Skip to main content

Documentation Index

Fetch the complete documentation index at: https://support.configview.com/llms.txt

Use this file to discover all available pages before exploring further.

Part 1: AWS Data Ingestion

Set up an AWS IAM user so ConfigView can pull your AWS infrastructure data into the dashboard. For security, ConfigView requires strictly read-only permissions to aggregate your configurations. We recommend creating a custom policy rather than using the broad AWS-managed ReadOnlyAccess policy to adhere to the principle of least privilege.

Step 1: Create a Custom IAM Policy

  1. Log in to the AWS Management Console as an administrator.
  2. Navigate to the IAM (Identity and Access Management) console.
  3. In the left navigation pane, choose Policies, then click Create policy.
  4. Switch to the JSON tab and paste the following policy. This grants exactly what ConfigView needs to sync your AWS resources and dynamically discover your active regions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConfigViewReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeVolumes",
                "ec2:DescribeAddresses",
                "ec2:DescribeSnapshots",
                "cloudtrail:DescribeTrails",
                "ce:GetCostAndUsage",
                "ce:GetCostAndUsageWithResources",
                "ce:GetCostForecast",
                "ce:ListCostCategoryDefinitions",
                "ce:DescribeCostCategoryDefinition",
                "sts:GetCallerIdentity",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketVersioning",
                "s3:GetBucketTagging",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketPublicAccessBlock",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAlarms",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "rds:DescribeDBInstances",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "route53:GetHostedZone",
                "route53:ListTagsForResource",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusterSubnetGroups",
                "cloudfront:ListDistributions",
                "cloudfront:GetDistribution",
                "cloudfront:ListTagsForResource",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTagsForResource",
                "lambda:ListFunctions",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:ListTags",
                "detective:ListGraphs",
                "detective:ListMembers",
                "glue:GetDatabases",
                "glue:GetTables",
                "glue:GetJobs",
                "glue:GetCrawlers",
                "glue:GetTags",
                "transfer:ListServers",
                "transfer:DescribeServer",
                "transfer:ListUsers",
                "transfer:DescribeUser",
                "transfer:ListTagsForResource",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr:GetLifecyclePolicy",
                "ecr:ListTagsForResource",
                "sms-voice:DescribePhoneNumbers",
                "sms-voice:DescribeConfigurationSets",
                "sms-voice:DescribeAccountAttributes",
                "cognito-idp:ListUserPools",
                "cognito-idp:DescribeUserPool",
                "cognito-identity:ListIdentityPools",
                "cognito-identity:DescribeIdentityPool",
                "guardduty:ListDetectors",
                "guardduty:GetDetector",
                "guardduty:ListFindings",
                "guardduty:GetFindings",
                "guardduty:ListTagsForResource",
                "ses:ListIdentities",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "ses:GetSendStatistics",
                "ses:ListConfigurationSets",
                "ses:DescribeConfigurationSet",
                "ses:ListEmailIdentities",
                "ses:GetAccount",
                "kms:ListKeys",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:GetKeyRotationStatus",
                "kms:ListResourceTags",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigRules",
                "config:DescribeComplianceByConfigRule",
                "config:DescribeDeliveryChannels",
                "securityhub:GetFindings",
                "securityhub:DescribeHub",
                "securityhub:GetEnabledStandards",
                "securityhub:ListTagsForResource",
                "macie2:GetMacieSession",
                "macie2:ListFindings",
                "macie2:GetFindings",
                "macie2:ListClassificationJobs",
                "apigateway:GET",
                "apigatewayv2:GET",
                "kinesis:ListStreams",
                "kinesis:DescribeStream",
                "kinesis:ListTagsForStream",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeTags",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTagsForResource",
                "wafv2:ListWebACLs",
                "wafv2:GetWebACL",
                "wafv2:ListResourcesForWebACL",
                "wafv2:GetLoggingConfiguration",
                "wafv2:ListTagsForResource",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*"
        }
    ]
}
Two actions in this policy require additional one-time setup in the AWS console (no IAM change):
  • Cost Explorer must be enabled (Billing → Cost Explorer → Enable) for the ce:* actions to return data.
  • Hourly and Resource Level Data must be enabled (Billing → Cost Explorer → Settings) for ce:GetCostAndUsageWithResources to return non-empty results. This is a paid Cost Explorer feature and takes ~24 hours to populate after enabling.
  • Compute Optimizer must be opted in at the account level (free) for compute-optimizer:GetEC2InstanceRecommendations to return recommendations.

