CloudSploit adheres strongly to the principle of least privilege and aims to collect only the information necessary to provide its service. Depending on which cloud accounts you connect to CloudSploit, different information is collected. The breakdown below lists, for each cloud provider, every API call CloudSploit makes and the access it is granted with.


Amazon Web Services (AWS)

APIs:
acm:Describe*
acm:List*
application-autoscaling:Describe*
appmesh:Describe*
appmesh:List*
appsync:List*
athena:List*
autoscaling:Describe*
batch:DescribeComputeEnvironments
batch:DescribeJobDefinitions
chime:List*
cloud9:Describe*
cloud9:ListEnvironments
clouddirectory:ListDirectories
cloudformation:DescribeStack*
cloudformation:GetTemplate
cloudformation:ListStack*
cloudformation:GetStackPolicy
cloudfront:Get*
cloudfront:List*
cloudhsm:ListHapgs
cloudhsm:ListHsms
cloudhsm:ListLunaClients
cloudsearch:DescribeDomains
cloudsearch:DescribeServiceAccessPolicies
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
cloudtrail:GetTrailStatus
cloudtrail:ListTags
cloudtrail:LookupEvents
cloudwatch:Describe*
codebuild:ListProjects
codecommit:BatchGetRepositories
codecommit:GetBranch
codecommit:GetObjectIdentifier
codecommit:GetRepository
codecommit:List*
codedeploy:Batch*
codedeploy:Get*
codedeploy:List*
codepipeline:ListPipelines
codestar:Describe*
codestar:List*
cognito-identity:ListIdentityPools
cognito-idp:ListUserPools
cognito-sync:Describe*
cognito-sync:List*
comprehend:Describe*
comprehend:List*
config:BatchGetAggregateResourceConfig
config:BatchGetResourceConfig
config:Deliver*
config:Describe*
config:Get*
config:List*
datapipeline:DescribeObjects
datapipeline:DescribePipelines
datapipeline:EvaluateExpression
datapipeline:GetPipelineDefinition
datapipeline:ListPipelines
datapipeline:QueryObjects
datapipeline:ValidatePipelineDefinition
datasync:Describe*
datasync:List*
dax:Describe*
dax:ListTags
directconnect:Describe*
dms:Describe*
dms:ListTagsForResource
ds:DescribeDirectories
dynamodb:DescribeContinuousBackups
dynamodb:DescribeGlobalTable
dynamodb:DescribeTable
dynamodb:DescribeTimeToLive
dynamodb:ListBackups
dynamodb:ListGlobalTables
dynamodb:ListStreams
dynamodb:ListTables
ec2:Describe*
ecr:DescribeRepositories
ecr:GetRepositoryPolicy
ecs:Describe*
ecs:List*
eks:DescribeCluster
eks:ListClusters
elasticache:Describe*
elasticbeanstalk:Describe*
elasticfilesystem:DescribeFileSystems
elasticfilesystem:DescribeMountTargetSecurityGroups
elasticfilesystem:DescribeMountTargets
elasticloadbalancing:Describe*
elasticmapreduce:Describe*
elasticmapreduce:ListClusters
elasticmapreduce:ListInstances
es:Describe*
es:ListDomainNames
events:Describe*
events:List*
firehose:Describe*
firehose:List*
fms:ListComplianceStatus
fms:ListPolicies
fsx:Describe*
fsx:List*
gamelift:ListBuilds
gamelift:ListFleets
glacier:DescribeVault
glacier:GetVaultAccessPolicy
glacier:ListVaults
globalaccelerator:Describe*
globalaccelerator:List*
greengrass:List*
guardduty:Get*
guardduty:List*
iam:GenerateCredentialReport
iam:GenerateServiceLastAccessedDetails
iam:Get*
iam:List*
iam:SimulateCustomPolicy
iam:SimulatePrincipalPolicy
inspector:Describe*
inspector:Get*
inspector:List*
inspector:Preview*
iot:Describe*
iot:GetPolicy
iot:GetPolicyVersion
iot:List*
kinesis:DescribeStream
kinesis:ListStreams
kinesis:ListTagsForStream
kinesisanalytics:ListApplications
kms:Describe*
kms:Get*
kms:List*
lambda:GetAccountSettings
lambda:GetFunctionConfiguration
lambda:GetLayerVersionPolicy
lambda:GetPolicy
lambda:List*
license-manager:List*
lightsail:GetInstances
lightsail:GetLoadBalancers
logs:Describe*
logs:ListTagsLogGroup
machinelearning:DescribeMLModels
mediaconnect:Describe*
mediaconnect:List*
mediastore:GetContainerPolicy
mediastore:ListContainers
opsworks:DescribeStacks
opsworks-cm:DescribeServers
organizations:List*
organizations:Describe*
quicksight:Describe*
quicksight:List*
ram:List*
rds:Describe*
rds:DownloadDBLogFilePortion
rds:ListTagsForResource
redshift:Describe*
rekognition:Describe*
rekognition:List*
robomaker:Describe*
robomaker:List*
route53:Get*
route53:List*
route53domains:GetDomainDetail
route53domains:GetOperationDetail
route53domains:ListDomains
route53domains:ListOperations
route53domains:ListTagsForDomain
route53resolver:List*
route53resolver:Get*
s3:GetAccelerateConfiguration
s3:GetAccountPublicAccessBlock
s3:GetAnalyticsConfiguration
s3:GetBucket*
s3:GetEncryptionConfiguration
s3:GetInventoryConfiguration
s3:GetLifecycleConfiguration
s3:GetMetricsConfiguration
s3:GetObjectAcl
s3:GetObjectVersionAcl
s3:GetReplicationConfiguration
s3:ListAllMyBuckets
sagemaker:Describe*
sagemaker:List*
sdb:DomainMetadata
sdb:ListDomains
secretsmanager:GetResourcePolicy
secretsmanager:ListSecrets
secretsmanager:ListSecretVersionIds
securityhub:Describe*
securityhub:Get*
securityhub:List*
serverlessrepo:GetApplicationPolicy
serverlessrepo:List*
ses:GetIdentityDkimAttributes
ses:GetIdentityPolicies
ses:GetIdentityVerificationAttributes
ses:ListIdentities
ses:ListIdentityPolicies
ses:ListVerifiedEmailAddresses
shield:Describe*
shield:List*
snowball:ListClusters
snowball:ListJobs
sns:GetTopicAttributes
sns:ListSubscriptionsByTopic
sns:ListTopics
sqs:GetQueueAttributes
sqs:ListDeadLetterSourceQueues
sqs:ListQueues
sqs:ListQueueTags
ssm:Describe*
ssm:GetAutomationExecution
ssm:ListDocuments
sso:DescribePermissionsPolicies
sso:List*
states:ListStateMachines
storagegateway:DescribeBandwidthRateLimit
storagegateway:DescribeCache
storagegateway:DescribeCachediSCSIVolumes
storagegateway:DescribeGatewayInformation
storagegateway:DescribeMaintenanceStartTime
storagegateway:DescribeNFSFileShares
storagegateway:DescribeSnapshotSchedule
storagegateway:DescribeStorediSCSIVolumes
storagegateway:DescribeTapeArchives
storagegateway:DescribeTapeRecoveryPoints
storagegateway:DescribeTapes
storagegateway:DescribeUploadBuffer
storagegateway:DescribeVTLDevices
storagegateway:DescribeWorkingStorage
storagegateway:List*
tag:GetResources
tag:GetTagKeys
transfer:Describe*
transfer:List*
translate:List*
trustedadvisor:Describe*
waf:ListWebACLs
waf-regional:ListWebACLs
workspaces:Describe*
athena:GetWorkGroup
cloudwatchlogs:DescribeLogGroups
cloudwatchlogs:DescribeMetricFilters
efs:DescribeFileSystems
elastictranscoder:ListPipelines
ses:DescribeActiveReceiptRuleSet

Details:
This list of permissions comes primarily from the AWS managed policy "SecurityAudit" (arn:aws:iam::aws:policy/SecurityAudit), which AWS maintains for software that audits account configuration: it grants read access to security-relevant configuration metadata and no ability to change resources. A few entries are not plain Describe, Get or List calls and are worth a look when you review the role: iam:GenerateCredentialReport and iam:GenerateServiceLastAccessedDetails ask IAM to produce a report so that it can then be read, config:Deliver* triggers delivery of a configuration snapshot, and cloudtrail:LookupEvents and rds:DownloadDBLogFilePortion return log content rather than configuration. The last entries (cloudwatchlogs:DescribeLogGroups, cloudwatchlogs:DescribeMetricFilters, efs:DescribeFileSystems) use CloudSploit's collector names; the corresponding IAM service prefixes are logs: and elasticfilesystem:, which the list already covers.

You have complete control over the permissions given to CloudSploit via the IAM role deployed in your account. If a plugin needs a permission the role does not grant, CloudSploit marks that plugin's result as "unknown" and continues with the rest of the scan rather than aborting it.

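Before deploying the role, it is worth auditing the requested list and then verifying that the role you actually created covers it, since any gap shows up as "unknown" results. The following Python is an added example, not CloudSploit's own code. It buckets each action by its verb (plain Describe/Get/List-style metadata reads versus anything else), renders the list as an IAM policy document and checks it against the 6,144-character limit IAM applies to managed policies, and computes which required actions a set of granted patterns leaves uncovered using IAM's case-insensitive wildcard matching. The REQUESTED_ACTIONS list is a constructed subset of the AWS list above; READ_ONLY_VERBS, DATA_READ_ACTIONS and the statement Sid are this example's own choices, not an AWS classification.

```python
"""Audit an IAM action list before granting it to a third-party scanner.

Added example, not CloudSploit's own code. The sample inputs are a
constructed subset of the AWS action list on this page.
"""
import fnmatch
import json

# Verb prefixes this example treats as plain configuration reads
# (IAM action names are CamelCase, so a prefix test on the verb works).
READ_ONLY_VERBS = (
    "Describe", "Get", "List", "Lookup", "Batch", "Preview",
    "Simulate", "Query", "DomainMetadata",
)

# Reads that return data content (events, log lines) rather than
# configuration metadata; worth calling out separately in a review.
DATA_READ_ACTIONS = {"cloudtrail:LookupEvents", "rds:DownloadDBLogFilePortion"}

# Constructed subset of the AWS actions on this page.
REQUESTED_ACTIONS = [
    "acm:Describe*",
    "cloudtrail:LookupEvents",
    "config:Deliver*",
    "datapipeline:EvaluateExpression",
    "ec2:Describe*",
    "iam:GenerateCredentialReport",
    "iam:SimulatePrincipalPolicy",
    "rds:DownloadDBLogFilePortion",
    "s3:GetBucket*",
    "s3:ListAllMyBuckets",
]

MANAGED_POLICY_MAX_CHARS = 6144  # IAM limit for a managed policy, whitespace excluded


def classify(actions):
    """Bucket actions: metadata reads, entries needing review, data reads, wildcards."""
    result = {"read_only": [], "review": [], "data_reads": [], "wildcards": []}
    for action in actions:
        _service, _, verb = action.partition(":")
        bucket = "read_only" if verb.startswith(READ_ONLY_VERBS) else "review"
        result[bucket].append(action)
        if action in DATA_READ_ACTIONS:
            result["data_reads"].append(action)
        if "*" in verb or "?" in verb:
            result["wildcards"].append(action)
    return result


def policy_document(actions, sid="ScannerReadOnly"):
    """Render the action list as a single-statement IAM identity policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(set(actions)),
            "Resource": "*",
        }],
    }


def policy_size(document):
    """Character count the way IAM measures it: structural whitespace excluded."""
    return len(json.dumps(document, separators=(",", ":")))


def iam_action_matches(pattern, action):
    """IAM action matching: case-insensitive; '*' matches any run, '?' one character."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def uncovered_actions(granted, required):
    """Required actions that none of the granted action patterns cover.

    A narrower grant (s3:GetBucket*) does not cover a broader requirement
    (s3:Get*); that is exactly the gap that produces "unknown" results.
    """
    return [a for a in required if not any(iam_action_matches(g, a) for g in granted)]


if __name__ == "__main__":
    report = classify(REQUESTED_ACTIONS)
    for bucket, entries in report.items():
        print(f"{bucket}: {entries}")
    doc = policy_document(REQUESTED_ACTIONS)
    print(f"policy size {policy_size(doc)} / {MANAGED_POLICY_MAX_CHARS}")
    # Constructed example of a role that was deployed with too little.
    deployed = ["ec2:Describe*", "s3:Get*", "iam:Simulate*"]
    print("uncovered:", uncovered_actions(deployed, REQUESTED_ACTIONS))
```

Feed uncovered_actions the Action list from the role's deployed policy and the full list above to see exactly which plugins will come back "unknown" before running a scan; the same comparison can be made against live IAM with iam:SimulatePrincipalPolicy, which is itself one of the permissions in the list.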
Microsoft Azure

APIs:
activitylogalerts:ListByResourceGroup
activitylogalerts:ListBySubscriptionId
autoprovisioningsettings:List
autoscalesettings:ListByResourceGroup
availabilitysets:List
blobcontainers:List
blobservice:ListContainersSegmented
configurations:ListByServer
databaseblobauditingpolicies:Get
databases:ListByServer
diagnosticsettingsoperations:Kv
diagnosticsettingsoperations:Lb
diagnosticsettingsoperations:List
diagnosticsettingsoperations:Nsg
disks:List
encryptionprotectors:Get
endpoints:ListByProfile
fileservice:GetShareAcl
fileservice:ListSharesSegmented
firewallrules:ListByServer
keyvaultclient:GetKeys
keyvaultclient:GetSecrets
loadbalancers:List
loadbalancers:ListAll
logprofiles:List
managedclusters:GetUpgradeProfile
managedclusters:List
managementlocks:ListAtSubscriptionLevel
networksecuritygroups:ListAll
networkwatchers:ListAll
origins:ListByEndpoint
policyassignments:List
pricings:List
profiles:List
queueservice:GetQueueAcl
queueservice:ListQueuesSegmented
registries:List
resourcegroups:List
resources:List
roledefinitions:List
securitycontacts:List
serverazureadadministrators:ListByServer
serverblobauditingpolicies:Get
servers:ListByResourceGroup
servers:Mysql
servers:Postgres
servers:Sql
serversecurityalertpolicies:ListByServer
storageaccounts:List
storageaccounts:ListKeys
subscriptions:ListLocations
tableservice:GetTableAcl
tableservice:ListTablesSegmented
usages:List
users:List
vaults:Get
vaults:List
virtualmachineextensions:List
virtualmachines:ListAll
virtualmachinescalesets:List
virtualnetworks:ListAll
webapps:GetAuthSettings
webapps:List
webapps:ListConfigurations

Details:
These API calls are made by an Azure Active Directory application (service principal) that holds the built-in "Security Reader" role assignment on the subscription. Azure provides this role to give tooling such as CloudSploit read-only access to security configuration metadata. Two entries deserve attention during review: storageaccounts:ListKeys returns the storage account access keys themselves (the account key is what the blob, file, queue and table service calls above authenticate with), and keyvaultclient:GetKeys and keyvaultclient:GetSecrets list Key Vault key and secret entries with their attributes, not key material or secret values.

You have complete control over the permissions given to CloudSploit via the Security Reader application deployed in your account. If a plugin needs a permission the application does not have, CloudSploit marks that plugin's result as "unknown" and continues with the rest of the scan rather than aborting it.

Google Cloud Platform (GCP)

APIs:
alertpolicies:List
autoscalers:AggregatedList
backendservices:List
buckets:GetIamPolicy
buckets:List
clusters:List
cryptokeys:List
disks:List
firewalls:List
instancegroups:AggregatedList
instances:Compute
instances:Sql
keyrings:List
keys:List
managedzones:List
metrics:List
networks:List
projects:Get
projects:GetIamPolicy
serviceaccounts:List
sinks:List
subnetworks:List
targethttpproxies:List
users:List

Details:
These API calls are made by a GCP service account that has been granted the "Viewer" role on the project. Viewer is one of GCP's basic roles: it gives read-only access to most resources in the project, which covers the calls above but is broader than they strictly need, so a custom role limited to the corresponding read permissions is the tighter option if you want to narrow it.

You have complete control over the permissions given to CloudSploit via the service account deployed in your account. If a plugin needs a permission the service account does not have, CloudSploit marks that plugin's result as "unknown" and continues with the rest of the scan rather than aborting it.

Oracle Cloud Infrastructure (OCI)

APIs:
authenticationpolicy:Get
autoscaleconfiguration:List
bootvolume:List
bootvolumeattachment:List
bootvolumebackup:List
bucket:Get
bucket:List
configuration:Get
database:List
dbhome:List
dbsystem:List
exportsummary:List
exprt:Get
group:List
instance:List
instancepool:List
loadbalancer:List
networksecuritygroup:List
policy:List
preauthenticatedrequest:List
publicip:List
securitylist:List
securityrule:List
subnet:List
user:List
usergroupmembership:List
vcn:Get
vcn:List
volume:List
volumebackup:List
volumebackuppolicyassignment:BootVolume
volumebackuppolicyassignment:Volume
volumegroup:List
volumegroupbackup:List
waaspolicy:Get
waaspolicy:List

Details:
These API calls are made by a user whose group is granted "read" access through an OCI IAM policy (the read verb). That user has read-only access to configuration metadata in the Oracle compartments the policy covers.

You have complete control over the permissions given to CloudSploit via the user deployed in your account. If a plugin needs a permission the user does not have, CloudSploit marks that plugin's result as "unknown" and continues with the rest of the scan rather than aborting it.