Required IAM Permissions
Important
The required IAM policy output by awslimitchecker includes only the permissions required to check limits and usage. If you are loading limit overrides and/or threshold overrides from S3, you will need to run awslimitchecker with additional permissions to access those objects.
Below is the sample IAM policy from this version of awslimitchecker, listing the IAM
permissions it requires to function correctly. Note that in some cases
awslimitchecker may cause AWS services to make additional API calls on your behalf;
for example, when ElasticBeanstalk resources are enumerated, the ElasticBeanstalk
service itself makes s3:ListBucket and s3:GetBucketLocation calls. The policy
below includes only the bare minimum permissions for awslimitchecker to function
properly, and does not include permissions for any side-effect calls made by AWS
services that do not affect the results of this program. Most entries are read-only
Describe/Get/List actions, but support:* is a wildcard covering every AWS Support
action and trustedadvisor:RefreshCheck triggers a check refresh rather than a read,
so review those two entries against your own least-privilege requirements before
attaching the policy.
{
"Statement": [
{
"Action": [
"apigateway:GET",
"apigateway:HEAD",
"apigateway:OPTIONS",
"autoscaling:DescribeAccountLimits",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"cloudformation:DescribeAccountLimits",
"cloudformation:DescribeStacks",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"ds:GetDirectoryLimits",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotDatafeedSubscription",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DescribeVpnGateways",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:ListClusters",
"ecs:ListServices",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheSubnetGroups",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeEnvironments",
"elasticfilesystem:DescribeFileSystems",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"firehose:ListDeliveryStreams",
"iam:GetAccountSummary",
"lambda:GetAccountSettings",
"rds:DescribeAccountAttributes",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"rds:DescribeEventSubscriptions",
"rds:DescribeOptionGroups",
"rds:DescribeReservedDBInstances",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeClusterSubnetGroups",
"route53:GetHostedZone",
"route53:GetHostedZoneLimit",
"route53:ListHostedZones",
"s3:ListAllMyBuckets",
"servicequotas:ListServiceQuotas",
"ses:GetSendQuota",
"support:*",
"trustedadvisor:Describe*",
"trustedadvisor:RefreshCheck"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}