Essential Mode: Policy Statement

Lucidity Assessment for AWS: Essential Permission Policy Statement

This IAM policy supports the Essential Permissions Mode, designed for customers who already have AWS Systems Manager (SSM) enabled across their environment. In this mode, Lucidity performs the assessment using existing SSM configurations without creating or modifying any IAM roles or instance profiles. The permissions are strictly read-only, with minimal SSM command access needed to collect metadata securely and non-intrusively. At present, users must manually create the role with given permissions for assessment or use CloudFormation to do that.

lucidity:permissions:start

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "GlobalReadOnlyAccess",
      "Effect" : "Allow",
      "Action" : [
        "autoscaling:DescribeAutoScalingGroups",
        "ce:GetCostAndUsage",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListNodegroups",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicies",
        "iam:ListRoles",
        "ssm:DescribeInstanceInformation",
        "ssm:GetCommandInvocation"
      ],
      "Resource" : [
        "*"
      ]
    },
    {
      "Sid" : "SendSSMCommands",
      "Effect" : "Allow",
      "Action" : [
        "ssm:SendCommand"
      ],
      "Resource" : [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript",
        "arn:aws:ssm:*:*:document/AWS-RunShellScript"
      ]
    }
  ]
}

To view and Download CloudFormation Template visit CloudFormation Template for Essential Permissions Mode.