{{#include ../../banners/hacktricks-training.md}}
These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools:
- The default policy arn:aws:iam::aws:policy/ReadOnlyAccess
- To run aws_iam_review you also need the permissions:
- access-analyzer:List*
- access-analyzer:Get*
- iam:CreateServiceLinkedRole
- access-analyzer:CreateAnalyzer
- Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission)
- access-analyzer:DeleteAnalyzer
- Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission)
{{#include ../../banners/hacktricks-training.md}}