Document required iam perms for scanning

README.md

@@ -33,6 +33,97 @@ configuration files are included in the `conf/` directory:
 To scan a subset of regions, set the region list parameter `regions` in the `scan`
 section to a list of region names.
 
+## Required IAM permissions
+
+The following permissions are required for a scan of all supported resource types:
+
+    acm:DescribeCertificate
+    acm:ListCertificates
+    cloudtrail:DescribeTrails
+    dynamodb:DescribeContinuousBackups
+    dynamodb:DescribeTable
+    dynamodb:ListTables
+    ec2:DescribeFlowLogs
+    ec2:DescribeImages
+    ec2:DescribeInstances
+    ec2:DescribeInternetGateways
+    ec2:DescribeNetworkInterfaces
+    ec2:DescribeRegions
+    ec2:DescribeRouteTables
+    ec2:DescribeSecurityGroups
+    ec2:DescribeSnapshots
+    ec2:DescribeSubnets
+    ec2:DescribeTransitGatways
+    ec2:DescribeTransitGatwayAttachments
+    ec2:DescribeVolumes
+    ec2:DescribeVpcEndpoints
+    ec2:DescribeVpcEndpointServiceConfigurations
+    ec2:DescribeVpcPeeringConnections
+    ec2:DescribeTransitGatewayVpcAttachments
+    ec2:DescribeVpcs
+    elasticloadbalancing:DescribeLoadBalancers
+    elasticloadbalancing:DescribeLoadBalancerAttributes
+    elasticloadbalancing:DescribeTargetGroups
+    elasticloadbalancing:DescribeTargetGroupAttributes
+    elasticloadbalancing:DescribeTargetHealth
+    eks:ListClusters
+    events:ListRules
+    events:ListTargetsByRule
+    events:DescribeEventBus
+    guardduty:GetDetector
+    guardduty:GetMasterAccount
+    guardduty:ListDetectors
+    guardduty:ListMembers
+    iam:GetAccessKeyLastUsed
+    iam:GetAccountPasswordPolicy
+    iam:GetGroup
+    iam:GetGroupPolicy
+    iam:GetLoginProfile
+    iam:GetOpenIDConnectProvider
+    iam:GetPolicyVersion
+    iam:GetRolePolicy
+    iam:GetSAMLProvider
+    iam:GetUserPolicy
+    iam:ListAccessKeys
+    iam:ListAttachedGroupPolicies
+    iam:ListAttachedRolePolicies
+    iam:ListAttachedUserPolicies
+    iam:ListGroupPolicies
+    iam:ListGroups
+    iam:ListinstanceProfiles
+    iam:ListMFADevices
+    iam:ListOpenIDConnectProviders
+    iam:ListPolicies
+    iam:ListPolicies
+    iam:ListRolePolicies
+    iam:ListRoles
+    iam:ListSAMLProviders
+    iam:ListUserPolicies
+    iam:ListUsers
+    kms:ListKeys
+    lambda:ListFunctions
+    rds:DescribeDBInstances
+    rds:DescribeDBInstanceAutomatedBackups
+    rds:ListTagsForResource
+    rds:DescribeDBSnapshots
+    route53:ListHostedZones
+    route53:ListResourceRecordSets
+    s3:ListBuckets
+    s3:GetBucketLocation
+    s3:GetBucketEncryption
+    s3:GetBucketTagging
+    sts:GetCallerIdentity
+    support:DescribeSeverityLevels
+
+Additionally if you are doing multi-account scanning via an MPA master account you
+will also need:
+
+    organizations:DescribeOrganization
+    organizations:ListAccounts
+    organizations:ListAccountsForParent
+    organizations:ListOrganizationalUnitsForParent
+    organizations:ListRoots
+
 ## Generating the Graph
 
 Assuming you have configured AWS CLI credentials