Permissions Matrix
Public mapping of the Core Scan Role and optional scoped AWS capabilities in the OpsCurb trust model.
Updated 2026-03-14
This page is generated from the shared access manifest that powers the onboarding wizard, backend capability gating, and the published IAM policy definitions.
Access model
- Core scan is the required minimum role for new accounts.
- Optional roles unlock only the add-on features they describe.
- Existing broad-access customers can stay connected as legacy_broad until they reconnect under the tiered model.
- Observed AWS API actions are recorded per scan and Deep Inspect run so policy changes can be reviewed against real usage.
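The tiered model above maps directly onto one IAM statement per capability, and the observed-action record is what lets you trim a role to what a scan actually calls. The following is an added example, not OpsCurb's manifest format or code: it assumes a simplified manifest shape (capability name, access level, action list) populated with an abbreviated copy of the matrix on this page, builds the policy document for a chosen set of enabled add-ons, and reviews it against a constructed observed-action log, flagging unused grants, calls the role would deny, wildcards, and any action that is not a read-only Describe/Get/List/Lookup verb.

```python
"""Build and review tiered IAM policies from a capability manifest.

Added example; not OpsCurb's own manifest or code. MANIFEST is an abbreviated
copy of the public matrix in an assumed shape, and OBSERVED is a constructed
per-scan action record, not real data.
"""
import json
import re

# Assumed manifest shape: capability -> (access level, AWS actions).
MANIFEST = {
    "Core scan": ("Required", [
        "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
        "cloudwatch:GetMetricData", "ce:GetCostAndUsage", "sts:GetCallerIdentity",
    ]),
    "Deep Inspect": ("Optional", [
        "cloudwatch:GetMetricStatistics", "cloudtrail:LookupEvents",
    ]),
    "Tag inventory": ("Optional", [
        "tag:GetResources", "tag:GetTagKeys", "tag:TagResources",
    ]),
}

# Read-only verbs used throughout the matrix; anything else (or a wildcard)
# is treated as potentially mutating and surfaced for review.
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(Describe|Get|List|Lookup)[A-Za-z]*$")


def mutating_actions(actions):
    """Return actions whose verb is not Describe/Get/List/Lookup, sorted."""
    return sorted(a for a in actions if not READ_ONLY_VERB.match(a))


def build_policy(manifest, enabled):
    """One Allow statement per capability; Required tiers are always included."""
    statements = []
    for name, (access, actions) in manifest.items():
        if access != "Required" and name not in enabled:
            continue
        statements.append({
            "Sid": re.sub(r"[^A-Za-z0-9]", "", name),  # IAM Sids are alphanumeric
            "Effect": "Allow",
            "Action": sorted(set(actions)),
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def granted_actions(policy):
    """Flatten every Allow statement's Action field (string or list) to a set."""
    granted = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def review_against_usage(policy, observed):
    """Compare a policy with the observed-action record for a scan.

    unused    granted but never observed: candidates for removal
    missing   observed but not granted: calls the role would deny
    wildcards grants containing '*', which the matrix never needs
    mutating  non-read verbs, which should be the rare exception
    """
    granted = granted_actions(policy)
    seen = set(observed)
    return {
        "unused": sorted(granted - seen),
        "missing": sorted(seen - granted),
        "wildcards": sorted(a for a in granted if "*" in a),
        "mutating": mutating_actions(granted),
    }


# Constructed observed-action log for one scan (not real data).
OBSERVED = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "cloudwatch:GetMetricData",
    "ce:GetCostAndUsage", "sts:GetCallerIdentity", "ec2:DescribeNatGateways",
]

if __name__ == "__main__":
    policy = build_policy(MANIFEST, enabled={"Tag inventory"})
    print(json.dumps(policy, indent=2))
    print(json.dumps(review_against_usage(policy, OBSERVED), indent=2))
```

With the constructed log, the review reports `ec2:DescribeNatGateways` as missing (the role would deny it), the unexercised Core scan and tag actions as unused, and `tag:TagResources` as the only mutating grant, which matches the one write action in the matrix below.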
Capability summary
| Capability | Required | Purpose |
|---|---|---|
| Core scan | Required | Default minimal access for the first scan and ongoing baseline findings. |
| Deep Inspect | Optional | On-demand evidence gathering for a single finding using CloudWatch metrics and CloudTrail events. |
| Advanced log diagnostics | Optional | Optional CloudWatch Logs Insights access for Lambda rightsizing, CloudWatch Logs findings, and NAT or VPC endpoint flow-log enrichment. |
| S3 inventory | Optional | Optional S3 metadata access for lifecycle and multipart-upload findings. |
| IAM hygiene | Optional | Optional IAM listing access for idle-user, role, and access-key hygiene findings. |
| Tag inventory | Optional | Optional tag inventory and remediation access for cost-allocation and compliance findings. |
Permission-to-feature matrix
Core scan
Suggested role: Core scan role
| AWS action | What OpsCurb uses it for | Feature | Access | What we keep |
|---|---|---|---|---|
ec2:DescribeAddresses | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeAvailabilityZones | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeFastSnapshotRestores | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeImages | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeInstances | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeLaunchTemplates | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeLaunchTemplateVersions | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeNatGateways | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeRegions | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeRouteTables | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeSnapshots | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeSubnets | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeVolumes | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeVpcEndpoints | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
ec2:DescribeVpcs | List EC2, EBS, NAT, snapshot, subnet, and VPC metadata for baseline waste detection. | Core scan | Required | Stores metadata in findings and scan summaries. |
autoscaling:DescribeAutoScalingGroups | Check whether compute assets are still referenced by Auto Scaling before flagging cleanup. | Core scan | Required | Stores metadata in findings and scan summaries. |
autoscaling:DescribeLaunchConfigurations | Check whether compute assets are still referenced by Auto Scaling before flagging cleanup. | Core scan | Required | Stores metadata in findings and scan summaries. |
elasticloadbalancing:DescribeLoadBalancers | Review load balancer and target-group configuration for idle or low-value spend. | Core scan | Required | Stores metadata in findings and scan summaries. |
elasticloadbalancing:DescribeTags | Review load balancer and target-group configuration for idle or low-value spend. | Core scan | Required | Stores metadata in findings and scan summaries. |
elasticloadbalancing:DescribeTargetGroups | Review load balancer and target-group configuration for idle or low-value spend. | Core scan | Required | Stores metadata in findings and scan summaries. |
elasticloadbalancing:DescribeTargetHealth | Review load balancer and target-group configuration for idle or low-value spend. | Core scan | Required | Stores metadata in findings and scan summaries. |
rds:DescribeDBInstances | Review RDS instance and snapshot metadata for zombie, snapshot, Multi-AZ, and IOPS findings. | Core scan | Required | Stores metadata in findings and scan summaries. |
rds:DescribeDBSnapshots | Review RDS instance and snapshot metadata for zombie, snapshot, Multi-AZ, and IOPS findings. | Core scan | Required | Stores metadata in findings and scan summaries. |
rds:ListTagsForResource | Review RDS instance and snapshot metadata for zombie, snapshot, Multi-AZ, and IOPS findings. | Core scan | Required | Stores metadata in findings and scan summaries. |
cloudwatch:DescribeAlarms | Read CloudWatch metric aggregates needed for utilization-based findings without reading log contents. | Core scan | Required | Stores derived findings, not raw metric datapoints. |
cloudwatch:GetMetricData | Read CloudWatch metric aggregates needed for utilization-based findings without reading log contents. | Core scan | Required | Stores derived findings, not raw metric datapoints. |
cloudwatch:GetMetricStatistics | Read CloudWatch metric aggregates needed for utilization-based findings without reading log contents. | Core scan | Required | Stores derived findings, not raw metric datapoints. |
cloudwatch:ListMetrics | Read CloudWatch metric aggregates needed for utilization-based findings without reading log contents. | Core scan | Required | Stores derived findings, not raw metric datapoints. |
ecr:DescribeImages | Review ECR repository metadata and lifecycle configuration for stale image cleanup. | Core scan | Required | Stores metadata in findings and scan summaries. |
ecr:DescribeRepositories | Review ECR repository metadata and lifecycle configuration for stale image cleanup. | Core scan | Required | Stores metadata in findings and scan summaries. |
ecr:GetLifecyclePolicy | Review ECR repository metadata and lifecycle configuration for stale image cleanup. | Core scan | Required | Stores metadata in findings and scan summaries. |
ecr:ListImages | Review ECR repository metadata and lifecycle configuration for stale image cleanup. | Core scan | Required | Stores metadata in findings and scan summaries. |
ecs:DescribeServices | Review ECS service configuration and task sizing for idle or oversized services. | Core scan | Required | Stores metadata in findings and scan summaries. |
ecs:DescribeTaskDefinition | Review ECS service configuration and task sizing for idle or oversized services. | Core scan | Required | Stores metadata in findings and scan summaries. |
ecs:ListClusters | Review ECS service configuration and task sizing for idle or oversized services. | Core scan | Required | Stores metadata in findings and scan summaries. |
ecs:ListServices | Review ECS service configuration and task sizing for idle or oversized services. | Core scan | Required | Stores metadata in findings and scan summaries. |
ce:GetCostAndUsage | Read cost and commitment data for savings summaries, anomaly context, and forecasting. | Core scan | Required | Cost summaries are stored in findings, dashboards, and historical rollups. |
ce:GetCostForecast | Read cost and commitment data for savings summaries, anomaly context, and forecasting. | Core scan | Required | Cost summaries are stored in findings, dashboards, and historical rollups. |
ce:GetReservationCoverage | Read cost and commitment data for savings summaries, anomaly context, and forecasting. | Core scan | Required | Cost summaries are stored in findings, dashboards, and historical rollups. |
ce:GetReservationPurchaseRecommendation | Read cost and commitment data for savings summaries, anomaly context, and forecasting. | Core scan | Required | Cost summaries are stored in findings, dashboards, and historical rollups. |
ce:GetReservationUtilization | Read cost and commitment data for savings summaries, anomaly context, and forecasting. | Core scan | Required | Cost summaries are stored in findings, dashboards, and historical rollups. |
ce:GetSavingsPlansCoverage | Read cost and commitment data for savings summaries, anomaly context, and forecasting. | Core scan | Required | Cost summaries are stored in findings, dashboards, and historical rollups. |
ce:GetSavingsPlansUtilization | Read cost and commitment data for savings summaries, anomaly context, and forecasting. | Core scan | Required | Cost summaries are stored in findings, dashboards, and historical rollups. |
sts:GetCallerIdentity | Confirm the connected role resolves to the expected AWS account. | Connection validation | Required | Stores the resolved AWS account identity as account metadata. |
Deep Inspect
Suggested role: Deep Inspect role
| AWS action | What OpsCurb uses it for | Feature | Access | What we keep |
|---|---|---|---|---|
cloudwatch:GetMetricStatistics | Review recent CloudWatch utilization for a specific finding when an operator requests evidence. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metric payloads. |
cloudwatch:ListMetrics | Review recent CloudWatch utilization for a specific finding when an operator requests evidence. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metric payloads. |
cloudtrail:LookupEvents | Check recent change history and ownership signals for a specific finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw event payloads. |
ec2:DescribeRouteTables | Resolve current dependencies and routing for the inspected finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metadata. |
ecs:DescribeServices | Resolve current dependencies and routing for the inspected finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metadata. |
ecs:DescribeTaskDefinition | Resolve current dependencies and routing for the inspected finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metadata. |
ecs:ListClusters | Resolve current dependencies and routing for the inspected finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metadata. |
elasticloadbalancing:DescribeLoadBalancers | Resolve current dependencies and routing for the inspected finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metadata. |
elasticloadbalancing:DescribeTargetGroups | Resolve current dependencies and routing for the inspected finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metadata. |
elasticloadbalancing:DescribeTargetHealth | Resolve current dependencies and routing for the inspected finding. | Deep Inspect | Optional | Stores derived evidence on the finding, not raw metadata. |
Advanced log diagnostics
Suggested role: Log diagnostics role
Unlike Core scan, this tier reads log contents through CloudWatch Logs Insights queries (logs:StartQuery and logs:GetQueryResults); only derived findings and summaries are retained. Note that lambda:GetFunction also returns a presigned download link for the function's deployment package, whereas lambda:GetFunctionConfiguration returns configuration only.
| AWS action | What OpsCurb uses it for | Feature | Access | What we keep |
|---|---|---|---|---|
logs:DescribeLogGroups | Query CloudWatch Logs for Lambda REPORT lines and existing flow-log evidence. | Advanced log diagnostics | Optional | Stores only derived findings and summaries. |
logs:DescribeLogStreams | Query CloudWatch Logs for Lambda REPORT lines and existing flow-log evidence. | Advanced log diagnostics | Optional | Stores only derived findings and summaries. |
logs:GetQueryResults | Query CloudWatch Logs for Lambda REPORT lines and existing flow-log evidence. | Advanced log diagnostics | Optional | Stores only derived findings and summaries. |
logs:StartQuery | Query CloudWatch Logs for Lambda REPORT lines and existing flow-log evidence. | Advanced log diagnostics | Optional | Stores only derived findings and summaries. |
cloudwatch:GetMetricStatistics | Read CloudWatch metric aggregates needed alongside log analysis for Lambda, NAT Gateway, and VPC endpoint diagnostics. | Advanced log diagnostics | Optional | Stores derived findings, not raw metric payloads. |
ec2:DescribeNatGateways | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
ec2:DescribeRouteTables | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
ec2:DescribeSubnets | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
ec2:DescribeFlowLogs | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
ec2:DescribeManagedPrefixLists | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
ec2:DescribeVpcEndpoints | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
ec2:DescribeVpcs | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
ec2:GetManagedPrefixListEntries | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
lambda:GetFunction | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
lambda:GetFunctionConfiguration | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
lambda:ListFunctions | Map log evidence to NAT paths, gateway-endpoint opportunities, and Lambda functions. | Advanced log diagnostics | Optional | Stores finding metadata, not raw log-derived payloads. |
S3 inventory
Suggested role: S3 inventory role
| AWS action | What OpsCurb uses it for | Feature | Access | What we keep |
|---|---|---|---|---|
s3:GetBucketLocation | Review bucket-level metadata for lifecycle and orphaned multipart-upload findings without reading objects. | S3 inventory | Optional | Stores bucket metadata summaries only; never reads object contents. |
s3:GetBucketTagging | Review bucket-level metadata for lifecycle and orphaned multipart-upload findings without reading objects. | S3 inventory | Optional | Stores bucket metadata summaries only; never reads object contents. |
s3:GetBucketVersioning | Review bucket-level metadata for lifecycle and orphaned multipart-upload findings without reading objects. | S3 inventory | Optional | Stores bucket metadata summaries only; never reads object contents. |
s3:GetLifecycleConfiguration | Review bucket-level metadata for lifecycle and orphaned multipart-upload findings without reading objects. | S3 inventory | Optional | Stores bucket metadata summaries only; never reads object contents. |
s3:ListAllMyBuckets | Review bucket-level metadata for lifecycle and orphaned multipart-upload findings without reading objects. | S3 inventory | Optional | Stores bucket metadata summaries only; never reads object contents. |
s3:ListBucketMultipartUploads | Review bucket-level metadata for lifecycle and orphaned multipart-upload findings without reading objects. | S3 inventory | Optional | Stores bucket metadata summaries only; never reads object contents. |
s3:ListBucketVersions | Review bucket-level metadata for lifecycle and orphaned multipart-upload findings without reading objects. | S3 inventory | Optional | Stores bucket metadata summaries only; never reads object contents. |
IAM hygiene
Suggested role: IAM hygiene role
| AWS action | What OpsCurb uses it for | Feature | Access | What we keep |
|---|---|---|---|---|
iam:GetAccessKeyLastUsed | Review idle IAM users, roles, and access keys as an optional hygiene workflow. | IAM hygiene | Optional | Stores identity metadata summaries only; never reads secrets or credential values. |
iam:ListAccessKeys | Review idle IAM users, roles, and access keys as an optional hygiene workflow. | IAM hygiene | Optional | Stores identity metadata summaries only; never reads secrets or credential values. |
iam:ListRoles | Review idle IAM users, roles, and access keys as an optional hygiene workflow. | IAM hygiene | Optional | Stores identity metadata summaries only; never reads secrets or credential values. |
iam:ListUsers | Review idle IAM users, roles, and access keys as an optional hygiene workflow. | IAM hygiene | Optional | Stores identity metadata summaries only; never reads secrets or credential values. |
Tag inventory
Suggested role: Tag inventory role
tag:TagResources is the only action in this matrix that modifies the connected account; it is used solely to apply tag remediations the customer has approved.
| AWS action | What OpsCurb uses it for | Feature | Access | What we keep |
|---|---|---|---|---|
tag:GetResources | Review tag coverage across resources and apply approved tag remediations when the customer opts into cost-allocation analysis. | Tag inventory | Optional | Stores tag metadata in findings and the tag dashboard. |
tag:GetTagKeys | Review tag coverage across resources and apply approved tag remediations when the customer opts into cost-allocation analysis. | Tag inventory | Optional | Stores tag metadata in findings and the tag dashboard. |
tag:GetTagValues | Review tag coverage across resources and apply approved tag remediations when the customer opts into cost-allocation analysis. | Tag inventory | Optional | Stores tag metadata in findings and the tag dashboard. |
tag:TagResources | Review tag coverage across resources and apply approved tag remediations when the customer opts into cost-allocation analysis. | Tag inventory | Optional | Stores tag metadata in findings and the tag dashboard. |
Legacy broad-access policy
The legacy broad-access policy remains available for migration support only. New accounts should use the tiered core-plus-add-ons model above. Before reconnecting a legacy_broad account, compare the observed AWS API actions recorded for its recent scans against the tiered role you plan to grant, so the cutover does not drop a call the scanner actually makes.
Generated from access manifest version 2026-03-14.