The role ARN you provide when onboarding your AWS account must attach to the AWS-managed SecurityAudit policy. For example, arn:aws:iam::aws:policy/SecurityAudit
.
The Security Audit template grants access to read security configuration metadata. It is useful for software that audits the configuration of an AWS account.
The following permissions are the bare minimum for the functionality to work.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "*", "Action": [ "ec2:Describe*", "autoscaling:Describe*" ] } ] }