Comprehensive Mode: Policy Statement


Lucidity Assessment for AWS: Comprehensive Permission Policy Statement

An IAM policy that grants Lucidity limited and controlled permissions to enable AWS Systems Manager (SSM) on behalf of the customer during an assessment. The permissions allow Lucidity to create and manage a temporary role and instance profile, attach the AmazonSSMFullAccess policy, and run SSM commands required for data collection. Role and instance-profile management (creation, deletion, and iam:PassRole to ec2.amazonaws.com) is limited to resources prefixed with Lucidity*. Note that the AttachDetachSSMPolicy statement is scoped by the policy ARN (AmazonSSMFullAccess) rather than by the role prefix and so applies to arn:aws:iam::*:role/*, and that the SendSSMCommands and instance-profile association statements target any EC2 instance (arn:aws:ec2:*:*:instance/*). All changes are fully reverted at the end of the assessment — including removal of any roles, instance profiles, or attached policies — ensuring no persistent changes remain in the customer’s environment.

{
  "policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "GlobalReadOnlyAccess",
        "Effect": "Allow",
        "Action": [
          "autoscaling:DescribeAutoScalingGroups",
          "ce:GetCostAndUsage",
          "cloudwatch:GetMetricStatistics",
          "ec2:DescribeIamInstanceProfileAssociations",
          "ec2:DescribeImages",
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          "ec2:DescribeVolumes",
          "eks:DescribeNodegroup",
          "eks:ListClusters",
          "eks:ListNodegroups",
          "iam:GetInstanceProfile",
          "iam:GetRole",
          "iam:ListAttachedRolePolicies",
          "iam:ListPolicies",
          "iam:ListRoles",
          "ssm:DescribeInstanceInformation",
          "ssm:GetCommandInvocation"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        "Sid": "AssociateInstanceProfile",
        "Effect": "Allow",
        "Action": "ec2:AssociateIamInstanceProfile",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
          "ArnLike": {
            "ec2:NewInstanceProfile": "arn:aws:iam::*:instance-profile/Lucidity*"
          }
        }
      },
      {
        "Sid": "DisassociateInstanceProfile",
        "Effect": "Allow",
        "Action": "ec2:DisassociateIamInstanceProfile",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
          "ArnLike": {
            "ec2:InstanceProfile": "arn:aws:iam::*:instance-profile/Lucidity*"
          }
        }
      },
      {
        "Sid": "ManageInstanceProfiles",
        "Effect": "Allow",
        "Action": [
          "iam:AddRoleToInstanceProfile",
          "iam:CreateInstanceProfile",
          "iam:DeleteInstanceProfile",
          "iam:RemoveRoleFromInstanceProfile"
        ],
        "Resource": [
          "arn:aws:iam::*:instance-profile/Lucidity*"
        ]
      },
      {
        "Sid": "ManageRoles",
        "Effect": "Allow",
        "Action": [
          "iam:CreateRole",
          "iam:DeleteRole"
        ],
        "Resource": [
          "arn:aws:iam::*:role/Lucidity*"
        ]
      },
      {
        "Sid": "PassLucidityRolesToEC2",
        "Effect": "Allow",
        "Action": [
          "iam:PassRole"
        ],
        "Resource": [
          "arn:aws:iam::*:role/Lucidity*"
        ],
        "Condition": {
          "StringEquals": {
            "iam:PassedToService": "ec2.amazonaws.com"
          }
        }
      },
      {
        "Sid": "AttachDetachSSMPolicy",
        "Effect": "Allow",
        "Action": [
          "iam:AttachRolePolicy",
          "iam:DetachRolePolicy"
        ],
        "Resource": [
          "arn:aws:iam::*:role/*"
        ],
        "Condition": {
          "StringEquals": {
            "iam:PolicyARN": "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
          }
        }
      },
      {
        "Sid": "SendSSMCommands",
        "Effect": "Allow",
        "Action": [
          "ssm:SendCommand"
        ],
        "Resource": [
          "arn:aws:ec2:*:*:instance/*",
          "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript",
          "arn:aws:ssm:*:*:document/AWS-RunShellScript"
        ]
      }
    ]
  }
}

To view and download the CloudFormation templates, visit the CloudFormation Template for Comprehensive Permissions Mode page.