Discovery Service AWS IAM Reference

The Teleport Discovery Service requires AWS IAM permissions to discover AWS resources. These permissions must be attached to an AWS IAM identity that the Discovery Service instance can use.

Each section below describes the IAM permissions used to discover a specific type of AWS resource.

EC2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2Discovery",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ssm:DescribeInstanceInformation",
                "ssm:GetCommandInvocation",
                "ssm:ListCommandInvocations",
                "ssm:SendCommand"
            ],
            "Resource": "*"
        }
    ]
}
Statement       Purpose
EC2Discovery    Discover EC2 instances.

EKS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EKSDiscovery",
            "Effect": "Allow",
            "Action": [
              "eks:DescribeCluster",
              "eks:ListClusters"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EKSManageAccess",
            "Effect": "Allow",
            "Action": [
              "eks:AssociateAccessPolicy",
              "eks:CreateAccessEntry",
              "eks:DeleteAccessEntry",
              "eks:DescribeAccessEntry",
              "eks:TagResource",
              "eks:UpdateAccessEntry"
            ],
            "Resource": "*"
        }
    ]
}
Statement          Purpose
EKSDiscovery       Discover EKS clusters and fetch additional details about them.
EKSManageAccess    Automatically set up Teleport access for discovered EKS clusters.

Instead of the wildcard, you can narrow the Resource element to a list of ARNs so that the permissions apply only to specific regions or EKS clusters. The cluster ARN has the following format:

arn:{Partition}:eks:{Region}:{Account}:cluster/{ClusterName}

The permissions in the EKSManageAccess statement are optional: the Discovery Service still discovers EKS clusters when it cannot set up access to them for the Teleport Kubernetes Service. If you omit any of the EKSManageAccess permissions, it is your responsibility to ensure that the Teleport Kubernetes Service can access each discovered EKS cluster.
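As an added example (not Teleport's code), the following Python builds cluster ARNs in the format above and rewrites the EKS policy from this page so that EKSManageAccess is restricted to an explicit list of clusters, while EKSDiscovery keeps the wildcard because eks:ListClusters is not tied to a single cluster ARN. The partition, region, account ID and cluster names in the usage are placeholders.

```python
import copy
import json
import re

# Added example, not Teleport's code. Actions copied from the EKSManageAccess
# statement on this page.
EKS_MANAGE_ACCESS_ACTIONS = [
    "eks:AssociateAccessPolicy",
    "eks:CreateAccessEntry",
    "eks:DeleteAccessEntry",
    "eks:DescribeAccessEntry",
    "eks:TagResource",
    "eks:UpdateAccessEntry",
]

# arn:{Partition}:eks:{Region}:{Account}:cluster/{ClusterName}. "*" is accepted
# for the region or the cluster name so one ARN can cover a whole region.
_EKS_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):eks:"
    r"([a-z]{2}(?:-[a-z]+)+-[0-9]|\*):([0-9]{12}):cluster/([A-Za-z0-9_-]{1,100}|\*)$"
)


def is_eks_cluster_arn(arn: str) -> bool:
    """True if arn matches the cluster ARN format documented on this page."""
    return _EKS_ARN.match(arn) is not None


def eks_cluster_arn(partition: str, region: str, account: str, cluster_name: str) -> str:
    """Build a cluster ARN from its parts, refusing malformed input."""
    arn = f"arn:{partition}:eks:{region}:{account}:cluster/{cluster_name}"
    if not is_eks_cluster_arn(arn):
        raise ValueError(f"not a valid EKS cluster ARN: {arn}")
    return arn


def scope_eks_manage_access(policy: dict, cluster_arns) -> dict:
    """Return a copy of policy whose EKSManageAccess statement lists only cluster_arns.

    The EKSDiscovery statement is left on Resource "*": listing clusters is an
    account-wide call and is not scoped to a cluster ARN.
    """
    arns = sorted(set(cluster_arns))
    bad = [a for a in arns if not is_eks_cluster_arn(a)]
    if not arns or bad:
        raise ValueError(f"need at least one valid EKS cluster ARN; rejected: {bad}")
    scoped = copy.deepcopy(policy)  # never mutate the caller's document
    hits = 0
    for stmt in scoped["Statement"]:
        if stmt.get("Sid") == "EKSManageAccess":
            stmt["Resource"] = arns
            hits += 1
    if hits == 0:
        raise ValueError("policy has no EKSManageAccess statement")
    return scoped


# The EKS policy from this page, used as the starting point.
PAGE_EKS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EKSDiscovery", "Effect": "Allow",
     "Action": ["eks:DescribeCluster", "eks:ListClusters"], "Resource": "*"},
    {"Sid": "EKSManageAccess", "Effect": "Allow",
     "Action": ["eks:AssociateAccessPolicy", "eks:CreateAccessEntry",
                "eks:DeleteAccessEntry", "eks:DescribeAccessEntry",
                "eks:TagResource", "eks:UpdateAccessEntry"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    # Placeholder account ID and cluster names (hypothetical).
    clusters = [
        eks_cluster_arn("aws", "us-east-1", "123456789012", "prod-eks"),
        eks_cluster_arn("aws", "us-east-1", "123456789012", "staging-eks"),
    ]
    print(json.dumps(scope_eks_manage_access(PAGE_EKS_POLICY, clusters), indent=2))
```

Attach the printed document to the Discovery Service's IAM identity in place of the page's wildcard version; the same function can take region-wide ARNs such as arn:aws:eks:us-east-1:123456789012:cluster/* when you want every cluster in one region but nothing elsewhere.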

Databases

DocumentDB

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DocumentDBDiscovery",
            "Effect": "Allow",
            "Action": "rds:DescribeDBClusters",
            "Resource": "*"
        }
    ]
}
Statement             Purpose
DocumentDBDiscovery   Discover Amazon DocumentDB clusters.

DynamoDB

Database discovery is not available for DynamoDB.

To register a DynamoDB database with your Teleport cluster, configure it manually, either in the static configuration or as a dynamic db resource.

See the database access reference for more information.

ElastiCache for Redis

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ElastiCacheDiscovery",
            "Effect": "Allow",
            "Action": "elasticache:DescribeReplicationGroups",
            "Resource": "*"
        },
        {
            "Sid": "ElastiCacheFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
Statement                  Purpose
ElastiCacheDiscovery       Discover ElastiCache replication groups.
ElastiCacheFetchMetadata   Import AWS tags and additional metadata for each database as Teleport database labels.

Keyspaces

Database discovery is not available for Keyspaces.

To register a Keyspaces database with your Teleport cluster, configure it manually, either in the static configuration or as a dynamic db resource.

See the database access reference for more information.

MemoryDB

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MemoryDBDiscovery",
            "Effect": "Allow",
            "Action": "memorydb:DescribeClusters",
            "Resource": "*"
        },
        {
            "Sid": "MemoryDBFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "memorydb:DescribeSubnetGroups",
                "memorydb:ListTags"
            ],
            "Resource": "*"
        }
    ]
}
Statement               Purpose
MemoryDBDiscovery       Discover MemoryDB databases.
MemoryDBFetchMetadata   Import AWS tags and additional metadata for each database as Teleport database labels.

OpenSearch

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OpenSearchDiscovery",
            "Effect": "Allow",
            "Action": [
                "es:DescribeDomains",
                "es:ListDomainNames"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OpenSearchFetchMetadata",
            "Effect": "Allow",
            "Action": "es:ListTags",
            "Resource": "*"
        }
    ]
}
Statement                 Purpose
OpenSearchDiscovery       Discover OpenSearch domains.
OpenSearchFetchMetadata   Import each discovered domain's AWS tags as Teleport database labels.

RDS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RDSDiscovery",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances"
            ],
            "Resource": "*"
        }
    ]
}
Statement      Purpose
RDSDiscovery   Discover RDS instances and Aurora clusters.

When configured to discover RDS databases, the Discovery Service attempts to discover both RDS instances and Aurora clusters. The rds:DescribeDBInstances permission is used to find RDS instances and also to fetch additional information about discovered Aurora clusters, so include it even if you only have Aurora clusters to discover. If you do not want Aurora cluster discovery, you can omit rds:DescribeDBClusters.
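The RDS note above is easy to get wrong when a policy is written by hand, and the same goes for the split between the *Discovery and *FetchMetadata statements in the other sections. The following is an added example (not Teleport's code or tooling) that audits a policy document offline against the action sets listed on this page: it expands IAM action wildcards, reports which discovery actions and which metadata actions are missing for the resource types you intend to discover, and lists the statements that still use a wildcard Resource. The dictionary keys are this page's section names (with Aurora split out per the note above), not Teleport configuration keywords, and the "Aurora only" policy is a constructed sample. The audit ignores Deny statements, NotAction, Condition blocks and permission boundaries, so treat it as a pre-check rather than a replacement for the IAM policy simulator.

```python
import fnmatch
import json

# Added example, not Teleport's code. Action sets are copied from the policy
# statements on this page; keys are the page's section names, not Teleport config.
DISCOVERY_ACTIONS = {
    "EC2": {"ec2:DescribeInstances", "ssm:DescribeInstanceInformation",
            "ssm:GetCommandInvocation", "ssm:ListCommandInvocations", "ssm:SendCommand"},
    "EKS": {"eks:DescribeCluster", "eks:ListClusters"},
    "DocumentDB": {"rds:DescribeDBClusters"},
    "ElastiCache": {"elasticache:DescribeReplicationGroups"},
    "MemoryDB": {"memorydb:DescribeClusters"},
    "OpenSearch": {"es:DescribeDomains", "es:ListDomainNames"},
    "RDS": {"rds:DescribeDBInstances"},
    # Aurora needs DescribeDBInstances as well, as the RDS note above explains.
    "Aurora": {"rds:DescribeDBClusters", "rds:DescribeDBInstances"},
    "RDS Proxy": {"rds:DescribeDBProxies"},
    "Redshift": {"redshift:DescribeClusters"},
    "Redshift Serverless": {"redshift-serverless:ListWorkgroups"},
}

# Actions from the *FetchMetadata and EKSManageAccess statements. The page marks
# EKSManageAccess as optional; the others import tags and extra endpoints.
METADATA_ACTIONS = {
    "EKS": {"eks:AssociateAccessPolicy", "eks:CreateAccessEntry", "eks:DeleteAccessEntry",
            "eks:DescribeAccessEntry", "eks:TagResource", "eks:UpdateAccessEntry"},
    "ElastiCache": {"elasticache:DescribeCacheClusters",
                    "elasticache:DescribeCacheSubnetGroups", "elasticache:ListTagsForResource"},
    "MemoryDB": {"memorydb:DescribeSubnetGroups", "memorydb:ListTags"},
    "OpenSearch": {"es:ListTags"},
    "RDS Proxy": {"rds:DescribeDBProxyEndpoints", "rds:ListTagsForResource"},
    "Redshift Serverless": {"redshift-serverless:ListEndpointAccess",
                            "redshift-serverless:ListTagsForResource"},
}


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy: dict) -> list:
    """Action patterns from Allow statements. Deny and NotAction are ignored."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.extend(_as_list(stmt["Action"]))
    return patterns


def _is_allowed(action: str, patterns) -> bool:
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit(policy: dict, wanted) -> dict:
    """For each wanted resource type, list the page's actions the policy lacks."""
    patterns = allowed_action_patterns(policy)
    report = {}
    for kind in wanted:
        if kind not in DISCOVERY_ACTIONS:
            raise KeyError(f"unknown resource type {kind!r}")
        report[kind] = {
            "missing_discovery": sorted(a for a in DISCOVERY_ACTIONS[kind]
                                        if not _is_allowed(a, patterns)),
            "missing_metadata": sorted(a for a in METADATA_ACTIONS.get(kind, ())
                                       if not _is_allowed(a, patterns)),
        }
    return report


def wildcard_resource_sids(policy: dict) -> list:
    """Sids of statements whose Resource is (or contains) the "*" wildcard."""
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy["Statement"])
            if "*" in _as_list(stmt.get("Resource", []))]


# Constructed sample: the mistake the RDS note warns about, an "Aurora only"
# policy that omits rds:DescribeDBInstances.
AURORA_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AuroraDiscovery", "Effect": "Allow",
     "Action": "rds:DescribeDBClusters", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit(AURORA_ONLY_POLICY, ["Aurora", "DocumentDB"]), indent=2))
    print("wildcard Resource in:", wildcard_resource_sids(AURORA_ONLY_POLICY))
```

Running it on the constructed policy reports rds:DescribeDBInstances as missing for Aurora while DocumentDB is satisfied, which is exactly the asymmetry the note describes: both use rds:DescribeDBClusters, but only Aurora discovery also needs instance details.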

RDS Proxy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RDSProxyDiscovery",
            "Effect": "Allow",
            "Action": "rds:DescribeDBProxies",
            "Resource": "*"
        },
        {
            "Sid": "RDSProxyFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBProxyEndpoints",
                "rds:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
Statement               Purpose
RDSProxyDiscovery       Discover RDS Proxies and register each proxy's default endpoint as a Teleport database.
RDSProxyFetchMetadata   Fetch metadata for discovered proxies to import AWS resource tags as Teleport database labels and register custom endpoints as Teleport databases.

Redshift

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RedshiftDiscovery",
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        }
    ]
}
Statement           Purpose
RedshiftDiscovery   Discover Amazon Redshift clusters.

Redshift Serverless

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RedshiftServerlessDiscovery",
            "Effect": "Allow",
            "Action": "redshift-serverless:ListWorkgroups",
            "Resource": "*"
        },
        {
            "Sid": "RedshiftServerlessFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "redshift-serverless:ListEndpointAccess",
                "redshift-serverless:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
Statement                         Purpose
RedshiftServerlessDiscovery       Discover Redshift Serverless workgroups.
RedshiftServerlessFetchMetadata   Fetch metadata for discovered workgroups to import AWS tags as Teleport database labels and register any VPC endpoints as Teleport databases.