IAM Policy
Minimum permissions required for RepliMap
RepliMap requires read-only access to scan your AWS resources. We adhere to the principle of least privilege.
Recommended Policy
This policy allows RepliMap to scan all supported resource types:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RepliMapReadOnly",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"rds:Describe*",
"rds:ListTagsForResource",
"elasticache:Describe*",
"elasticache:ListTagsForResource",
"autoscaling:Describe*",
"elasticloadbalancing:Describe*",
"s3:ListAllMyBuckets",
"s3:GetBucket*",
"s3:GetLifecycleConfiguration",
"iam:ListRoles",
"iam:ListPolicies",
"iam:ListInstanceProfiles",
"iam:ListRoleTags",
"iam:GetRole",
"iam:GetPolicy",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:ListTagsForResource",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"cloudwatch:DescribeAlarms",
"tag:GetResources",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}A minimal policy for scanning VPCs only:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RepliMapVPCRead",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"sts:GetCallerIdentity"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Region": "us-east-1"
}
}
}
]
}Setup Instructions
Option 1: Create Dedicated IAM User
- Go to IAM Console → Users → Add User
- Name:
replimap-scanner - Access type: Programmatic access
- Attach the policy above
- Save the access keys
# Configure AWS CLI
aws configure --profile replimap
# Enter the access key ID and secretOption 2: Create IAM Role (Recommended for EC2/ECS)
- Go to IAM Console → Roles → Create Role
- Select AWS service → EC2/ECS
- Attach the policy above
- Name:
replimap-scanner-role
Verify Permissions
# Verify identity
aws sts get-caller-identity --profile replimap
# Test VPC access
aws ec2 describe-vpcs --profile replimap --region us-east-1
# Test with RepliMap
replimap scan --profile replimap --region us-east-1Permissions by Resource Type
| Resource | Actions Required | Purpose |
|---|---|---|
| VPC | ec2:DescribeVpcs | Scan VPC configurations |
| Subnet | ec2:DescribeSubnets | Scan subnet configurations |
| Security Group | ec2:DescribeSecurityGroups | Scan security rules |
| EC2 Instance | ec2:DescribeInstances | Scan instance configurations |
| RDS Instance | rds:DescribeDBInstances | Scan database configurations |
| S3 Bucket | s3:ListAllMyBuckets, s3:GetBucket* | Scan bucket configurations |
| ELB/ALB | elasticloadbalancing:Describe* | Scan load balancers, listeners, target groups |
| IAM | iam:ListRoles, iam:ListPolicies, iam:ListRoleTags | Scan roles, policies, instance profiles |
| SQS / SNS | sqs:ListQueues, sns:ListTopics | Scan messaging resources |
| CloudWatch | logs:DescribeLogGroups, cloudwatch:DescribeAlarms | Scan log groups and alarms |
| STS | sts:GetCallerIdentity | Verify authentication |
What RepliMap Does NOT Do
RepliMap never:
- ❌ Creates, modifies, or deletes any AWS resources
- ❌ Accesses S3 bucket contents (only metadata)
- ❌ Reads database contents
- ❌ Accesses secrets or credentials
- ❌ Makes cross-account API calls
- ❌ Uploads any data to external services
Troubleshooting
"Access Denied" Error
AccessDeniedException: User: arn:aws:iam::123456789012:user/replimap
is not authorized to perform: ec2:DescribeVpcsSolution: Ensure the IAM policy is correctly attached to your user/role.
"InvalidClientTokenId" Error
InvalidClientTokenId: The security token included in the request is invalid.Solution: Check your AWS credentials are correctly configured:
aws configure list --profile replimapRegion-Specific Issues
If you only have access to specific regions:
# Specify the region explicitly
replimap scan --profile replimap --region eu-west-1