Per-script permission reference

If you prefer to grant only what individual scripts need, each endpoint requires the following actions:
ScriptIAM actions
aws_get_ec2.pyec2:DescribeRegions, ec2:DescribeInstances
aws_get_vpc.pyec2:DescribeRegions, ec2:DescribeVpcs
aws_get_cloudtrail.pyec2:DescribeRegions, cloudtrail:DescribeTrails
aws_get_cost_daily.pyce:GetCostAndUsage, sts:GetCallerIdentity
aws_get_ebs_unattached.pyec2:DescribeRegions, ec2:DescribeVolumes
aws_get_eip_unused.pyec2:DescribeRegions, ec2:DescribeAddresses
aws_get_snapshots_aged.pyec2:DescribeRegions, ec2:DescribeSnapshots, ec2:DescribeVolumes
aws_get_s3_storage_stats.pys3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetLifecycleConfiguration, s3:GetBucketVersioning, s3:GetBucketTagging, s3:GetEncryptionConfiguration, s3:GetBucketPublicAccessBlock, cloudwatch:GetMetricStatistics
aws_get_compute_recommendations.pyec2:DescribeRegions, ec2:DescribeInstances, compute-optimizer:GetEC2InstanceRecommendations
aws_get_idle_rds.pyec2:DescribeRegions, rds:DescribeDBInstances, cloudwatch:GetMetricStatistics
aws_get_cost_by_resource.pyce:GetCostAndUsageWithResources, sts:GetCallerIdentity
aws_get_elb.pyec2:DescribeRegions, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeTags
aws_get_elb_cost.pyce:GetCostAndUsage
aws_get_ecs.pyec2:DescribeRegions, ecs:ListClusters, ecs:DescribeClusters, ecs:ListServices, ecs:DescribeServices, ecs:ListTasks, ecs:DescribeTasks, ecs:ListTagsForResource
aws_get_ecs_cost.pyce:GetCostAndUsage
aws_get_lambda.pyec2:DescribeRegions, lambda:ListFunctions, lambda:GetFunctionConfiguration, lambda:ListTags
aws_get_lambda_cost.pyce:GetCostAndUsage
aws_get_guardduty.pyec2:DescribeRegions, guardduty:ListDetectors, guardduty:ListFindings, guardduty:GetFindings
aws_get_guardduty_cost.pyce:GetCostAndUsage
aws_get_route53.pyroute53:ListHostedZones, route53:ListResourceRecordSets, route53:ListTagsForResource
aws_get_route53_cost.pyce:GetCostAndUsage
aws_get_sqs.pyec2:DescribeRegions, sqs:ListQueues, sqs:GetQueueAttributes, sqs:ListQueueTags
aws_get_sqs_cost.pyce:GetCostAndUsage
aws_get_redshift.pyec2:DescribeRegions, redshift:DescribeClusters
aws_get_redshift_cost.pyce:GetCostAndUsage
aws_get_cloudfront.pycloudfront:ListDistributions, cloudfront:ListTagsForResource
aws_get_cloudfront_cost.pyce:GetCostAndUsage
aws_get_dynamodb.pyec2:DescribeRegions, dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:ListTagsOfResource
aws_get_dynamodb_cost.pyce:GetCostAndUsage
aws_get_sns.pyec2:DescribeRegions, sns:ListTopics, sns:GetTopicAttributes, sns:ListTagsForResource
aws_get_sns_cost.pyce:GetCostAndUsage
aws_get_cloudwatch.pyec2:DescribeRegions, cloudwatch:DescribeAlarms
aws_get_cloudwatch_cost.pyce:GetCostAndUsage
