CloudSploit recommends using the AWS managed policy, "SecurityAudit". However, you can manually define IAM permissions if needed, with the understanding that future plugins may not have the necessary permissions. To see a current list of permissions, see our GitHub page.