DAY2™  believes and ensures Least privileged permission model across our platform operations. Our aim is to ensure that our customers are in full control of what permissions that they give out and keep our access granular to the scope of every operation.

In DAY2™, we create specific roles with the least permissions to perform the tasks on your behalf and nothing more. The IAM roles in your AWS Account are attached with the least permissions that it requires and also, with AWS Managed policies which are recommended by AWS. 

We create IAM roles to perform actions in each of the following features. These roles are created in your AWS Account and only if you've opted in to perform the operation, and only with your consent.  

The AWS services used by our features are explained below

  1. Core Platform (Onboarding & Continuous Discovery) 
    CloudWatch Events, S3, CloudTrail, Resource Groups + Tagging

  2. Server Management
    Systems Manager (Automation, Run Command, State manager, Patch policy, Resource data sync, Session manager), S3, AMI, EC2

  3. Blueprints
    CloudFormation, SSM(Automation), other resources and services vary based on the blueprint that is being launched.

  4. Application Management
    Cloudwatch alarm, S3, Cloudformation, SSM(Automation)

  5. Security Bot
    Security Hub, Fargate, SSM( Parameter store, Automation), Cloudformation, Cloudwatch events, SNS

  6. Compliance Bot
    AWS Config, SSM( Parameter store, Automation), Cloudwatch events, SNS

  7. Desired Account State
    Cloudformation, SSM(Automation), S3, SNS, AWS Budget, CloudTrail, AWS Config, IAM, Lambda, Cloudwatch, Trusted Advisor, Security Hub

  8. Desired Region State
    Cloudformation, SSM(Automation), S3, SNS, AWS Config, AWS Gaurd duty, Lambda, Cloudwatch, VPC, Internet Gateway, Elastic IP, NatGateway, Trusted Advisor, Security Hub, IAM Access Analyzer

For granular details of IAM permissions for each of these areas, contact us on