aws_get_detective.pyec2:DescribeRegions, detective:ListGraphs, detective:ListMembers
aws_get_detective_cost.pyce:GetCostAndUsage
aws_get_glue.pyec2:DescribeRegions, glue:GetDatabases, glue:GetJobs, glue:GetCrawlers
aws_get_glue_cost.pyce:GetCostAndUsage
aws_get_transfer.pyec2:DescribeRegions, transfer:ListServers, transfer:DescribeServer, transfer:ListUsers
aws_get_transfer_cost.pyce:GetCostAndUsage
aws_get_ecr.pyec2:DescribeRegions, ecr:DescribeRepositories, ecr:DescribeImages, ecr:ListTagsForResource
aws_get_ecr_cost.pyce:GetCostAndUsage
aws_get_eum.pyec2:DescribeRegions, sms-voice:DescribePhoneNumbers
aws_get_eum_cost.pyce:GetCostAndUsage
aws_get_cognito.pyec2:DescribeRegions, cognito-idp:ListUserPools, cognito-idp:DescribeUserPool, cognito-identity:ListIdentityPools, cognito-identity:DescribeIdentityPool
aws_get_cognito_cost.pyce:GetCostAndUsage
aws_get_ses.pyec2:DescribeRegions, ses:ListEmailIdentities, ses:GetAccount
aws_get_ses_cost.pyce:GetCostAndUsage
aws_get_kms.pyec2:DescribeRegions, kms:ListKeys, kms:DescribeKey, kms:ListAliases, kms:GetKeyRotationStatus, kms:ListResourceTags
aws_get_kms_cost.pyce:GetCostAndUsage
aws_get_config.pyec2:DescribeRegions, config:DescribeConfigurationRecorders, config:DescribeConfigurationRecorderStatus, config:DescribeDeliveryChannels, config:DescribeConfigRules
aws_get_config_cost.pyce:GetCostAndUsage
aws_get_securityhub.pyec2:DescribeRegions, securityhub:GetFindings
aws_get_securityhub_cost.pyce:GetCostAndUsage
aws_get_macie.pyec2:DescribeRegions, macie2:GetMacieSession, macie2:ListFindings, macie2:GetFindings
aws_get_macie_cost.pyce:GetCostAndUsage
aws_get_apigateway.pyec2:DescribeRegions, apigateway:GET, apigatewayv2:GET
aws_get_apigateway_cost.pyce:GetCostAndUsage
aws_get_kinesis.pyec2:DescribeRegions, kinesis:ListStreams, kinesis:DescribeStream, kinesis:ListTagsForStream
aws_get_kinesis_cost.pyce:GetCostAndUsage
aws_get_waf.pyec2:DescribeRegions, wafv2:ListWebACLs, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListTagsForResource
aws_get_waf_cost.pyce:GetCostAndUsage
aws_get_secretsmanager.pyec2:DescribeRegions, secretsmanager:ListSecrets, secretsmanager:DescribeSecret
aws_get_secretsmanager_cost.pyce:GetCostAndUsage
  1. Click Next to review.
  2. Name the policy ConfigView-ReadOnly-Integration and add a description (e.g., “Allows ConfigView to read AWS resource metadata”).
  3. Click Create policy.

Step 2: Create an IAM User and Attach the Policy

  1. In the IAM console, go to Users and click Create user.
  2. Enter a user name (e.g., configview-svc). Do not check the box for AWS Management Console access. Click Next.
  3. Choose Attach policies directly.
  4. Search for the ConfigView-ReadOnly-Integration policy you just created, select it, and click Next.
  5. Click Create user.

