Cloud profiles with minimal permissions for Cloud Action Library actions and subflows

  • Release version: Zurich
  • Updated July 31, 2025
You need appropriate cloud permissions to execute the Cloud Action Library actions and subflows. Edit the cloud permissions profile JSON to suit the needs of your organization.

    Amazon Web Services (AWS) profile with minimal permissions

    {
    	"Version": "2012-10-17",
    	"Statement": [{
    		"Sid": "VisualEditor0",
    		"Effect": "Allow",
    		"Action": [
    			"iam:GenerateCredentialReport",
    			"s3:GetEncryptionConfiguration",
    			"ec2:DescribeInstances",
    			"s3:ListBucketVersions",
    			"ec2:DescribeRegions",
    			"s3:ListBucket",
    			"iam:GetCredentialReport",
    			"iam:DeleteLoginProfile",
    			"ec2:MonitorInstances",
    			"iam:GetLoginProfile",
    			"ec2:DescribeImages",
    			"s3:PutEncryptionConfiguration",
    			"ec2:StopInstances",
    			"s3:GetBucketAcl"
    		],
    		"Resource": "*"
    	}]
    }

    Microsoft Azure profile with minimal permissions

    {
    	"properties": {
    		"roleName": "CCGAzureMinimalPermission",
    		"description": "Grants access to scan compute resources from the Azure subscription",
    		"assignableScopes": [
    			"/subscriptions/${subscription_id}"
    		],
    		"permissions": [{
    			"actions": [
    				"Microsoft.ResourceGraph/resources/read",
    				"Microsoft.Compute/virtualMachines/instanceView/read",
    				"Microsoft.Compute/virtualMachines/*/powerOff"
    			],
    			"notActions": [],
    			"dataActions": [],
    			"notDataActions": []
    		}]
    	}
    }
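
One way to edit the AWS profile for your organization, as an added example that is not part of the original documentation: split it into a read-only statement that keeps `"Resource": "*"` and per-service statements for the state-changing actions, bound to ARNs you supply. The verb-prefix classification, the `ACCOUNT_WIDE` set and the ARNs are assumptions of this example, and the profile's actions are assumed to be fully named, without wildcards.

```python
import json

# Constructed copy of the AWS profile on this page (same actions, same "*").
PROFILE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*", "Action": [
        "iam:GenerateCredentialReport", "s3:GetEncryptionConfiguration",
        "ec2:DescribeInstances", "s3:ListBucketVersions", "ec2:DescribeRegions",
        "s3:ListBucket", "iam:GetCredentialReport", "iam:DeleteLoginProfile",
        "ec2:MonitorInstances", "iam:GetLoginProfile", "ec2:DescribeImages",
        "s3:PutEncryptionConfiguration", "ec2:StopInstances", "s3:GetBucketAcl",
    ]}]}

READ_VERBS = ("Get", "List", "Describe")         # assumption: these verbs only read
ACCOUNT_WIDE = {"iam:GenerateCredentialReport"}  # assumption: takes no resource ARN

def is_read_only(action):
    verb = action.partition(":")[2]
    return verb.startswith(READ_VERBS) or action in ACCOUNT_WIDE

def scope_writes(policy, arns_by_service):
    """Reads keep "*"; writes get the caller's ARNs. Returns (policy, unscoped),
    where unscoped lists write actions that got no ARNs and stay on "*"."""
    statements, unscoped = [], []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow" or st.get("Resource") not in ("*", ["*"]):
            statements.append(st)  # already scoped, or a Deny: leave untouched
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        reads = sorted(a for a in actions if is_read_only(a))
        if reads:
            statements.append({"Sid": f"Stmt{i}Read", "Effect": "Allow",
                               "Action": reads, "Resource": "*"})
        writes = {}  # service prefix -> state-changing actions
        for a in (a for a in actions if not is_read_only(a)):
            writes.setdefault(a.partition(":")[0], []).append(a)
        for service, acts in sorted(writes.items()):
            arns = arns_by_service.get(service)
            if not arns:
                unscoped.extend(acts)
            statements.append({"Sid": f"Stmt{i}Write{service.upper()}", "Effect": "Allow",
                               "Action": sorted(acts), "Resource": arns or "*"})
    return {"Version": policy["Version"], "Statement": statements}, unscoped

if __name__ == "__main__":
    # Placeholder ARNs (constructed); use the resources the actions should reach.
    arns = {"ec2": ["arn:aws:ec2:*:111122223333:instance/*"],
            "s3": ["arn:aws:s3:::example-bucket"]}
    scoped, left = scope_writes(PROFILE, arns)
    print(json.dumps(scoped, indent=2), "\nstill on '*':", left)
```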