Lucidity AutoScaler for AWS performs disk expansion and shrink operations on your EC2 instances using a secure Cross-Account IAM Role.
Your AWS account needs to have a role that trusts Lucidity’s AWS account (519785724387), enabling Lucidity only to:
Attach / detach / create / delete managed volumes
Securely handle encrypted volumes
Perform one-time agent installation through SSM and instance profiles
No persistent credentials are stored by Lucidity — temporary, short-lived STS tokens are used for all actions.
[Optional] You may choose to enforce an external-ID for stronger protection against confused-deputy threats. If you prefer this approach, please contact Lucidity Support to receive your dedicated external-ID value.
Note
To perform AWS account integration with Lucidity AutoScaler, the user integrating the account must be either:
An AWS Account Administrator, or
A Delegated Administrator within AWS Organizations that has Trusted Access enabled.
This access is required only once during initial setup to create the cross-account role and required IAM resources. Ongoing operations do not require administrative access.
IAM Policy Attached to the Cross-Account Role
The policy is scoped to apply only to EBS volumes tagged with ManagedByLucidity = true, ensuring Lucidity can operate only on storage resources explicitly onboarded to the platform. Note that in the policy below the `aws:ResourceTag/ManagedByLucidity` condition appears only on the `AutoScalerVolumeManagement` and `AutoScalerStartStopInstancesForOnboarding` statements, and the `...IfExists` form of the operator also evaluates to true when the resource carries no ManagedByLucidity tag at all; the remaining statements use `"Resource": "*"` without a tag condition. To understand the need for each individual permission, see the AWS Permission Overview.
When using the Lucidity Dashboard with automated account onboarding, this role and policy are created for you. Alternatively, customers may manually create the role and attach the policy JSON shown below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AutoScalerVolumeManagement",
"Effect": "Allow",
"Action": [
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DeleteVolume",
"ec2:ModifyInstanceAttribute"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEqualsIgnoreCaseIfExists": {
"aws:ResourceTag/ManagedByLucidity": "true"
}
}
},
{
"Sid": "AutoScalerVolumeCreationAndTagging",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Sid": "AutoScalerStartStopInstancesForOnboarding",
"Effect": "Allow",
"Action": [
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEqualsIgnoreCaseIfExists": {
"aws:ResourceTag/ManagedByLucidity": "true"
}
}
},
{
"Sid": "AutoScalerAllowKMSCreateGrantForAWSResource",
"Effect": "Allow",
"Action": "kms:CreateGrant",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "AutoScalerKMSPermissionsForEncryptedVolumes",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "AutoScalerAndAssessmentEC2DiscoveryAccess",
"Effect": "Allow",
"Action": [
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceStatus",
"ec2:DescribeRegions",
"ec2:DescribeVolumeStatus",
"ec2:DescribeImages",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListNodegroups",
"autoscaling:DescribeAutoScalingGroups",
"cloudtrail:LookupEvents"
],
"Resource": "*"
},
{
"Sid": "AllowReadingMetricsAndCost",
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"ce:GetCostAndUsage"
],
"Resource": "*"
},
{
"Sid": "PassRoleForInstanceProfileSetup",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/Lucidity*",
"arn:aws:iam::*:role/lucidity*"
]
},
{
"Sid": "InstantOnboardingWithSnapShot",
"Effect": "Allow",
"Action": [
"ec2:DescribeSnapshots",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot"
],
"Resource": "*"
},
{
"Sid": "AgentInstallAndAssessmentEvaluateExistingIAMConfigBeforeChanges",
"Effect": "Allow",
"Action": [
"iam:ListAttachedRolePolicies",
"iam:ListPolicies",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:ListRoles",
"iam:GetRolePolicy",
"iam:GetPolicyVersion"
],
"Resource": "*"
},
{
"Sid": "AgentInstallAndAssessmentAllowInstanceProfile",
"Effect": "Allow",
"Action": [
"ec2:DisassociateIamInstanceProfile",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations"
],
"Resource": "*"
},
{
"Sid": "AgentInstallAndAssessmentMakeChangesToExistingIAMOrRevertAllChanges",
"Effect": "Allow",
"Action": [
"iam:RemoveRoleFromInstanceProfile",
"iam:AttachRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:DetachRolePolicy",
"iam:UpdateRole"
],
"Resource": "*"
},
{
"Sid": "AgentInstallAndAssessmentPolicyRolesInstanceProfilesandTagging",
"Effect": "Allow",
"Action": [
"iam:DeletePolicy",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:UpdateRoleDescription",
"iam:DeleteRole",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:TagRole",
"iam:TagInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:role/Lucidity*",
"arn:aws:iam::*:role/lucidity*",
"arn:aws:iam::*:policy/Lucidity*",
"arn:aws:iam::*:policy/lucidity*",
"arn:aws:iam::*:instance-profile/Lucidity*",
"arn:aws:iam::*:instance-profile/lucidity*"
]
},
{
"Sid": "AgentInstallViaSSM",
"Effect": "Allow",
"Action": [
"ssm:SendCommand",
"ssm:GetCommandInvocation",
"ssm:DescribeInstanceInformation"
],
"Resource": "*"
},
{
"Sid": "AutoScalingGroupFetchPermissions",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"account:ListRegions",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "*"
},
{
"Sid": "LucidityPermissionHealthCheck",
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy",
"iam:GetContextKeysForPrincipalPolicy"
],
"Resource": "*"
}
]
}