Step 3: Generate Access Keys

  1. Click on the newly created configview-svc user.
  2. Go to the Security credentials tab.
  3. Scroll down to the Access keys section and click Create access key.
  4. Select Third-party service (or Other).
  5. Add an optional description tag and click Create access key.
  6. Important: Copy the Access Key ID and Secret Access Key immediately. You will not be able to view the Secret Access Key again.

Step 4: Add the Credentials to ConfigView

  1. Go to your ConfigView admin dashboard: https://{companyname}.configview.com/admin/secret/
  2. Click Add Secret and create the following entries based on your newly generated keys:
    • AWS_ACCESS_KEY_ID: Your Access Key ID
    • AWS_SECRET_ACCESS_KEY: Your Secret Access Key
    • AWS_DEFAULT_REGION: Your primary AWS region (e.g., us-east-1). This is used as the starting point for global resource discovery.
  3. Click Save.

Step 5: Enable the AWS Integration

  1. Go to: https://{companyname}.configview.com/admin/cron/
  2. Locate AWS in the list of available integrations (folders).
  3. Select the resource scripts you want to run (e.g., VPCs, CloudTrail, etc.).
  4. Click Save.
When you save, ConfigView creates the database tables, schedules every selected script at the default run time (top of the page — change once, applies to every new script), and triggers a one-shot first run so data starts appearing within minutes. You can still override any individual script’s schedule below.
Default run time is stored in UTC. The picker at the top of /admin/cron/ shows it in your browser’s local time. Per-script overrides are independent of the default.

Step 6: Verify Connection

  1. Go to: https://{companyname}.configview.com/admin/status/
  2. Run the AWS health check or trigger a manual sync.
  3. Ensure the scripts report success.
If a sync fails, double-check that your Access Keys were copied correctly and that the custom IAM policy was properly attached to the user.

Integration Lifecycle (Checking and Unchecking)

ConfigView handles your database schema, scheduling, and secrets automatically based on your integration selections:
  • When you check an integration: ConfigView runs the background createdb scripts to construct the required MySQL tables, registers every script at the default run time (so you don’t have to set 50 schedules by hand), fires one immediate first run so data populates without waiting, and safely stores your secrets in Google Secret Manager.
  • When you uncheck an integration: ConfigView triggers the associated dropdb scripts, which safely drops the tables and deletes the synced data to free up database resources. It also automatically removes the associated secrets from Secret Manager.
  • When new scripts ship in a future ConfigView update: They automatically pick up your configured default run time. No re-click required.

