TransilienceComplianceRole

Role purpose: Collecting compliance evidence from AWS accounts and monitoring — this role is assumed by the Transilience platform to assess security posture, gather audit artifacts, and run configuration checks across your AWS environment.

Policy	Access	Purpose	Read Permissions	Write Permissions	Scope
SecurityAudit AWS Managed	READ	Collect compliance evidence across AWS services for monitoring and audit	IAM, EC2, RDS, Lambda, Config S3, CloudFormation, CloudWatch Broad read across most AWS services	none	Resource: *
Transilience-ECR-S3-Read Customer Managed	READ	Vulnerability scanning of container images and reading S3 bucket configurations	ECR: auth token, images, repos, scan findings, lifecycle & repo policies S3: bucket location, policy, ACL, versioning, tagging, logging, encryption, CORS, replication, object lock S3: ListBucket, ListAllMyBuckets	none	Resource: *
Transilience-Logs-VPC-Read Customer Managed	READ	Reading logs for compliance monitoring and network configuration evidence	CloudWatch Logs: log groups, streams, events, metric filters, subscriptions EC2/VPC: flow logs, VPCs, subnets, security groups, NACLs, route tables EC2/VPC: NAT/internet gateways, transit gateways, instances, tags	none	Resource: *
Transilience-Security-Services-Read Customer Managed	READ	Collecting compliance evidence from AWS security services	Inspector v2: findings, coverage, members, config Security Hub: findings, insights, standards, controls GuardDuty: findings, detectors, members Macie: findings, bucket stats, session Access Analyzer & Detective: list/get all Account: alternate contacts	none	Resource: *
Transilience-SSM-Read Customer Managed	READ	Reading instance configuration, patch state, and SSH configurations as compliance evidence	Instances: describe info, properties, connection status Inventory: get inventory, schema, entries Patches: instance patches, patch states, baselines, patch groups Commands: list commands & invocations, get invocation Sessions: describe sessions Documents: list, describe, get documents Parameters: get/describe parameters & history Associations: list, describe, execution details Automation: describe/get executions & steps Maintenance Windows: describe/get windows, targets, tasks, executions Compliance: resource summaries, items, compliance summaries	none	Resource: *
Transilience-Cost-Explorer Customer Managed	READ	Cost analysis of compliance runs, service usage, and inventory	Cost Explorer: cost/usage, forecasts, reservations, savings plans, anomalies, tags Cost & Usage Reports: describe report definitions Budgets: view budgets, describe actions & history Billing: data, details, preferences, credits, IAM access	none	Resource: *

Policy

Access

Purpose

Read Permissions

Write Permissions

Scope

SecurityAudit

AWS Managed

READ

Collect compliance evidence across AWS services for monitoring and audit

IAM, EC2, RDS, Lambda, Config
S3, CloudFormation, CloudWatch
Broad read across most AWS services

none

Resource: *

Transilience-ECR-S3-Read

Customer Managed

READ

Vulnerability scanning of container images and reading S3 bucket configurations

ECR: auth token, images, repos, scan findings, lifecycle & repo policies
S3: bucket location, policy, ACL, versioning, tagging, logging, encryption, CORS, replication, object lock
S3: ListBucket, ListAllMyBuckets

none

Resource: *

Transilience-Logs-VPC-Read

Customer Managed

READ

Reading logs for compliance monitoring and network configuration evidence

CloudWatch Logs: log groups, streams, events, metric filters, subscriptions
EC2/VPC: flow logs, VPCs, subnets, security groups, NACLs, route tables
EC2/VPC: NAT/internet gateways, transit gateways, instances, tags

none

Resource: *

Transilience-Security-Services-Read

Customer Managed

READ

Collecting compliance evidence from AWS security services

Inspector v2: findings, coverage, members, config
Security Hub: findings, insights, standards, controls
GuardDuty: findings, detectors, members
Macie: findings, bucket stats, session
Access Analyzer & Detective: list/get all
Account: alternate contacts

none

Resource: *

Transilience-SSM-Read

Customer Managed

READ

Reading instance configuration, patch state, and SSH configurations as compliance evidence

Instances: describe info, properties, connection status
Inventory: get inventory, schema, entries
Patches: instance patches, patch states, baselines, patch groups
Commands: list commands & invocations, get invocation
Sessions: describe sessions
Documents: list, describe, get documents
Parameters: get/describe parameters & history
Associations: list, describe, execution details
Automation: describe/get executions & steps
Maintenance Windows: describe/get windows, targets, tasks, executions
Compliance: resource summaries, items, compliance summaries

none

Resource: *

Transilience-Cost-Explorer

Customer Managed

READ

Cost analysis of compliance runs, service usage, and inventory

Cost Explorer: cost/usage, forecasts, reservations, savings plans, anomalies, tags
Cost & Usage Reports: describe report definitions
Budgets: view budgets, describe actions & history
Billing: data, details, preferences, credits, IAM access

none

Resource: *