AWS CLI access

The AWS Command Line Interface (AWS CLI) can be used to access AWS resources from a command-line utility. To set up the AWS CLI environment, notably the configuration of credentials, the aws configure command may be used.

The aws configure command will ask for the following information, which is stored in clear text in the config and credentials files (by default in a .aws folder in the current user's home directory):

  • Access key ID.

  • Secret access key.

  • AWS default region.

  • Output format.

To create an access key ID and secret access key, refer to the AWS official documentation.

ReadOnlyAccess and SecurityAudit managed policy

The ReadOnlyAccess and SecurityAudit managed policies can be attached to the principal used to retrieve the CloudTrail logs and perform the security review, in order to grant the necessary permissions.

Specific tooling may also require additional permissions. For example, Invictus-AWS requires permission to write exported logs to a specific S3 bucket.
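The following added example (not part of the original page) reproduces the two files that aws configure writes for a dedicated review profile, locks them down to the owner because the secret access key sits in them in clear text, and prints the IAM calls that attach and then verify the two managed policies. The directory, profile name, IAM user name and key values are assumptions chosen for the example; the policy ARNs are the real ones for ReadOnlyAccess and SecurityAudit.

```shell
#!/bin/sh
# write_review_profile DIR PROFILE ACCESS_KEY_ID SECRET REGION
# Writes the sections that `aws configure --profile PROFILE` would write
# (DIR plays the role of ~/.aws), then restricts both files to the owner,
# since the secret access key is stored unencrypted.
write_review_profile() {
  dir=$1; profile=$2; key_id=$3; secret=$4; region=$5
  mkdir -p "$dir"
  # config names non-default profiles "[profile NAME]"; credentials uses "[NAME]".
  printf '[profile %s]\nregion = %s\noutput = json\n' \
    "$profile" "$region" >> "$dir/config"
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
    "$profile" "$key_id" "$secret" >> "$dir/credentials"
  chmod 700 "$dir"
  chmod 600 "$dir/config" "$dir/credentials"
}

# credentials_are_private DIR
# Returns 0 only if config and credentials are readable by the owner alone.
credentials_are_private() {
  for f in "$1/config" "$1/credentials"; do
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || return 1
  done
}

# attach_policy_commands USER
# Prints the CLI calls that grant the review permissions to an IAM user,
# followed by the call used to confirm both policies are attached.
attach_policy_commands() {
  for p in ReadOnlyAccess SecurityAudit; do
    printf 'aws iam attach-user-policy --user-name %s --policy-arn arn:aws:iam::aws:policy/%s\n' \
      "$1" "$p"
  done
  printf 'aws iam list-attached-user-policies --user-name %s\n' "$1"
}

# Constructed sample values (placeholders, not real credentials).
write_review_profile "${AWS_DIR:-./aws-example}" review \
  AKIA-EXAMPLE-PLACEHOLDER example-secret-placeholder eu-west-1
credentials_are_private "${AWS_DIR:-./aws-example}" && echo "profile files are owner-only"
attach_policy_commands review-user
```

Run the printed commands with a principal that holds IAM write permissions; the profile itself only needs `--profile review` on subsequent CloudTrail calls.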
