The IAM policy
Every action in this policy is a Get, List, or Describe. There is no Put, Create, Update, Modify, or Delete because the source code does not call any. Verify the hash. Read the plain-language allow list. Decide if you trust it.
Kulshan/iam/per-check/. Composed at release time, attested by hash.Plain-language summary. Every line below maps to read-only AWS APIs. The full action list is in the JSON file above.
Decrypt. No GenerateDataKey. No cryptographic operations.Verbs the policy never grants. If you find a Kulshan code path that calls one of these, that is a bug, and it should be reported to [email protected].
Put, Create, Update, Modify, Delete, or Terminate on any service.iam:CreateAccessKey, iam:UpdateLoginProfile, iam:CreateUser, or any IAM mutation.sts:AssumeRole in the policy itself. Kulshan uses your existing credential chain; assuming a role is your decision, not the policy's.s3:GetObject. The bucket configuration is readable; the bucket contents are not.kms:Decrypt, kms:GenerateDataKey, kms:Encrypt, or any cryptographic operation.ec2:RunInstances, ec2:TerminateInstances, ec2:CreateTags, or any compute-lifecycle action.rds:Modify*, lambda:UpdateFunctionCode, secretsmanager:GetSecretValue, or any other resource modification or secret access.Download the JSON, hash it locally, and compare to the SHA256 above. If the two match, the file you have is the file we ship.
$ shasum -a 256 Kulshan-readonly.json
fd39f19d6781488fe54ceb46e76fc2345a9e77a9c6caf33286f2eca1f1889217 Kulshan-readonly.json
If the hash does not match, something is wrong. Email [email protected].
Each pack ships its own minimum-viable policy. Attach only the packs you intend to run. Per-pack totals do not add up to 146 because some read-only actions are reused across multiple checks. The composed policy de-duplicates shared actions into 146 unique IAM actions.
Reuse
Reuse freely under CC BY 4.0. Credit: MissionFinOps, missionfinops.com.
This applies to the policy file (kulshan-readonly.json and the per-pack files in kulshan/iam/per-check/) only. The CC BY 4.0 license on the policy file is in addition to the Apache 2.0 license that covers the rest of the Kulshan codebase.
If your team or tool adopts this policy as a baseline, no permission needed. A link back is appreciated, not required.