AWS: Permission Modes


Lucidity Assessment for AWS: Permission Flexibility

Lucidity provides full flexibility in how permissions are granted to run the assessment, so that the access it receives stays aligned with your security and operational controls. Two permission modes are supported: a Comprehensive Permissions mode (also referred to as Standard Permissions) for environments where Systems Manager (SSM) is not fully enabled, and an Essential Permissions mode for customers who already have SSM operational across their fleet.

During the assessment, Lucidity uses AWS Systems Manager (SSM) to securely and temporarily run read-only diagnostic commands. If SSM is not already enabled, Lucidity can automatically enable it for the assessment and disable it immediately after completion — ensuring minimal, time-bound cloud access.

To check whether SSM is enabled across your AWS environment, please refer to the AWS guide here.

Comprehensive Permissions

In the Comprehensive Permissions model for AWS, Lucidity Assessment is granted temporary access to ensure that the assessment can run successfully, even in cases where SSM configurations are not already enabled. As part of the flow, Lucidity may create and attach temporary IAM roles/policies, enable SSM commands, and associate instance profiles. All such changes are strictly minimal, automatically reverted after assessment, and covered under the short-lived, time-bound access model.

  • Cost & Monitoring – Permissions to access cost and usage data, and to read CloudWatch metrics.

  • EC2 Operations – Ability to describe instances, volumes, and regions, as well as perform minimal modifications to attach temporary IAM roles or adjust attributes required for assessment.

  • IAM Operations – Permissions to create, attach, detach, and clean up temporary roles, policies, and instance profiles strictly for the duration of the assessment.

  • SSM Operations – Ability to use Systems Manager (SSM) for running commands on target instances to enable/collect utilization metrics, and to roll back changes after data collection.

Note

To view the AWS policy statement, visit Policy Statement for Comprehensive Permissions Mode.

To view the CloudFormation template, visit CloudFormation Template for Comprehensive Permissions Mode.

Customers who already have SSM enabled on at least 40% of their EC2 instances, or who can enable it before starting the assessment, can proceed with the Essential Permissions mode. In this mode, Lucidity makes no IAM changes and does not enable SSM; it uses your existing SSM configuration to perform the assessment in a lightweight, read-only manner.
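The guide above asks you to check whether SSM is enabled across the environment, and this paragraph sets the bar at 40% of EC2 instances. The following script is an added example, not Lucidity's code, that computes that coverage figure: it takes the running instance list (EC2 DescribeInstances) and the SSM DescribeInstanceInformation list, counts only EC2 instances whose agent is actually Online, and reports which instances would be unreachable in Essential Permissions mode. The sample data, the `i-0aaa`-style instance ids and the `live_ssm_coverage` helper are constructed for illustration; the live helper assumes boto3 is installed with credentials that allow `ec2:DescribeInstances` and `ssm:DescribeInstanceInformation`.

```python
"""Fleet-wide SSM coverage check (added example; not Lucidity's code).

Counts how many running EC2 instances report to Systems Manager with an
"Online" ping status and compares that share against a coverage threshold
(the page states 40% as the bar for Essential Permissions mode).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CoverageReport:
    total_instances: int
    managed_instances: int
    unmanaged_instance_ids: tuple
    threshold_pct: float

    @property
    def coverage_pct(self) -> float:
        if self.total_instances == 0:
            return 0.0
        return 100.0 * self.managed_instances / self.total_instances

    @property
    def meets_threshold(self) -> bool:
        return self.total_instances > 0 and self.coverage_pct >= self.threshold_pct


def ssm_coverage(running_instance_ids, instance_information, threshold_pct=40.0):
    """Build a CoverageReport from DescribeInstances / DescribeInstanceInformation data.

    running_instance_ids: iterable of EC2 instance ids in the 'running' state.
    instance_information: iterable of dicts shaped like the entries of SSM
      DescribeInstanceInformation's InstanceInformationList (InstanceId,
      PingStatus, ResourceType). Only EC2Instance entries with PingStatus
      'Online' count as managed; hybrid 'mi-' nodes and stale registrations
      (ConnectionLost, Inactive) do not.
    """
    fleet = set(running_instance_ids)
    online = {
        info["InstanceId"]
        for info in instance_information
        if info.get("ResourceType") == "EC2Instance"
        and info.get("PingStatus") == "Online"
    }
    managed = fleet & online
    unmanaged = tuple(sorted(fleet - online))
    return CoverageReport(len(fleet), len(managed), unmanaged, threshold_pct)


def live_ssm_coverage(region_name, threshold_pct=40.0):
    """Same check against a real account via boto3 (read-only API calls only).

    Assumption: boto3 is installed and credentials grant ec2:DescribeInstances
    and ssm:DescribeInstanceInformation. boto3 is imported here so the rest of
    the module runs without it.
    """
    import boto3

    ec2 = boto3.client("ec2", region_name=region_name)
    ssm = boto3.client("ssm", region_name=region_name)

    running = []
    for page in ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}]
    ):
        for reservation in page["Reservations"]:
            running.extend(i["InstanceId"] for i in reservation["Instances"])

    info = []
    for page in ssm.get_paginator("describe_instance_information").paginate():
        info.extend(page["InstanceInformationList"])

    return ssm_coverage(running, info, threshold_pct)


# Constructed sample data standing in for the two API responses.
SAMPLE_RUNNING = ["i-0aaa", "i-0bbb", "i-0ccc", "i-0ddd", "i-0eee"]
SAMPLE_INFO = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online", "ResourceType": "EC2Instance"},
    {"InstanceId": "i-0bbb", "PingStatus": "Online", "ResourceType": "EC2Instance"},
    {"InstanceId": "i-0ccc", "PingStatus": "ConnectionLost", "ResourceType": "EC2Instance"},
    {"InstanceId": "mi-0fff", "PingStatus": "Online", "ResourceType": "ManagedInstance"},
]

if __name__ == "__main__":
    report = ssm_coverage(SAMPLE_RUNNING, SAMPLE_INFO)
    print(f"{report.managed_instances}/{report.total_instances} online "
          f"({report.coverage_pct:.1f}%), threshold met: {report.meets_threshold}")
    for iid in report.unmanaged_instance_ids:
        print("  not SSM-managed:", iid)
```

Counting only Online agents matters: an instance registered in SSM but in ConnectionLost state will still fail a SendCommand, so it would not yield utilization data in Essential mode. Run `live_ssm_coverage` once per region you intend to assess, since both APIs are regional.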

Essential Permissions

Under the Essential Permissions model, Lucidity is granted a minimal set of read-only and monitoring permissions across Cost & Usage Reporting, EC2, CloudWatch and SSM.

  • Cost & Monitoring – Read-only access to cost and usage data, and ability to query CloudWatch metrics for performance insights.

  • EC2 Operations – Permissions limited to describing instances, volumes, regions, and statuses. No permissions to modify or attach IAM instance profiles.

  • SSM Operations – Access to read and execute commands for data collection on instances, provided the SSM Agent is already enabled.

Unlike the Comprehensive (Standard) Permissions model, this approach excludes any IAM or instance profile modifications, relying solely on existing configurations. This provides a lightweight way to perform the assessment when environments already have the necessary SSM configuration in place.

Note

To learn more about the full list of actions and why each is required, visit Overview of Permission For AWS Assessment.