*",
"docdb-elastic:List*",
"es:List*",
"es:Describe*",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeSnapshots",
"redshift:ListDatabases",
"redshift:ListTables",
"redshift:ListSchemas",
"redshift:FetchResults",
"cloudwatch:ListMetrics",
"cloudwatch:GenerateQuery",
"cloudwatch:GetMetricData",
"elasticache:Connect",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeServerlessCaches",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeGlobalReplicationGroups"
],
"Resource": "*"
}
]
}
Read only permission for AccessIQ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetPolicyVersion",
"iam:GetAccountPasswordPolicy",
"iam:ListRoleTags",
"iam:GetMFADevice",
"iam:ListServerCertificates",
"iam:GenerateServiceLastAccessedDetails",
"iam:TagMFADevice",
"iam:ListServiceSpecificCredentials",
"iam:TagSAMLProvider",
"iam:ListSigningCertificates",
"iam:ListVirtualMFADevices",
"iam:ListSSHPublicKeys",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:GetAccountEmailAddress",
"iam:ListAttachedRolePolicies",
"iam:ListOpenIDConnectProviderTags",
"iam:ListSAMLProviderTags",
"iam:ListRolePolicies",
"iam:GetAccountAuthorizationDetails",
"iam:GetCredentialReport",
"iam:ListPolicies",
"iam:GetServerCertificate",
"iam:GetRole",
"iam:UntagSAMLProvider",
"iam:ListSAMLProviders",
"iam:GetPolicy",
"iam:GetAccessKeyLastUsed",
"iam:ListEntitiesForPolicy",
"iam:ListOrganizationsFeatures",
"iam:TagPolicy",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:GetAccountName",
"iam:GetGroupPolicy",
"iam:GetOpenIDConnectProvider",
"iam:ListSTSRegionalEndpointsStatus",
"iam:GetRolePolicy",
"iam:GetAccountSummary",
"iam:GenerateCredentialReport",
"iam:UntagRole",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:TagRole",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListInstanceProfileTags",
"iam:ListMFADevices",
"iam:GetServiceLastAccessedDetails",
"iam:GetGroup",
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetOrganizationsAccessReport",
"iam:GetServiceLinkedRoleDeletionStatus",
"iam:ListInstanceProfilesForRole",
"iam:GenerateOrganizationsAccessReport",
"iam:GetCloudFrontPublicKey",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedGroupPolicies",
"iam:ListPolicyTags",
"iam:GetSAMLProvider",
"iam:ListAccessKeys",
"iam:GetInstanceProfile",
"iam:ListGroupPolicies",
"iam:ListCloudFrontPublicKeys",
"iam:GetSSHPublicKey",
"iam:ListRoles",
"iam:UntagServerCertificate",
"iam:ListUserPolicies",
"iam:ListInstanceProfiles",
"iam:TagUser",
"iam:UntagUser",
"iam:GetContextKeysForCustomPolicy",
"iam:ListPolicyVersions",
"iam:ListOpenIDConnectProviders",
"iam:UntagMFADevice",
"iam:ListServerCertificateTags",
"iam:TagServerCertificate",
"iam:ListAccountAliases",
"iam:UntagPolicy",
"iam:ListUsers",
"iam:GetUser",
"iam:UntagOpenIDConnectProvider",
"iam:ListGroups",
"iam:ListMFADeviceTags",
"iam:UntagInstanceProfile",
"iam:TagOpenIDConnectProvider",
"iam:GetLoginProfile",
"iam:TagInstanceProfile",
"iam:ListUserTags"
],
"Resource": "*"
}
]
}