Available Data Tables

Once the scripts complete successfully, the corresponding AWS resource tables will be populated in your database. Example tables include:
  • aws_ec2: EC2 instance inventory across all active regions.
  • aws_vpc: Virtual network configurations across all active regions.
  • aws_cloudtrail: Audit trail configurations across all active regions.
  • aws_cost_daily: Daily unblended/amortized cost grouped by service and usage type (last 30 days).
  • aws_ebs_unattached: EBS volumes in available state (unattached waste), with estimated monthly cost.
  • aws_eip_unused: Elastic IPs with no association (each unattached EIP incurs charges).
  • aws_snapshots_aged: EBS snapshots older than 90 days, flagged when their source volume no longer exists.
  • aws_s3_storage_stats: Per-bucket size, object count, storage-class breakdown, lifecycle presence, versioning, encryption.
  • aws_compute_recommendations: AWS Compute Optimizer rightsizing recommendations with estimated monthly savings.
  • aws_idle_rds: RDS instances with 7-day CPU and connection metrics, flagged idle when both fall below thresholds.
  • aws_cost_by_resource: Daily cost grouped by resource ID for the last 14 days (requires Hourly and Resource Level Data in Cost Explorer).
  • aws_elb: Application, Network, Gateway, and Classic load balancers across all active regions (DNS name, VPC, scheme, AZs, security groups, tags).
  • aws_elb_cost: Daily Cost Explorer slice for Elastic Load Balancing grouped by usage type and region (last 30 days).
  • aws_ecs: ECS clusters across all active regions with nested service and task descriptions in JSON.
  • aws_ecs_cost: Daily Cost Explorer slice for Amazon Elastic Container Service grouped by usage type and region (last 30 days).
  • aws_lambda: Lambda functions across all active regions (runtime, handler, memory, timeout, architectures, VPC config, env, tags).
  • aws_lambda_cost: Daily Cost Explorer slice for AWS Lambda grouped by usage type and region (last 30 days).
  • aws_guardduty: Active GuardDuty findings across all detectors and regions (severity, type, affected resource, archived flag).
  • aws_guardduty_cost: Daily Cost Explorer slice for Amazon GuardDuty grouped by usage type and region (last 30 days).
  • aws_route53: Public and private hosted zones with full record-set list and tags (Route 53 is a global service — single fetch, no region iteration).
  • aws_route53_cost: Daily Cost Explorer slice for Amazon Route 53 grouped by usage type and region (last 30 days).
  • aws_sqs: SQS queues across all active regions with message counts, visibility timeout, and queue attributes.
  • aws_redshift: Redshift clusters with node type/count, status, encryption, VPC, and master username.
  • aws_cloudfront: CloudFront distributions (global) with origins, aliases, price class, HTTP version, IPv6 status.
  • aws_dynamodb: DynamoDB tables with item count, size in bytes, billing mode, and provisioned capacity.
  • aws_sns: SNS topics with subscription counts and KMS encryption key.
  • aws_cloudwatch: CloudWatch metric alarms with state, threshold, comparison operator, evaluation periods, and configured actions.
  • aws_detective: Detective behavior graphs with member-account counts.
  • aws_glue: Glue databases, jobs, and crawlers in one table keyed by resource_type.
  • aws_transfer: Transfer Family servers (SFTP/FTPS/FTP) with endpoint type, identity provider, and user count.
  • aws_ecr: ECR repositories with image count, total size in bytes, tag mutability, and scan-on-push setting.
  • aws_eum: End User Messaging phone numbers (origination IDs) with country code, type, and monthly leasing price.
  • aws_cognito: Cognito user pools and identity pools in one table keyed by pool_type.
  • aws_ses: SES verified identities with verification status, DKIM state, configuration set, and account-level 24-hour send quotas.
  • aws_kms: KMS keys with alias, state, usage, key manager (AWS/CUSTOMER), origin, and rotation status. Tags included.
  • aws_config: AWS Config recorders + delivery channels per region with rule counts.
  • aws_securityhub: Active Security Hub findings with severity label/normalized score, compliance status, workflow status, and affected resource.
  • aws_macie: Macie sensitive-data findings with severity, category, S3 resource, and count.
  • aws_apigateway: REST, HTTP, and WebSocket APIs in one table keyed by api_type.
  • aws_kinesis: Kinesis Data Streams with shard count, retention period, stream mode (ON_DEMAND/PROVISIONED), encryption, and creation timestamp.
  • aws_waf: WAFv2 Web ACLs (REGIONAL + CLOUDFRONT) with rule count, capacity, default action, associated resources, and full rule definitions.
  • aws_secretsmanager: Secret metadata only (NOT secret values) — name, KMS key, rotation schedule, last-rotated/changed/accessed dates.
  • aws_sqs_cost through aws_secretsmanager_cost: Daily Cost Explorer slices for each service above, same shared schema (see note below).
Each aws_<service>_cost table shares a consistent schema: usage_date, service_name, usage_type, region, operation, amortized_cost_usd, unblended_cost_usd, usage_quantity, usage_unit, raw, run_at. This lets you UNION across services for cross-cutting cost analysis. Note: ConfigView automatically discovers and polls all active AWS regions during sync operations. All tables include a run_at column to power historical tracking and drift detection.